Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 13 February 2024 09:05 UTC
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rwilton@cisco.com" <rwilton@cisco.com>, "anima@ietf.org" <anima@ietf.org>
Date: Tue, 13 Feb 2024 09:04:54 +0000
Message-ID: <DU0P190MB1978DCD3951BE48BF78F51E8FD4F2@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl> <659.1625591712@localhost> <7c9a712a-119c-33e1-9031-b464e122881e@gmail.com> <ZbnIkYrDC7-3SwkB@faui48e.informatik.uni-erlangen.de> <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca> <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/GdSpJXB9rLsy_L-PC9tfC12eidU>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Just wanted to double-check this part:

> > Pledges MUST include SNI for 1.2 and 1.3.
>
> Right. Except for language maybe using the "server-name" terminology as the TLS 1.3 RFC.

Instead of "Pledges", it should say "Registrars" here, right?

Esko

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Toerless Eckert
Sent: Tuesday, February 13, 2024 03:05
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rwilton@cisco.com; anima@ietf.org
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

On Mon, Feb 12, 2024 at 09:01:50AM -0500, Michael Richardson wrote:
>
> Toerless Eckert <tte@cs.fau.de> wrote:
> > agile. But SNI is one such example, where the pledge does need to
> > signal the right info (SNI) to enable "cheaper" cloud registrars, aka:
> > those not owning a separate IPv4 address. See e.g.: AWS cost for IPv4
> > address.
>
> Right, but it's self-righting.
> A manufacturer that uses an SNI-only cloud registrar and does not do SNI will
> fail immediately: they won't get out of the lab. And the manufacturer
> controls both initial sides of this.

Just to double check: in this thread we're only talking registrar to MASA (no pledges).

Then the biggest risk is when there are a lot of Registrar instances out in the field and the company wants to make the MASA service cheaper by putting it into some cloud service data center from a third party, and only then wake up and see that that cloud data center (opposed to the vendor's original own data center) does require SNI. So now, the vendor needs to update all Registrars in the field.

Aka: IMHO serious enough that it justifies the one sentence we can write upfront to avoid this.

> Where we could go into trouble is when there are 307 redirects.

Explain? Or separate thread?

> > Let's just agree on the final text for this errata so Rob can close the
> > book on it.
>
> Pledges MUST include SNI for 1.2 and 1.3.

Right. Except for language maybe using the "server-name" terminology as the TLS 1.3 RFC.

> (Registrars with provisional-TLS connections MUST ignore the SNI: they can
> not be virtual-hosted)
>
> If you didn't like my errata text, then let's come back to that.
> (I wish errata was on gitlab)
>
> https://www.rfc-editor.org/errata/eid6642
>
> says:
> Held for Document Update by: Rob Wilton
> Date Held: 2024-01-15
>
> so we get another chance to fix the text when we do a document update.
> Does the text that is there upset you?

Yes, to repeat what I said in the first email of this thread:

1. The way you wrote it, you replace the whole two sentences, aka: you remove:

   Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is REQUIRED. TLS 1.3 (or newer) SHOULD be available.

   I am sure you wanted your text to be ADDED after those two sentences.

2. "TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if TLS 1.3 is not available."

   This does not say that Registrars must send SNI/"server-name". It just means the TLS stack on registrars/MASA needs to be able to support SNI. And I am a fourth degree burn victim of text like this. Many customers who could not deploy multicast appropriately because they believed vendor text "device supports IGMPv3" was sufficient, when instead what was required was: "(IPTV) application MUST use SSM signalling via IGMPv3". (see also the TLS 1.3 text related to this "server-name" support vs. application support).

Aka: Append to the section 5.4 text from above the following:

   When the MASA is known to the registrar by its domain name, the registrar MUST send the domain name of the MASA in the TLS "Server Name Indicator" (SNI) option (also called "server-name") [RFC6066] whether TLS 1.2 [RFC5246] or TLS 1.3 [RFC8446] is used.

   SNI is required when the Registrar communicates with the MASA in order for the MASA to be hosted in a modern multi-tenant TLS infrastructure where it shares its IP/IPv6 address with other HTTPS services.

Cheers
    Toerless

> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>

--
---
tte@cs.fau.de

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
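The distinction Toerless draws above, between a TLS stack that can carry the server_name extension and an application that actually puts the MASA's name into it, can only be settled by looking at the first record the registrar sends. The following is an added example for this thread, not code from RFC 8995 or from any BRSKI registrar or MASA implementation. It constructs ClientHello records (zeroed random, a single cipher suite) and parses them per RFC 5246 section 7.4.1.2 and RFC 6066 section 3, so the same parser can be pointed at a ClientHello captured from a real registrar-to-MASA connection. The host names are placeholders.

```python
"""Check whether a TLS ClientHello carries the server_name (SNI) extension.

Constructed ClientHello records (random field zeroed, one cipher suite) are
built and parsed per RFC 5246 section 7.4.1.2 and RFC 6066 section 3.
"""
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # RFC 6066 "server_name" extension type
SNI_HOST_NAME = 0x00       # NameType host_name


def build_client_hello(server_name=None):
    """Return a ClientHello record (constructed test input).

    With server_name=None no extensions block is emitted at all: this is what
    a stack that merely *supports* SNI sends when the application never hands
    it a host name.  That is the failure mode the errata text is meant to
    rule out for the registrar-to-MASA connection."""
    body = b"\x03\x03" + bytes(32)               # client_version, random (zeroed)
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                          # compression_methods: null only
    if server_name is not None:
        host = server_name.encode("ascii")       # RFC 6066: host_name is ASCII (A-labels)
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext                # extensions block
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: ContentType handshake, legacy version 0x0301, length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def _take(buf, pos, n):
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def extract_sni(record):
    """Return the host_name in the server_name extension, or None if the
    ClientHello carries no such extension.  Raises ValueError when the bytes
    are not a well-formed ClientHello record."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body, _ = _take(hs, 4, int.from_bytes(hs[1:4], "big"))
    _, pos = _take(body, 0, 2 + 32)                              # client_version + random
    sid_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, sid_len[0])                         # session_id
    cs_len, pos = _take(body, pos, 2)
    _, pos = _take(body, pos, struct.unpack("!H", cs_len)[0])     # cipher_suites
    cm_len, pos = _take(body, pos, 1)
    _, pos = _take(body, pos, cm_len[0])                          # compression_methods
    if pos == len(body):
        return None                                               # no extensions block
    ext_len, pos = _take(body, pos, 2)
    exts, end = _take(body, pos, struct.unpack("!H", ext_len)[0])
    if end != len(body):
        raise ValueError("bad extensions length")
    p = 0
    while p < len(exts):
        eh, p = _take(exts, p, 4)
        etype, elen = struct.unpack("!HH", eh)
        data, p = _take(exts, p, elen)
        if etype != EXT_SERVER_NAME:
            continue
        if len(data) < 2:
            raise ValueError("bad server_name extension")
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q < 2 + list_len:
            nh, q = _take(data, q, 3)
            ntype, nlen = struct.unpack("!BH", nh)
            name, q = _take(data, q, nlen)
            if ntype == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def registrar_sends_expected_sni(record, masa_domain):
    """The property the proposed errata text requires: the registrar's
    ClientHello to the MASA carries the MASA's domain name in server_name."""
    return extract_sni(record) == masa_domain
```

To use this against a real registrar, feed it the first TLS record the registrar sends toward the MASA (for example, the payload of the first client-side TLS segment in a capture). A registrar built on Python's ssl module only emits the extension when the socket is wrapped with `server_hostname="masa.example.com"`; wrapping without it (possible once `check_hostname` is off) produces the no-extension ClientHello that `build_client_hello()` models. For a quick manual check from the command line, `openssl s_client -connect masa.example.com:443 -servername masa.example.com` sends the name and `-noservername` suppresses it, which is a convenient way to confirm that a multi-tenant MASA front end really does reject the latter before Registrars are shipped.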