Application-Layer TLS
draft-friel-tls-atls-01
Network Working Group O. Friel
Internet-Draft R. Barnes
Intended status: Standards Track M. Pritikin
Expires: February 1, 2019 Cisco
H. Tschofenig
ARM Limited
M. Baugher
Consultant
July 31, 2018
Application-Layer TLS
draft-friel-tls-atls-01
Abstract
This document specifies how TLS sessions can be established at the
application layer over untrusted transport between clients and
services for the purposes of establishing secure end-to-end encrypted
communications channels. Transport layer encodings for application
layer TLS records are specified for HTTP and CoAP transport.
Explicit identification of application layer TLS packets enables
middleboxes to provide transport services and enforce suitable
transport policies for these payloads, without requiring access to
the unencrypted payload content. Multiple scenarios are presented
identifying the need for end-to-end application layer encryption
between clients and services, and the benefits of reusing the well-
defined TLS protocol, and a standard TLS stack, to accomplish this
are described. Application software architectures for building, and
network architectures for deploying application layer TLS are
outlined.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 1, 2019.
Friel, et al. Expires February 1, 2019 [Page 1]
Internet-Draft ATLS July 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Application Layer End-to-End Security Use Cases . . . . . . . 4
3.1. Bootstrapping Devices . . . . . . . . . . . . . . . . . . 4
3.2. Constrained Devices . . . . . . . . . . . . . . . . . . . 5
3.2.1. Constrained Device Connecting over a Closed Network . 5
3.2.2. Constrained Device Connecting over the Internet . . . 6
4. Current Approaches to Application Layer End-to-End Security . 7
4.1. Noise . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2. Signal . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3. Google ALTS . . . . . . . . . . . . . . . . . . . . . . . 7
4.4. Ephemeral Diffie-Hellman Over COSE . . . . . . . . . . . 8
5. ATLS Goals . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. Architecture Overview . . . . . . . . . . . . . . . . . . . . 8
6.1. Application Architecture . . . . . . . . . . . . . . . . 8
6.1.1. Application Architecture Benefits . . . . . . . . . . 11
6.1.2. ATLS Packet Identification . . . . . . . . . . . . . 12
6.1.3. ATLS Session Tracking . . . . . . . . . . . . . . . . 12
6.1.4. ATLS Record Inspection . . . . . . . . . . . . . . . 12
6.1.5. Implementation . . . . . . . . . . . . . . . . . . . 12
6.2. Functional Design . . . . . . . . . . . . . . . . . . . . 13
6.3. Network Architecture . . . . . . . . . . . . . . . . . . 13
7. Key Exporting and Application Data Encryption . . . . . . . . 15
Show full document text