[Anima] Registrar to MASA connections: SNI required

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 06 July 2021 17:15 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
In-Reply-To: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl>
Date: Tue, 06 Jul 2021 13:15:12 -0400
Message-ID: <659.1625591712@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/bqrZXAk7vstWQ3V1-irIATnBKpY>
Subject: [Anima] Registrar to MASA connections: SNI required

In section 5.1 of RFC8995, we say:

>   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
>   REQUIRED on the Pledge side.  TLS 1.3 (or newer) SHOULD be available
>   on the Registrar server interface, and the Registrar client
>   interface, but TLS 1.2 MAY be used.  TLS 1.3 (or newer) SHOULD be
>   available on the MASA server interface, but TLS 1.2 MAY be used.

and in section 5.4:

>   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
>   REQUIRED.  TLS 1.3 (or newer) SHOULD be available.

In TLS 1.3, the "SNI" is mandatory.
In TLS 1.2, SNI is defined at: https://datatracker.ietf.org/doc/html/rfc6066#section-3
and it's not mandatory, but it's highly recommended, and all browsers
implement it today, and so one can depend upon it being present at the server
side.

Without SNI, each HTTPS tenant needs its own IP address.
In IPv6, this isn't a big deal.  In IPv4, it is.
TLS has been a justification to ask for multiple IPv4 in the past, but this
is not flying as often anymore.

I guess that I regret we did not write:

>   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer (with RFC6066
>   SNI support) is REQUIRED.  TLS 1.3 (or newer) SHOULD be available.

I don't know if it is worth an erratum.


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
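As an added illustration (example code, not from the post or from RFC 8995), the Python below builds a minimal ClientHello with or without the RFC 6066 server_name extension and extracts the host name from one. An operator can run `extract_sni` over ClientHellos captured on the MASA side to verify that a registrar actually sends SNI, which matters for TLS 1.2 where the extension is optional; the record layout is the same for TLS 1.2 and TLS 1.3 ClientHellos. All sample values (random bytes, cipher suite, host name) are constructed.

```python
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type, RFC 6066 section 3

def build_client_hello(server_name=None):
    """Constructed minimal ClientHello record; legacy_version 0x0303 as in both TLS 1.2 and 1.3."""
    body = b"\x03\x03" + b"\x11" * 32           # version, constructed 'random'
    body += b"\x00"                              # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite, TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                          # compression_methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry        # ServerNameList
        extensions = struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name in the ClientHello's SNI extension, or None if it is absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos + 2 > len(record):
        return None                                       # no extensions block at all (TLS 1.2 allows this)
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", record, pos)
        pos += 4
        data = record[pos:pos + length]
        pos += length
        if ext_type != SNI_EXT_TYPE:
            continue
        list_end = 2 + struct.unpack_from("!H", data, 0)[0]
        off = 2
        while off + 3 <= list_end:
            name_type, name_len = struct.unpack_from("!BH", data, off)
            off += 3
            if name_type == 0:                            # host_name
                return data[off:off + name_len].decode("ascii")
            off += name_len
    return None
```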