IETF Logo Mail Archive

Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Ben Niven-Jenkins <ben@niven-jenkins.co.uk> Tue, 27 October 2015 13:14 UTC

Return-Path: <ben@niven-jenkins.co.uk>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89FB91A88E6 for <cdni@ietfa.amsl.com>; Tue, 27 Oct 2015 06:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScUgoxmiSrBI for <cdni@ietfa.amsl.com>; Tue, 27 Oct 2015 06:14:27 -0700 (PDT)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.145]) by ietfa.amsl.com (Postfix) with ESMTP id 47FD81A88F3 for <cdni@ietf.org>; Tue, 27 Oct 2015 06:14:26 -0700 (PDT)
Received: from host4.velocix.com ([81.134.152.4] helo=bnjenkins-mbp.corp.velocix.com) by smtp04.mailcore.me with esmtpa (Exim 4.80.1) (envelope-from <ben@niven-jenkins.co.uk>) id 1Zr452-0003pT-Mh; Tue, 27 Oct 2015 13:14:25 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail=_C19417AA-46B0-4079-A5BF-157FF1BB79A1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
In-Reply-To: <EAE2DE25-7D4B-4495-A360-9B2CEEE92B04@niven-jenkins.co.uk>
Date: Tue, 27 Oct 2015 13:14:19 +0000
Message-Id: <B76799A9-6DB0-4FD7-A422-43174B0D095F@niven-jenkins.co.uk>
References: <73F3A4F6-FC5D-4BC8-BEEC-82F27BA3641F@tno.nl> <102272CE-9EF0-4959-B9E2-8A2F10147BF7@cisco.com> <853CC284-D147-4A1F-8C47-213775F47768@cisco.com> <D24513A6.162A5C%jon.peterson@neustar.biz> <437C224B-1C0E-4705-8D52-98E139DDD75E@niven-jenkins.co.uk> <D246687E.164DFF%jon.peterson@neustar.biz> <CF0138DC-609E-4A1D-993A-5CC022450CE2@niven-jenkins.co.uk> <D2468554.16520D%jon.peterson@neustar.biz> <46A08C98-7B12-4F98-8826-8E9FE904B83C@niven-jenkins.co.uk> <D247D7A3.168019%jon.peterson@neustar.biz> <EAE2DE25-7D4B-4495-A360-9B2CEEE92B04@niven-jenkins.co.uk>
To: "Peterson, Jon" <jon.peterson@neustar.biz>
X-Mailer: Apple Mail (2.2098)
X-Mailcore-Auth: 9600544
X-Mailcore-Domain: 172912
Archived-At: <http://mailarchive.ietf.org/arch/msg/cdni/4YJrlmn3a6iuUhrgq6fcglmgijw>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2015 13:14:30 -0000

Hi Jon,

Would the following text address your comments, feel free to wordsmith it to your liking.

===
The redirection interface defined in this document enables a uCDN to return a DNS response on behalf of a dCDN. If DNSSEC is deployed User Agents can authenticate the DNS responses they receive, enabling them to distinguish between genuine responses (redirections) and malicious responses (redirections). Without DNSSEC a User Agent is unable to detect a malicious DNS redirect.  HTTPS redirection provides an additional layer of authentication via TLS because in order for the TLS handshake to complete, the server the User Agent connects to must authenticate itself to the User Agent.
===

Thanks
Ben





> On 22 Oct 2015, at 08:56, Ben Niven-Jenkins <ben@niven-jenkins.co.uk> wrote:
> 
>>> The Redirection Interface defined in this document might be used to redirect a request where the User Agent will subsequently attempt to establish a TLS session with the Redirection Target. In such a case, any surrogate or request router to which the User Agent is redirected needs to be able to successfully complete the TLS handshake and to perform encryption of the TLS channel.
>>> 
>>> The private key for the host in the RT is needed in order to successfully establish a TLS session. The most widespread mechanism currently used by (non-interconnected) CDNs is for the owner of the host in the RT sharing their private key with their CDN(s) of choice. In cases where the owner of the host is not willing to share their private key, other mechanisms that allow the owner to not share their private key are used, for example Keyless SSL [REF].
>>> 
>>> CDNI by definition implies that a Content Provider’s content will be delivered by CDNs other than the CDN with which the Content Provider has a direct business relationship. Therefore, while CDNI does not introduce any new technical requirements on dCDNs when establishing TLS sessions, Content Providers may be less willing to have their private key shared with dCDNs than they are with their chosen CDN(s) in a non-interconnected scenario.
>>> 
>>> Mechanisms to distribute the required information and/or configuration to surrogates and request routers in dCDNs to enable a dCDN to successfully complete TLS handshakes and to perform encryption of the TLS channel for a particular host, such as private keys or the URI/IP address of a key server, are outside the scope of this document.
>>> 
>>> [REF] https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/ <https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/>

v2.23.0 | Report a Bug | By Email