draft-rescorla-tcpinc-tls-option-05.txt   draft-rescorla-tcpinc-tls-option.txt 
TCPING E. Rescorla TCPING E. Rescorla
Internet-Draft Mozilla Internet-Draft Mozilla
Intended status: Standards Track October 19, 2015 Intended status: Standards Track October 21, 2015
Expires: April 21, 2016 Expires: April 23, 2016
TCP Use TLS Option TCP Use TLS Option
draft-rescorla-tcpinc-tls-option-05 draft-rescorla-tcpinc-tls-option-latest
Abstract Abstract
This document defines the use of TLS [RFC5246] with the TCP-ENO This document defines the use of TLS [RFC5246] with the TCP-ENO
option [I-D.bittau-tcpinc-tcpeno]. option [I-D.bittau-tcpinc-tcpeno].
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 31 skipping to change at page 1, line 31
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 21, 2016. This Internet-Draft will expire on April 23, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. TLS Profile . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. TCP-ENO Binding . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. TLS 1.3 Profile . . . . . . . . . . . . . . . . . . . . . 4 3.1. Suboption Definition . . . . . . . . . . . . . . . . . . 3
3.1.1. Handshake Modes . . . . . . . . . . . . . . . . . . . 4 3.2. Session ID . . . . . . . . . . . . . . . . . . . . . . . 4
3.1.2. Basic 1-RTT Handshake . . . . . . . . . . . . . . . . 5 3.3. Channel Close . . . . . . . . . . . . . . . . . . . . . . 4
3.1.3. Hello Retry Request [6.3.1.3] . . . . . . . . . . . . 8 4. TLS Profile . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1.4. Zero-RTT Exchange . . . . . . . . . . . . . . . . . . 9 4.1. TLS 1.3 Profile . . . . . . . . . . . . . . . . . . . . . 5
3.1.5. Key Schedule . . . . . . . . . . . . . . . . . . . . 10 4.1.1. Handshake Modes . . . . . . . . . . . . . . . . . . . 5
3.1.6. Record Protection . . . . . . . . . . . . . . . . . . 11 4.1.2. Basic 1-RTT Handshake . . . . . . . . . . . . . . . . 6
3.2. TLS 1.2 Profile . . . . . . . . . . . . . . . . . . . . . 11 4.1.3. Hello Retry Request [6.3.1.3] . . . . . . . . . . . . 10
3.3. Deprecated Features . . . . . . . . . . . . . . . . . . . 12 4.1.4. Zero-RTT Exchange . . . . . . . . . . . . . . . . . . 10
3.4. Session ID . . . . . . . . . . . . . . . . . . . . . . . 12 4.1.5. Key Schedule . . . . . . . . . . . . . . . . . . . . 12
3.5. Cryptographic Algorithms . . . . . . . . . . . . . . . . 12 4.1.6. Record Protection . . . . . . . . . . . . . . . . . . 13
4. Suboption Definition . . . . . . . . . . . . . . . . . . . . 12 4.2. TLS 1.2 Profile . . . . . . . . . . . . . . . . . . . . . 13
5. Transport Integrity . . . . . . . . . . . . . . . . . . . . . 12 4.3. Deprecated Features . . . . . . . . . . . . . . . . . . . 14
6. Implementation Options . . . . . . . . . . . . . . . . . . . 13 4.4. Cryptographic Algorithms . . . . . . . . . . . . . . . . 14
7. NAT/Firewall considerations . . . . . . . . . . . . . . . . . 13 5. Transport Integrity . . . . . . . . . . . . . . . . . . . . . 14
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 6. API Considerations . . . . . . . . . . . . . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 7. Implementation Considerations . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 8. NAT/Firewall considerations . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . 14 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . 16 10. Security Considerations . . . . . . . . . . . . . . . . . . . 16
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
11.1. Normative References . . . . . . . . . . . . . . . . . . 16
11.2. Informative References . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this
draft is maintained in GitHub. Suggested changes should be submitted draft is maintained in GitHub. Suggested changes should be submitted
as pull requests at https://github.com/ekr/tcpinc-tls. Instructions as pull requests at https://github.com/ekr/tcpinc-tls. Instructions
are on that page as well. are on that page as well.
The TCPINC WG is chartered to define protocols to provide ubiquitous, The TCPINC WG is chartered to define protocols to provide ubiquitous,
transparent security for TCP connections. The WG is specifying The transparent security for TCP connections. The WG is specifying The
skipping to change at page 3, line 8 skipping to change at page 3, line 16
The basic idea behind this draft is simple. The SYN and SYN/ACK The basic idea behind this draft is simple. The SYN and SYN/ACK
messages carry the TCP-ENO options indicating the willingness to do messages carry the TCP-ENO options indicating the willingness to do
TLS. If both sides want to do TLS, then a TLS handshake is started TLS. If both sides want to do TLS, then a TLS handshake is started
and once that completes, the data is TLS protected prior to being and once that completes, the data is TLS protected prior to being
sent over TCP. Otherwise, the application data is sent as usual. sent over TCP. Otherwise, the application data is sent as usual.
Client Server Client Server
SYN + TCP-ENO [TLS]-> SYN + TCP-ENO [TLS]->
<- SYN/ACK + TCP-ENO [ENO] <- SYN/ACK + TCP-ENO [TLS]
ACK -> ACK + TCP-ENO ->
<---------------- TLS Handshake ---------------> <---------------- TLS Handshake --------------->
<--------- Application Data over TLS ----------> <--------- Application Data over TLS ---------->
Figure 1: Negotiating TLS with TCP-TLS Figure 1
Client Server Client Server
SYN + TCP-ENO [TLS] -> SYN + TCP-ENO [TLS] ->
<- SYN/ACK <- SYN/ACK
ACK -> ACK ->
<--------- Application Data over TLS ----------> <--------- Application Data over TCP ---------->
Figure 2: Fall back to TCP Figure 2: Fall back to TCP
If use of TLS is negotiated, the data sent over TCP simply is TLS If use of TLS is negotiated, the data sent over TCP simply is TLS
data in compliance with TLS 1.2 [RFC5246] or TLS 1.3 data in compliance with TLS 1.2 [RFC5246] or TLS 1.3
[I-D.ietf-tls-tls13]. [I-D.ietf-tls-tls13].
Once the TLS handshake has completed, all application data SHALL be Once the TLS handshake has completed, all application data SHALL be
sent over that negotiated TLS channel. Application data MUST NOT be sent over that negotiated TLS channel. Application data MUST NOT be
sent prior to the TLS handshake. sent prior to the TLS handshake.
If the TLS handshake fails for non-cryptographic reasons such as If the TLS handshake fails, the endpoint MUST tear down the TCP
failure to negotiate a compatible cipher or the like, endpoints connection and MUST NOT send plaintext data over the connection.
SHOULD behave as if the the TCP-TLS option was not present. This is
obviously not the conventional behavior for TLS failure, but as the
entire idea here is to be opportunistic and the attacker can simply
suppress the TCP-TLS option entirely, this provides the maximum
robustness against broken intermediaries. If the TLS handshake fails
for cryptographic reasons that indicate damage to the datastream
(e.g., a decryption failure or a Finished failure) then the endpoints
SHOULD signal a connection failure, as this suggests that there is a
middlebox modifying the data and there is a reasonable chance that
the state is now corrupted.
3. TLS Profile 3. TCP-ENO Binding
3.1. Suboption Definition
TCP-ENO suboption with cs value set to [TBD]. Specifically, this
means that the SYN contains a 1-byte suboption indicating support for
this specification.
bit 7 6 5 4 3 2 1 0
+---+---+---+---+---+---+---+---+
| 0 | TBD |
+---+---+---+---+---+---+---+---+
[[OPEN ISSUE: It would be nice to indicate the desire to have 0-RTT,
but that would require a variable length suboption, which seems
perhaps excessive. Maybe that's the right answer anyway.]]
The SYN/ACK can be in one of two forms:
o A 1-byte suboption as in the SYN.
o A variable-length suboption. In this case, the remainder of the
option contains a nonce to be used for 0-RTT (see Section 4.1.4.
This nonce MUST be globally unique. Servers MUST NOT use this
form of the suboption unless explicitly configured (see
Section 6). [[OPEN ISSUE: I just thought this up recently, so
it's possible it's totally half-baked and won't work. In
particular, am I chewing up too much option space?]]
The ACK simply contains the bare TCP-ENO suboption.
3.2. Session ID
TCP-ENO Section 4.1 defines a session ID feature (not to be confused
with TLS Session IDs). When the protocol in use is TLS, the session
ID is computed via a TLS Exporter [RFC5705] using the Exporter Label
[[TBD]] and without a context value (the TCP-ENO transcript is
incorporated via the TCPENOTranscript extension).
3.3. Channel Close
Because TLS security is provided in the TCP transport stream rather
than at the segment level, the FIN is not an authenticated indicator
of end of data. Instead implementations following this specification
MUST send a TLS close_notify alert prior to sending a FIN and MUST
raise an error if a FIN or RST is receive prior to receiving a
close_notify.
4. TLS Profile
The TLS Profile defined in this document is intended to be a The TLS Profile defined in this document is intended to be a
compromise between two separate use cases. For the straight TCPINC compromise between two separate use cases. For the straight TCPINC
use case of ubiquitous transport encryption, we desire that use case of ubiquitous transport encryption, we desire that
implementations solely implement TLS 1.3 [I-D.ietf-tls-tls13] or implementations solely implement TLS 1.3 [I-D.ietf-tls-tls13] or
greater. However, we also want to allow the use of TCP-ENO as a greater. However, we also want to allow the use of TCP-ENO as a
signal for applications to do out-of-band negotiation of TLS, and signal for applications to do out-of-band negotiation of TLS, and
those applications are likely to already have support for TLS 1.2 those applications are likely to already have support for TLS 1.2
[RFC5246]. In order to accomodate both cases, we specify a wire [RFC5246]. In order to accomodate both cases, we specify a wire
encoding that allows for negotiation of multiple TLS versions encoding that allows for negotiation of multiple TLS versions
(Section 4) but encourage implementations to implement only TLS 1.3. (Section 3.1) but encourage implementations to implement only TLS
Implementations which also implement TLS 1.2 MUST implement the 1.3. Implementations which also implement TLS 1.2 MUST implement the
profile described in Section 3.2 profile described in Section 4.2
3.1. TLS 1.3 Profile 4.1. TLS 1.3 Profile
TLS 1.3 is the preferred version of TLS for this specification. In TLS 1.3 is the preferred version of TLS for this specification. In
order to facilitate implementation, this section provides a non- order to facilitate implementation, this section provides a non-
normative description of the parts of TLS 1.3 which are relevant to normative description of the parts of TLS 1.3 which are relevant to
TCPINC and defines a baseline of algorithms and modes which MUST be TCPINC and defines a normative baseline of algorithms and modes which
supported. Other modes, cipher suites, key exchange algorithms, MUST be supported. Other modes, cipher suites, key exchange
certificate formats as defined in [I-D.ietf-tls-tls13] MAY also be algorithms, certificate formats as defined in [I-D.ietf-tls-tls13]
used and that document remains the normative reference for TLS 1.3. MAY also be used and that document remains the normative reference
Bracketed references (e.g., [S. 1.2.3.4] refer to the corresponding for TLS 1.3. Bracketed references (e.g., [S. 1.2.3.4] refer to the
section in that document.) In order to match TLS terminology, we use corresponding section in that document.) In order to match TLS
the term "client" to indicate the TCP-ENO "A" role (See terminology, we use the term "client" to indicate the TCP-ENO "A"
[I-D.bittau-tcpinc-tcpeno]; Section 3.1) and "server" to indicate the role (See [I-D.bittau-tcpinc-tcpeno]; Section 3.1) and "server" to
"B" role. indicate the "B" role.
3.1.1. Handshake Modes 4.1.1. Handshake Modes
TLS 1.3 as used in TCPINC supports two handshake modes, both based on TLS 1.3 as used in TCPINC supports two handshake modes, both based on
ECDHE key exchange. Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.
o A 1-RTT mode which is used when the client has no information o A 1-RTT mode which is used when the client has no information
about the server's keying material (see Figure 1) about the server's keying material (see Figure 3)
o A 0-RTT mode which is used when the client and server have o A 0-RTT mode which is used when the client and server have
connected previous and which allows the client to send data on the connected previous and which allows the client to send data on the
first flight (see Figure 2 first flight (see Figure 4)
In both case, the server is expected to have an ECDSA signing key In both case, the server is expected to have an Elliptic-Curve
which may either be a freshly-generated key or a long-term key Digital Signature Algorithm (ECDSA) signing key which may either be a
(allowing TOFU-style applications). The key need not be associated freshly-generated key or a long-term key (allowing Trust-On-First-Use
with any certificate and can simply be a bare key. (TOFU) style applications). The key need not be associated with any
certificate and can simply be a bare key.
Full TLS 1.3 includes support for additional modes based on pre- Full TLS 1.3 includes support for additional modes based on pre-
shared keys, but TCPINC implementations MAY opt to omit them. shared keys, but TCPINC implementations MAY opt to omit them.
Implementations MUST implement the 1-RTT mode and SHOULD implement Implementations MUST implement the 1-RTT mode and SHOULD implement
the 0-RTT mode. the 0-RTT mode.
Client Server Client Server
ClientHello ClientHello
+ ClientKeyShare --------> + ClientKeyShare
+ TCPENOTranscript ------->
ServerHello ServerHello
ServerKeyShare ServerKeyShare
{EncryptedExtensions} {EncryptedExtensions}
{ServerConfiguration*} {ServerConfiguration*}
{Certificate} {Certificate}
{CertificateVerify} {CertificateVerify}
<-------- {Finished} <-------- {Finished}
<-------- [Application Data]
{Finished} --------> {Finished} -------->
[Application Data] <-------> [Application Data] [Application Data] <-------> [Application Data]
* Indicates optional or situation-dependent * Indicates optional or situation-dependent
messages that are not always sent. messages that are not always sent.
{} Indicates messages protected using keys {} Indicates messages protected using keys
derived from the ephemeral secret. derived from the ephemeral secret.
[] Indicates messages protected using keys [] Indicates messages protected using keys
derived from the master secret. derived from the master secret.
Figure 1: Message flow for full TLS Handshake Figure 3: Message flow for full TLS Handshake
Note: Although these diagrams indicate a message called Note: Although these diagrams indicate a message called
"Certificate", this message MAY either contain a bare public key or "Certificate", this message MAY either contain a bare public key or
an X.509 certificate (this is intended to support the out-of-band use an X.509 certificate (this is intended to support the out-of-band use
case indicated above). Implementations MUST support bare public keys case indicated above). Implementations MUST support bare public keys
and MAY support X.509 certificates. and MAY support X.509 certificates.
3.1.2. Basic 1-RTT Handshake 4.1.2. Basic 1-RTT Handshake
3.1.2.1. Client's First Flight 4.1.2.1. Client's First Flight
3.1.2.1.1. Sending 4.1.2.1.1. Sending
In order to initiate the TLS handshake, the client sends a In order to initiate the TLS handshake, the client sends a
"ClientHello" message [S. 6.3.1.1]. "ClientHello" message [S. 6.3.1.1].
struct { struct {
ProtocolVersion client_version = { 3, 4 }; /* TLS v1.3 */ ProtocolVersion client_version = { 3, 4 }; /* TLS v1.3 */
Random random; Random random;
uint8 session_id_len_RESERVED; /* Must be zero */ uint8 session_id_len_RESERVED; /* Must be zero */
CipherSuite cipher_suites<2..2^16-2>; CipherSuite cipher_suites<2..2^16-2>;
uint8 compression_methods_len_RESERVED; /* Must be zero */ uint8 compression_methods_len_RESERVED; /* Must be zero */
skipping to change at page 6, line 35 skipping to change at page 7, line 45
ClientKeyShare [S. 6.3.2.3] ClientKeyShare [S. 6.3.2.3]
Zero or more ECDHE shares drawn from the groups in NamedGroup. Zero or more ECDHE shares drawn from the groups in NamedGroup.
This SHOULD contain either a P-256 key or an X25519 key. This SHOULD contain either a P-256 key or an X25519 key.
The client MUST also include a ServerCertTypeExtension containing The client MUST also include a ServerCertTypeExtension containing
type "Raw Public Key" [RFC7250], indicating its willingness to accept type "Raw Public Key" [RFC7250], indicating its willingness to accept
a raw public key rather than an X.509 certificate in the server's a raw public key rather than an X.509 certificate in the server's
Certificate message. Certificate message.
3.1.2.1.2. Receiving The client MUST include a TCPENOTranscript extension containing the
TCP-ENO options that were used to negotiate ENO.
4.1.2.2. The TCPENOTranscript
TCPENOTranscript TLS Extension is used to carry the TCP ENO
negotiation transcript. The body of the extension simply includes
the TCP-ENO negotiation transcript as defined in TCP-ENO Section 3.4.
This serves two purposes:
o It binds the TCP-ENO negotiation into the TLS handshake.
o In 0-RTT mode (see Section 4.1.4) it allows the server to provide
an anti-replay nonce which is then mixed into the TLS handshake.
The server MUST validate that the TCPENOTranscript extension matches
the transcript. If not, it MUST fail the handshake with a fatal
"handshake_failure" exception.
4.1.2.2.1. Receiving
Upon receiving the client's ClientHello, the server selects a Upon receiving the client's ClientHello, the server selects a
ciphersuite and ECDHE group out of the lists provided by the client ciphersuite and ECDHE group out of the lists provided by the client
in the cipher_suites list and the NamedGroup extension. If the in the cipher_suites list and the NamedGroup extension. If the
client supplied an appropriate ClientKeyShare for that group, then client supplied an appropriate ClientKeyShare for that group, then
the server responds with a ServerHello (see {{server-first-flight). the server responds with a ServerHello (see Section 4.1.2.3).
Otherwise, it replies with a HelloRetryRequest (Section 3.1.3), Otherwise, it replies with a HelloRetryRequest (Section 4.1.3),
indicating that the client needs to re-send the ClientHello with an indicating that the client needs to re-send the ClientHello with an
appropriate key share; because all TCPINC implementations are appropriate key share; because all TCPINC implementations are
required to support P-256, this should not happen unless P-256 is required to support P-256, this should not happen unless P-256 is
deprecated by a subsequent specification. deprecated by a subsequent specification.
3.1.2.2. Server's First Flight 4.1.2.3. Server's First Flight
3.1.2.2.1. Sending 4.1.2.3.1. Sending
The server respond's to the client's first flight with a sequence of The server responds to the client's first flight with a sequence of
messages: messages:
ServerHello [6.3.1.2] ServerHello [6.3.1.2]
Contains a nonce and the cipher suite that the server has selected Contains a nonce and the cipher suite that the server has selected
out of the client's list. The server MUST support the extensions out of the client's list. The server MUST support the extensions
listed in Section 3.1.2.1.1 and MUST also ignore any extensions it listed in Section 4.1.2.1.1 and MUST also ignore any extensions it
does not recognize; this implies that the server can implement does not recognize; this implies that the server can implement
solely the extensions listed in Section 3.1.2.1.1. solely the extensions listed in Section 4.1.2.1.1.
ServerKeyShare [6.3.3] ServerKeyShare [6.3.3]
Contains the server's ECDHE share for one of the groups offered in Contains the server's ECDHE share for one of the groups offered in
the client's ClientKeyShare message. All messages after the client's ClientKeyShare message. All messages after
ServerKeyShare are encrypted using keys derived from the ServerKeyShare are encrypted using keys derived from the
ClientKeyShare and ServerKeyShare. ClientKeyShare and ServerKeyShare.
EncryptedExtensions [6.3.4] EncryptedExtensions [6.3.4]
Responses to the extensions offered by the client. In this case, Responses to the extensions offered by the client. In this case,
the only relevant extension is the ServerCertTypeExtension. the only relevant extension is the ServerCertTypeExtension.
skipping to change at page 7, line 40 skipping to change at page 9, line 16
The server's certificate. If the client offered a "Raw Public The server's certificate. If the client offered a "Raw Public
Key" type in ServerCertTypeExtension this message SHALL contain a Key" type in ServerCertTypeExtension this message SHALL contain a
SubjectPublicKeyInfo value for the server's key as specified in SubjectPublicKeyInfo value for the server's key as specified in
[RFC7250]. Otherwise, it SHALL contain one or more X.509 [RFC7250]. Otherwise, it SHALL contain one or more X.509
Certificates, as specified in [I-D.ietf-tls-tls13], Section 6.3.5. Certificates, as specified in [I-D.ietf-tls-tls13], Section 6.3.5.
In either case, this message MUST contain a key which is In either case, this message MUST contain a key which is
consistent with the client's SignatureAlgorithms and NamedGroup consistent with the client's SignatureAlgorithms and NamedGroup
extensions. extensions.
ServerConfiguration [6.3.7] ServerConfiguration [6.3.7]
A server configuration value for use in 0-RTT (see Section 3.1.4). A server configuration value for use in 0-RTT (see Section 4.1.4).
CertificateVerify [6.3.8] CertificateVerify [6.3.8]
A signature over the handshake transcript using the key provided A signature over the handshake transcript using the key provided
in the certificate message. in the certificate message.
Finished [6.3.9] Finished [6.3.9]
A MAC over the entire handshake transcript up to this point. A MAC over the entire handshake transcript up to this point.
Once the server has sent the Finished message, it can immediately Once the server has sent the Finished message, it can immediately
generate the application traffic keys and start sending application generate the application traffic keys and start sending application
traffic to the client. traffic to the client.
3.1.2.3. Receiving 4.1.2.4. Receiving
Upon receiving the server's first flight, the client proceeds as Upon receiving the server's first flight, the client proceeds as
follows: follows:
o Read the ServerHello message to determine the cryptographic o Read the ServerHello message to determine the cryptographic
parameters. parameters.
o Read the ServerKeyShare message and use that in combination with o Read the ServerKeyShare message and use that in combination with
the ClientKeyShare to compute the keys which are used to encrypt the ClientKeyShare to compute the keys which are used to encrypt
the rest of the handshake. the rest of the handshake.
skipping to change at page 8, line 35 skipping to change at page 10, line 11
o Read the server's CertificateVerify message and verify the o Read the server's CertificateVerify message and verify the
server's signature over the handshake transcript. If the server's signature over the handshake transcript. If the
signature does not verify, the client terminates the handshake signature does not verify, the client terminates the handshake
with an alert (Section 6.1.2). with an alert (Section 6.1.2).
o Read the server's Finished message and verify the finished MAC o Read the server's Finished message and verify the finished MAC
based on the DH shared secret. If the MAC does not verify, the based on the DH shared secret. If the MAC does not verify, the
client terminates the handshake with an alert. client terminates the handshake with an alert.
3.1.2.4. Client's Second Flight 4.1.2.5. Client's Second Flight
Finally, the client sends a Finished message which contains a MAC Finally, the client sends a Finished message which contains a MAC
over the handshake transcript (except for the server's Finished). over the handshake transcript (except for the server's Finished).
[[TODO: In the upcoming draft of TLS 1.3, the client's Finished will [[TODO: In the upcoming draft of TLS 1.3, the client's Finished will
likely include the server's Finished.]] Once the client has likely include the server's Finished.]] Once the client has
transmitted the Finished, it can begin sending encrypted traffic to transmitted the Finished, it can begin sending encrypted traffic to
the server. the server.
The server reads the client's Finished message and verifies the MAC. The server reads the client's Finished message and verifies the MAC.
If the MAC does not verify, the client terminates the handshake with If the MAC does not verify, the client terminates the handshake with
an alert. an alert.
3.1.3. Hello Retry Request [6.3.1.3] 4.1.3. Hello Retry Request [6.3.1.3]
Because there are a small number of recommended groups, the Because there are a small number of recommended groups, the
ClientKeyShare will generally contain a key share for a group that ClientKeyShare will generally contain a key share for a group that
the server supports. However, it is possible that the client will the server supports. However, it is possible that the client will
not send such a key share, but there may be another group that the not send such a key share, but there may be another group that the
client and server jointly support. In that case, the server MUST client and server jointly support. In that case, the server MUST
send a HelloRetryRequest indicating the desired group: send a HelloRetryRequest indicating the desired group:
struct { struct {
ProtocolVersion server_version; ProtocolVersion server_version;
CipherSuite cipher_suite; CipherSuite cipher_suite;
NamedGroup selected_group; NamedGroup selected_group;
Extension extensions<0..2^16-1>; Extension extensions<0..2^16-1>;
} HelloRetryRequest; } HelloRetryRequest;
In response to the HelloRetryRequest the client re-sends its In response to the HelloRetryRequest the client re-sends its
ClientHello but with the addition of the group indicated in ClientHello but with the addition of the group indicated in
"selected_group". "selected_group".
3.1.4. Zero-RTT Exchange 4.1.4. Zero-RTT Exchange
TLS 1.3 allows the server to send its first application data message TLS 1.3 allows the server to send its first application data message
to the client immediately upon receiving the client's first handshake to the client immediately upon receiving the client's first handshake
message (which the client can send upon receiving the server's SYN/ message (which the client can send upon receiving the server's SYN/
ACK). However, in the basic handshake, the client is required to ACK). However, in the basic handshake, the client is required to
wait for the server's first flight before it can send to the server. wait for the server's first flight before it can send to the server.
TLS 1.3 also includes a "Zero-RTT" feature which allows the client to TLS 1.3 also includes a "Zero-RTT" feature which allows the client to
send data on its first flight to the server. send data on its first flight to the server.
In order to enable this feature, in an initial handshake the server In order to enable this feature, in an initial handshake the server
sends a ServerConfiguration message which contains the server's semi- sends a ServerConfiguration message which contains the server's semi-
static (EC)DH key which can be used for a future handshake: static (EC)DH key which can be used for a future handshake:
struct { struct {
opaque configuration_id<1..2^16-1>; opaque configuration_id<1..2^16-1>;
uint32 expiration_date; uint32 expiration_date;
skipping to change at page 9, line 45 skipping to change at page 11, line 24
uint32 expiration_date; uint32 expiration_date;
NamedGroup group; NamedGroup group;
opaque server_key<1..2^16-1>; opaque server_key<1..2^16-1>;
EarlyDataType early_data_type; EarlyDataType early_data_type;
ConfigurationExtension extensions<0..2^16-1>; ConfigurationExtension extensions<0..2^16-1>;
} ServerConfiguration; } ServerConfiguration;
The group and server_key fields contain the server's (EC)DH key and The group and server_key fields contain the server's (EC)DH key and
the early_data_type field is used to indicate what data can be sent the early_data_type field is used to indicate what data can be sent
in zero-RTT. Because client authentication is forbidden in TCPINC- in zero-RTT. Because client authentication is forbidden in TCPINC-
uses of TLS 1.3 (see Section 3.3), the only valid value here is uses of TLS 1.3 (see Section 4.3), the only valid value here is
"early_data", indicating that the client can send data in 0-RTT. "early_data", indicating that the client can send data in 0-RTT.
When a ServerConfiguration is available, the client can send an In a future connection, a client MAY send 0-RTT data only if the
EarlyDataIndication extension in its ClientHello and then start following three conditions obtain:
sending data immediately, as shown below.
o It has been specifically configured to do so (see Section 6).
o A ServerConfiguration is available.
o The server supplied a nonce in its SYN/ACK suboption [[TODO: Work
out how to make this work with TFO if at all.]]
In this case, the client sends an EarlyDataIndication extension in
its ClientHello and can start sending data immediately, as shown
below.
Client Server Client Server
ClientHello ClientHello
+ ClientKeyShare + ClientKeyShare
+ EarlyDataIndication + EarlyDataIndication
+ TCPENOTranscript
(EncryptedExtensions) (EncryptedExtensions)
(Application Data) --------> (Application Data) -------->
ServerHello ServerHello
+ EarlyDataIndication + EarlyDataIndication
ServerKeyShare ServerKeyShare
{EncryptedExtensions} {EncryptedExtensions}
{ServerConfiguration*} {ServerConfiguration*}
{Certificate} {Certificate}
{CertificateVerify} {CertificateVerify}
<-------- {Finished} <-------- {Finished}
<-------- [Application Data]
{Finished} --------> {Finished} -------->
[Application Data] <-------> [Application Data] [Application Data] <-------> [Application Data]
() Indicates messages protected using keys () Indicates messages protected using keys
derived from the static secret. derived from the static secret.
Figure 2: Message flow for a zero round trip handshake Figure 4: Message flow for a zero round trip handshake
IMPORTANT NOTE: TLS 1.3 Zero-RTT data is inherently replayable (see IMPORTANT NOTE: TLS 1.3 Zero-RTT does not provide PFS and therefore
the note in [I-D.ietf-tls-tls13] Section 6.2.2). If only passive MUST only be used when explicitly configured.
threat models are relevant, this issue becomes less important.
However, if applications are performing an external channel binding
using the session id to prevent active attack, then care must be
taken to prevent this form of attack. See Section 6.2.2 of
[I-D.ietf-tls-tls13] for more information on this topic. [[OPEN
ISSUE: can we use data from the TCP SYN as anti-replay stuff.]]
3.1.5. Key Schedule Note: TLS 1.3 Zero-RTT data is inherently replayable (see the note in
[I-D.ietf-tls-tls13] Section 6.2.2). However, because the client and
server have already exchanged data in the _TCP_ handshake, this data
can be used to provide anti-replay for a 0-RTT mode TLS handshake via
the TCPENOTranscript extension.
4.1.5. Key Schedule
TLS 1.3 derives its traffic keys from two input keying material TLS 1.3 derives its traffic keys from two input keying material
values: values:
Ephemeral Secret (ES): A secret which is derived from ClientKeyShare Ephemeral Secret (ES): A secret which is derived from ClientKeyShare
and ServerKeyShare. and ServerKeyShare.
Static Secret (SS): A secret which which is derived from Static Secret (SS): A secret which which is derived from
ClientKeyShare and either ServerKeyShare (in the 1-RTT case) or the ClientKeyShare and either ServerKeyShare (in the 1-RTT case) or the
public key in the ServerConfiguration (in the 0-RTT case). public key in the ServerConfiguration (in the 0-RTT case).
The handshake is encrypted under keys derived from ES. The ordinary The handshake is encrypted under keys derived from ES. The ordinary
traffic keys are derived from the combination of ES and SS. The traffic keys are derived from the combination of ES and SS. The
0-RTT traffic keys are derived solely from ES and therefore have 0-RTT traffic keys are derived solely from ES and therefore have
limited forward security. All key derivation is done using HKDF limited forward security. All key derivation is done using the HKDF
[RFC5869]. key-derivation algorithm [RFC5869].
3.1.6. Record Protection 4.1.6. Record Protection
Once the TLS handshake has completed, all data is protected as a Once the TLS handshake has completed, all data is protected as a
series of TLS Records. series of TLS Records.
struct { struct {
ContentType opaque_type = application_data(23); /* see fragment.type */ ContentType opaque_type = application_data(23); /* see fragment.type */
ProtocolVersion record_version = { 3, 1 }; /* TLS v1.x */ ProtocolVersion record_version = { 3, 1 }; /* TLS v1.x */
uint16 length; uint16 length;
aead-ciphered struct { aead-ciphered struct {
opaque content[TLSPlaintext.length]; opaque content[TLSPlaintext.length];
ContentType type; ContentType type;
uint8 zeros[length_of_padding]; uint8 zeros[length_of_padding];
} fragment; } fragment;
} TLSCiphertext; } TLSCiphertext;
Each record is encrypted with an AEAD cipher with the following Each record is encrypted with an Authenticated Encryption with
parameters: Additional Data (AEAD) cipher with the following parameters:
o The AEAD nonce is constructed by generating a per-connection nonce o The AEAD nonce is constructed by generating a per-connection nonce
mask of length max(8 bytes, N_MIN) for the AEAD algorithm (see mask of length max(8 bytes, N_MIN) for the AEAD algorithm (N_MIN
[RFC5116] Section 4) and XORing it with the record sequence number is the minimum nonce size defined in [RFC5116] Section 4) and
(left-padded with zeroed). XORing it with the sequence number of the TLS record (left-padded
with zeroes).
o The additional data is the sequence number + the TLS version o The additional data is the sequence number + the TLS version
number. number.
The record data MAY BE padded with zeros to the right. Because the The record data MAY BE padded with zeros to the right. Because the
content type value is always non-zero, the padding is removed by content type byte value is always non-zero, the padding is removed by
removing bytes from the right until a non-zero byte is encountered. removing bytes from the right until a non-zero byte is encountered.
3.2. TLS 1.2 Profile 4.2. TLS 1.2 Profile
Implementations MUST implement and require the TLS Extended Master Implementations MUST implement and require the TLS Extended Master
Secret Extension [I-D.ietf-tls-session-hash] and MUST NOT negotiate Secret Extension [I-D.ietf-tls-session-hash] and MUST NOT negotiate
versions of TLS prior to TLS 1.2. Implementations MUST NOT negotiate versions of TLS prior to TLS 1.2. Implementations MUST NOT negotiate
non-AEAD cipher suites and MUST use only PFS cipher suites with a key non-AEAD cipher suites and MUST use only PFS cipher suites with a key
of at least 2048 bits (finite field) or 256 bites (elliptic curve). of at least 2048 bits (finite field) or 256 bites (elliptic curve).
TLS 1.2 implementations MUST NOT initiate renegotiation and MUST TLS 1.2 implementations MUST NOT initiate renegotiation and MUST
respond to renegotiation with a fatal "no_renegotiation" alert. respond to renegotiation with a fatal "no_renegotiation" alert.
3.3. Deprecated Features 4.3. Deprecated Features
When TLS is used with TCPINC, a number of TLS features MUST NOT be When TLS is used with TCPINC, a number of TLS features MUST NOT be
used, including: used, including:
o TLS certificate-based client authentication o TLS certificate-based client authentication
o Session resumption [????] o Session resumption
3.4. Session ID
TCP-ENO Section 4.1 defines a session ID feature (not to be confused These features have only minimal advantage in this context and
with TLS Session IDs). When the protocol in use is TLS, the session interfere with offering a reduced profile.
ID is computed via a TLS Exporter [RFC5705] using the Exporter Label
[[TBD]] and with the "context" input being the TCP-ENO negotiation
transcript defined in [I-D.bittau-tcpinc-tcpeno] Section 3.4.
3.5. Cryptographic Algorithms 4.4. Cryptographic Algorithms
Implementations of this specification MUST implement the following Implementations of this specification MUST implement the following
cipher suite: cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
These cipher suites MUST support both digital signatures and key These cipher suites MUST support both digital signatures and key
exchange with secp256r1 (NIST P-256) and SHOULD support key agrement exchange with secp256r1 (NIST P-256) and SHOULD support key agrement
with X25519 [I-D.irtf-cfrg-curves]. with X25519 [I-D.irtf-cfrg-curves].
Implementations of this specification SHOULD implement the following Implementations of this specification SHOULD implement the following
cipher suites: cipher suites:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
4. Suboption Definition
This document uses a one byte TCP-ENO suboption. See Section 8.
5. Transport Integrity 5. Transport Integrity
The basic operational mode defined by TCP-TLS protects only the The basic operational mode defined by TCP-TLS protects only the
application layer content, but not the TCP segment metadata. Upon application layer content, but not the TCP segment metadata. Upon
receiving a packet, implementations MUST first check the TCP checksum receiving a packet, implementations MUST first check the TCP checksum
and discard corrupt packets without presenting them to TLS. If the and discard corrupt packets without presenting them to TLS. If the
TCP checksum passes but TLS integrity fails, the connection MUST be TCP checksum passes but TLS integrity fails, the connection MUST be
torn down. torn down.
Thus, TCP-TLS provides automatic security for the content, but not Thus, TCP-TLS provides automatic security for the content, but not
protection against DoS-style attacks. For instance, attackers will protection against DoS-style attacks. For instance, attackers will
be able to inject RST packets, bogus application segments, etc., be able to inject RST packets, bogus application segments, etc.,
regardless of whether TLS authentication is used. Because the regardless of whether TLS authentication is used. Because the
application data is TLS protected, this will not result in the application data is TLS protected, this will not result in the
application receiving bogus data, but it will constitute a DoS on the application receiving bogus data, but it will constitute a DoS on the
connection. connection.
This attack could be countered by using TCP-TLS in combination with This attack could be countered by using TCP-TLS in combination with
TCP-AO [RFC5925], using ALPN to negotiate the use of AO. [[OPEN TCP-AO [RFC5925], using Application-Layer Protocol Negotiation (ALPN)
ISSUE: Is this something we want? Maybe in a separate [RFC7301] to negotiate the use of AO. [[OPEN ISSUE: Is this
specification.]] something we want? Maybe in a separate specification.]]
6. Implementation Options 6. API Considerations
Needed here:
o How to configure 0-RTT and send 0-RTT data (some sort of sockopt).
o When is the session-id available (post-connect() completion).
o How to indicate that the certificate should be validated.
7. Implementation Considerations
There are two primary implementation options for TCP-TLS: There are two primary implementation options for TCP-TLS:
o Implement all of TCP-TLS in the operating system kernel. o Implement all of TCP-TLS in the operating system kernel.
o Implement just the TCP-TLS negotiation option in the operating o Implement just the TCP-TLS negotiation option in the operating
system kernel with an interface to tell the application that TCP- system kernel with an interface to tell the application that TCP-
TLS has been negotiated and therefore that the application must TLS has been negotiated and therefore that the application must
negotiate TLS. negotiate TLS.
The former option obviously achieves easier deployment for The former option obviously achieves easier deployment for
applications, which don't have to do anything, but is more effort for applications, which don't have to do anything, but is more effort for
kernel developers and requires a wider interface to the kernel to kernel developers and requires a wider interface to the kernel to
configure the TLS stack. The latter option is inherently more configure the TLS stack. The latter option is inherently more
flexible but does not provide as immediate transparent deployment. flexible but does not provide as immediate transparent deployment.
It is also possible for systems to offer both options. It is also possible for systems to offer both options.
7. NAT/Firewall considerations 8. NAT/Firewall considerations
If use of TLS is negotiated, the data sent over TCP simply is TLS If use of TLS is negotiated, the data sent over TCP simply is TLS
data in compliance with {{RFC5246}. Thus it is extremely likely to data in compliance with [RFC5246]. Thus it is extremely likely to
pass through NATs, firewalls, etc. The only kind of middlebox that pass through NATs, firewalls, etc. The only kind of middlebox that
is likely to cause a problem is one which does protocol enforcement is likely to cause a problem is one which does protocol enforcement
that blocks TLS on arbitrary (non-443) ports but _also_ passes that blocks TLS on arbitrary (non-443) ports but _also_ passes
unknown TCP options. Although no doubt such devices do exist, unknown TCP options. Although no doubt such devices do exist,
because this is a common scenario, a client machine should be able to because this is a common scenario, a client machine should be able to
probe to determine if it is behind such a device relatively readily. probe to determine if it is behind such a device relatively readily.
8. IANA Considerations 9. IANA Considerations
IANA [shall register/has registered] the TCP-ENO suboption XX for IANA [shall register/has registered] the TCP-ENO suboption XX for
TCP-TLS. TCP-TLS.
IANA [shall register/has registered] the ALPN code point "tcpao" to IANA [shall register/has registered] the ALPN code point "tcpao" to
indicate the use of TCP-TLS with TCP-AO. indicate the use of TCP-TLS with TCP-AO.
9. Security Considerations 10. Security Considerations
The mechanisms in this document are inherently vulnerable to active The mechanisms in this document are inherently vulnerable to active
attack because an attacker can remove the TCP-TLS option, thus attack because an attacker can remove the TCP-TLS option, thus
downgrading you to ordinary TCP. Even when TCP-AO is used, all that downgrading you to ordinary TCP. Even when TCP-AO is used, all that
is being provided is continuity of authentication from the initial is being provided is continuity of authentication from the initial
handshake. If some sort of external authentication mechanism was handshake. If some sort of external authentication mechanism was
provided or certificates are used, then you might get some protection provided or certificates are used, then you might get some protection
against active attack. against active attack.
Once the TCP-TLS option has been negotiated, then the connection is Once the TCP-TLS option has been negotiated, then the connection is
skipping to change at page 14, line 32 skipping to change at page 16, line 32
while data integrity is provided, the connection is not resistant to while data integrity is provided, the connection is not resistant to
DoS attacks intended to terminate it. DoS attacks intended to terminate it.
If TCP-AO is used, then any bogus packets injected by an attacker If TCP-AO is used, then any bogus packets injected by an attacker
will be rejected by the TCP-AO integrity check and therefore will will be rejected by the TCP-AO integrity check and therefore will
never reach the TLS layer. Thus, in this case, the connection is never reach the TLS layer. Thus, in this case, the connection is
also resistant to DoS attacks, provided that endpoints require also resistant to DoS attacks, provided that endpoints require
integrity protection for RST packets. If endpoints accept integrity protection for RST packets. If endpoints accept
unauthenticated RST, then no DoS protection is provided. unauthenticated RST, then no DoS protection is provided.
10. References 11. References
10.1. Normative References 11.1. Normative References
[I-D.bittau-tcpinc-tcpeno] [I-D.bittau-tcpinc-tcpeno]
Bittau, A., Boneh, D., Giffin, D., Handley, M., Mazieres, Bittau, A., Boneh, D., Giffin, D., Handley, M., Mazieres,
D., and E. Smith, "TCP-ENO: Encryption Negotiation D., and E. Smith, "TCP-ENO: Encryption Negotiation
Option", draft-bittau-tcpinc-tcpeno-02 (work in progress), Option", draft-bittau-tcpinc-tcpeno-02 (work in progress),
September 2015. September 2015.
[I-D.ietf-tls-applayerprotoneg] [I-D.ietf-tls-applayerprotoneg]
Friedl, S., Popov, A., Langley, A., and S. Emile, Friedl, S., Popov, A., Langley, A., and S. Emile,
"Transport Layer Security (TLS) Application Layer Protocol "Transport Layer Security (TLS) Application Layer Protocol
skipping to change at page 16, line 5 skipping to change at page 18, line 5
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, DOI 10.17487/RFC5925, Authentication Option", RFC 5925, DOI 10.17487/RFC5925,
June 2010, <http://www.rfc-editor.org/info/rfc5925>. June 2010, <http://www.rfc-editor.org/info/rfc5925>.
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J., [RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250, Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, <http://www.rfc-editor.org/info/rfc7250>. June 2014, <http://www.rfc-editor.org/info/rfc7250>.
10.2. Informative References 11.2. Informative References
[I-D.bittau-tcp-crypt] [I-D.bittau-tcp-crypt]
Bittau, A., Boneh, D., Hamburg, M., Handley, M., Mazieres, Bittau, A., Boneh, D., Hamburg, M., Handley, M., Mazieres,
D., and Q. Slack, "Cryptographic protection of TCP Streams D., and Q. Slack, "Cryptographic protection of TCP Streams
(tcpcrypt)", draft-bittau-tcp-crypt-04 (work in progress), (tcpcrypt)", draft-bittau-tcp-crypt-04 (work in progress),
February 2014. February 2014.
[I-D.ietf-tls-falsestart] [I-D.ietf-tls-falsestart]
Langley, A., Modadugu, N., and B. Moeller, "Transport Langley, A., Modadugu, N., and B. Moeller, "Transport
Layer Security (TLS) False Start", draft-ietf-tls- Layer Security (TLS) False Start", draft-ietf-tls-
skipping to change at page 16, line 27 skipping to change at page 18, line 27
[RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings [RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
for TLS", RFC 5929, DOI 10.17487/RFC5929, July 2010, for TLS", RFC 5929, DOI 10.17487/RFC5929, July 2010,
<http://www.rfc-editor.org/info/rfc5929>. <http://www.rfc-editor.org/info/rfc5929>.
[RFC6919] Barnes, R., Kent, S., and E. Rescorla, "Further Key Words [RFC6919] Barnes, R., Kent, S., and E. Rescorla, "Further Key Words
for Use in RFCs to Indicate Requirement Levels", RFC 6919, for Use in RFCs to Indicate Requirement Levels", RFC 6919,
DOI 10.17487/RFC6919, April 2013, DOI 10.17487/RFC6919, April 2013,
<http://www.rfc-editor.org/info/rfc6919>. <http://www.rfc-editor.org/info/rfc6919>.
[RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <http://www.rfc-editor.org/info/rfc7301>.
Author's Address Author's Address
Eric Rescorla Eric Rescorla
Mozilla Mozilla
EMail: ekr@rtfm.com EMail: ekr@rtfm.com
 End of changes. 64 change blocks. 
131 lines changed or deleted 215 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/