[Anima] Rob: Re: Errata 6642: Re: Registrar to MASA connections: SNI required
Toerless Eckert <tte@cs.fau.de> Thu, 15 February 2024 16:47 UTC
Date: Thu, 15 Feb 2024 17:47:50 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org, Brian E Carpenter <brian.e.carpenter@gmail.com>, rwilton@cisco.com
Message-ID: <Zc5ANukYgMn8oZW5@faui48e.informatik.uni-erlangen.de>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl> <659.1625591712@localhost> <7c9a712a-119c-33e1-9031-b464e122881e@gmail.com> <ZbnIkYrDC7-3SwkB@faui48e.informatik.uni-erlangen.de> <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca> <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/HmnPWGdpUM1ZrcpcIVRc6g7GygQ>
Rob:

------ Current text ---------

Section 5.4 says:

   Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is REQUIRED.
   TLS 1.3 (or newer) SHOULD be available.

It should say:

   TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if TLS 1.3 is
   not available. The Server Name Indicator (SNI) is required when the
   Registrar communicates with the MASA in order for the MASA to be hosted
   in a modern multi-tenant TLS infrastructure.

------- Please replace with ---------

Section 5.4 says:

   Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is REQUIRED.
   TLS 1.3 (or newer) SHOULD be available.

Append after that paragraph:

   If the MASA is known to the registrar by its DNS hostname, the registrar
   MUST send that MASA DNS hostname in the TLS "Server Name Indicator" (SNI)
   "server_name" option [RFC6066] whether TLS 1.2 [RFC5246] or TLS 1.3
   [RFC8446] is used. SNI is required when the MASA is hosted in a modern
   multi-tenant TLS infrastructure where it shares an IP or IPv6 address
   with other HTTPS services.

--------------------------------------

Justification:

Michael's alternative to "always send SNI" is not permitted according to
RFC6066 (just found that sentence):

   "Literal IPv4 and IPv6 addresses are not permitted in "HostName"."

Hence it is prudent to condition the requirement to send SNI on the
condition (DNS hostname) under which it not only makes sense, but is also
known to be permitted by RFC6066 - so implementers do not need to find
that sentence in RFC6066.

Cheers
    Toerless
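The registrar-side logic the proposed text describes, as an added example that is not part of the thread or of any BRSKI implementation: decide from the configured MASA URL whether SNI may be sent (a DNS hostname) or must be omitted (an IPv4/IPv6 literal, which RFC 6066 forbids in "HostName"), and build a client TLS context that enforces TLS 1.2 as the floor. The URLs are constructed sample values; the MASA path and the `ssl` module behaviour relied on (Python 3.7 and later sends SNI for a hostname passed as `server_hostname` and does not send it for an IP literal) are assumptions stated in the comments.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def sni_hostname_for(masa_url: str):
    """Return the name a registrar should put in the SNI "server_name"
    extension for this MASA URL, or None when no SNI may be sent.

    RFC 6066 forbids literal IPv4/IPv6 addresses in HostName, so a MASA
    addressed by IP literal gets no SNI at all; a DNS hostname is sent
    as-is (urlsplit() lowercases it and strips IPv6 brackets).
    """
    host = urlsplit(masa_url).hostname
    if not host:
        raise ValueError(f"MASA URL has no host component: {masa_url!r}")
    try:
        ipaddress.ip_address(host)       # succeeds only for IP literals
    except ValueError:
        return host                      # a DNS hostname: SNI is required
    return None                          # IP literal: SNI not permitted


def registrar_tls_context() -> ssl.SSLContext:
    """Client context matching Section 5.4: TLS 1.2 or newer is REQUIRED,
    TLS 1.3 is used when the MASA offers it (the default ceiling)."""
    ctx = ssl.create_default_context()   # verifies server cert + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sni_policy(masa_url: str) -> dict:
    """Summarise what the registrar will send for this MASA; handy for
    logging a connection attempt before it is made."""
    sni = sni_hostname_for(masa_url)
    return {
        "host": urlsplit(masa_url).hostname,
        "port": urlsplit(masa_url).port or 443,
        "sni": sni,
        "reason": ("DNS hostname: SNI REQUIRED" if sni
                   else "IP literal: SNI not permitted by RFC 6066"),
    }


def connect_to_masa(masa_url: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open the registrar's TLS connection to the MASA (not run offline).

    Assumption: on Python 3.7+, wrap_socket(server_hostname=<DNS name>)
    sends that name as SNI, while server_hostname=<IP literal> is used
    only for certificate verification against an iPAddress SAN and no
    SNI extension is emitted, which is exactly the RFC 6066 rule above.
    """
    policy = sni_policy(masa_url)
    ctx = registrar_tls_context()
    raw = socket.create_connection((policy["host"], policy["port"]), timeout)
    return ctx.wrap_socket(raw, server_hostname=policy["host"])


if __name__ == "__main__":
    # Constructed sample MASA URLs; ".well-known/brski/requestvoucher" is
    # an assumed endpoint path for illustration only.
    for url in ("https://masa.example.com/.well-known/brski/requestvoucher",
                "https://192.0.2.10:8443/.well-known/brski/requestvoucher",
                "https://[2001:db8::1]/.well-known/brski/requestvoucher"):
        print(sni_policy(url))
```

Running the module prints the decision for each sample URL; only the first URL yields an SNI value, and `connect_to_masa()` is left for use against a real MASA.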