Re: [DNSOP] Multiplexing DNS & HTTP over TLS

Warren Kumari <warren@kumari.net> Fri, 15 February 2019 21:22 UTC

To: Shane Kerr <shane@time-travellers.org>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KutTH3eeLhAvAnDq28xe1_Xe6Kc>

On Thu, Feb 14, 2019 at 8:24 AM Shane Kerr <shane@time-travellers.org> wrote:

> Klaus,
>
> On 14/02/2019 14.00, Klaus Malorny wrote:
> > On 14.02.19 11:03, Shane Kerr wrote:
> >
> >> Is there a write-up on this?
> >>
> >> Thinking about it naively, a demultiplexer really only needs to say
> >> "is there a non-ASCII character in the first 2 or 3 bytes of a TLS
> >> session?".
> >>
> > please think of HTTP/2, which is a binary protocol (although I don't
> > know what the first bytes are). But I guess ALPN (RFC 7301) would do the
> > trick.
>
> I think that HTTP/2 preserves the initial handshake of HTTP/1.1.
>
> But looking at ALPN, it was designed for exactly this multiplexing
> use case. In principle all that would be needed is adding an identifier
> to the ALPN protocol IDs:
>
> https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
>
> It would also address Joe's concerns about other protocols.
>
> Maybe creating an ALPN protocol ID for DNS-over-TLS is something for the
> DPRIVE working group? 🤔
>

https://mailarchive.ietf.org/arch/browse/dns-privacy/?q=ALPN

https://tools.ietf.org/html/draft-hoffman-dprive-dns-tls-alpn-00

https://www.ietf.org/archive/id/draft-dkg-dprive-demux-dns-http-03.txt

I'd encourage folk to go read the archive (and, again, there is a WG for
this -- https://datatracker.ietf.org/wg/dprive/about/ ).

W



>
> Cheers,
>
> --
> Shane
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
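The first-bytes demultiplexing Shane sketches above and the ALPN selection the linked drafts describe, as an added example written for this note (not code from the thread or from either draft); the "dot" identifier and the sample bytes are assumptions:

```python
# Added example, not code from the thread or the cited drafts.
import struct

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 section 3.5
HTTP1_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                 b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")
DNS_HEAD = 2 + 12  # RFC 7858 length prefix plus the RFC 1035 header


def looks_like_dns_query(head: bytes) -> bool:
    """Length prefix covers at least a header, QR=0 (a query), opcode is
    QUERY/NOTIFY/UPDATE and exactly one question (or zone) record."""
    length, _ident, flags, qdcount = struct.unpack("!HHHH", head[:8])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    return length >= 12 and qr == 0 and opcode in (0, 4, 5) and qdcount == 1


def classify(head: bytes) -> str:
    """Return 'http/2', 'http/1.1', 'dns', 'unknown' or 'need-more'."""
    if len(head) < DNS_HEAD:
        return "need-more"
    # Exact ASCII signatures go first: the bytes "GET /" already parse as a
    # plausible DNS length, id and flags (QR=0, opcode 5), so a DNS header
    # check alone is not a safe discriminator. That ambiguity is the case
    # for negotiating the protocol with ALPN instead of sniffing.
    if head.startswith(HTTP2_PREFACE[:DNS_HEAD]):
        return "http/2"
    if head.startswith(HTTP1_METHODS):
        return "http/1.1"
    if looks_like_dns_query(head):
        return "dns"
    return "unknown"


def select_alpn(server_prefs, client_offered):
    """Server-side ALPN choice (RFC 7301): first protocol in the server's
    preference order that the client also offered, else None. "dot" is the
    DNS-over-TLS identifier assumed here, as proposed in the Hoffman draft."""
    return next((p for p in server_prefs if p in client_offered), None)


# Constructed samples (not captured traffic).
DNS_QUERY = (b"\x00\x1d"                                        # 29-byte message
             b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # id, RD, qdcount=1
             b"\x07example\x03com\x00\x00\x01\x00\x01")          # example.com IN A
HTTP1_REQ = b"GET /dns-query?dns=AAABAAABAAAAAAAAA HTTP/1.1\r\nHost: dns.example\r\n\r\n"
HTTP2_REQ = HTTP2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"  # empty SETTINGS

if __name__ == "__main__":
    for name, head in (("dns", DNS_QUERY), ("http/1.1", HTTP1_REQ), ("http/2", HTTP2_REQ)):
        print(name, "->", classify(head))
    print(select_alpn(["dot", "h2", "http/1.1"], ["http/1.1", "dot"]))
```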