Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 20 February 2024 23:09 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
cc: Toerless Eckert <tte@cs.fau.de>, "rwilton@cisco.com" <rwilton@cisco.com>, "anima@ietf.org" <anima@ietf.org>
In-Reply-To: <GV1P190MB1970F71BD2B660E7BD141AD7FD502@GV1P190MB1970.EURP190.PROD.OUTLOOK.COM>
References: <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca> <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de> <8823.1707933716@obiwan.sandelman.ca> <Zc0GZ39gU0RuxiY6@faui48e.informatik.uni-erlangen.de> <22821.1707936851@obiwan.sandelman.ca> <DU0P190MB19786CC639ACDE423DEAD895FD4D2@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <Zc5BMpCqBykhqNzC@faui48e.informatik.uni-erlangen.de> <GV1P190MB1970F71BD2B660E7BD141AD7FD502@GV1P190MB1970.EURP190.PROD.OUTLOOK.COM>
Date: Tue, 20 Feb 2024 18:09:12 -0500
Message-ID: <3558.1708470552@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/S5DKZwxJIqcgJFVcukJVFgcy16o>
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
    > Small addendum: Even if RFC 6066 allowed IP literals in an SNI
    > (which it doesn't), it still could not be used by a Pledge. The reason
    > is that a Pledge would discover only the IP literal of a Proxy and not
    > the one of the Registrar. So the Registrar would receive an SNI with an
    > incorrect IP address in it in that hypothetical case. So it wouldn't
    > work anyway.

Complete agreement.

I don't know if client libraries are smart enough to omit SNI when the
connection is to an IP address, or if they just include the string expression
of the IP address.
As you say, it won't work, so the Registrar, being defensive, needs to just
ignore any SNI.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
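The defensive registrar behaviour argued for above, as an added example that is not code from this thread, from the ANIMA working group or from any BRSKI registrar implementation. It parses the `server_name` extension body as RFC 6066 section 3 defines it (a `ServerNameList` of `NameType`/length/bytes entries), classifies each `host_name` as a DNS name, an IP literal (the case a client produces when it just stringifies the proxy's address) or malformed, and always returns the registrar's own certificate regardless, keeping only an audit note of what arrived. The function and value names (`registrar_sni_decision`, the `"registrar-cert"` placeholder) and the sample extension bytes are constructed for the example.

```python
# Added example for this thread, not code from the ANIMA WG, RFC 8995 or any
# registrar. Parses the RFC 6066 server_name extension body and applies the
# policy the reply argues for: serve the registrar's own certificate whatever
# SNI (if any) arrives, but record IP-literal and malformed SNI for operators.
import ipaddress
import struct

HOST_NAME = 0  # RFC 6066 NameType host_name(0)


def build_server_name_extension(host: str) -> bytes:
    """Encode one host_name ServerName entry (constructed test input)."""
    raw = host.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME, len(raw)) + raw
    return struct.pack("!H", len(entry)) + entry


def parse_server_name_extension(data: bytes) -> list:
    """Decode ServerNameList -> [(name_type, raw_name_bytes), ...].

    Raises ValueError on any length inconsistency so a truncated or padded
    extension never silently yields a partial name.
    """
    if len(data) < 2:
        raise ValueError("extension_data shorter than ServerNameList length")
    (list_len,) = struct.unpack("!H", data[:2])
    if list_len != len(data) - 2:
        raise ValueError("ServerNameList length does not match extension_data")
    names, pos, end = [], 2, 2 + list_len
    while pos < end:
        if end - pos < 3:
            raise ValueError("truncated ServerName header")
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if pos + name_len > end:
            raise ValueError("ServerName body runs past ServerNameList")
        names.append((name_type, data[pos:pos + name_len]))
        pos += name_len
    return names


def classify_host_name(raw: bytes) -> str:
    """Return 'empty', 'ip-literal', 'hostname' or 'invalid'.

    RFC 6066 forbids IP literals and empty names in HostName; a client that
    stringifies an IP address anyway produces the 'ip-literal' case.
    """
    if not raw:
        return "empty"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "invalid"
    # Some stacks bracket IPv6 literals; strip brackets before the IP test.
    candidate = text[1:-1] if text.startswith("[") and text.endswith("]") else text
    try:
        ipaddress.ip_address(candidate)
        return "ip-literal"
    except ValueError:
        pass
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-")
    labels = text.lower().split(".")
    if any(not lbl or len(lbl) > 63 or set(lbl) - allowed for lbl in labels):
        return "invalid"
    return "hostname"


def registrar_sni_decision(extension_data, registrar_cert: str = "registrar-cert"):
    """Defensive registrar policy: never select a certificate or route on SNI.

    Returns (certificate_to_serve, audit_note). The certificate is always the
    registrar's own (a placeholder string here); the note records what the
    pledge, via the proxy, actually sent.
    """
    if extension_data is None:
        return registrar_cert, "no SNI"
    try:
        names = parse_server_name_extension(extension_data)
    except ValueError as exc:
        return registrar_cert, f"malformed SNI ignored: {exc}"
    notes = []
    for name_type, raw in names:
        if name_type != HOST_NAME:
            notes.append(f"unknown NameType {name_type} ignored")
            continue
        notes.append(f"host_name {raw!r} ({classify_host_name(raw)}) ignored")
    return registrar_cert, "; ".join(notes) or "empty ServerNameList"
```

On the open question of what client libraries do: at least CPython's `ssl` module stopped sending SNI when `server_hostname` is an IP address in Python 3.7, but other stacks differ, which is exactly why the registrar side should not depend on the value either way.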