Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 May 2017 23:50 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77379128959 for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 16:50:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jTXQbXHNOxv for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 16:50:07 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 47286127A91 for <dns-privacy@ietf.org>; Wed, 3 May 2017 16:50:07 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id A7156F98C; Wed, 3 May 2017 19:50:07 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 533D020C10; Wed, 3 May 2017 19:50:03 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CAAF6GDcn0Jn3jCeOBts5t53WnY8TA1wz=QXRMJugV0AQr75q5w@mail.gmail.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAAF6GDcn0Jn3jCeOBts5t53WnY8TA1wz=QXRMJugV0AQr75q5w@mail.gmail.com>
Date: Wed, 03 May 2017 19:50:00 -0400
Message-ID: <87inlhqz4n.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XUF7awqGTFaMlX7d3QM9ZB55P9Y>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 23:50:09 -0000
Hi Colm-- On Wed 2017-05-03 12:26:40 -0700, Colm MacCárthaigh wrote: > Cool idea. One concern might be compatibility with other similar > mechanisms. For example, there are protocols such as Netscaler Client IP: > > https://www.citrix.com/blogs/2016/04/25/how-to-enable-client-ip-in-tcpip-option-of-netscaler/ > > or HAProxy's Proxy Protocol: > > https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt > > Where proxies may insert their own pre-amble on the connection, to pass on > something like an L4 X-Forwarded-For. > > Sometimes the backends behind these proxies have to accept traffic directly > too, and they fingerprint the first few bytes to determine whether it's a > direct HTTP connection, or a proxied request. I haven't thought through it, > but it might get a little complicated doing two levels of demuxing, and it > might not even be possible in some cases. Thanks for the pointers to these protocols! It's good to know that people are already doing this sort of demuxing on the fly in some cases, and that they haven't broken HTTP for everyone else yet :) One approach for the current draft would be to explicitly call these protocols out as things that are incompatible with he proposed form of demuxing. I'd be happy to add a generic "do not mix this mechanism with other similar mechanisms" section. I've just opened https://gitlab.com/dkg/hddemux/issues/2 to make sure that doesn't get lost. FWIW, it actually looks like both versions of haproxy's Proxy Protocol can be distinguished from DNS just by looking at the same octet ranges. For the human-readable protocol, its first many octets (more than 14 of them) are all within the 0x0A and 0x7F range. for the binary protocol, its initial static 12-octet preamble puts a 0xD nybble directly in the DNS header's RCODE field, which should be 0x0 in a DNS stream assuming the initial client message must be a Query and not a Response. But i don't plan to turn this draft into a generic how-to-demux-anything-with-anything draft, so i don't think i'll write that up more formally ;) So i think the result is to say that if a server is already demuxing an inbound stream based on the same octets, they might not want to adopt this. Do you have any qualms with making this particular concern something that is out-of-scope for the draft? Regards, --dkg
- [dns-privacy] Demultiplexing HTTP and DNS on the … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Joe Touch
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Colm MacCárthaigh
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Roy T. Fielding
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mike Bishop
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Martin Thomson
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Martin Thomson
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Martin Thomson
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mike Bishop
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Stefan Eissing
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Ilari Liusvaara
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mike Bishop
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Alex Rousskov
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mark Nottingham
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Ilari Liusvaara
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mark Nottingham
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor