IETF Logo Mail Archive

Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05

Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 23 April 2019 18:43 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EDB81200E0 for <acme@ietfa.amsl.com>; Tue, 23 Apr 2019 11:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.647
X-Spam-Level:
X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mklQDxuN-9Vb for <acme@ietfa.amsl.com>; Tue, 23 Apr 2019 11:43:24 -0700 (PDT)
Received: from mail-ed1-f53.google.com (mail-ed1-f53.google.com [209.85.208.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7087A120463 for <acme@ietf.org>; Tue, 23 Apr 2019 11:43:21 -0700 (PDT)
Received: by mail-ed1-f53.google.com with SMTP id i13so13561492edf.11 for <acme@ietf.org>; Tue, 23 Apr 2019 11:43:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pLNJYPTNR5QiLN/rO29zySqMMQSStfXuJSneXxkiYzY=; b=PIK1XKKcWIU9Hvt0IhAMwBnnhbMHU+zxaijBdTMWn0Zrjf4IIn1LNy5ggKcQHSOIOJ wZL79fuRrZ05IMQeXJ7dfMpyOdMBeLggjQiQ5jETrEugaeY7zLg2kupJVrb2ZFvPIYa6 h6NQeNdJXk7PbWM5BZWr2su5Umqd7fbOwEVkNg5MfMkZz9T5X9AVZ7OVSj/7WSSSPoZe 3HClIuLwytuB9dbf11NJETgFaVugvW8/PHVWH558w24sMx28GWTJMril6kEygzKNcF/+ 9Wp1mLywGDldFtRJF+th1gkblqNP/voLLUTp5lUGfHIny4Dxx37EiENfOBul8VEB66pz hqBw==
X-Gm-Message-State: APjAAAX7cqx64bAzeUOkk2cLAWbpfCSWUrDVU3Pa5eEnBVL/k5CuC00u m9SZy1z1I/wn1KW8/tvWuAQx+JfN
X-Google-Smtp-Source: APXvYqwyfAa81xn6rpZFEPtqJs0uByab7Ici2NxWZO9yP0WvIkqYmE/Wm35EgbyVmbNibWOEaYH0LA==
X-Received: by 2002:a50:8bbd:: with SMTP id m58mr17363913edm.42.1556044999501; Tue, 23 Apr 2019 11:43:19 -0700 (PDT)
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com. [209.85.221.44]) by smtp.gmail.com with ESMTPSA id br19sm3152094ejb.48.2019.04.23.11.43.18 for <acme@ietf.org> (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Tue, 23 Apr 2019 11:43:19 -0700 (PDT)
Received: by mail-wr1-f44.google.com with SMTP id s15so21497687wra.12 for <acme@ietf.org>; Tue, 23 Apr 2019 11:43:18 -0700 (PDT)
X-Received: by 2002:adf:eb89:: with SMTP id t9mr19163141wrn.109.1556044998750; Tue, 23 Apr 2019 11:43:18 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR18MB28457CCBEF6FFE2B70E286FCC3250@MN2PR18MB2845.namprd18.prod.outlook.com> <CAErg=HGYuRc+tOBwRedx5a9tnH9iVm3bfWYhfXeiHCgcvp8gMA@mail.gmail.com> <MN2PR18MB2845DBA634A0BC648222C627C3230@MN2PR18MB2845.namprd18.prod.outlook.com> <CAErg=HG=LgqDxZ8QxVSAq2K6MsKJX36o6O7v0ojS3rsgUXuHVw@mail.gmail.com> <24216.1556044089@dooku.sandelman.ca>
In-Reply-To: <24216.1556044089@dooku.sandelman.ca>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Tue, 23 Apr 2019 14:43:07 -0400
X-Gmail-Original-Message-ID: <CAErg=HH2NqHH-+AUAXvMWBrmhOPH=86twOkr=b=F0TduB45KSw@mail.gmail.com>
Message-ID: <CAErg=HH2NqHH-+AUAXvMWBrmhOPH=86twOkr=b=F0TduB45KSw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000067ba05058736f5a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/JxmjD5i8xVIq1JsqNbqqylxhInY>
Subject: Re: [Acme] SNI extension for tls-alpn-01 challenge in draft-ietf-acme-ip-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 18:43:26 -0000

On Tue, Apr 23, 2019 at 2:28 PM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>     > The latter only becomes a consideration if multiple IPs are
> terminated
>     > at the same TLS layer, and that TLS termination layer doesn't
> consider
>     > the destination IP when dispatching certificates. If we were to omit
>
> I am curious to understand the use case for offboard TLS termination by IP
> address.    That would seem to involve some kind of layer-3 (destination)
> NAT.
> Given that TLS would forbid SNI being present in that case, how would such
> a
> offboard TLS termination work?
>

Right. I wasn't trying to suggest that such servers intended to be
responding on 'bare' IP addresses, merely that they were capable of doing
so (by virtue of the SNI absence). As commonly configured by a TLS server,
all IPs would merely be dispatched to a common 'default' host
implementation, *unless* the server used some out-of-band signaling method
to determine the 'original' IP.

In the cloud provider model, this might be multiple physical IPs all
dispatched to a same internal system. The internal system ACLs based on
hostname (the original issue with the tls-sni proposal), and thus may not
have ACLs on the 'bare hostname' form. Let's say I have 'good.example'
(Customer A) resolving to 10.0.0.2, 'evil.example' (Customer B) resolving
to 10.0.0.3, and whenever you connect, TLS termination is dispatched to an
internal service on 10.0.0.1.

Now, the system can already dispatched based on hostname, ensuring that
good.example sessions are served Customer A's response, and evil.example
sessions are served Customer B's response. The issue is whose response is
served when there is no SNI? Under a TLS-ALPN (no-ip) model, there's no
restrictions or requirements there; you could serve Customer A, customer B,
or neither - and none would undermine the security of TLS-ALPN (as a
validation method) or of the security properties you're trying for.

In a world where IPs were possible to be validated using TLS-ALPN, and the
information omitted from the request, if evil.example/Customer B can serve
a certificate that confirms the response for 10.0.0.2, then they could get
a certificate for Customer A's IP.

In a world where we include the to-be-validated IP in the request, and the
Cloud Provider is observing the security invariants required for TLS-ALPN
(that any hostnames to be validated have been successfully authenticated as
belonging to the customer in question), then Customer B would have to
demonstrate control, to the provider, over 2.0.0.10.in-addr.arpa in order
to get such a certificate.

v2.23.0 | Report a Bug | By Email