idnits 2.17.1 draft-ietf-tls-padding-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 24, 2015) is 3167 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group A. Langley 3 Internet-Draft Google Inc 4 Intended status: Standards Track August 24, 2015 5 Expires: February 25, 2016 7 A TLS ClientHello padding extension 8 draft-ietf-tls-padding-02 10 Abstract 12 This memo describes a TLS extension that can be used to pad 13 ClientHello messages to a desired size. 15 Status of This Memo 17 This Internet-Draft is submitted in full conformance with the 18 provisions of BCP 78 and BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF). Note that other groups may also distribute 22 working documents as Internet-Drafts. The list of current Internet- 23 Drafts is at http://datatracker.ietf.org/drafts/current/. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 This Internet-Draft will expire on February 25, 2016. 32 Copyright Notice 34 Copyright (c) 2015 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents 39 (http://trustee.ietf.org/license-info) in effect on the date of 40 publication of this document. Please review these documents 41 carefully, as they describe your rights and restrictions with respect 42 to this document. Code Components extracted from this document must 43 include Simplified BSD License text as described in Section 4.e of 44 the Trust Legal Provisions and are provided without warranty as 45 described in the Simplified BSD License. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 50 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 2 51 3. Padding Extension . . . . . . . . . . . . . . . . . . . . . . 2 52 4. Example usage . . . . . . . . . . . . . . . . . . . . . . . . 3 53 5. Security Considerations . . . . . . . . . . . . . . . . . . . 3 54 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 55 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 56 8. Normative References . . . . . . . . . . . . . . . . . . . . 4 57 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 4 59 1. Introduction 61 Successive TLS [RFC5246] versions have added support for more cipher 62 suites and, over time, more TLS extensions have been defined. This 63 has caused the size of the TLS ClientHello to grow and the additional 64 size has caused some implementation bugs to come to light. At least 65 one of these implementation bugs can be ameliorated by making the 66 ClientHello even larger. 68 This memo describes a TLS extension that can be used to pad a 69 ClientHello to a desired size in order to avoid implementation bugs 70 caused by certain ClientHello sizes. 72 2. Requirements Notation 74 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 75 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 76 document are to be interpreted as described in RFC 2119 [RFC2119]. 78 3. Padding Extension 80 A new extension type ("padding(21)") is defined and MAY be included 81 by the client in its ClientHello message. 83 enum { 84 padding(21), (65535) 85 } ExtensionType; 87 The "extension_data" for the extension consists of an arbitrary 88 number of zero bytes. For example, the smallest "padding" extension 89 is four bytes long and is encoded as 0x00 0x15 0x00 0x00. A ten byte 90 extension would include 6 bytes of "extension_data" and would be 91 encoded as: 93 00 15 00 06 00 00 00 00 00 00 94 |---| |---| |---------------| 95 | | | 96 | | \- extension_data: 6 zero bytes 97 | | 98 | \------------- 16-bit, extension_data length 99 | 100 \------------------- extension_type for padding extension 102 The client MUST fill the padding extension completely with zero 103 bytes, although the padding extension may be empty. 105 The server MUST NOT echo the extension. 107 4. Example usage 109 As an example, consider a client that wishes to avoid sending a 110 ClientHello with a record size between 256 and 511 bytes (inclusive). 111 This case is considered because at least one TLS implementation is 112 known to hang the connection when such a ClientHello record is 113 received. 115 After building a ClientHello as normal, the client can add four to 116 the length (to account for the "msg_type" and "length" fields of the 117 handshake protocol) and test whether the resulting length falls into 118 that range. If it does, a padding extension can be added in order to 119 push the length to (at least) 512 bytes. 121 Note that if the original ClientHello size was between 505 and 507 122 bytes then, with the handshake protocol overhead, the record would be 123 between 509 and 511 bytes long. Since it's not possible for an 124 extension to take less than four bytes of space, the additional 125 padding would have to expand the ClientHello record past 512 bytes in 126 these cases. 128 5. Security Considerations 130 The contents of the padding extension could be used as a covert 131 channel. In order to prevent this, the contents are required to be 132 all zeros, although the length of the extension can still be used as 133 a much smaller covert channel. Servers MAY verify that the extension 134 is either empty or contains only zero bytes, in order to enforce 135 this. 137 6. IANA Considerations 139 IANA is requested to permanently assign the early code point for the 140 padding extension in its ExtensionType registry. 142 7. Acknowledgements 144 The author gratefully acknowledges the contributions of Wan-Teh Chang 145 and the suggestions of Eric Rescorla. 147 8. Normative References 149 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 150 Requirement Levels", BCP 14, RFC 2119, 151 DOI 10.17487/RFC2119, March 1997, 152 . 154 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 155 (TLS) Protocol Version 1.2", RFC 5246, 156 DOI 10.17487/RFC5246, August 2008, 157 . 159 Author's Address 161 Adam Langley 162 Google Inc 164 Email: agl@google.com