Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
Toerless Eckert <tte@cs.fau.de> Tue, 13 February 2024 02:05 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4741C14F681 for <anima@ietfa.amsl.com>; Mon, 12 Feb 2024 18:05:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.657
X-Spam-Level:
X-Spam-Status: No, score=-6.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X4g0M8pSeQLc for <anima@ietfa.amsl.com>; Mon, 12 Feb 2024 18:04:59 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5315C15154D for <anima@ietf.org>; Mon, 12 Feb 2024 18:04:58 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TYl5L0ZnmznkTj; Tue, 13 Feb 2024 03:04:54 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TYl5K6rkqzkmpq; Tue, 13 Feb 2024 03:04:53 +0100 (CET)
Date: Tue, 13 Feb 2024 03:04:53 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org, Brian E Carpenter <brian.e.carpenter@gmail.com>, rwilton@cisco.com
Message-ID: <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl> <659.1625591712@localhost> <7c9a712a-119c-33e1-9031-b464e122881e@gmail.com> <ZbnIkYrDC7-3SwkB@faui48e.informatik.uni-erlangen.de> <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <15885.1707746510@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/kickcrc1de9PB2-cJuhqMMs3vP4>
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 02:05:04 -0000
On Mon, Feb 12, 2024 at 09:01:50AM -0500, Michael Richardson wrote: > > Toerless Eckert <tte@cs.fau.de> wrote: > > agile. But SNI is one such example, where the pledge does need to > > signal the right info (SNI) to enable "cheaper" cloud registrars, aka: > > those not owning a separate IPv4 address. See e.g.: AWS cost for IPv4 > > address. > > Right, but it's self-righting. > A manufacturer that uses an SNI-only cloud registrar and does not do SNI will > fail immediately: they won't get out of the lab. And the manufacturer > controls both initial sides of this. Just to double check: in this thread we're only talking registrar to MASA (no pledges). Then the biggest risk is when there are a lot of Registrar instances out in the field and the company wants to make the MASA service cheaper by putting it into some cloud service data center from a third party, and only then wake up and see that that cloud data center (opposed to the vendors original own data center) does require SNI. So now, the vendor needs to update all Registrars in the field. Aka: IMHO serious enough that it justifies the one sentence we can write upfront to avoid this. > Where we could go into trouble is when there are 307 redirects. Explain ? Or separate thread ? > > > Lets just agree on the final text for this errata so Rob can close the > > book on it. > > Pledges MUST include SNI for 1.2 and 1.3. Right. Except for language maybe using the "server-name" terminology as the TLS 1.3 RFC. > (Registrar's with provisional-TLS connections MUST ignore the SNI: they can > not be virtual-hosted) > > If you didn't like my errata text, then let's come back to that. > (I wish errata was on gitlab) > > https://www.rfc-editor.org/errata/eid6642 > > says: > Held for Document Update by: Rob Wilton > Date Held: 2024-01-15 > > so we get another chance to fix the text when we do a document update. > Does the text that is there upset you? Yes, to repeat what i said in the first email of this thread: 1. the way you wrote it, you replace the whole two sentences, aka: you remove: Use of TLS 1.3 (or newer) is encouraged. TLS 1.2 or newer is REQUIRED. TLS 1.3 (or newer) SHOULD be available. I am sure you wanted your text to be ADDED after those two sentences. 2. "TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if TLS 1.3 is not available." This does not say that Registrars must send SNI/"server-name". It just means the TLS stack on registrars/MASA needs to be able to support SNI. And i am a fourth degree burn victim of text like this. Many customers who could not deploy multicast appropritely because they believed vendor text "device supports IGMPv3" was sufficient, when instead what was required was: "(IPTV) application MUST use SSM signalling via IGMPv3". (see also the TLS 1.3 text related to this "server-name" support vs. application support). Aka: Append to the section 5.4 text from above the following: When the MASA is known to the registrar by its domain name, the registrar MUST send the domain name of the MASA in the TLS "Server Name Indicator" (SNI) option (also called "server-name") [RFC6066] whether TLS 1.2 [RFC5246] or TLS 1.3 [RFC8446] is used. SNI is required when the Registrar communicates with the MASA in order for the MASA to be hosted in a modern multi-tenant TLS infrastructure where it shares its IP/IPv6 address with other HTTPS services. Cheers Toerless > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > -- --- tte@cs.fau.de
- [Anima] Registrar to MASA connections: SNI requir… Michael Richardson
- Re: [Anima] Registrar to MASA connections: SNI re… Brian E Carpenter
- [Anima] Errata 6642: Re: Registrar to MASA connec… Toerless Eckert
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Rob Wilton (rwilton)
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Toerless Eckert
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Toerless Eckert
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Toerless Eckert
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Esko Dijk
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Toerless Eckert
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Esko Dijk
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Toerless Eckert
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Esko Dijk
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- Re: [Anima] Errata 6642: Re: Registrar to MASA co… Michael Richardson
- [Anima] Rob: Re: Errata 6642: Re: Registrar to MA… Toerless Eckert
- [Anima] Rob: Reminder: Re: Errata 6642: Re: Regis… Toerless Eckert