Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Alec Muffett <alecm@fb.com> Mon, 20 July 2015 10:59 UTC

From: Alec Muffett <alecm@fb.com>
To: Eliot Lear <lear@cisco.com>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Date: Mon, 20 Jul 2015 10:58:52 +0000
Message-ID: <04F3F38A-097E-4DCF-9295-273F0C4B4651@fb.com>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <55A90F34.4010901@cisco.com> <CAL02cgTJM1FxTHfaQb_x5=7MExOd3YumQbrAEE487a2+Ax0i=w@mail.gmail.com> <55A91C90.1050201@cisco.com> <49481ED5-52CA-470D-8B0E-895F11A1BA46@difference.com.au> <55ACA123.7020803@cisco.com>
In-Reply-To: <55ACA123.7020803@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/BjKLuhIZIiPuoSn98SjMcowt1vY>
Cc: Richard Barnes <rlb@ipv.sx>, dnsop <dnsop@ietf.org>, David Cake <dave@difference.com.au>, "ietf@ietf.org" <ietf@ietf.org>
List-Id: IETF-Discussion <ietf.ietf.org>

> 
> Yes, there is an HTTP Host header.  Yes, responses vary by the *value* but not by the *structure*.  As far as Apache is concerned, for instance, I would imagine it's doing a string compare without counting or considering dots.  By discussing an arbitrary number of components, that paragraph implies that HTTP cares about the *structure* of the name, when it does not (although some implementations might kludge this with www.domain = domain).
> 
> And I'll just hasten to add that now between you and Richard there are two interpretations of what the text in the document means.  All I am suggesting is a bit of clarity, please.


Hi Eliot,

I am one of the authors of this draft, and I would like to spell out the concern which was raised to us, and which we sought, with this paragraph, to try and address.

Onion addresses are much closer to (say) dotted quads (or other layer-3 addresses) than to domain names, albeit that to denote them there is the label ".onion" affixed in the place where one would expect to find a TLD.

Where the analogy between onion addresses and IP addresses breaks down is that the following is illegal (or, at least, has never been functionally viable):

http://www.192.168.0.1/  (versus http://eliot.blogs.192.168.0.1/)

...whereas the following *is* viable:

https://www.facebookcorewwwi.onion/

In some hypothetical alternate universe where we were all using IP addresses rather than DNS to connect to endpoints, it might be cute to support <subdomain>.<ipaddress> and let the "Host" header (and/or the HTTPS SNI) disambiguate the intent, though doubtless this would also lead to some kind of disaster.

In the Onion world, the canonical representation of an onion address is:

sixteencharlabel.onion (compare representations: 192.168.1.1, [::1], etc)

...and in the outline we sketched of how Onions work, we sought to describe them properly in their role as layer-3 analogues, mechanically generated hashes of a randomly generated certificate, beyond human choice except for brute-force mining.

However, the Tor software has a party trick: as Richard has explained, given an "onion" label for surety, it's happy to parse out the "sixteencharlabel" label and use that for connection establishment, ignoring any other labels leftwards of that, if any.

Of course using (say) "ssh" to connect to www.sixteencharlabel.onion will not be beneficial, because SSH supports neither "Host" header nor SNI; but a web browser using HTTP/S will pass a Host header, and thus we may effect virtual hosting over a single ".onion" address.

In pursuit of "clarity", having had this explained, I would welcome a better and more succinct phrasing, if you can offer one and yet not bury the reader in unnecessary detail, or in technical detail which might become inaccurate as implementations improve whilst the outline remains largely unchanged.


    -a

--
Alec Muffett
Security Infrastructure
Facebook Engineering
London
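The parsing rule described in the message above (Tor keys on the trailing ".onion" label plus the sixteen-character label immediately to its left, ignores any labels further left, and leaves those to the HTTP Host header for virtual hosting), as an added worked example. This is illustrative code written for this page, not Tor's own implementation or anything from the draft; the function names, the base32 check on the sixteen-character label, and the sample hostnames other than facebookcorewwwi.onion are the editor's assumptions, constructed for the demonstration.

```python
import ipaddress
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Added illustration of the rule described in the message: Tor looks for the
# ".onion" label, takes the 16-character label to its left as the service
# identifier, and ignores anything further left. Not Tor's code; the names
# and the strict base32 check below are this example's own assumptions.

ONION_TLD = "onion"
# The 2015-era onion service identifier is 16 base32 characters (a-z, 2-7).
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$")


class OnionTarget(NamedTuple):
    service_id: str   # the 16-char label Tor uses for connection establishment
    subdomain: str    # labels left of it ("" if none); only the Host header sees these
    host_header: str  # the full name HTTP will send unchanged


def parse_onion_host(hostname: str) -> Optional[OnionTarget]:
    """Split a hostname the way the message says Tor does, or return None
    if it is not an onion name (no .onion suffix, or a malformed label)."""
    name = hostname.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or labels[-1] != ONION_TLD:
        return None
    service_id = labels[-2]
    if not ONION_LABEL_RE.match(service_id):
        return None
    return OnionTarget(service_id=service_id,
                       subdomain=".".join(labels[:-2]),
                       host_header=name)


def classify_endpoint(hostname: str) -> Tuple[str, str]:
    """Show the asymmetry the message points out: "www.<dotted quad>" is not an
    IP literal at all, whereas "www.<id>.onion" still reaches <id>.onion.

    Returns ("onion", service_id), ("ip", address) or ("dns", name)."""
    target = parse_onion_host(hostname)
    if target is not None:
        return ("onion", target.service_id)
    try:
        return ("ip", str(ipaddress.ip_address(hostname.strip("[]"))))
    except ValueError:
        return ("dns", hostname.rstrip(".").lower())


def select_vhost(host_header: str, vhosts: Dict[str, str]) -> Optional[str]:
    """Virtual hosting over one onion address: an exact string compare on the
    Host value (as the quoted reply describes Apache doing), falling back to
    the bare <id>.onion entry when no exact match exists."""
    name = host_header.rstrip(".").lower()
    if name in vhosts:
        return vhosts[name]
    target = parse_onion_host(name)
    if target is None:
        return None
    return vhosts.get(f"{target.service_id}.{ONION_TLD}")


if __name__ == "__main__":
    # Constructed sample table: two vhosts behind the same onion service.
    table = {
        "facebookcorewwwi.onion": "default-site",
        "www.facebookcorewwwi.onion": "www-site",
    }
    for host in ("facebookcorewwwi.onion",
                 "www.facebookcorewwwi.onion",
                 "eliot.blogs.facebookcorewwwi.onion",
                 "www.192.168.0.1",
                 "192.168.0.1"):
        print(host, "->", classify_endpoint(host), select_vhost(host, table))
```

The check that matters for a practitioner is the `subdomain` field: the Tor client never sees it as part of the connection, so anything a site does with `www.<id>.onion` versus `<id>.onion` happens entirely at the HTTP layer, and an SSH or other Host-less client connecting to the longer name simply reaches `<id>.onion`.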