[Standards] XTLS revisited

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Mon Dec 15 17:17:59 UTC 2008


On Monday 15 December 2008 07:46:16 Peter Saint-Andre wrote:
> Therefore I suggest that we simplify e2e by using
> something very close to the original XTLS proposal to set up, use, and
> tear down an XTLS tunnel. I've outlined the protocol below.

First, we should use IBB.  Sure, it adds complexity with the block sizes and 
message vs iq, but you want this stuff.  The only downside is the extra round 
trip on startup.  If it's that big of a deal, we can make a special extension 
that lets you IBB + XTLS in one shot.

> 1. Initiator sends start request to responder
>
> <iq from='romeo at montague.net/orchard'
>     id='xtls_1'
>     to='juliet at capulet.com/balcony'
>     type='set'>
>   <start xmlns='urn:xmpp:tmp:xtls'/>
> </iq>

<iq from='romeo at montague.net/orchard'
    id='xtls_1'
    to='juliet at capulet.com/balcony'
    type='set'>
  <open sid='mySID'
      block-size='4096'
      xmlns='http://jabber.org/protocol/ibb'>
    <start xmlns='urn:xmpp:tmp:xtls'/>
  </open>
</iq>

> 2. Responder tells initiator to proceed
>
> <iq from='juliet at capulet.com/balcony'
>     id='xtls_1'
>     to='romeo at montague.net/orchard'
>     type='result'>
>   <proceed xmlns='urn:xmpp:tmp:xtls'/>
> </iq>

<iq from='juliet at capulet.com/balcony'
    id='xtls_1'
    to='romeo at montague.net/orchard'
    type='result'/>

That's not much worse, is it?  If XTLS is implemented and we start needing 
tweaks to the transport, we'll be happy we did it this way.

> 3. Initiator and responder complete TLS handshake
> 4. One party sends a stanza over the tunnel
> 4a. Generate stanza
> 4b. Strip off the routing data
> 4c. Encrypt and base64-encode it
> 4d. Send it over the tunnel

It could be that these examples are expanded out for clarity, but I want to 
stress/confirm that we treat TLS as a bytestream, independent of how it is 
actually packetized into transporting stanzas.  This means that a single 
transporting stanza might contain multiple message stanzas, and a single 
message stanza might require multiple transporting stanzas to deliver.  
Additionally, a transporting stanza may contain both application data (e.g. a 
message stanza) and TLS data (handshake messages).

> 5. One party closes the tunnel
>
> <iq from='romeo at montague.net/orchard'
>     id='xtls_10'
>     to='juliet at capulet.com/balcony'
>     type='set'>
>   <close xmlns='urn:xmpp:tmp:xtls'/>
> </iq>
>
> 6. Other party acknowledges the close
>
> <iq from='juliet at capulet.com/balcony'
>     id='xtls_0'
>     to='romeo at montague.net/orchard'
>     type='result'>
>   <closed xmlns='urn:xmpp:tmp:xtls'/>
> </iq>

Also, for good measure, we should close the TLS layer first.

-Justin
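To make the bytestream point in the message above concrete: the following is an added illustration, not code from this thread or from any XEP, of IBB packetization on one side and stanza reassembly on the other, so that transporting-stanza boundaries are visibly independent of message-stanza boundaries. It assumes a constructed `<stream>` wrapper element around the tunnel contents and leaves the TLS layer out, so the bytes shown in the clear here would in XTLS be TLS records that the receiver decrypts before parsing.

```python
import base64
import xml.etree.ElementTree as ET

def ibb_packetize(stream, sid, block_size=4096):
    """Slice the tunnel bytestream into IBB <data/> stanzas of at most
    block_size bytes, paying no attention to where the application stanzas
    inside the stream begin or end (that is the layer above TLS's job)."""
    stanzas = []
    for i, off in enumerate(range(0, len(stream), block_size)):
        payload = base64.b64encode(stream[off:off + block_size]).decode("ascii")
        stanzas.append(f"<data xmlns='http://jabber.org/protocol/ibb' "
                       f"sid='{sid}' seq='{i % 65536}'>{payload}</data>")
    return stanzas

class TunnelReader:
    """Receiving side: enforce IBB sequencing, append the decoded bytes to
    the stream, and pull out every stanza that has become complete so far."""
    def __init__(self):
        self.expected_seq = 0
        self.depth = 0
        self.parser = ET.XMLPullParser(events=("start", "end"))
        # Constructed wrapper so consecutive stanzas parse as siblings
        # instead of as several separate XML documents.
        self.parser.feed(b"<stream>")

    def feed(self, data_stanza):
        el = ET.fromstring(data_stanza)
        seq = int(el.get("seq"))
        if seq != self.expected_seq:  # dropped or reordered block: refuse it
            raise ValueError(f"IBB seq {seq} received, expected {self.expected_seq}")
        self.expected_seq = (seq + 1) % 65536
        self.parser.feed(base64.b64decode(el.text))
        completed = []
        for event, elem in self.parser.read_events():
            self.depth += 1 if event == "start" else -1
            if event == "end" and self.depth == 1:  # a top-level stanza closed
                completed.append(elem)
        return completed

def demo(block_size=64):
    """Two constructed message stanzas (58 and 156 bytes) pushed through
    small IBB blocks; returns how many complete stanzas each block yielded.
    With 64-byte blocks the first block carries a whole stanza plus the
    start of the next, and the second stanza spans three blocks."""
    stream = (b"<message to='juliet@capulet.com'><body>Hi</body></message>"
              b"<message to='juliet@capulet.com'><body>" + b"x" * 100
              + b"</body></message>")
    reader = TunnelReader()
    return [len(reader.feed(s)) for s in ibb_packetize(stream, "mySID", block_size)]
```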