Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Mike Bishop <Michael.Bishop@microsoft.com> Thu, 04 May 2017 00:14 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Patrick McManus <mcmanus@ducksong.com>, Patrick McManus <mcmanus@ducksong.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
Thread-Topic: Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
Date: Thu, 04 May 2017 00:14:44 +0000
Message-ID: <BN6PR03MB27085632B5CBA7324894699487EA0@BN6PR03MB2708.namprd03.prod.outlook.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAOdDvNoNPXNXzpVcX7TZX=Z++kWMBhG_+uDH3Vk1Jp8+adcHLQ@mail.gmail.com> <CAOdDvNruCCyB2rsF9VgaVEOjQGD82wA0AiLAghiGjDM0SpBFPQ@mail.gmail.com> <87lgqdr0fr.fsf@fifthhorseman.net>
In-Reply-To: <87lgqdr0fr.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Q8slL_hfSrXSu3Py-O9ol7Fr1Vk>

It's ALPN.  At first blush, I would pick a different ALPN token for h2+DNS and define it as a new, derivative protocol.

-----Original Message-----
From: Daniel Kahn Gillmor [mailto:dkg@fifthhorseman.net] 
Sent: Wednesday, May 3, 2017 4:22 PM
To: Patrick McManus <mcmanus@ducksong.com>; Patrick McManus <mcmanus@ducksong.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>; DNS Privacy Working Group <dns-privacy@ietf.org>
Subject: Re: Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

On Wed 2017-05-03 15:13:43 -0400, Patrick McManus wrote:
> I forgot to mention another potential challenge with the demux 
> approach -
> h2 is not client send first.. typically both sides send SETTINGS 
> simultaneously.. and it's important to the server not to hold those
> back .5RTT as it can contain a bunch of configuration information 
> (buffer sizing, levels of parallelism, extension negotiation, etc..) 
> that it wants the client to start honoring asap. (Whether this is 
> actually simultaneous boils down to which flavor of tls handshake is 
> done.)

Ah!  Thanks for this heads-up.  That's definitely an interesting wrinkle.  How does this interact with HTTP/1 clients connecting to the service?  Or is it only possible to do this because of the negotiated ALPN?

If so, perhaps the demuxing needs to be done only when not sending an ALPN of "h2", and the draft can drop the HTTP/2 section.  What do you think?

     --dkg
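One way to implement the ALPN-first dispatch discussed in this thread, with a first-bytes fallback only for connections that negotiated no ALPN token, as added example code written for this archive page rather than taken from the draft or from any of the posters. The "dns" ALPN token, the handler names and the DNS-header heuristic (RFC 7858 two-byte length prefix, QR=0, opcode QUERY, one question) are assumptions of this example, not rules from the draft.

```python
import struct
from typing import Optional

# Handler names keyed by ALPN token. "dns" is a constructed placeholder token;
# no standard ALPN identifier for DNS-over-TLS is assumed here.
ALPN_ROUTES = {"h2": "h2", "http/1.1": "http1", "dns": "dns"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def looks_like_dns_query(first_bytes: bytes) -> bool:
    """Heuristic for DNS-over-TLS framing (RFC 7858): a 2-byte length prefix
    followed by a 12-byte DNS header with QR=0 (query), opcode QUERY and
    exactly one question. Undecidable until 14 bytes have arrived."""
    if len(first_bytes) < 14:
        return False
    (length,) = struct.unpack("!H", first_bytes[:2])
    if length < 12:
        return False
    _id, flags, qdcount, ancount, nscount, _ar = struct.unpack("!HHHHHH", first_bytes[2:14])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    return qr == 0 and opcode == 0 and qdcount == 1 and ancount == 0 and nscount == 0


def route(alpn: Optional[str], first_bytes: bytes) -> str:
    """Pick the handler for a freshly accepted TLS connection.

    ALPN decides whenever a known token was negotiated: with h2 the server
    must send its SETTINGS frame at once instead of waiting to peek at client
    bytes, so content-based demuxing is attempted only when no ALPN token
    was negotiated. Returns "unknown" when nothing matches (caller closes)."""
    if alpn in ALPN_ROUTES:
        return ALPN_ROUTES[alpn]
    if first_bytes.startswith(HTTP_METHODS):
        return "http1"
    if looks_like_dns_query(first_bytes):
        return "dns"
    return "unknown"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a TLS-framed standard query for `name` (RD set)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    print(route("h2", b""), route(None, b"GET / HTTP/1.1\r\n"), route(None, build_dns_query("example.com")))
```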