TCPLS presentation @ietf 109
Download as PPTX, PDF0 likes139 views
TCPLS closely integrates TCP and TLS by using new TLS record types to carry TCP control plane information. This allows TCP options and control data to be encrypted and authenticated within TLS records. TCPLS provides benefits like securing Multipath TCP connections, enabling stronger TCP Fast Open, providing more space for TCP options, allowing true TCP keepalives, securely releasing TCP sessions, supporting Happy Eyeballs, and enabling connection migration. The integrated TCPLS protocol could improve privacy, security and functionality compared to treating TCP and TLS as separate and independent protocols.
TCPLS presentation @ietf 109
- 1. TCPLS : Closely Integrating TCP and TLS Florentin Rochet, Emery Assogba, Olivier Bonaventure UCLouvain This work was partially supported by the Walloon government within the MQUIC project 1
- 2. Our current stack • TLS 1.3 • provides security • More and more used on WANs and by a variety of applications • TCP • provides connection abstraction, realibility, congestion control • Most popular transport protocol • In the future, TCP could always be used with TLS TCP Socket IP Application TLS 2
- 3. Control and data separation in TCP Source port Destination port Checksum Urgent pointer THL Reserved Flags Acknowledgment number Sequence number Window Payload TCP Options • Very simple Control Data restricts the length of 3
- 4. TLS 1.3 in one slide • Secure Handshake • The encrypted TLS records ClientHello( ... Extension) ServerHello(.. EncryptedExt) Finished Application Data Finished 0-rtt mode in parallel with the TCP handshake is possible Type Version Length Always 23 App Data TLS 1.3 TrueType Encrypted and authenticated Encrypted and thus invisible to middleboxes 4
- 5. An integrated stack • Key idea • Use new TLS record types to carry TCP control plane information • TLS record to carry TCP option • TCP option inside ClientHello Extension • TCP option inside ServerHello EncrytedExt • TCPLS has 2 different channels for TCP control • regular TCP options • Encrypted TLS recordsIP Application TCPLS TLS TCP Socket 5
- 6. The TCPLS control channels 6 Application TCPLS TLS TCP Socket Enc. TLS rec #2 (data) Source port Destination port Checksum Urgent pointer THL Reserved Flags Acknowledgment number Sequence number Window TCP Options Enc. TLS rec #1(control) Application TCPLS TLS TCP Socket TCP header TLS records
- 7. Use case : Securing Multipath TCP • Security concerns • token is exchanged inside SYN/SYN+ACK • ADD_ADDR authentication • ADD_ADDR not reliable • With TCPLS • Derive token from TLS secrets • TCPLS record for ADD_ADDR • reliable and authenticated • REMOVE_ADDR could still be sent as TCP option 7
- 8. Use case : Stronger TFO • Concern • The security of TFO is limited by the length of the TCP options in the SYN to encode the cookie • TCPLS approach • Use TLS’s 0-RTT and • send ClientHello inside SYN payload with TCPLS cookie • send ServerHello inside SYN+ACK payload with TCPLS cookie • Cookies can be longer and more secure by leveraging the existing TLS mechanisms • Middlebox interference • Apple’s measurements do not seem to indicate that the length of the payload in the SYN is a strong factor in middlebox interference 8
- 9. Use case : More space for TCP options • TCPLS approach • More options during the handshake • Leverage the 0-RTT handshake • ServerHello inside SYN+ACK and TCP Options as ServerHello EncryptedExt • Define TLS record type to carry TCP options • Late negotiation of TCP extensions • Since TLS records are reliably exchanged, we could also negotiate a TCP extension after the establishment of a connection 9
- 10. Use case : True keepalives • Concern • Keepalives really part of TCP • TCPLS approach • New ping/pong TCPLS record type • Hosts can send ping/pong records including data without interfering with payload • TCPLS can negotiate keepalive intervals and other informations RFC1122 10
- 11. Use case : Secure session release • Concern • Middleboxes or attackers can force the termination of TCP connections using RST or FIN • TCPLS approach • New authenticated record type indicating end of TCPLS connection • If RST or FIN are received before the exchange of this record, then the underlying TCP connection can be automatically reestablished 11
- 12. Use case : Happy eyeballs • Server supports IPv4 and IPv6 • Client learns addresses from DNS and initiates IPv6 and later IPv4 connection • With TCPLS • Server uses EncryptedExt in ServerHello to advertise its alternate address • Similar to what QUIC connection migration or MPTCP’s ADD_ADDR • Client learns alternate server address during handshake • Client can create connection to alternate address, test it and migrate the connection 12
- 13. Use case : Connection migration • Concern • Smartphone wants to move to cellular while preserving established TCPLS session • Implemented TCPLS approach • Server provides connection identifier and cookie in ServerHello • Client creates second TCPLS subflow to server using this information • Server and client move data transfer to new TCPLS subflow 13
- 14. Conclusion • Don’t consider TCP and TLS as separate and independent protocols • TLS 1.3 can be efficiently combined with TCP to improve it • More details are available in our Hotnets’20 paper • There is running code based on picotls at https://pluginized-protocols.org 14
- 15. Conclusion • Don’t consider TCP and TLS as separate and independent protocols • TLS 1.3 can be efficiently combined with TCP to improve it • More details are available in our Hotnets’20 paper • There is running code based on picotls at https://pluginized-protocols.org 15