[Add] DDR and SNI -- proposed draft in TLS WG to fix IP addresses in SNI
Erik Nygren <erik+ietf@nygren.org> Wed, 27 July 2022 18:46 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB04CC157B33 for <add@ietfa.amsl.com>; Wed, 27 Jul 2022 11:46:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.428
X-Spam-Level:
X-Spam-Status: No, score=-1.428 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7lUp9dIZCYU for <add@ietfa.amsl.com>; Wed, 27 Jul 2022 11:46:40 -0700 (PDT)
Received: from mail-pj1-f50.google.com (mail-pj1-f50.google.com [209.85.216.50]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B60CC14F75F for <add@ietf.org>; Wed, 27 Jul 2022 11:46:40 -0700 (PDT)
Received: by mail-pj1-f50.google.com with SMTP id pw15so677080pjb.3 for <add@ietf.org>; Wed, 27 Jul 2022 11:46:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=EGEfi9Yc9VRwh8bsvGhVsW/QGx1MBDh0xQInw+a+H24=; b=wbHxxg5AA0IZhIvRHu5sU0ok9jZKMiyFE7YACqDXkOsz7sYn+fvZm8+tQGs6MpZOoZ hX8FjFwCYw+pHvtW2f6gvOx4vvyzgkltKoJ0TcEkENPXCKfv5Z4ZWIBHzqy0n9oBLZW/ AFP1IL8HcfQz9LLBI+6qmNiD7rCSb5g3NAf6+SdchFXByrSINZCFKx9PPB8YdyH7qOW8 tmO849M8B5E9Sfz1tCeiBUanqEywDS+NzfmYQrLVPK0sxyx5ZC/bGutzQb1tp8L2c9FB 1jB591O3qu2WlgpSLl3m/fMch5afOk2h7z+xD00/r/5ubabVfWDlv+j2AkyZJwQjQl6r 8q+A==
X-Gm-Message-State: AJIora93C8VGWNxiOQA42mHb5nFtBJ+5Upf2TbZ5WWSzQyk427h99Kwe hR0eXd0cS2Ji5Zrxs8TTdJ/+F1g+45neEHBf+qgpr/fQJfc=
X-Google-Smtp-Source: AGRyM1tA4GAsi3HtF6p72CVvrSYE3/hoNQxFp7UgY338Opih2plrI4XIqe5a3HZZh4wGX6+euFD10bG45T9P1UEMrGY=
X-Received: by 2002:a17:90a:9f8a:b0:1f2:5741:cad3 with SMTP id o10-20020a17090a9f8a00b001f25741cad3mr5985752pjp.107.1658947599116; Wed, 27 Jul 2022 11:46:39 -0700 (PDT)
MIME-Version: 1.0
From: Erik Nygren <erik+ietf@nygren.org>
Date: Wed, 27 Jul 2022 14:46:28 -0400
Message-ID: <CAKC-DJgBUKNsVCHV+GgdvU0VuNg5nwVi6yiD6JsOL8j-XaXDEQ@mail.gmail.com>
To: add@ietf.org, Rich Salz <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary="00000000000058aff105e4cdd64a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/krkFcwVM03gRQh6Py_LLt8i4ICc>
Subject: [Add] DDR and SNI -- proposed draft in TLS WG to fix IP addresses in SNI
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 18:46:40 -0000
At the risk of re-opening a can of worms, on a re-read of DDR last week
I was reminded how much I think we will regret not having clients send
the IP address in SNI, which there is no way to currently handle.
After some discussion with Rich Salz, I wrote up a draft for the TLS WG
on how IP addresses might be represented in SNI:
https://datatracker.ietf.org/doc/draft-nygren-tls-ip-in-sni/
Actual discussion on the draft itself likely makes sense to happen
in the TLS WG. (See the mail I just sent to the TLS list
on the topic.) But if we can get this fixed/addressed in TLS,
it would be highly valuable if we could also fix it in DDR.
What motivated me to realize we need to solve this is that
draft-ietf-add-ddr uses IP SANs in a new way. Rather than the
client connecting to an IP address and expecting to see a SAN
(where returning a cert associated with the IP address containing
a SAN that the client connected to is straight-forward),
DDR has clients connecting to a different IP and then
expects to find an original IP also in the SAN list.
This means that for an ISP with a large number of IPs
(or using a services who operates DoH service on-behalf
of many entities), you'd need to quickly/wastefully burn through IPv4
addresses to enable a unique cert per original IP.
As my employer operates recursive DNS services for ISPs,
I'm seeing serious challenges in being able to effectively enable
encrypted upgrades via DDR without having the desired IP address in SNI,
if only due to challenges with scaling up IPv4 addresses to deal
with the lack of SNI.
Erik
---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Wed, Jul 27, 2022 at 2:20 PM
Subject: New Version Notification for draft-nygren-tls-ip-in-sni-00.txt
To: Erik Nygren <erik+ietf@nygren.org>, Rich Salz <rsalz@akamai.com>
A new version of I-D, draft-nygren-tls-ip-in-sni-00.txt
has been successfully submitted by Erik Nygren and posted to the
IETF repository.
Name: draft-nygren-tls-ip-in-sni
Revision: 00
Title: Representing IP addresses in TLS Server Name Indication
(SNI)
Document date: 2022-07-27
Group: Individual Submission
Pages: 7
URL:
https://www.ietf.org/archive/id/draft-nygren-tls-ip-in-sni-00.txt
Status: https://datatracker.ietf.org/doc/draft-nygren-tls-ip-in-sni/
Htmlized:
https://datatracker.ietf.org/doc/html/draft-nygren-tls-ip-in-sni
Abstract:
This specification provides a mechanism for clients to send IP
addresses in a TLS Server Name Indication (SNI) extension as part of
TLS handshakes, allowing servers to return a certificate containing
that subjectAltName. This is done by converting the IP address to a
special-use domain name.
The IETF Secretariat
- [Add] DDR and SNI -- proposed draft in TLS WG to … Erik Nygren
- Re: [Add] DDR and SNI -- proposed draft in TLS WG… George Michaelson
- Re: [Add] DDR and SNI -- proposed draft in TLS WG… Tommy Pauly