IETF Logo Mail Archive

Re: Quic: the elephant in the room

Michael Thomas <mike@mtcc.com> Mon, 12 April 2021 15:38 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD1693A22BC for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 08:38:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f1B3KJo7wU1M for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 08:38:01 -0700 (PDT)
Received: from mail-pg1-x531.google.com (mail-pg1-x531.google.com [IPv6:2607:f8b0:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F5003A22BB for <ietf@ietf.org>; Mon, 12 Apr 2021 08:38:01 -0700 (PDT)
Received: by mail-pg1-x531.google.com with SMTP id k8so9688779pgf.4 for <ietf@ietf.org>; Mon, 12 Apr 2021 08:38:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=2GbnhBxXw+rOF+JSaEbKwNZN+u7K048nuCeqF7LvIJk=; b=bp25UQGAOIMLP6dgNrXsYnwQgBdBZ1XDCtvVb59sBz5DcptKgmHqH5Pkayq53gEE6g P8J1JFqOuDLrUNjH1YjVGqw9QhSvsDn19f2g1aoq/IKSSZu5fXkL0QbRW4+6TCp8oLZh JKZPbzaU0vz3Yt23PdY1nYJ22suuPmKrjmraV6LqRNTrauA5CZsOM0yXmSdg4mypxVyo tOBHDB6h3NhnBnVgU9I0aovYY0hs0m0myUoaUZcE2qmmjIklJ8431bSG1ocYXpW8Qna+ LpfsyvbIksjTSDvhZxzQoS+MjqrqiWT8XqaY6B3Mi66+CJnY0bXMKtn/KkQDt3YSP3I+ BKJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=2GbnhBxXw+rOF+JSaEbKwNZN+u7K048nuCeqF7LvIJk=; b=B6OQe7kT9IeoR+luMQ+czCd11Y/wpx/BLcn5zz4ZV4DAB0gw+l2h4EpHYqHtadlnv8 uCc7/+pTL4Zijq8VLLIoF8gbnN6mCxEkunfSb8Z9J13+yGIg6D1DdORNt30M5aBdjao/ k8fpj7J6XzqccVAjyF+cGqn7cAqS+sl0ferEBwlEci5jiFpO9ZYwETNyVwbuiAMeKEGo f6lyJMc6AuNmOVYTlCHXVJRVSYtiUKGN6jnJcwD5yvaqyfglsFaD0z7eIdwwTCT0txTk HnNQuF39RLpjaJrNiT6YMo4cmAnyDajD4FBCvpGSHH4zHfuph47gjK2R75X2zPdcq97q 9dXg==
X-Gm-Message-State: AOAM533+TFdrssPLyVOwvao78EqoA61OphohaKLjO0WA1aBKV9yHVq1l 35ty7KlMEHNZHN1qDhnZ0pjQb8cZ9iyy0A==
X-Google-Smtp-Source: ABdhPJzg6jiDLelC99wYztTwNo6Wt/3bN+jF0q5HeWFX4Dxuu1r5coNIqM5smKShWN0oQHU5/6FDxg==
X-Received: by 2002:a63:5f0c:: with SMTP id t12mr27250904pgb.381.1618241879753; Mon, 12 Apr 2021 08:37:59 -0700 (PDT)
Received: from mike-mac.lan (107-182-38-56.volcanocom.com. [107.182.38.56]) by smtp.gmail.com with ESMTPSA id o11sm1945731pfu.188.2021.04.12.08.37.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Apr 2021 08:37:59 -0700 (PDT)
Subject: Re: Quic: the elephant in the room
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Andrew McConachie <andrew@depht.com>, "Salz, Rich" <rsalz@akamai.com>, IETF Discussion Mailing List <ietf@ietf.org>
References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com> <E4374100-265E-4426-9F9A-AC437DA31D2B@depht.com> <15059e21-b7c2-4211-869e-df3ffdf7c34a@mtcc.com> <CAMm+LwgnoqXKNSKxt0-rDa8ze6J9LsZz0jVeogBXAWNDveC_ZQ@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <91ea341f-87dd-2760-82a8-db03a7616c59@mtcc.com>
Date: Mon, 12 Apr 2021 08:37:57 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAMm+LwgnoqXKNSKxt0-rDa8ze6J9LsZz0jVeogBXAWNDveC_ZQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------698B119B7F215A1D3CDD8BD0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/1jOe3cQGv2S0ABS9RIMtBTBuUKc>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 15:38:06 -0000

On 4/12/21 8:33 AM, Phillip Hallam-Baker wrote:
>
>
> On Mon, Apr 12, 2021 at 11:22 AM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>
>     On 4/12/21 3:36 AM, Andrew McConachie wrote:
>     >
>     >
>     > When looking at how one might implement DANE for HTTPS/TLS I
>     don’t see
>     > any reason to handle these things sequentially. You don’t have to
>     > change TLS you just have to do things asynchronously. Query for
>     TLSA
>     > RRs at the same time as sending the TLS ClientHello, and kill the
>     > connection setup when/if DANE validation fails. On the off
>     chance that
>     > the DNS actually takes longer than TLS, maybe delay sending data
>     via
>     > TLS until DNS responds. But I bet this almost never happens.
>     >
>     Correct. Better: you can do the TLSA request at the same time as the
>     A/AAAA request speculatively. Plus if you've ever had a TLSA
>     record for
>     that domain, you know it's pretty likely you'll get a fresh one
>     even if
>     the last one is expired, so the speculation is minimal.
>
>
> Or replace the DNS resolver protocol with a privacy protected one in 
> which a single request packet can be answered by multiple response 
> packets. This maintains the 'stateless' nature of DNS queries but 
> allows responses of 1-32 packets.
>
> Then introduce a new DNS query for 'tell me how to connect to protocol 
> X at name Y'
>
> Then a query to the responder can return the A record, the AAAA 
> record, the SRV record, any relevant TXT and TLSA records and the 
> entire cert chain for one particular host chosen by the responder.
>
I really have no desire to boil the ocean. My post was something that is 
actually achievable with existing protocols with and achievable by way 
of many browser vendors having the capability of implementing those 
protocols on their front and backends. That was its entire point: it's 
achievable in the here and now.

Mike

v2.23.0 | Report a Bug | By Email