IETF Logo Mail Archive

Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 03 May 2017 23:50 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77379128959 for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 16:50:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jTXQbXHNOxv for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 16:50:07 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 47286127A91 for <dns-privacy@ietf.org>; Wed, 3 May 2017 16:50:07 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id A7156F98C; Wed, 3 May 2017 19:50:07 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 533D020C10; Wed, 3 May 2017 19:50:03 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CAAF6GDcn0Jn3jCeOBts5t53WnY8TA1wz=QXRMJugV0AQr75q5w@mail.gmail.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAAF6GDcn0Jn3jCeOBts5t53WnY8TA1wz=QXRMJugV0AQr75q5w@mail.gmail.com>
Date: Wed, 03 May 2017 19:50:00 -0400
Message-ID: <87inlhqz4n.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/XUF7awqGTFaMlX7d3QM9ZB55P9Y>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 23:50:09 -0000

Hi Colm--

On Wed 2017-05-03 12:26:40 -0700, Colm MacCárthaigh wrote:
> Cool idea. One concern might be compatibility with other similar
> mechanisms. For example, there are protocols such as Netscaler Client IP:
>
> https://www.citrix.com/blogs/2016/04/25/how-to-enable-client-ip-in-tcpip-option-of-netscaler/
>
> or HAProxy's Proxy Protocol:
>
> https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
>
> Where proxies may insert their own pre-amble on the connection, to pass on
> something like an L4 X-Forwarded-For.
>
> Sometimes the backends behind these proxies have to accept traffic directly
> too, and they fingerprint the first few bytes to determine whether it's a
> direct HTTP connection, or a proxied request. I haven't thought through it,
> but it might get a little complicated doing two levels of demuxing, and it
> might not even be possible in some cases.

Thanks for the pointers to these protocols!  It's good to know that
people are already doing this sort of demuxing on the fly in some cases,
and that they haven't broken HTTP for everyone else yet :)

One approach for the current draft would be to explicitly call these
protocols out as things that are incompatible with he proposed form of
demuxing.  I'd be happy to add a generic "do not mix this mechanism with
other similar mechanisms" section.  I've just opened
https://gitlab.com/dkg/hddemux/issues/2 to make sure that doesn't get
lost.

FWIW, it actually looks like both versions of haproxy's Proxy Protocol
can be distinguished from DNS just by looking at the same octet ranges.
For the human-readable protocol, its first many octets (more than 14 of
them) are all within the 0x0A and 0x7F range.  for the binary protocol,
its initial static 12-octet preamble puts a 0xD nybble directly in the
DNS header's RCODE field, which should be 0x0 in a DNS stream assuming
the initial client message must be a Query and not a Response.

But i don't plan to turn this draft into a generic
how-to-demux-anything-with-anything draft, so i don't think i'll write
that up more formally ;)

So i think the result is to say that if a server is already demuxing an
inbound stream based on the same octets, they might not want to adopt
this.  Do you have any qualms with making this particular concern
something that is out-of-scope for the draft?

Regards,

        --dkg

v2.23.0 | Report a Bug | By Email