Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 04 May 2017 10:16 UTC

Date: Thu, 04 May 2017 13:16:04 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20170504101604.GA31988@LK-Perkele-V2.elisa-laajakaista.fi>
References: <87tw51remp.fsf@fifthhorseman.net> <CAAF6GDcn0Jn3jCeOBts5t53WnY8TA1wz=QXRMJugV0AQr75q5w@mail.gmail.com> <87inlhqz4n.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <87inlhqz4n.fsf@fifthhorseman.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Vka0WVxKxTKRApapSGE4ac8dLck>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

On Wed, May 03, 2017 at 07:50:00PM -0400, Daniel Kahn Gillmor wrote:

> > Sometimes the backends behind these proxies have to accept traffic directly
> > too, and they fingerprint the first few bytes to determine whether it's a
> > direct HTTP connection, or a proxied request. I haven't thought through it,
> > but it might get a little complicated doing two levels of demuxing, and it
> > might not even be possible in some cases.
> 
> Thanks for the pointers to these protocols!  It's good to know that
> people are already doing this sort of demuxing on the fly in some cases,
> and that they haven't broken HTTP for everyone else yet :)
> 
> One approach for the current draft would be to explicitly call these
> protocols out as things that are incompatible with the proposed form of
> demuxing.  I'd be happy to add a generic "do not mix this mechanism with
> other similar mechanisms" section.  I've just opened
> https://gitlab.com/dkg/hddemux/issues/2 to make sure that doesn't get
> lost.

Note that in the case of PROXY, you shouldn't try to discriminate it from
DNS. Read the PROXY header if the source is configured to have one, and then
tell apart HTTP and DNS if appropriate.

Other reverse proxying schemes that actually play with HTTP headers are
incompatible with demuxing HTTP and DNS this way, since those assume that
all traffic is HTTP.


-Ilari
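An added illustration of the ordering Ilari describes (this is not code from the thread, from draft-dkg-dprive-demux-dns-http, or from the hddemux project): a front end that consumes the PROXY protocol v1 header only for sources configured to send one, and only afterwards decides whether the remaining bytes look like HTTP or DNS-over-TCP. The configured PROXY source list, the HTTP-vs-DNS heuristic (first-bytes check for an HTTP/1.x method token or the HTTP/2 preface, otherwise a plausibility check on the RFC 1035 TCP length prefix and DNS header) and the sample connections are all my own constructed assumptions, not the draft's exact discriminator.

```python
"""Added example: PROXY-v1 handling keyed on source, then HTTP/DNS demux.
Not code from the dns-privacy thread, the draft, or hddemux."""
import ipaddress
import re
import struct

# Assumption (constructed config): only these networks front us with PROXY v1.
PROXY_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# HTTP/1.x request lines start with a method token; HTTP/2 starts with its preface.
HTTP1_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                 b"OPTIONS ", b"PATCH ", b"TRACE ", b"CONNECT ")
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# PROXY v1 header: "PROXY TCP4|TCP6|UNKNOWN [src dst sport dport]\r\n", CRLF within 107 bytes.
PROXY_V1_RE = re.compile(rb"PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n")
PROXY_V1_MAX = 107


def source_sends_proxy(source_ip):
    """True if the peer address is one we configured to prepend a PROXY header."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in PROXY_SOURCES)


def strip_proxy_header(data, source_ip):
    """Consume the PROXY header if, and only if, this source is configured for it.
    Returns (proxy_info, remaining); proxy_info is None for direct sources and
    remaining is None when a required header is missing or malformed."""
    if not source_sends_proxy(source_ip):
        return None, data                      # direct peer: never look for PROXY
    m = PROXY_V1_RE.match(data)
    if m is None or m.end() > PROXY_V1_MAX:
        return None, None                      # configured peer but no valid header
    proto, src, dst, sport, dport = m.groups()
    if proto != b"UNKNOWN" and src is None:
        return None, None                      # TCP4/TCP6 must carry addresses
    info = {"proto": proto.decode()}
    if proto != b"UNKNOWN":
        info.update(src=src.decode(), dst=dst.decode(), sport=int(sport), dport=int(dport))
    return info, data[m.end():]


def classify(payload):
    """Heuristic HTTP-vs-DNS decision on the first bytes (my assumption, not the
    draft's rule). DNS over TCP = 2-byte length + 12-byte header; a query has
    QR=0, a defined opcode and normally QDCOUNT=1."""
    if len(payload) < 14:
        return "need-more"
    if payload.startswith(b"PRI * HTTP/2.0") or payload.startswith(HTTP1_METHODS):
        return "http"
    length, _qid, flags, qdcount = struct.unpack("!HHHH", payload[:8])
    qr = flags >> 15
    opcode = (flags >> 11) & 0xF
    if length >= 12 and qr == 0 and opcode in (0, 1, 2, 4, 5) and qdcount == 1:
        return "dns"
    return "unknown"


def demux(data, source_ip):
    """Decision for one new connection: PROXY handling first, protocol second."""
    proxy, payload = strip_proxy_header(data, source_ip)
    if payload is None:
        return {"verdict": "malformed-proxy", "proxy": None}
    return {"verdict": classify(payload), "proxy": proxy}


def build_dns_query(name, qid=0x1234):
    """Constructed sample: a TCP-framed A query for `name` (RD set, QDCOUNT=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg


# Constructed sample connections: (description, first bytes, peer IP).
SAMPLES = [
    ("proxied HTTP/1.1", b"PROXY TCP4 192.0.2.10 198.51.100.1 51234 443\r\n"
                         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", "10.1.2.3"),
    ("proxied DNS", b"PROXY TCP6 2001:db8::1 2001:db8::2 4000 853\r\n"
                    + build_dns_query("example.com"), "10.1.2.3"),
    ("direct DNS", build_dns_query("example.net"), "203.0.113.5"),
    ("direct HTTP/2", HTTP2_PREFACE, "203.0.113.5"),
    ("configured source, header missing", b"GET / HTTP/1.1\r\n\r\n", "10.9.9.9"),
    ("unconfigured source sends PROXY",
     b"PROXY TCP4 192.0.2.10 198.51.100.1 1 2\r\nGET / HTTP/1.1\r\n", "203.0.113.9"),
]

if __name__ == "__main__":
    for desc, data, ip in SAMPLES:
        print(f"{desc:36} -> {demux(data, ip)}")
```

The PROXY step is keyed on the configured source, never on sniffing the bytes: a peer that is configured for PROXY but sends none is closed as malformed, and a peer that is not configured for it but sends a PROXY line is neither HTTP nor DNS and falls through to "unknown", so the header is never mistaken for application traffic. Only the bytes left after that step reach the HTTP/DNS decision, which is the separation the message recommends.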