IETF Logo Mail Archive

Re: Quic: the elephant in the room

"Salz, Rich" <rsalz@akamai.com> Mon, 12 April 2021 12:57 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 790323A1CCC for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 05:57:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UPkfM5cFs1Oi for <ietf@ietfa.amsl.com>; Mon, 12 Apr 2021 05:57:27 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F0013A1CC9 for <ietf@ietf.org>; Mon, 12 Apr 2021 05:57:27 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 13CCiEHA014166 for <ietf@ietf.org>; Mon, 12 Apr 2021 13:57:25 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=LC2bpLiVU9B+uz9G5Q2tdfBaOhpBK9ljnPrxT4wGU8M=; b=TS3h6O0LpSK50pTBq4SGerWe/UixcXU0MKnHJeySJ7Xwt4w7BkBTSw/aBM4pvPiieSPt 6HCwkAwMM+CTyAWgU2r8crItOA3wKIPScMlM8UpmlBQnZ2HPdM72f3+Rncs0krI7dg4b B6vCxKoZIKeGe/xXvbWmbxtxNVvYNCQ+t9juY7cSide6D8VJykkWZYsHmeQnuHDm4d7f aLLzXjjpvB/m6L+wap+AoxTKhdeALquyQjuenY1XetR9kZAwi04QGzQyy1CkbZrDGCFz D1e8pgblUWq3/zGGwtWpuS4bKlMumY1QM35CX79xGXyijFP+wVzRKenRt3XSkOT7/zH/ OQ==
Received: from prod-mail-ppoint5 (prod-mail-ppoint5.akamai.com [184.51.33.60] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 37v566mfpf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <ietf@ietf.org>; Mon, 12 Apr 2021 13:57:25 +0100
Received: from pps.filterd (prod-mail-ppoint5.akamai.com [127.0.0.1]) by prod-mail-ppoint5.akamai.com (8.16.0.43/8.16.0.43) with SMTP id 13CCo8aw001804 for <ietf@ietf.org>; Mon, 12 Apr 2021 05:57:23 -0700
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint5.akamai.com with ESMTP id 37ua0c4wbf-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <ietf@ietf.org>; Mon, 12 Apr 2021 05:57:23 -0700
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 12 Apr 2021 08:57:21 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1497.012; Mon, 12 Apr 2021 08:57:21 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: Quic: the elephant in the room
Thread-Topic: Quic: the elephant in the room
Thread-Index: AQHXL01BemNfFNMHHkyER9D49fn4h6qw2CWA
Date: Mon, 12 Apr 2021 12:57:21 +0000
Message-ID: <3658907C-200F-4E11-8DAE-160D5C8CE429@akamai.com>
References: <20210412021224.GP9612@localhost> <31A7A397-747D-4099-A3A3-F845137022BD@akamai.com> <20210412002634.GO9612@localhost> <94707E61-D7D2-4494-B88C-E229C8D8F3E4@akamai.com> <YHPAoW8D7K1ew4mQ@straasha.imrryr.org>
In-Reply-To: <YHPAoW8D7K1ew4mQ@straasha.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.48.21040401
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.164.43]
Content-Type: text/plain; charset="utf-8"
Content-ID: <3BCE7AA3704C864F868BF09064E55528@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-04-12_10:2021-04-12, 2021-04-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxscore=0 bulkscore=0 phishscore=0 mlxlogscore=863 adultscore=0 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104120086
X-Proofpoint-GUID: KocxX4wtvtmcarMXKYlOQc1hgAUW9rAQ
X-Proofpoint-ORIG-GUID: KocxX4wtvtmcarMXKYlOQc1hgAUW9rAQ
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-04-12_10:2021-04-12, 2021-04-12 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxscore=0 phishscore=0 impostorscore=0 mlxlogscore=814 lowpriorityscore=0 spamscore=0 suspectscore=0 clxscore=1015 priorityscore=1501 adultscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104060000 definitions=main-2104120086
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 184.51.33.60) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint5
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/TYNnSTFjQkhrX1pQbKjzIWTXruo>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 12:57:32 -0000

>    one may as well delegate the TLSA record management to the CDN:

Sure, if you're never going to switch CDN's.

Many big customers switch CDN's and will not delegate because, well, they need to switch.

There is a whole industry and providers around switching CDN's in real time.  Web-search "Cdn switch" will find them, for example.

>    But any sort of TLSA RR on the customer side, while the cert rollover
    are managed by the CDN is too fragile.  The TLSA RRs should properly
    be published by the CDN as above.

Sure, if there's one CDN.

>    If indeed sub-minute migration from one CDN to another is required, then
    the TTL for the _443._tcp.[...] CNAME would need to be sub-minute.  Is
    such a short cutover time really a requirement?

If millions of dollars of commerce are happening per minute, then yes.  Or the head of state dies and the official news source is overloaded.

v2.23.0 | Report a Bug | By Email