Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 04 May 2017 01:07 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AFCF129479 for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 18:07:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1L3Q5eqip3-q for <dns-privacy@ietfa.amsl.com>; Wed, 3 May 2017 18:07:00 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id 7471D12947A for <dns-privacy@ietf.org>; Wed, 3 May 2017 18:06:58 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id B32A2F997; Wed, 3 May 2017 21:06:58 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id C464E20C10; Wed, 3 May 2017 20:38:24 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Alex Rousskov <rousskov@measurement-factory.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <2564afa5-1a0d-c3e0-e620-37d67482ce28@measurement-factory.com>
References: <87tw51remp.fsf@fifthhorseman.net> <CAOdDvNoNPXNXzpVcX7TZX=Z++kWMBhG_+uDH3Vk1Jp8+adcHLQ@mail.gmail.com> <87o9v9r0mh.fsf@fifthhorseman.net> <2564afa5-1a0d-c3e0-e620-37d67482ce28@measurement-factory.com>
Date: Wed, 03 May 2017 20:38:21 -0400
Message-ID: <87fuglqww2.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/qIkAh4CwQE7UFANmjFi8EgaZmq8>
Subject: Re: [dns-privacy] Demultiplexing HTTP and DNS on the same listener [New Version Notification for draft-dkg-dprive-demux-dns-http-02]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 01:07:01 -0000
Hi Alex-- On Wed 2017-05-03 17:34:47 -0600, Alex Rousskov wrote: > On 05/03/2017 05:17 PM, Daniel Kahn Gillmor wrote: >> The idea of the demuxing stage is that a server that opts into this would >> put the demuxing *before* the HTTP/1 server implementation gets access >> to the data. > > Think of the HTTP proxies, not just origin servers. Using an HTTP proxy > is often _required_ when sending traffic over an HTTP port. These HTTP > proxies will break all the muxed DNS traffic they will get. Opting them > "in" will be a lot more difficult than opting a specialized origin > server that wants to participate... > > And yes, this deployment concern applies to port 443 traffic as well, > unfortunately. Thanks for this, but i'm not sure i understand the whole situation you're describing. Can you help me make more sense of it? Here's a few things i think you might be saying: 0) A DNS client shouldn't expect this mechanism to work in the clear over port 80, because existing transparent HTTP proxies that the client doesn't know about will likely choke on it. I've noted this as https://gitlab.com/dkg/hddemux/issues/3 1) A DNS client shouldn't expect to use this mechanism through an explicit HTTP proxy either, as the explicit proxy will also choke on it. However, i'm not sure how this works for port 443. I think you're saying that the common network interference pattern is to block outbound TCP port 443 explicitly, but to allow HTTP CONNECT when established through the local required HTTP proxy. Is that right? I've tried to capture this as https://gitlab.com/dkg/hddemux/issues/4 I'm not sure what the right tradeoffs are here, or how widespread such network interference is. I am aware that the draft under discussion can't solve all problems for all networks. But i imagine that any network that blocks TCP port 443 outbound and expects clients to route through an HTTP CONNECT to an explicit proxy has already blocked TCP port 853 outbound, so the DNS client that tries to use DNS-over-TLS is no worse off for trying 443 instead of 853, at any rate. Am i missing some other details of the circumstances you're describing? Do you have suggestions of text for the draft that would address these concerns? Regards, --dkg
- [dns-privacy] Demultiplexing HTTP and DNS on the … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Joe Touch
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Colm MacCárthaigh
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Roy T. Fielding
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mike Bishop
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Martin Thomson
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Martin Thomson
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Martin Thomson
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mike Bishop
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Stefan Eissing
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Ilari Liusvaara
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mike Bishop
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Alex Rousskov
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mark Nottingham
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Ilari Liusvaara
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Mark Nottingham
- Re: [dns-privacy] Demultiplexing HTTP and DNS on … Daniel Kahn Gillmor