[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
Ben Schwartz <bemasc@meta.com> Thu, 25 July 2024 14:24 UTC
From: Ben Schwartz <bemasc@meta.com>
To: Paul Vixie <paul@redbarn.org>, Paul Wouters <paul@nohats.ca>
Date: Thu, 25 Jul 2024 14:24:30 +0000
Message-ID: <SA1PR15MB4370A5B61D8B11EDBA0B0392B3AB2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <3321551.kGzlxMrEDr@heater.srcl.tisf.net> <2334040.7YbXXFKy9f@heater.srcl.tisf.net> <SA1PR15MB437001C4B67FA2B45FA1E2BAB3A92@SA1PR15MB4370.namprd15.prod.outlook.com> <2516847.7eYt6pKtYU@heater.srcl.tisf.net>
In-Reply-To: <2516847.7eYt6pKtYU@heater.srcl.tisf.net>
CC: Tommy Jensen <Jensen.Thomas@microsoft.com>, dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FlqbACh6S8n7PXUjaqLBWCRa6uM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
TLS 1.3 clients using ECH will not fall back to non-ECH upon unauthenticated failure, just as TLS clients of any kind will not fall back to a lower version upon unauthenticated failure. To control the TLS version, or the usage of ECH, one must either control the client's behavior directly or be able to authenticate as the TLS destination to the client's satisfaction. In an enterprise context, the latter is often accomplished by implanting a special local certificate authority into the client's trust store.

--Ben

________________________________
From: Paul Vixie <paul@redbarn.org>
Sent: Thursday, July 25, 2024 12:11 AM
To: Paul Wouters <paul@nohats.ca>; Ben Schwartz <bemasc@meta.com>
Cc: Tommy Jensen <Jensen.Thomas@microsoft.com>; dnsop <dnsop@ietf.org>; Damick, Jeffrey <jdamick@amazon.com>; Engskow, Matt <mengskow@amazon.com>; Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Subject: Re: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

On Tuesday, July 23, 2024 1:56:50 PM PDT Ben Schwartz wrote:
> It seems like there's some confusion here. ECH is an extension to TLS that
> is still under development (and now nearly final). Use of ECH is optional
> in TLS 1.3. Any entity that can control the TLS version in use also has
> the ability to disable ECH, so allowing TLS 1.3 does not require an
> administrator to permit ECH.
>
> --Ben Schwartz

If a client who tries TLS 1.3 with ECH can be detected by an enterprise ("next generation") firewall using the spoofed-SYNACK trick so common for HTTPS, and made to fail, and would then have some reason to retry TLS 1.3 without ECH, rather than just giving up or moving straight to TLS 1.2, this is the first I'm hearing of it. Is this advice-to-implementors specified somewhere?

I'd like to see it referenced in: https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/

...and I suggest simply referencing that advice in the draft under discussion.

--
P Vixie
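The fail-closed behaviour Ben describes, as an added example that is not part of his message, the draft under discussion, or any real TLS stack: a toy client that only honours an "ECH rejected" signal when the rejecting party proves, through a certificate chaining to the client's trust store, that it holds the ECH public_name. An injected reset or a rejection signed by an untrusted issuer is an unauthenticated failure and produces no retry without ECH and no version downgrade; once an enterprise CA is implanted in the trust store and has issued the firewall a certificate for the public name, the same rejection authenticates. Every name, key and message encoding here is constructed for the example (the `Cert`, `CA`, `Response` and `Client` types are hypothetical, not X.509 or the ECH wire format), and the real ECH retry semantics (retry_configs, the ech_required alert) are deliberately not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert binds a name to a public key; IssuerSig is the issuing CA's signature over that binding (toy model, not X.509).
type Cert struct {
	Name      string
	PubKey    ed25519.PublicKey
	IssuerSig []byte
}
type CA struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA() CA {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return CA{Pub: pub, priv: priv}
}

// certTBS is the to-be-signed cert encoding: name, NUL separator, raw key.
func certTBS(name string, pub ed25519.PublicKey) []byte { return append([]byte(name+"\x00"), pub...) }

// Issue signs a cert for name/pub with this CA's key.
func (ca CA) Issue(name string, pub ed25519.PublicKey) Cert {
	return Cert{Name: name, PubKey: pub, IssuerSig: ed25519.Sign(ca.priv, certTBS(name, pub))}
}

// Response is what the client observes after sending an ECH ClientHello: "ech_accepted", "ech_rejected"
// (with a Cert and a Sig over the public name), or "reset" (an injected RST or spoofed SYN-ACK: no authentication).
type Response struct {
	Kind string
	Cert *Cert
	Sig  []byte
}

func rejectionTBS(publicName string) []byte { return []byte("ech_rejected\x00" + publicName) }

// Reject builds an ECH rejection signed with the private key behind cert.
func Reject(cert Cert, priv ed25519.PrivateKey, publicName string) Response {
	return Response{Kind: "ech_rejected", Cert: &cert, Sig: ed25519.Sign(priv, rejectionTBS(publicName))}
}

// Client holds its trust store (CA public keys) and the ECH public_name the rejecting party must authenticate as.
type Client struct {
	TrustStore []ed25519.PublicKey
	PublicName string
}

func (c Client) trusts(cert Cert, name string) bool {
	if cert.Name != name {
		return false
	}
	for _, ca := range c.TrustStore {
		if ed25519.Verify(ca, certTBS(cert.Name, cert.PubKey), cert.IssuerSig) {
			return true
		}
	}
	return false
}

// Decide is the client's policy: only a rejection authenticated as the public_name holder is honoured;
// every other failure is fail-closed, with no retry without ECH and no TLS version downgrade.
func (c Client) Decide(r Response) string {
	switch r.Kind {
	case "ech_accepted":
		return "proceed_with_ech"
	case "ech_rejected":
		if r.Cert != nil && c.trusts(*r.Cert, c.PublicName) &&
			ed25519.Verify(r.Cert.PubKey, rejectionTBS(c.PublicName), r.Sig) {
			return "honor_rejection"
		}
	}
	return "fail_no_fallback"
}

// Scenarios replays the cases from the thread; every key and name here is constructed for the example.
func Scenarios() map[string]string {
	const publicName = "public.example"
	webPKI, enterprise, rogue := NewCA(), NewCA(), NewCA()
	mbPub, mbPriv, _ := ed25519.GenerateKey(rand.Reader) // the firewall's own key pair
	out := map[string]string{}
	client := Client{TrustStore: []ed25519.PublicKey{webPKI.Pub}, PublicName: publicName}
	out["origin_accepts"] = client.Decide(Response{Kind: "ech_accepted"})
	out["spoofed_reset"] = client.Decide(Response{Kind: "reset"})
	out["forged_rejection"] = client.Decide(Reject(rogue.Issue(publicName, mbPub), mbPriv, publicName))
	// Managed endpoint: the enterprise CA was implanted in the trust store and issued the firewall a cert for the public name.
	managed := Client{TrustStore: []ed25519.PublicKey{webPKI.Pub, enterprise.Pub}, PublicName: publicName}
	out["enterprise_ca_rejection"] = managed.Decide(Reject(enterprise.Issue(publicName, mbPub), mbPriv, publicName))
	out["wrong_name"] = managed.Decide(Reject(enterprise.Issue("other.example", mbPub), mbPriv, publicName))
	return out
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-24s -> %s\n", k, v)
	}
}
```

Running it with `go run` prints one decision per scenario (map order varies). The point of the last two cases is the one Ben makes: the firewall's rejection is identical in both, and only the contents of the client's trust store decide whether it is an authenticated destination or an unauthenticated failure.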