| draft-ietf-tls-ticketrequests-02.txt | draft-ietf-tls-ticketrequests-03.txt | |||
|---|---|---|---|---|
| Network Working Group T. Pauly | Network Working Group T. Pauly | |||
| Internet-Draft Apple Inc. | Internet-Draft Apple Inc. | |||
| Intended status: Informational D. Schinazi | Intended status: Informational D. Schinazi | |||
| Expires: March 30, 2020 Google LLC | Expires: April 20, 2020 Google LLC | |||
| C. Wood | C. Wood | |||
| Apple Inc. | Apple Inc. | |||
| September 27, 2019 | October 18, 2019 | |||
| TLS Ticket Requests | TLS Ticket Requests | |||
| draft-ietf-tls-ticketrequests-02 | draft-ietf-tls-ticketrequests-03 | |||
| Abstract | Abstract | |||
| TLS session tickets enable stateless connection resumption for | TLS session tickets enable stateless connection resumption for | |||
| clients without server-side, per-client state. Servers vend an | clients without server-side, per-client state. Servers vend an | |||
| arbitrary number of session tickets to clients, at their discretion, | arbitrary number of session tickets to clients, at their discretion, | |||
| upon connection establishment. Clients store and use tickets when | upon connection establishment. Clients store and use tickets when | |||
| resuming future connections. This document describes a mechanism by | resuming future connections. This document describes a mechanism by | |||
| which clients may specify the desired number of tickets needed for | which clients can specify the desired number of tickets needed for | |||
| future connections. This extension aims to provide a means for | future connections. This extension aims to provide a means for | |||
| servers to determine the number of tickets to generate in order to | servers to determine the number of tickets to generate in order to | |||
| reduce ticket waste, while simultaneously priming clients for future | reduce ticket waste, while simultaneously priming clients for future | |||
| connection attempts. | connection attempts. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on March 30, 2020. | This Internet-Draft will expire on April 20, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 31 ¶ | skipping to change at page 2, line 31 ¶ | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 6 | 7.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| As per [RFC5077], and as described in [RFC8446], TLS servers send | As per [RFC5077], and as described in [RFC8446], TLS servers vend | |||
| clients an arbitrary number of session tickets at their own | clients an arbitrary number of session tickets at their own | |||
| discretion in NewSessionTicket messages. There are two limitations | discretion in NewSessionTicket messages. There are two limitations | |||
| with this design. First, servers choose some (often hard-coded) | with this design. First, servers choose some (often hard-coded) | |||
| number of tickets vended per connection. Second, clients do not have | number of tickets vended per connection. Second, clients do not have | |||
| a way of expressing their desired number of tickets, which may impact | a way of expressing their desired number of tickets, which can impact | |||
| future connection establishment. For example, clients may open | future connection establishment. For example, clients can open | |||
| multiple TLS connections to the same server for HTTP, or may race TLS | multiple TLS connections to the same server for HTTP, or race TLS | |||
| connections across different network interfaces. The latter is | connections across different network interfaces. The latter is | |||
| especially useful in transport systems that implement Happy Eyeballs | especially useful in transport systems that implement Happy Eyeballs | |||
| [RFC8305]. Since clients control connection concurrency and | [RFC8305]. Since clients control connection concurrency and | |||
| resumption, a standard mechanism for requesting more than one ticket | resumption, a standard mechanism for requesting more than one ticket | |||
| is desirable. | is desirable. | |||
| This document specifies a new TLS extension - "ticket_request" - that | This document specifies a new TLS extension - "ticket_request" - that | |||
| may be used by clients to express their desired number of session | can be used by clients to express their desired number of session | |||
| tickets. Servers may use this extension as a hint of the number of | tickets. Servers can use this extension as a hint of the number of | |||
| NewSessionTicket messages to vend. This extension is only applicable | NewSessionTicket messages to vend. This extension is only applicable | |||
| to TLS 1.3 [RFC8446], DTLS 1.3 [I-D.ietf-tls-dtls13], and future | to TLS 1.3 [RFC8446], DTLS 1.3 [I-D.ietf-tls-dtls13], and future | |||
| versions thereof. | versions thereof. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| [RFC2119] [RFC8174] when, and only when, they appear in all capitals, | [RFC2119] [RFC8174] when, and only when, they appear in all capitals, | |||
| skipping to change at page 3, line 27 ¶ | skipping to change at page 3, line 27 ¶ | |||
| o Parallel HTTP connections: To minimize ticket reuse while still | o Parallel HTTP connections: To minimize ticket reuse while still | |||
| improving performance, it may be useful to use multiple, distinct | improving performance, it may be useful to use multiple, distinct | |||
| tickets when opening parallel connections. Clients must therefore | tickets when opening parallel connections. Clients must therefore | |||
| bound the number of parallel connections they initiate by the | bound the number of parallel connections they initiate by the | |||
| number of tickets in their possession, or risk ticket re-use. | number of tickets in their possession, or risk ticket re-use. | |||
| o Connection racing: Happy Eyeballs V2 [RFC8305] describes | o Connection racing: Happy Eyeballs V2 [RFC8305] describes | |||
| techniques for performing connection racing. The Transport | techniques for performing connection racing. The Transport | |||
| Services Architecture implementation from [TAPS] also describes | Services Architecture implementation from [TAPS] also describes | |||
| how connections may race across interfaces and address families. | how connections can race across interfaces and address families. | |||
| In cases where clients have early data to send and want to | In cases where clients have early data to send and want to | |||
| minimize or avoid ticket re-use, unique tickets for each unique | minimize or avoid ticket re-use, unique tickets for each unique | |||
| connection attempt are useful. Moreover, as some servers may | connection attempt are useful. Moreover, as some servers may | |||
| implement single-use tickets (and even session ticket encryption | implement single-use tickets (and even session ticket encryption | |||
| keys), distinct tickets will be needed to prevent premature ticket | keys), distinct tickets will be needed to prevent premature ticket | |||
| invalidation by racing. | invalidation by racing. | |||
| o Connection priming: In some systems, connections may be primed or | o Connection priming: In some systems, connections can be primed or | |||
| bootstrapped by a centralized service or daemon for faster | bootstrapped by a centralized service or daemon for faster | |||
| connection establishment. Requesting tickets on demand allows | connection establishment. Requesting tickets on demand allows | |||
| such services to vend tickets to clients to use for accelerated | such services to vend tickets to clients to use for accelerated | |||
| handshakes with early data. (Note that if early data is not | handshakes with early data. (Note that if early data is not | |||
| needed by these connections, this method SHOULD NOT be used. | needed by these connections, this method SHOULD NOT be used. | |||
| Fresh handshakes SHOULD be performed instead.) | Fresh handshakes SHOULD be performed instead.) | |||
| o Less ticket waste: Currently, TLS servers use application- | o Less ticket waste: Currently, TLS servers use application- | |||
| specific, and often implementation-specific, logic to determine | specific, and often implementation-specific, logic to determine | |||
| how many tickets to issue. By moving the burden of ticket count | how many tickets to issue. By moving the burden of ticket count | |||
| to clients, servers do not generate wasteful tickets for clients. | to clients, servers do not generate wasteful tickets. As an | |||
| Moreover, as ticket generation may involve expensive computation, | example, clients might only request one ticket during resumption. | |||
| e.g., public key cryptographic operations, avoiding waste is | Moreover, as ticket generation might involve expensive | |||
| desirable. | computation, e.g., public key cryptographic operations, avoiding | |||
| waste is desirable. | ||||
| o Decline resumption: Clients may indicate they have no intention of | o Decline resumption: Clients can indicate they have no intention of | |||
| resuming connections by sending a ticket request with count of | resuming connections by sending a ticket request with count of | |||
| zero. | zero. | |||
| 3. Ticket Requests | 3. Ticket Requests | |||
| Clients may indicate to servers their desired number of tickets for a | Clients can indicate to servers their desired number of tickets for a | |||
| single connection via the following "ticket_request" extension: | single connection via the following "ticket_request" extension: | |||
| enum { | enum { | |||
| ticket_request(TBD), (65535) | ticket_request(TBD), (65535) | |||
| } ExtensionType; | } ExtensionType; | |||
| Clients may send this extension in ClientHello. It contains the | Clients MAY send this extension in ClientHello. It contains the | |||
| following structure: | following structure: | |||
| struct { | struct { | |||
| uint8 count; | uint8 count; | |||
| } TicketRequestContents; | } TicketRequestContents; | |||
| count The number of tickets desired by the client. | count The number of tickets desired by the client. | |||
| A supporting server MAY vend TicketRequestContents.count | A supporting server MAY use TicketRequestContents.count when | |||
| NewSessionTicket messages to a requesting client, and SHOULD NOT send | determining how many NewSessionTicket messages to send to a | |||
| more than TicketRequestContents.count NewSessionTicket messages to a | requesting client, and SHOULD place a limit on the number of tickets | |||
| requesting client. Servers SHOULD place a limit on the number of | sent. The number of NewSessionTicket messages sent SHOULD be the | |||
| tickets they are willing to vend to clients. Thus, the number of | minimum of the server's self-imposed limit and | |||
| NewSessionTicket messages sent should be the minimum of the server's | TicketRequestContents.count. | |||
| self-imposed limit and TicketRequestContents.count. Servers MUST NOT | ||||
| send more than 255 tickets to clients. | ||||
| Servers that support ticket requests MUST NOT echo "ticket_request" | Servers that support ticket requests MUST NOT echo "ticket_request" | |||
| in the EncryptedExtensions message. A client MUST abort the | in the EncryptedExtensions message. A client MUST abort the | |||
| connection with an "illegal_parameter" alert if the "ticket_request" | connection with an "illegal_parameter" alert if the "ticket_request" | |||
| extension is present in the EncryptedExtensions message. | extension is present in the EncryptedExtensions message. | |||
| Clients MUST NOT change the value of TicketRequestContents.count in | If a client receives a HelloRetryRequest, the presence (or absence) | |||
| second ClientHello messages sent in response to a HelloRetryRequest. | of the "ticket_request" extension MUST be maintained in the second | |||
| ClientHello message. Moreover, if this extension is present, a | ||||
| client MUST NOT change the value of TicketRequestContents.count in | ||||
| the second ClientHello message. | ||||
| 4. IANA Considerations | 4. IANA Considerations | |||
| IANA is requested to Create an entry, ticket_request(TBD), in the | IANA is requested to Create an entry, ticket_request(TBD), in the | |||
| existing registry for ExtensionType (defined in [RFC8446]), with "TLS | existing registry for ExtensionType (defined in [RFC8446]), with "TLS | |||
| 1.3" column values being set to "CH", and "Recommended" column being | 1.3" column values being set to "CH", and "Recommended" column being | |||
| set to "Yes". | set to "Yes". | |||
| 5. Security Considerations | 5. Security Considerations | |||
| Ticket re-use is a security and privacy concern. Moreover, clients | Ticket re-use is a security and privacy concern. Moreover, clients | |||
| must take care when pooling tickets as a means of avoiding or | must take care when pooling tickets as a means of avoiding or | |||
| amortizing handshake costs. If servers do not rotate session ticket | amortizing handshake costs. If servers do not rotate session ticket | |||
| encryption keys frequently, clients may be encouraged to obtain and | encryption keys frequently, clients may be encouraged to obtain and | |||
| use tickets beyond common lifetime windows of, e.g., 24 hours. | use tickets beyond common lifetime windows of, e.g., 24 hours. | |||
| Despite ticket lifetime hints provided by servers, clients SHOULD | Despite ticket lifetime hints provided by servers, clients SHOULD | |||
| dispose of pooled tickets after some reasonable amount of time that | dispose of pooled tickets after some reasonable amount of time that | |||
| mimics the ticket rotation period. | mimics the ticket rotation period. | |||
| Servers that do not enforce a limit on the number of NewSessionTicket | ||||
| messages sent in response to a "ticket_request" extension could leave | ||||
| themselves open to DoS attacks, especially if ticket creation is | ||||
| expensive. | ||||
| 6. Acknowledgments | 6. Acknowledgments | |||
| The authors would like to thank David Benjamin, Eric Rescorla, Nick | The authors would like to thank David Benjamin, Eric Rescorla, Nick | |||
| Sullivan, Martin Thomson, and other members of the TLS Working Group | Sullivan, Martin Thomson, Hubert Kario, and other members of the TLS | |||
| for discussions on earlier versions of this draft. | Working Group for discussions on earlier versions of this draft. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-tls-dtls13] | [I-D.ietf-tls-dtls13] | |||
| Rescorla, E., Tschofenig, H., and N. Modadugu, "The | Rescorla, E., Tschofenig, H., and N. Modadugu, "The | |||
| Datagram Transport Layer Security (DTLS) Protocol Version | Datagram Transport Layer Security (DTLS) Protocol Version | |||
| 1.3", draft-ietf-tls-dtls13-32 (work in progress), July | 1.3", draft-ietf-tls-dtls13-33 (work in progress), October | |||
| 2019. | 2019. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, | [RFC5077] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig, | |||
| "Transport Layer Security (TLS) Session Resumption without | "Transport Layer Security (TLS) Session Resumption without | |||
| Server-Side State", RFC 5077, DOI 10.17487/RFC5077, | Server-Side State", RFC 5077, DOI 10.17487/RFC5077, | |||
| End of changes. 19 change blocks. | ||||
| 33 lines changed or deleted | 40 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||