[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

Paul Vixie <paul@redbarn.org> Thu, 25 July 2024 04:11 UTC

From: Paul Vixie <paul@redbarn.org>
To: Paul Wouters <paul@nohats.ca>, Ben Schwartz <bemasc@meta.com>
Date: Wed, 24 Jul 2024 21:11:53 -0700
Message-ID: <2516847.7eYt6pKtYU@heater.srcl.tisf.net>
In-Reply-To: <SA1PR15MB437001C4B67FA2B45FA1E2BAB3A92@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <3321551.kGzlxMrEDr@heater.srcl.tisf.net> <2334040.7YbXXFKy9f@heater.srcl.tisf.net> <SA1PR15MB437001C4B67FA2B45FA1E2BAB3A92@SA1PR15MB4370.namprd15.prod.outlook.com>
CC: Tommy Jensen <Jensen.Thomas@microsoft.com>, dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3nSJ6KH3zw4MlRsVAR3mBGE-92o>

On Tuesday, July 23, 2024 1:56:50 PM PDT Ben Schwartz wrote:
> It seems like there's some confusion here.  ECH is an extension to TLS that
> is still under development (and now nearly final).  Use of ECH is optional
> in TLS 1.3.  Any entity that can control the TLS version in use also has
> the ability to disable ECH, so allowing TLS 1.3 does not require an
> administrator to permit ECH.
> 
> --Ben Schwartz

If a client who tries TLS 1.3 with ECH can be detected by an enterprise ("next generation") firewall using the spoofed-SYNACK trick so common for HTTPS, and made to fail, and would then have some reason to retry TLS 1.3 without ECH, rather than just giving up or moving straight to TLS 1.2, this is the first I'm hearing of it. Is this advice-to-implementors specified somewhere? I'd like to see it referenced in:

https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/

...and I suggest simply referencing that advice in the draft under discussion.

-- 
P Vixie
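The inspection step both messages take for granted, as an added example that is not part of the thread or either author's code: a parser that reads the outer ClientHello's supported_versions extension (the field a version-controlling middlebox already examines) and reports whether the encrypted_client_hello extension (IANA type 0xfe0d) is also present. The ClientHello bytes are constructed here for the demo, and the ECH extension body is a placeholder, not a real ECHClientHelloOuter.

```python
import struct

SUPPORTED_VERSIONS = 0x002b   # RFC 8446 extension type
ECH = 0xfe0d                  # encrypted_client_hello, draft-ietf-tls-esni
TLS13 = 0x0304


def parse_client_hello(record):
    """Return {'versions': [...], 'ech': bool} from a TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, legacy_version, random
    p += 1 + body[p]                                 # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
    p += 1 + body[p]                                 # legacy_compression_methods
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    info = {"versions": [], "ech": False}
    while p + 4 <= end:                              # walk the (outer) extension list
        ext_type, length = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + length]
        if ext_type == SUPPORTED_VERSIONS:           # 1-byte list length, then 2-byte versions
            info["versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                for i in range(1, 1 + data[0], 2)]
        elif ext_type == ECH:                        # only presence is visible; payload is encrypted
            info["ech"] = True
        p += 4 + length
    return info


def classify(record):
    """Label the hello the way a version-aware middlebox could: ECH is just one more extension."""
    info = parse_client_hello(record)
    if TLS13 not in info["versions"]:
        return "pre-tls13"
    return "tls13+ech" if info["ech"] else "tls13"


def build_client_hello(extensions):
    """Constructed minimal ClientHello record for the demo; not a captured handshake."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"        # legacy_version, random, empty session id
             + b"\x00\x02\x13\x01"                     # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                             # legacy compression: null only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


SV_TLS13 = (SUPPORTED_VERSIONS, b"\x02\x03\x04")      # supported_versions: [TLS 1.3]
ECH_PLACEHOLDER = (ECH, bytes(8))                      # stand-in for an ECHClientHelloOuter body
```

Running `classify(build_client_hello([SV_TLS13, ECH_PLACEHOLDER]))` returns "tls13+ech", which is the point at issue: anything positioned to read supported_versions can see, and act on, the ECH extension in the same pass.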