Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required

Toerless Eckert <tte@cs.fau.de> Tue, 13 February 2024 02:05 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4741C14F681 for <anima@ietfa.amsl.com>; Mon, 12 Feb 2024 18:05:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.657
X-Spam-Level:
X-Spam-Status: No, score=-6.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X4g0M8pSeQLc for <anima@ietfa.amsl.com>; Mon, 12 Feb 2024 18:04:59 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5315C15154D for <anima@ietf.org>; Mon, 12 Feb 2024 18:04:58 -0800 (PST)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [131.188.34.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 4TYl5L0ZnmznkTj; Tue, 13 Feb 2024 03:04:54 +0100 (CET)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 4TYl5K6rkqzkmpq; Tue, 13 Feb 2024 03:04:53 +0100 (CET)
Date: Tue, 13 Feb 2024 03:04:53 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org, Brian E Carpenter <brian.e.carpenter@gmail.com>, rwilton@cisco.com
Message-ID: <ZcrORdk0_4sCY87J@faui48e.informatik.uni-erlangen.de>
References: <611fd78bc7b4fced22ddc8689b96f345@bbhmail.nl> <659.1625591712@localhost> <7c9a712a-119c-33e1-9031-b464e122881e@gmail.com> <ZbnIkYrDC7-3SwkB@faui48e.informatik.uni-erlangen.de> <22766.1706710713@obiwan.sandelman.ca> <ZbxbDS8vRJpNvpxJ@faui48e.informatik.uni-erlangen.de> <5675.1706881746@obiwan.sandelman.ca> <ZcJqAbO4H7mqmlT5@faui48e.informatik.uni-erlangen.de> <15885.1707746510@obiwan.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <15885.1707746510@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/kickcrc1de9PB2-cJuhqMMs3vP4>
Subject: Re: [Anima] Errata 6642: Re: Registrar to MASA connections: SNI required
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 02:05:04 -0000

On Mon, Feb 12, 2024 at 09:01:50AM -0500, Michael Richardson wrote:
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>     > agile. But SNI is one such example, where the pledge does need to
>     > signal the right info (SNI) to enable "cheaper" cloud registrars, aka:
>     > those not owning a separate IPv4 address. See e.g.: AWS cost for IPv4
>     > address.
> 
> Right, but it's self-righting.
> A manufacturer that uses an SNI-only cloud registrar and does not do SNI will
> fail immediately: they won't get out of the lab.  And the manufacturer
> controls both initial sides of this.

Just to double check: in this thread we're only talking registrar to MASA (no pledges).

Then the biggest risk is when there are a lot of Registrar instances out in the
field and the company wants to make the MASA service cheaper by putting it into
some cloud service data center from a third party, and only then wake up and see
that that cloud data center (opposed to the vendors original own data center) does
require SNI. So now, the vendor needs to update all Registrars in the field.

Aka: IMHO serious enough that it justifies the one sentence we can write upfront to
avoid this.

> Where we could go into trouble is when there are 307 redirects.

Explain ? Or separate thread ?
> 
>     > Lets just agree on the final text for this errata so Rob can close the
>     > book on it.
> 
> Pledges MUST include SNI for 1.2 and 1.3.

Right. Except for language maybe using the "server-name" terminology as the TLS 1.3 RFC.

> (Registrar's with provisional-TLS connections MUST ignore the SNI: they can
> not be virtual-hosted)
> 
> If you didn't like my errata text, then let's come back to that.
> (I wish errata was on gitlab)
> 
> https://www.rfc-editor.org/errata/eid6642
> 
> says:
> Held for Document Update by: Rob Wilton
> Date Held: 2024-01-15
> 
> so we get another chance to fix the text when we do a document update.
> Does the text that is there upset you?

Yes, to repeat what i said in the first email of this thread:

1. the way you wrote it, you replace the whole two sentences, aka: you remove:

   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is 
   REQUIRED.  TLS 1.3 (or newer) SHOULD be available.

   I am sure you wanted your text to be ADDED after those two sentences.

2. "TLS 1.2 [RFC5246] with SNI support [RFC6066] is REQUIRED if 
   TLS 1.3 is not available."

   This does not say that Registrars must send SNI/"server-name". It
   just means the TLS stack on registrars/MASA needs to be able to support
   SNI. And i am a fourth degree burn victim of text like this.  Many
   customers who could not deploy multicast appropritely because
   they believed vendor text "device supports IGMPv3" was sufficient, when instead
   what was required was: "(IPTV) application MUST use SSM signalling via IGMPv3".
   (see also the TLS 1.3 text related to this "server-name" support vs. application
   support).

   Aka: 

   Append to the section 5.4 text from above the following:

   When the MASA is known to the registrar by its domain name,
   the registrar MUST send the domain name of the MASA in the
   TLS "Server Name Indicator" (SNI) option (also called "server-name")
   [RFC6066] whether TLS 1.2 [RFC5246] or TLS 1.3 [RFC8446] is used.

   SNI is required when the Registrar communicates with the MASA in
   order for the MASA to be hosted in a modern multi-tenant TLS infrastructure where
   it shares its IP/IPv6 address with other HTTPS services.

Cheers
    Toerless

> -- 
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 



-- 
---
tte@cs.fau.de