Re: Question regarding HTTP/2, SNI, and IP addresses

John Mattsson <john.mattsson@ericsson.com> Wed, 23 June 2021 08:23 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Martin Thomson <mt@lowentropy.net>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Wed, 23 Jun 2021 08:19:02 +0000
Message-ID: <DB6PR0701MB3047D7C2CD60A9F9443CFC4989089@DB6PR0701MB3047.eurprd07.prod.outlook.com>
References: <HE1PR0701MB30500174B18EDB6C2704D15B890D9@HE1PR0701MB3050.eurprd07.prod.outlook.com>,<bc78d96e-d4dd-4a89-8937-165a2c9f86fa@www.fastmail.com>
In-Reply-To: <bc78d96e-d4dd-4a89-8937-165a2c9f86fa@www.fastmail.com>
Subject: Re: Question regarding HTTP/2, SNI, and IP addresses
Archived-At: <https://www.w3.org/mid/DB6PR0701MB3047D7C2CD60A9F9443CFC4989089@DB6PR0701MB3047.eurprd07.prod.outlook.com>

Hi Martin,

Thanks for pointing me to the bis document. I think the text in draft-ietf-httpbis-http2bis makes things clear. I think the bis document will be very useful for the discussions in 3GPP. My updated understanding is then:

- IP addresses without domain names are ok to use in HTTP/2
- SNI is not required unless a domain name is used.
- For domain names, use of SNI is required for both TLS 1.2 and TLS 1.3

Cheers,
John

From: Martin Thomson <mt@lowentropy.net>
Date: Tuesday, 22 June 2021 at 03:08
To: ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: Re: Question regarding HTTP/2, SNI, and IP addresses

On Fri, Jun 18, 2021, at 22:30, John Mattsson wrote:
> Am I correct in my understanding that:
>
>  * HTTP/2 (RFC 7540) requires support of sending the target domain name
> in SNI for both TLS 1.2 and TLS 1.3.
>  * IP addresses cannot be sent in SNI.
>  * IP addresses are not domain names.
>  * Therefore, HTTP/2 with HTTPS requires domain names and cannot be
> used with IP addresses only.

The revision says:

> The TLS implementation MUST support the Server Name Indication (SNI) [TLS-EXT] extension to TLS. If the server is identified by a domain name [DNS-TERMS], clients MUST send the server_name TLS extension unless an alternative mechanism to indicate the target host is used.

-- https://httpwg.org/http2-spec/draft-ietf-httpbis-http2bis.html#section-9.2-2

Is that clearer?  There are also similar updates to the HTTP core documents.

The intent was never to prohibit the use of IP addresses as authority.  That you might interpret the text that way is just an error.
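The rule the thread settles on (send server_name only when the authority is a domain name; an IP literal gets no SNI and must instead be matched by an iPAddress SAN) as an added, stand-alone example that is not code from either poster or from the http2bis draft. The certificate check is a constructed matcher over the tuple shape `ssl.SSLSocket.getpeercert()['subjectAltName']` returns, not the ssl module's own verifier.

```python
import ipaddress
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address literal (brackets already removed)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def sni_name(authority: str) -> Optional[str]:
    """Name to send in the TLS server_name extension for an HTTP authority.

    Returns None when SNI must be omitted: RFC 6066 does not permit IP
    literals in server_name, and http2bis only requires SNI when the server
    is identified by a domain name.
    """
    host = urlsplit("//" + authority).hostname  # strips [ ] and :port, lowercases
    if not host or is_ip_literal(host):
        return None
    return host


def cert_authenticates(authority: str, san: Iterable[Tuple[str, str]]) -> bool:
    """Constructed check: do the peer's subjectAltName entries cover the authority?

    An IP-literal authority needs a matching "IP Address" (iPAddress) entry;
    a domain name needs a "DNS" entry, with a single leftmost-label wildcard.
    """
    host = urlsplit("//" + authority).hostname or ""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)  # textual forms may differ, compare parsed
        return any(t == "IP Address" and ipaddress.ip_address(v) == wanted
                   for t, v in san)
    labels = host.split(".")
    for t, v in san:
        if t != "DNS":
            continue
        pat = v.lower().split(".")
        if len(pat) != len(labels):
            continue
        if all(p == l or (p == "*" and i == 0 and len(labels) > 2)
               for i, (p, l) in enumerate(zip(pat, labels))):
            return True
    return False
```

Python's own `ssl` module applies the same split since 3.7: passing an IP string as `server_hostname` to `SSLContext.wrap_socket` verifies it against iPAddress SANs without sending SNI.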