IETF Logo Mail Archive

Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Toerless Eckert <tte@cs.fau.de> Tue, 06 February 2024 17:20 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01B55C14F60E for <anima@ietfa.amsl.com>; Tue, 6 Feb 2024 09:20:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.66
X-Spam-Level:
X-Spam-Status: No, score=-6.66 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kS-s9C4UgU0L for <anima@ietfa.amsl.com>; Tue, 6 Feb 2024 09:20:03 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B761DC151524 for <anima@ietf.org>; Tue, 6 Feb 2024 09:19:01 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TTqjG12tfznkKt; Tue, 6 Feb 2024 18:18:58 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TTqjF707Czkmlq; Tue, 6 Feb 2024 18:18:57 +0100 (CET)
Date: Tue, 06 Feb 2024 18:18:57 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org, Brian E Carpenter <brian.e.carpenter@gmail.com>, rwilton@cisco.com
Message-ID: <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl> <659.1625591712@localhost> <7c9a712a-119c-33e1-9031-b464e122881e@gmail.com> <ZbnIkYrDC7-3SwkB@faui48e.informatik.uni-erlangen.de> <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5675.1706881746@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/FrHMcLjeqapniyfz10-cdB66zFA>
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 17:20:09 -0000

Hah, forgot to discuss this topic today. Well, it's not running away.

I am really only interested to be diligent with pledge requirements because those will have
the biggest variety of potentially crappy software stacks. Registars/MASA ci expect to be much
more software agile. But SNI is one such example, where the pledge does need to signal the
right info (SNI) to enable "cheaper" cloud registrars,  aka: those not owning a separate IPv4
address. See e.g.: AWS cost for IPv4 address. 

Now, cloud is a separate case from this threads subject (registar->masa), but i think technically
it is correct to ask for SNI support on Registrar. But i am not adament to make a fuzz about it.

Lets just agree on the final text for this errata so Rob can close the book on it.

Cheers
   toerless

On Fri, Feb 02, 2024 at 08:49:06AM -0500, Michael Richardson wrote:
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > Lets maybe finalize next tuesday during our meeting.
> 
>     > In general i think that whenever a TLS initiator did learn the TLS
>     > responder through a URL with a domain name, then it needs to insert the
>     > domain name as the SNI "server_name".
> 
>     > If thats not an unwritten rule, then i'd like to understand why not.
> 
> I think it is.  I'm not objecting to that.
> As you said, sometimes old/rusty TLS libraries don't do this.
> But, the manufacturer knows that, and this can build their MASA based upon
> SNI (or not) assumption, and it's fine.
> 
> But, for BRSKI-EST link, we can assume enough modern TLS to allow for SNI
> based virtual hosting.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
> 



-- 
---
tte@cs.fau.de

v2.23.0 | Report a Bug | By Email