Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 20 February 2024 15:08 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Toerless Eckert <tte@cs.fau.de>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "rwilton@cisco.com" <rwilton@cisco.com>, "anima@ietf.org" <anima@ietf.org>
Date: Tue, 20 Feb 2024 15:08:35 +0000
Message-ID: <GV1P190MB1970F71BD2B660E7BD141AD7FD502@GV1P190MB1970.EURP190.PROD.OUTLOOK.COM>
References: <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca> <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de> <8823.1707933716@obiwan.sandelman.ca> <Zc0GZ39gU0RuxiY6@faui48e.informatik.uni-erlangen.de> <22821.1707936851@obiwan.sandelman.ca> <DU0P190MB19786CC639ACDE423DEAD895FD4D2@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <Zc5BMpCqBykhqNzC@faui48e.informatik.uni-erlangen.de>
In-Reply-To: <Zc5BMpCqBykhqNzC@faui48e.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/PWWulfYBPjIi66GyA1jUIX4wstE>
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

> I think we had a long enough discussion time about this so everybody who has an opinion
Ok, agreed. I'm okay with the proposed change you sent to Rob!

> And again, this thread is just for the RFC8995 Register/MASA section Errata.
Good; some of the thread seemed to imply the Pledge would send SNI but that was only suggested for the Cloud-Registrar case then, probably.

Small addendum: even if RFC 6066 allowed IP literals in an SNI (which it doesn't), an IP literal still could not be used by a Pledge. The reason is that a Pledge would discover only the IP literal of a Proxy and not that of the Registrar, so in that hypothetical case the Registrar would receive an SNI with an incorrect IP address in it. So it wouldn't work anyway.

Esko

-----Original Message-----
From: Toerless Eckert <tte@cs.fau.de> 
Sent: Thursday, February 15, 2024 17:52
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; rwilton@cisco.com; anima@ietf.org
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Trying to find better rules for the process without success, so I think
that it's up to Rob to determine whether he wants additional input from the WG
or simply accept/reject the proposed text change based on his own evaluation.

I think we had a long enough discussion time about this so everybody who has an opinion
did have a chance to chime in.

And again, this thread is just for the RFC8995 Register/MASA section Errata.
The discussion about my github request in BRSKI cloud Pledge->Registrar is independent.
Sending of SNI is an application choice as explained in TLS 1.3 (probably also
in RFC6066), so it really needs to be decided by each application function, although
it seems as if the rule of thumb is to always send it as long as the TLS responder
is known by DNS hostname. But it seems neither RFC6066 nor TLS 1.3 make this a rule.

Cheers
    Toerless

On Thu, Feb 15, 2024 at 12:54:19PM +0000, Esko Dijk wrote:
> Shouldn't the ANIMA WG also agree on a new text or a new concept for an erratum?  
> And who are "all parties"? For me this is just too vague.
> 
> Esko
> 
> -----Original Message-----
> From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Wednesday, February 14, 2024 19:54
> To: Toerless Eckert <tte@cs.fau.de>
> Cc: rwilton@cisco.com; anima@ietf.org
> Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
> 
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     >> I'm fine with this.  But, since it's hold for document update, we
>     >> don't have to wordsmith it now, as long as we get across the right
>     >> idea in the patch.
> 
>     > Well, my understanding is that Rob simply wants a replacement text for
>     > the Errata that we both agree on so he can update the Errata with it.
> 
> All of the text you have proposed is fine with me in the end.
> Short of it: all parties always send SNI.
> 
> (Registrar must often ignore SNI upon receipt)
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
> 

-- 
---
tte@cs.fau.de
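The thread turns on two facts about the TLS server_name extension: RFC 6066 forbids IPv4 and IPv6 literals in the HostName, and (as Toerless notes) sending SNI is an application choice that only makes sense when the responder is known by a DNS name, which a Pledge that has merely discovered a Proxy's IP literal is not. The following is an added example, not code from the ANIMA WG, RFC 8995 or any BRSKI implementation: it encodes and decodes the extension exactly as RFC 6066 section 3 lays it out, refuses IP literals on both the sending and the receiving side, and wraps the "send SNI only for a DNS name" rule of thumb in one helper. The names masa.example.com and registrar.example.com and the address fe80::1%eth0 are made up for the demonstration; only the Python standard library is used.

```python
"""TLS server_name extension (RFC 6066, section 3): encode, decode, validate.

Added example for this thread; it is not code from the ANIMA WG, RFC 8995,
or any BRSKI implementation, and it uses only the Python standard library.
"""
import ipaddress
import struct
from typing import List, Optional

EXT_SERVER_NAME = 0x0000     # extension_type value for server_name
NAME_TYPE_HOST_NAME = 0      # NameType.host_name, the only type RFC 6066 defines


def is_ip_literal(name: str) -> bool:
    """True for an IPv4/IPv6 literal, with or without URL brackets or a zone id."""
    candidate = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    candidate = candidate.split("%", 1)[0]  # drop a zone id such as %eth0
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def validate_host_name(name: str) -> bytes:
    """Apply the RFC 6066 HostName rules and return the wire bytes."""
    if is_ip_literal(name):
        raise ValueError(f"RFC 6066 forbids IP literals in server_name: {name!r}")
    if name.endswith("."):
        raise ValueError("HostName must not carry a trailing dot")
    try:
        wire = name.encode("ascii")  # HostName is ASCII; IDNs are sent as A-labels
    except UnicodeEncodeError as exc:
        raise ValueError("HostName must be ASCII (A-labels)") from exc
    if not 1 <= len(wire) <= 0xFFFF:
        raise ValueError("HostName must be 1..2^16-1 bytes")
    return wire


def encode_server_name_extension(name: str) -> bytes:
    """Build extension_type || extension_data for a single host_name entry."""
    host = validate_host_name(name)
    server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(host)) + host
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def decode_server_name_extension(ext: bytes) -> List[str]:
    """Parse one server_name extension and return its host_name entries.

    Raises ValueError on truncation, a foreign extension type, an empty list
    or an IP literal; a receiver that wants to be lenient can catch that and
    proceed as if no SNI had been sent.
    """
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SERVER_NAME:
        raise ValueError(f"not a server_name extension: type {ext_type:#06x}")
    body = ext[4:4 + ext_len]
    if len(body) != ext_len or ext_len < 2:
        raise ValueError("truncated extension_data")
    (list_len,) = struct.unpack("!H", body[:2])
    entries = body[2:2 + list_len]
    if len(entries) != list_len or list_len == 0:
        raise ValueError("bad ServerNameList length")
    names: List[str] = []
    pos = 0
    while pos < len(entries):
        if pos + 3 > len(entries):
            raise ValueError("truncated ServerName header")
        name_type, name_len = struct.unpack("!BH", entries[pos:pos + 3])
        pos += 3
        raw = entries[pos:pos + name_len]
        if len(raw) != name_len:
            raise ValueError("truncated HostName")
        pos += name_len
        if name_type != NAME_TYPE_HOST_NAME:
            continue  # unknown NameType: skip it, RFC 6066 defines only host_name
        host = raw.decode("ascii")
        if is_ip_literal(host):
            raise ValueError(f"peer sent an IP literal in server_name: {host!r}")
        names.append(host)
    return names


def sni_for_discovered_target(target: str) -> Optional[bytes]:
    """Rule of thumb from the thread: send SNI only when the responder is known
    by DNS name. A pledge that discovered only a proxy's IP literal gets None."""
    return None if is_ip_literal(target) else encode_server_name_extension(target)


if __name__ == "__main__":
    ext = encode_server_name_extension("masa.example.com")   # hypothetical MASA name
    print(ext.hex(), decode_server_name_extension(ext))
    print(sni_for_discovered_target("fe80::1%eth0"))         # None: proxy IP literal
```

The decoder deliberately raises on an IP literal rather than silently dropping it; a Registrar that, as Michael puts it, must often ignore SNI on receipt would catch that ValueError (and the absent-extension case) and carry on with its own certificate selection, while a MASA that hosts several names behind one address would use the returned list.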