On Mon, Mar 28, 2016 at 9:11 AM, Benjamin Kaduk <bka...@akamai.com> wrote: > > I understand there are good reasons to want to make the default behavior > of a single-physical-server TLS server as secure as possible, but I think > it's also well-understood that the more "exciting" portions of 0-RTT happen > in a distributed setup, where there are different physical (well, maybe > virtual) machines sharing a session ticket key, potentially in different > data centers. I don't think we've seen a real description of how this > proposal for "single-use" session tickets would behave in the distributed > setup yet. Are you proposing to require a distributed replay cache shared > by all machines sharing the session-ticket key? I expect a lot of pushback > from operators in that case, since distributed replay caches are really > annoying to get right, let alone performant. So then the "single-use" > property would come with a caveat, that it's only "single use" per replay > cache instance, and some limited number of replays become possible. > > Can you say more about how you envision your proposal working for these > distributed environments? >
> In a more general sense, it's starting to seem like we should consider the > spectrum from "actually no replays possible" to "some small number of > replays possible [on the order of the number of machines sharing the > session ticket key]" and ending at "nearly unlimited (millions+) of replays > possible". I think avoiding the last case is a reasonable goal, but I'm > as-yet unconvinced that the first case is achievable. Perhaps the middle > ground is good enough... > I've come to the same conclusion: I don't think it's possible to eliminate all possibility of replay - but it is possible to reduce it to a small window, and I think there are pragmatic design steps that can be made that reduce the idempotency risks too. I'm working on a small write-up now; will send out later today. -- Colm
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
