idnits 2.17.1 

draft-ietf-tls-padding-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The draft header indicates that this document updates RFC5246, but the
     abstract doesn't seem to mention this, which it should.


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

     (Using the creation date from RFC5246, updated by this document, for
     RFC5378 checks: 2006-03-02)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (Sept 2015) is 3421 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)


     Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                         A. Langley
3	Internet-Draft                                                Google Inc
4	Updates: 5246 (if approved)                                    Sept 2015
5	Intended status: Standards Track
6	Expires: March 4, 2016

8	                  A TLS ClientHello padding extension
9	                       draft-ietf-tls-padding-03

11	Abstract

13	   This memo describes a TLS extension that can be used to pad
14	   ClientHello messages to a desired size.

16	Status of This Memo

18	   This Internet-Draft is submitted in full conformance with the
19	   provisions of BCP 78 and BCP 79.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF).  Note that other groups may also distribute
23	   working documents as Internet-Drafts.  The list of current Internet-
24	   Drafts is at http://datatracker.ietf.org/drafts/current/.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   This Internet-Draft will expire on March 4, 2016.

33	Copyright Notice

35	   Copyright (c) 2015 IETF Trust and the persons identified as the
36	   document authors.  All rights reserved.

38	   This document is subject to BCP 78 and the IETF Trust's Legal
39	   Provisions Relating to IETF Documents
40	   (http://trustee.ietf.org/license-info) in effect on the date of
41	   publication of this document.  Please review these documents
42	   carefully, as they describe your rights and restrictions with respect
43	   to this document.  Code Components extracted from this document must
44	   include Simplified BSD License text as described in Section 4.e of
45	   the Trust Legal Provisions and are provided without warranty as
46	   described in the Simplified BSD License.

48	Table of Contents

50	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
51	   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   2
52	   3.  Padding Extension . . . . . . . . . . . . . . . . . . . . . .   2
53	   4.  Example usage . . . . . . . . . . . . . . . . . . . . . . . .   3
54	   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
55	   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
56	   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   4
57	   8.  Normative References  . . . . . . . . . . . . . . . . . . . .   4
58	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   4

60	1.  Introduction

62	   Successive TLS [RFC5246] versions have added support for more cipher
63	   suites and, over time, more TLS extensions have been defined.  This
64	   has caused the size of the TLS ClientHello to grow and the additional
65	   size has caused some implementation bugs to come to light.  At least
66	   one of these implementation bugs can be ameliorated by making the
67	   ClientHello even larger.

69	   This memo describes a TLS extension that can be used to pad a
70	   ClientHello to a desired size in order to avoid implementation bugs
71	   caused by certain ClientHello sizes.

73	2.  Requirements Notation

75	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
76	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
77	   document are to be interpreted as described in RFC 2119 [RFC2119].

79	3.  Padding Extension

81	   A new extension type ("padding(21)") is defined and MAY be included
82	   by the client in its ClientHello message.

84	   enum {
85	           padding(21), (65535)
86	   } ExtensionType;

88	   The "extension_data" for the extension consists of an arbitrary
89	   number of zero bytes.  For example, the smallest "padding" extension
90	   is four bytes long and is encoded as 0x00 0x15 0x00 0x00.  A ten byte
91	   extension would include 6 bytes of "extension_data" and would be
92	   encoded as:

94	   00 15 00 06 00 00 00 00 00 00
95	   |---| |---| |---------------|
96	     |     |           |
97	     |     |           \- extension_data: 6 zero bytes
98	     |     |
99	     |     \------------- 16-bit, extension_data length
100	     |
101	     \------------------- extension_type for padding extension

103	   The client MUST fill the padding extension completely with zero
104	   bytes, although the padding extension_data field may be empty.

106	   The server MUST NOT echo the extension.

108	4.  Example usage

110	   As an example, consider a client that wishes to avoid sending a
111	   ClientHello with a record size between 256 and 511 bytes (inclusive).
112	   This case is considered because at least one TLS implementation is
113	   known to hang the connection when such a ClientHello record is
114	   received.

116	   After building a ClientHello as normal, the client can add four to
117	   the length (to account for the "msg_type" and "length" fields of the
118	   handshake protocol) and test whether the resulting length falls into
119	   that range.  If it does, a padding extension can be added in order to
120	   push the length to (at least) 512 bytes.

122	   Note that if the original ClientHello size was between 505 and 507
123	   bytes then, with the handshake protocol overhead, the record would be
124	   between 509 and 511 bytes long.  Since it's not possible for an
125	   extension to take less than four bytes of space, the additional
126	   padding would have to expand the ClientHello record past 512 bytes in
127	   these cases.

129	5.  Security Considerations

131	   The contents of the padding extension could be used as a covert
132	   channel.  In order to prevent this, the contents are required to be
133	   all zeros, although the length of the extension can still be used as
134	   a much smaller covert channel.  Servers MAY verify that the extension
135	   is either empty or contains only zero bytes, in order to enforce
136	   this.

138	6.  IANA Considerations

140	   IANA is requested to permanently assign the early code point for the
141	   padding extension in its ExtensionType registry.

143	7.  Acknowledgements

145	   The author gratefully acknowledges the contributions of Wan-Teh Chang
146	   and the suggestions of Eric Rescorla.

148	8.  Normative References

150	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
151	              Requirement Levels", BCP 14, RFC 2119,
152	              DOI 10.17487/RFC2119, March 1997,
153	              <http://www.rfc-editor.org/info/rfc2119>.

155	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
156	              (TLS) Protocol Version 1.2", RFC 5246,
157	              DOI 10.17487/RFC5246, August 2008,
158	              <http://www.rfc-editor.org/info/rfc5246>.

160	Author's Address

162	   Adam Langley
163	   Google Inc

165	   Email: agl@google.com