]> Ericsson

john.mattsson@ericsson.com

University of the Bundeswehr Munich

Neubiberg Bavaria 85577 Germany hannes.tschofenig@gmx.net

Münster Univ. of Applied Sciences

tuexen@fh-muenster.de

Security Transport Layer Security next generation unicorn sparkling distributed ledger TLS 1.3 records limit the inner plaintext (TLSInnerPlaintext) size to 2¹⁴ + 1 bytes, which includes one byte for the content type. DTLS 1.3 uses the same plaintext size limit. This document defines a TLS extension that allows endpoints to advertise larger per-direction maximum inner plaintext sizes, up to 2³⁰ - 256 bytes, while reducing overhead in TLS 1.3 and DTLS 1.3 record headers. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction TLS 1.3 records limit the inner plaintext (TLSInnerPlaintext) size to 2¹⁴ + 1 bytes, which includes one byte for the content type. Records also have a 3-byte overhead due to the fixed opaque_type and legacy_record_version fields. TLS-based protocols are increasingly used to secure long-lived interfaces in critical infrastructure, such as telecommunication networks. In some infrastructure use cases, the upper layer of DTLS expects a message oriented service and uses message sizes much larger than 2¹⁴-bytes. In these cases, the 2¹⁴-byte limit in TLS necessitates an additional protocol layer for fragmentation, resulting in increased CPU and memory consumption and additional complexity. Allowing 2³⁰-byte records would eliminate additional fragmentation in almost all use cases. In (DTLS over SCTP), the 2¹⁴-byte limit is a severe restriction. This document defines a "large_record_size_limit" extension. The extension is negotiated during the handshake, and each endpoint independently advertises the maximum inner plaintext (TLSInnerPlaintext) size it is willing to receive. Therefore, the two traffic directions can use different limits. This extension is valid in TLS 1.3 and DTLS 1.3. The extension works similarly to the "record_size_limit" extension defined in . Additionally, this document defines new TLS 1.3 TLSLargeCiphertext and DTLS 1.3 unified_hdr structures to enable inner plaintexts up to 2³⁰ - 256 bytes with reduced overhead. For example, ciphertexts up to 64 bytes can be supported with 4 bytes less overhead and ciphertexts up to 2¹⁴ bytes can be supported with 3 bytes less overhead, which is useful in constrained IoT environments. The "large_record_size_limit" extension is incompatible with middleboxes expecting TLS 1.2 records.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The "large_record_size_limit" Extension The ExtensionData of the "large_record_size_limit" extension is LargeRecordSizeLimit: LargeRecordSizeLimit denotes the maximum size, in bytes, of inner plaintexts that the endpoint is willing to receive. It includes the content type and padding (i.e., the complete length of TLSInnerPlaintext). AEAD expansion is not included. This is the same value as RecordSizeLimit negotiated in the "record_size_limit" extension . The large record size limit only applies to records sent toward the endpoint that advertises the limit. An endpoint can send records that are larger than the limit it advertises as its own limit. A TLS endpoint that receives a record larger than its advertised limit MUST generate a fatal "record_overflow" alert; a DTLS endpoint that receives a record larger than its advertised limit SHOULD discard the record and SHOULD NOT generate a fatal "record_overflow" alert. An endpoint MUST NOT add padding to records that would cause the length of TLSInnerPlaintext to exceed the limit advertised by the other endpoint. Endpoints MUST NOT send a "large_record_size_limit" extension with a value smaller than 64 or larger than 2³⁰ - 256. An endpoint MUST treat receipt of a smaller or larger value as a fatal error and generate an "illegal_parameter" alert. The server sends the "large_record_size_limit" extension in the EncryptedExtensions message. During resumption, the limit is renegotiated. Records are subject to the limits that were set in the handshake that produces the keys that are used to protect those records. This admits the possibility that the extension might not be negotiated during resumption. If the extension is not negotiated in a subsequent handshake, records protected with keys from that handshake are not subject to "large_record_size_limit" and are instead subject to the record size limits and record formats defined by TLS 1.3 and DTLS 1.3 , unless another negotiated extension specifies otherwise. Unprotected messages and records protected with early_traffic_secret or handshake_traffic_secret are not subject to the large record size limit and remain subject to the record size limits and record formats defined by TLS 1.3 and DTLS 1.3 . In particular, these records MUST use TLSCiphertext (TLS) or the DTLSCiphertext unified_hdr length encoding from (DTLS), rather than TLSLargeCiphertext or the varuint length encoding defined in this document. When the "large_record_size_limit" extension is negotiated:

• All TLS 1.3 records protected with application traffic keys (derived from application_traffic_secret_N) MUST use the TLSLargeCiphertext structure instead of the TLSCiphertext structure. Instead of using a fixed-length field, this specification defines a variable-length unsigned integer type, referred to as varuint, as specified in . The varuint encoding is similar to the variable-length integer encoding defined in , but requires minimum-size encoding. As defined in , the two most significant bits of the first byte indicate the base 2 logarithm of the integer encoding length in bytes. The remaining bits encode the integer value in network byte order. The encoded representation MUST use the smallest number of octets necessary to represent the integer value to ensure a unique wire representation. When decoding, any value that uses more octets than necessary is an invalid length encoding and MUST be treated as if the record exceeded the peer's advertised record size limit. This means that integers are encoded in 1, 2, or 4 bytes and can encode 6-, 14-, or 30-bit values, respectively. The varuint type is defined only for the record length fields specified in this document. summarizes the encoding properties from .

Summary of varuint Encodings.

Prefix	Length	Usable Bits	Min	Max
00	1	6	0	63
01	2	14	64	16383
10	4	30	16384	1073741823
11	invalid	-	-	-

If the first two bits of the length field are 11, the encoded length is invalid and MUST be treated as if the record exceeded the peer's advertised record size limit.

• All DTLS 1.3 records protected with application traffic keys (derived from application_traffic_secret_N) and with length present MUST use a unified_hdr structure with a varuint length equal to the TLS 1.3 length field defined above.

• An endpoint MAY generate records protected with application traffic keys (derived from application_traffic_secret_N) with inner plaintext length that is equal to or smaller than the LargeRecordSizeLimit value it receives from its peer. An endpoint MUST NOT generate a protected record with inner plaintext length that is larger than the LargeRecordSizeLimit value it receives from its peer.

The "large_record_size_limit" extension is not compatible with middleboxes expecting TLS 1.2 records and SHOULD NOT be negotiated where such middleboxes are expected. Endpoints that support this specification SHOULD prefer "large_record_size_limit" over "record_size_limit" and "max_fragment_length", and a client SHOULD offer at most one of these extensions. A server MUST NOT send extension responses to more than one of "large_record_size_limit", "record_size_limit", and "max_fragment_length". A client MUST treat receipt of more than one of "large_record_size_limit", "record_size_limit", and "max_fragment_length" as a fatal error, and it SHOULD generate an "illegal_parameter" alert. The Path Maximum Transmission Unit (PMTU) in DTLS also limits the size of records. The record size limit does not affect PMTU discovery and SHOULD be set independently. The record size limit is fixed during the handshake and so should be set based on constraints at the endpoint and not based on the current network environment. In comparison, the PMTU is determined by the network path and can change dynamically over time.

Limits on Key Usage TLS 1.3 and DTLS 1.3 limit the number of full-size records that may be encrypted under a given set of keys. Increasing the maximum inner plaintext size to more than 2¹⁴ bytes while keeping the same confidentiality and integrity advantage per write key therefore requires lower AEAD limits. When "large_record_size_limit" has been negotiated with a record size limit larger than 2¹⁴ + 1 bytes, existing AEAD limits SHALL be decreased by a factor of (LargeRecordSizeLimit) / (2¹⁴). For AES-GCM, usage against the confidentiality limit is block-based: each protected record consumes ceil(record_plaintext_length / 16) * 16 bytes. For example, when AES-GCM is used in TLS 1.3 with a 64 kB record limit, only around 2^22.5 full-size records (about 6 million) may be encrypted under a given set of keys. For ChaCha20/Poly1305, the record sequence number would still wrap before the safety limit is reached.

Security Considerations Large record sizes might require more memory allocation for senders and receivers. Additionally, larger record sizes also means that more processing is done before verification of non-authentic records fails. TLS implementations MUST NOT provide access to the decrypted message content until after its integrity is confirmed. The use of larger record sizes can either simplify or complicate traffic analysis, depending on the application. The LargeRecordSizeLimit is just an upper limit and it is still the sender that decides the size of the inner plaintexts up to that limit.

IANA Considerations IANA is requested to assign a new value in the TLS ExtensionType Values registry defined by :

• The Extension Name should be large_record_size_limit
• The TLS 1.3 value should be CH, EE
• The DTLS-Only value should be N
• The Recommended value should be Y
• The Reference should be this document

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Independent This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes RFCs 5077, 5246, 6961, 8422, and 8446. This document also specifies new requirements for TLS 1.2 implementations. This document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process. This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301. An extension to Transport Layer Security (TLS) is defined that allows endpoints to negotiate the maximum size of protected records that each will send the other. This replaces the maximum fragment length extension defined in RFC 6066. This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document obsoletes RFC 6347. Messaging applications are increasingly making use of end-to-end security mechanisms to ensure that messages are only accessible to the communicating endpoints, and not to any servers involved in delivering messages. Establishing keys to provide such protections is challenging for group chat settings, in which more than two clients need to agree on a key but may not be online at the same time. In this document, we specify a key establishment protocol that provides efficient asynchronous group key establishment with forward secrecy (FS) and post-compromise security (PCS) for groups in size ranging from two to thousands. Informative References This document describes the usage of the Datagram Transport Layer Security (DTLS) protocol over the Stream Control Transmission Protocol (SCTP). DTLS over SCTP provides communications privacy for applications that use SCTP as their transport protocol and allows client/server applications to communicate in a way that is designed to prevent eavesdropping and detect tampering or message forgery. Applications using DTLS over SCTP can use almost all transport features provided by SCTP and its extensions. [STANDARDS-TRACK] This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.

Change Log Changes from -02 to -03:

• Addressed WGLC comments from Magnus Westerlund, Ilari Liusvaara,Valery Smyslov, Eric Rescorla and Martin Thomson.

Changes from -01 to -02:

• Variable length field equal to the one defined in MLS
• Clarification that the extension value is equal to RFC8449
• Clarification and corrections on AEAD limits

Changes from -00 to -01:

• Keep alive

Changes from -05 to -00:

• WG adoption

Changes from -04 to -05:

• Grammar and comprehension tweaks.
• Added change log

Changes from -03 to -04:

• Corrected uint24 to uint32.

Changes from -02 to -03:

• Major rewrite based on discussions at IETF 119
• New independent extension instead of flag extension used together with record_size_limit
• New record format without opaque_type and legacy_record_version fields. This reduces overhead
• Support inner plaintext size up to 2^32 - 256 bytes

Acknowledgments The authors would like to thank , , , , , , , , , and for their valuable comments and feedback. Some of the text were inspired by and borrowed from . We would also like to thank our TLS working group chairs for their support.