Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 13 February 2024 09:05 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "rwilton@cisco.com" <rwilton@cisco.com>, "anima@ietf.org" <anima@ietf.org>
Date: Tue, 13 Feb 2024 09:04:54 +0000
Message-ID: <DU0P190MB1978DCD3951BE48BF78F51E8FD4F2@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl> <659.1625591712@localhost> <7c9a712a-119c-33e1-9031-b464e122881e@gmail.com> <ZbnIkYrDC7-3SwkB@faui48e.informatik.uni-erlangen.de> <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca> <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/GdSpJXB9rLsy_L-PC9tfC12eidU>
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>

Just wanted to double-check this part:

> > Pledges MUST include SNI for 1.2 and 1.3.
>
> Right. Except for language maybe using the "server-name" terminology as the TLS 1.3 RFC.

Instead of "Pledges", it should say "Registrars" here, right?

Esko


-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Toerless Eckert
Sent: Tuesday, February 13, 2024 03:05
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: rwilton@cisco.com; anima@ietf.org
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

On Mon, Feb 12, 2024 at 09:01:50AM -0500, Michael Richardson wrote:
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > agile. But SNI is one such example, where the pledge does need to
>     > signal the right info (SNI) to enable "cheaper" cloud registrars, aka:
>     > those not owning a separate IPv4 address. See e.g.: AWS cost for IPv4
>     > address.
> 
> Right, but it's self-righting.
> A manufacturer that uses an SNI-only cloud registrar and does not do SNI will
> fail immediately: they won't get out of the lab.  And the manufacturer
> controls both initial sides of this.

Just to double check: in this thread we're only talking registrar to MASA (no pledges).

Then the biggest risk is when there are a lot of Registrar instances out in the
field and the company wants to make the MASA service cheaper by putting it into
some cloud service data center from a third party, and only then wake up and see
that that cloud data center (as opposed to the vendor's original own data center) does
require SNI. So now, the vendor needs to update all Registrars in the field.

Aka: IMHO serious enough that it justifies the one sentence we can write upfront to
avoid this.

> Where we could go into trouble is when there are 307 redirects.

Explain ? Or separate thread ?
> 
>     > Lets just agree on the final text for this errata so Rob can close the
>     > book on it.
> 
> Pledges MUST include SNI for 1.2 and 1.3.

Right. Except for language maybe using the "server-name" terminology as the TLS 1.3 RFC.

> (Registrars with provisional-TLS connections MUST ignore the SNI: they can
> not be virtual-hosted)
> 
> If you didn't like my errata text, then let's come back to that.
> (I wish errata was on gitlab)
> 
> https://www.rfc-editor.org/errata/eid6642
> 
> says:
> Held for Document Update by: Rob Wilton
> Date Held: 2024-01-15
> 
> so we get another chance to fix the text when we do a document update.
> Does the text that is there upset you?

Yes, to repeat what I said in the first email of this thread:

1. the way you wrote it, you replace the whole two sentences, aka: you remove:

   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is 
   REQUIRED.  TLS 1.3 (or newer) SHOULD be available.

   I am sure you wanted your text to be ADDED after those two sentences.

2. "TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if 
   TLS 1.3 is not available."

   This does not say that Registrars must send SNI/"server-name". It
   just means the TLS stack on registrars/MASA needs to be able to support
   SNI. And I am a fourth degree burn victim of text like this.  Many
   customers who could not deploy multicast appropriately because
   they believed vendor text "device supports IGMPv3" was sufficient, when instead
   what was required was: "(IPTV) application MUST use SSM signalling via IGMPv3".
   (see also the TLS 1.3 text related to this "server-name" support vs. application
   support).

   Aka: 

   Append to the section 5.4 text from above the following:

   When the MASA is known to the registrar by its domain name,
   the registrar MUST send the domain name of the MASA in the
   TLS "Server Name Indicator" (SNI) option (also called "server-name")
   [RFC6066] whether TLS 1.2 [RFC5246] or TLS 1.3 [RFC8446] is used.

   SNI is required when the Registrar communicates with the MASA in
   order for the MASA to be hosted in a modern multi-tenant TLS infrastructure where
   it shares its IP/IPv6 address with other HTTPS services.

Cheers
    Toerless

> -- 
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 



-- 
---
tte@cs.fau.de

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima