Merge pull request #564 from tlswg/caw/clarify-network-capabilities

Clarify attacker capabilities
tlswg · Oct 13, 2023 · 567b79c · 567b79c
2 parents c08b4e6 + 670d46e
commit 567b79c
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/draft-ietf-tls-esni.md b/draft-ietf-tls-esni.md
@@ -115,7 +115,8 @@ notation comes from {{RFC8446, Section 3}}.
 # Overview
 
 This protocol is designed to operate in one of two topologies illustrated below,
-which we call "Shared Mode" and "Split Mode".
+which we call "Shared Mode" and "Split Mode". These modes are described in the
+following section.
 
 ## Topologies
 
@@ -162,6 +163,9 @@ the "client-facing server" and to the TLS terminator as the "backend server".
 These are the same entity in Shared Mode, but in Split Mode, the client-facing
 and backend servers are physically separated.
 
+See {{security-considerations}} for more discussion about the ECH threat model
+and how it relates to the client, client-facing server, and backend server.
+
 ## Encrypted ClientHello (ECH)
 
 A client-facing server enables ECH by publishing an ECH configuration, which
@@ -1250,7 +1254,25 @@ such as interfering with existing connections, probing servers, and querying
 DNS. In short, an active attacker corresponds to the conventional threat model
 for TLS 1.3 {{RFC8446}}.
 
-Given these types of attackers, the primary goals of ECH are as follows.
+Passive and active attackers can exist anywhere in the network, including
+between the client and client-facing server, as well as between the
+client-facing and backend servers when running ECH in Split Mode. However,
+for Split Mode in particular, ECH makes two additional assumptions:
+
+1. The channel between each client-facing and each backend server is
+authenticated such that the backend server only accepts messages from trusted
+client-facing servers. The exact mechanism for establishing this authenticated
+channel is out of scope for this document.
+1. The attacker cannot correlate messages between client and client-facing
+server with messages between client-facing and backend server. Such correlation
+could allow an attacker to link information unique to a backend server, such as
+their server name or IP address, with a client's encrypted ClientHelloInner.
+Correlation could occur through timing analysis of messages across the
+client-facing server, or via examining the contents of messages sent between
+client-facing and backend servers. The exact mechanism for preventing this sort
+of correlation is out of scope for this document.
+
+Given this threat model, the primary goals of ECH are as follows.
 
 1. Security preservation. Use of ECH does not weaken the security properties of
    TLS without ECH.