draft-ietf-tls-compression-07.txt   rfc3749.txt 
Network Working Group S. Hollenbeck Network Working Group S. Hollenbeck
Internet-Draft VeriSign, Inc. Request for Comments: 3749 VeriSign, Inc.
Updates: 2246 (if approved) January 16, 2004 Category: Standards Track May 2004
Expires: July 16, 2004
Transport Layer Security Protocol Compression Methods Transport Layer Security Protocol Compression Methods
draft-ietf-tls-compression-07.txt
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document specifies an Internet standards track protocol for the
all provisions of Section 10 of RFC2026. Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Internet-Drafts are working documents of the Internet Engineering Official Protocol Standards" (STD 1) for the standardization state
Task Force (IETF), its areas, and its working groups. Note that other and status of this protocol. Distribution of this memo is unlimited.
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 16, 2004.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved. Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract Abstract
The Transport Layer Security (TLS) protocol (RFC 2246) includes The Transport Layer Security (TLS) protocol (RFC 2246) includes
features to negotiate selection of a lossless data compression method features to negotiate selection of a lossless data compression method
as part of the TLS Handshake Protocol and to then apply the algorithm as part of the TLS Handshake Protocol and to then apply the algorithm
associated with the selected method as part of the TLS Record associated with the selected method as part of the TLS Record
Protocol. TLS defines one standard compression method which Protocol. TLS defines one standard compression method which
specifies that data exchanged via the record protocol will not be specifies that data exchanged via the record protocol will not be
compressed. This document describes an additional compression method compressed. This document describes an additional compression method
associated with a lossless data compression algorithm for use with associated with a lossless data compression algorithm for use with
TLS, and it describes a method for the specification of additional TLS, and it describes a method for the specification of additional
TLS compression methods. TLS compression methods.
Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Compression Methods . . . . . . . . . . . . . . . . . . . . . 3 2. Compression Methods . . . . . . . . . . . . . . . . . . . . . 2
2.1 DEFLATE Compression . . . . . . . . . . . . . . . . . . . . . 4 2.1. DEFLATE Compression. . . . . . . . . . . . . . . . . . . 3
3. Compression History and Packet Processing . . . . . . . . . . 4 3. Compression History and Packet Processing . . . . . . . . . . 4
4. Internationalization Considerations . . . . . . . . . . . . . 5 4. Internationalization Considerations . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
Normative References . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Informative References . . . . . . . . . . . . . . . . . . . . 7 8.1. Normative References . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . . 8 Full Copyright Statement . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
The Transport Layer Security (TLS) protocol (RFC 2246, [2]) includes The Transport Layer Security (TLS) protocol (RFC 2246, [2]) includes
features to negotiate selection of a lossless data compression method features to negotiate selection of a lossless data compression method
as part of the TLS Handshake Protocol and to then apply the algorithm as part of the TLS Handshake Protocol and to then apply the algorithm
associated with the selected method as part of the TLS Record associated with the selected method as part of the TLS Record
Protocol. TLS defines one standard compression method, Protocol. TLS defines one standard compression method,
CompressionMethod.null, which specifies that data exchanged via the CompressionMethod.null, which specifies that data exchanged via the
record protocol will not be compressed. While this single record protocol will not be compressed. While this single
compression method helps ensure that TLS implementations are compression method helps ensure that TLS implementations are
interoperable, the lack of additional standard compression methods interoperable, the lack of additional standard compression methods
has limited the ability of implementers to develop interoperable has limited the ability of implementers to develop interoperable
implementations that include data compression. implementations that include data compression.
TLS is used extensively to secure client-server connections on the TLS is used extensively to secure client-server connections on the
World Wide Web. While these connections can often be characterized World Wide Web. While these connections can often be characterized
as short-lived and exchanging relatively small amounts of data, TLS as short-lived and exchanging relatively small amounts of data, TLS
is also being used in environments where connections can be is also being used in environments where connections can be long-
long-lived and the amount of data exchanged can extend into thousands lived and the amount of data exchanged can extend into thousands or
or millions of octets. XML [4], for example, is increasingly being millions of octets. XML [4], for example, is increasingly being used
used as a data representation method on the Internet, and XML tends as a data representation method on the Internet, and XML tends to be
to be verbose. Compression within TLS is one way to help reduce the verbose. Compression within TLS is one way to help reduce the
bandwidth and latency requirements associated with exchanging large bandwidth and latency requirements associated with exchanging large
amounts of data while preserving the security services provided by amounts of data while preserving the security services provided by
TLS. TLS.
This document describes an additional compression method associated This document describes an additional compression method associated
with a lossless data compression algorithm for use with TLS. with a lossless data compression algorithm for use with TLS.
Standardization of the compressed data formats and compression Standardization of the compressed data formats and compression
algorithms associated with this compression method is beyond the algorithms associated with this compression method is beyond the
scope of this document. scope of this document.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [1].
2. Compression Methods 2. Compression Methods
TLS [2] includes the following compression method structure in TLS [2] includes the following compression method structure in
sections 6.1 and 7.4.1.2 and Appendix sections A.4.1 and A.6: sections 6.1 and 7.4.1.2 and Appendix sections A.4.1 and A.6:
enum { null(0), (255) } CompressionMethod; enum { null(0), (255) } CompressionMethod;
which allows for later specification of up to 256 different which allows for later specification of up to 256 different
compression methods. This definition is updated to segregate the compression methods. This definition is updated to segregate the
range of allowable values into three zones: range of allowable values into three zones:
1. Values from 0 (zero) through 63 decimal (0x3F) inclusive are 1. Values from 0 (zero) through 63 decimal (0x3F) inclusive are
reserved for IETF Standards Track protocols. reserved for IETF Standards Track protocols.
2. Values from 64 decimal (0x40) through 223 decimal (0xDF) 2. Values from 64 decimal (0x40) through 223 decimal (0xDF) inclusive
inclusive are reserved for assignment for non-Standards Track are reserved for assignment for non-Standards Track methods.
methods.
3. Values from 224 decimal (0xE0) through 255 decimal (0xFF) 3. Values from 224 decimal (0xE0) through 255 decimal (0xFF)
inclusive are reserved for private use. inclusive are reserved for private use.
Additional information describing the role of the IANA in the Additional information describing the role of the IANA in the
allocation of compression method identifiers is described in Section allocation of compression method identifiers is described in Section
5. 5.
In addition, this definition is updated to include assignment of an In addition, this definition is updated to include assignment of an
identifier for the DEFLATE compression method: identifier for the DEFLATE compression method:
skipping to change at page 4, line 26 skipping to change at page 3, line 34
enum { null(0), DEFLATE(1), (255) } CompressionMethod; enum { null(0), DEFLATE(1), (255) } CompressionMethod;
As described in section 6 of RFC 2246 [2], TLS is a stateful As described in section 6 of RFC 2246 [2], TLS is a stateful
protocol. Compression methods used with TLS can be either stateful protocol. Compression methods used with TLS can be either stateful
(the compressor maintains its state through all compressed records) (the compressor maintains its state through all compressed records)
or stateless (the compressor compresses each record independently), or stateless (the compressor compresses each record independently),
but there seems to be little known benefit in using a stateless but there seems to be little known benefit in using a stateless
compression method within TLS. compression method within TLS.
The DEFLATE compression method described in this document is The DEFLATE compression method described in this document is
stateful. It is RECOMMENDED that other compression methods that might stateful. It is RECOMMENDED that other compression methods that
be standardized in the future be stateful as well. might be standardized in the future be stateful as well.
Compression algorithms can occasionally expand, rather than compress, Compression algorithms can occasionally expand, rather than compress,
input data. A compression method that exceeds the expansion limits input data. A compression method that exceeds the expansion limits
described in section 6.2.2 of RFC 2246 [2] MUST NOT be used with TLS. described in section 6.2.2 of RFC 2246 [2] MUST NOT be used with TLS.
2.1 DEFLATE Compression 2.1. DEFLATE Compression
The DEFLATE compression method and encoding format is described in The DEFLATE compression method and encoding format is described in
RFC 1951 [5]. Examples of DEFLATE use in IETF protocols can be found RFC 1951 [5]. Examples of DEFLATE use in IETF protocols can be found
in RFC 1979 [6], RFC 2394 [7], and RFC 3274 [8]. in RFC 1979 [6], RFC 2394 [7], and RFC 3274 [8].
DEFLATE allows the sending compressor to select from among several DEFLATE allows the sending compressor to select from among several
options to provide varying compression ratios, processing speeds, and options to provide varying compression ratios, processing speeds, and
memory requirements. The receiving decompressor MUST automatically memory requirements. The receiving decompressor MUST automatically
adjust to the parameters selected by the sender. All data that was adjust to the parameters selected by the sender. All data that was
submitted for compression MUST be included in the compressed output, submitted for compression MUST be included in the compressed output,
skipping to change at page 6, line 12 skipping to change at page 5, line 21
model addressed by TLS. The security considerations described model addressed by TLS. The security considerations described
throughout RFC 2246 [2] apply here as well. throughout RFC 2246 [2] apply here as well.
However, combining compression with encryption can sometimes reveal However, combining compression with encryption can sometimes reveal
information that would not have been revealed without compression: information that would not have been revealed without compression:
data that is the same length before compression might be a different data that is the same length before compression might be a different
length after compression, so adversaries that observe the length of length after compression, so adversaries that observe the length of
the compressed data might be able to derive information about the the compressed data might be able to derive information about the
corresponding uncompressed data. Some symmetric encryption corresponding uncompressed data. Some symmetric encryption
ciphersuites do not hide the length of symmetrically encrypted data ciphersuites do not hide the length of symmetrically encrypted data
at all. Others hide it to some extent, but still don't hide it at all. Others hide it to some extent, but still do not hide it
fully. For example, ciphersuites that use stream cipher encryption fully. For example, ciphersuites that use stream cipher encryption
without padding do not hide length at all; ciphersuites that use without padding do not hide length at all; ciphersuites that use
Cipher Block Chaining (CBC) encryption with padding provide some Cipher Block Chaining (CBC) encryption with padding provide some
length hiding, depending on how the amount of padding is chosen. Use length hiding, depending on how the amount of padding is chosen. Use
of TLS compression SHOULD take into account that the length of of TLS compression SHOULD take into account that the length of
compressed data may leak more information than the length of the compressed data may leak more information than the length of the
original uncompressed data. original uncompressed data.
Compression algorithms tend to be mathematically complex and prone to Compression algorithms tend to be mathematically complex and prone to
implementation errors. An implementation error that can produce a implementation errors. An implementation error that can produce a
skipping to change at page 6, line 34 skipping to change at page 5, line 43
languages and operating systems that do not provide buffer overrun languages and operating systems that do not provide buffer overrun
protections. Careful consideration should thus be given to protections. Careful consideration should thus be given to
protections against implementation errors that introduce security protections against implementation errors that introduce security
risks. risks.
As described in Section 2, compression algorithms can occasionally As described in Section 2, compression algorithms can occasionally
expand, rather than compress, input data. This feature introduces expand, rather than compress, input data. This feature introduces
the ability to construct rogue data that expands to some enormous the ability to construct rogue data that expands to some enormous
size when compressed or decompressed. RFC 2246 describes several size when compressed or decompressed. RFC 2246 describes several
methods to ameliorate this kind of attack. First, compression has to methods to ameliorate this kind of attack. First, compression has to
be lossless. Second, a limit (1,024 bytes) is placed on the amount of be lossless. Second, a limit (1,024 bytes) is placed on the amount
allowable compression content length increase. Finally, a limit of allowable compression content length increase. Finally, a limit
(2^14 bytes) is placed on the total content length. See section (2^14 bytes) is placed on the total content length. See section
6.2.2 of RFC 2246 [2] for complete details. 6.2.2 of RFC 2246 [2] for complete details.
7. Acknowledgements 7. Acknowledgements
The concepts described in this document were originally discussed on The concepts described in this document were originally discussed on
the IETF TLS working group mailing list in December, 2000. The the IETF TLS working group mailing list in December, 2000. The
author acknowledges the contributions to that discussion provided by author acknowledges the contributions to that discussion provided by
Jeffrey Altman, Eric Rescorla, and Marc Van Heyningen. Later Jeffrey Altman, Eric Rescorla, and Marc Van Heyningen. Later
suggestions that have been incorporated into this document were suggestions that have been incorporated into this document were
provided by Tim Dierks, Pasi Eronen, Peter Gutmann, Elgin Lee, Nikos provided by Tim Dierks, Pasi Eronen, Peter Gutmann, Elgin Lee, Nikos
Mavroyanopoulos, Alexey Melnikov, Bodo Moeller, Win Treese, and the Mavroyanopoulos, Alexey Melnikov, Bodo Moeller, Win Treese, and the
IESG. IESG.
Normative References 8. References
8.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997. Levels", BCP 14, RFC 2119, March 1997.
[2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC [2] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC
2246, January 1999. 2246, January 1999.
[3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA [3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
Informative References 8.2. Informative References
[4] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler, [4] Bray, T., Paoli, J., Sperberg-McQueen, C. and E. Maler,
"Extensible Markup Language (XML) 1.0 (2nd ed)", W3C REC-xml, "Extensible Markup Language (XML) 1.0 (2nd ed)", W3C REC-xml,
October 2000, <http://www.w3.org/TR/REC-xml>. October 2000, <http://www.w3.org/TR/REC-xml>.
[5] Deutsch, P., "DEFLATE Compressed Data Format Specification [5] Deutsch, P., "DEFLATE Compressed Data Format Specification
version 1.3", RFC 1951, May 1996. version 1.3", RFC 1951, May 1996.
[6] Woods, J., "PPP Deflate Protocol", RFC 1979, August 1996. [6] Woods, J., "PPP Deflate Protocol", RFC 1979, August 1996.
skipping to change at page 8, line 5 skipping to change at page 8, line 5
Author's Address Author's Address
Scott Hollenbeck Scott Hollenbeck
VeriSign, Inc. VeriSign, Inc.
21345 Ridgetop Circle 21345 Ridgetop Circle
Dulles, VA 20166-6503 Dulles, VA 20166-6503
US US
EMail: shollenbeck@verisign.com EMail: shollenbeck@verisign.com
Intellectual Property Statement Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it might or might not be available; nor does it represent that it has
has made any effort to identify any such rights. Information on the made any independent effort to identify any such rights. Information
IETF's procedures with respect to rights in standards-track and on the procedures with respect to rights in RFC documents can be
standards-related documentation can be found in BCP-11. Copies of found in BCP 78 and BCP 79.
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to Copies of IPR disclosures made to the IETF Secretariat and any
obtain a general license or permission for the use of such assurances of licenses to be made available, or the result of an
proprietary rights by implementors or users of this specification can attempt made to obtain a general license or permission for the use of
be obtained from the IETF Secretariat. such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF Executive this standard. Please address the information to the IETF at ietf-
Director. ipr@ietf.org.
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgment Acknowledgement
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/