IETF Logo Mail Archive

Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Eliot Lear <lear@cisco.com> Mon, 20 July 2015 13:34 UTC

Return-Path: <lear@cisco.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 684F01A87AD; Mon, 20 Jul 2015 06:34:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.163
X-Spam-Level:
X-Spam-Status: No, score=-11.163 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=1.125, J_CHICKENPOX_36=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URI_HEX=1.122, URI_NOVOWEL=0.5, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iKaXmdCWD-r7; Mon, 20 Jul 2015 06:34:04 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B7CE1A8854; Mon, 20 Jul 2015 06:34:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12838; q=dns/txt; s=iport; t=1437399243; x=1438608843; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=pCKl+T3SARw/+A1L9FRpvWRwZJWgB9UnLLRx5v4zPsg=; b=VtAk12KFsu49ZK8shsBHk0Gypfn0HpBOTv9oME6FIFaypszOD4vJtMyP zn9OsS3Dfv8H7EOXazj1vz8fJfbrfgs80aI/z0tZ0xxy6Dksp3vda0ja4 qtaCUCQ6iC25Aa0I2h1R+ZTyNfQkBr24umRF04GvJHN87pFiF6HskxSYX M=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C6CQBa+KxV/xbLJq1cgkaBIWmDI6tTjnCCRoM0AoFjEQEBAQEBAQGBCj6DZgEBBCMmAgEtEAsYCRoHAgIPAkYGDQgBAYgqDbElhTM5AYtHhB8BAQEBAQEBAQEBAQEBAQEBAQEBAQEXi0yEMVUHgmiBQwWFYIZYiBqCM4FUBWOHMoFDRoNUgm6QPAIkY4EqHBWBQDwyAQECgkYBAQE
X-IronPort-AV: E=Sophos;i="5.15,508,1432598400"; d="asc'?scan'208,217";a="574409749"
Received: from aer-iport-nat.cisco.com (HELO aer-core-2.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP; 20 Jul 2015 13:34:01 +0000
Received: from [10.61.170.123] ([10.61.170.123]) by aer-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id t6KDY0OA001753; Mon, 20 Jul 2015 13:34:01 GMT
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
To: Alec Muffett <alecm@fb.com>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <55A90F34.4010901@cisco.com> <CAL02cgTJM1FxTHfaQb_x5=7MExOd3YumQbrAEE487a2+Ax0i=w@mail.gmail.com> <55A91C90.1050201@cisco.com> <49481ED5-52CA-470D-8B0E-895F11A1BA46@difference.com.au> <55ACA123.7020803@cisco.com> <04F3F38A-097E-4DCF-9295-273F0C4B4651@fb.com>
From: Eliot Lear <lear@cisco.com>
Message-ID: <55ACF8C8.90303@cisco.com>
Date: Mon, 20 Jul 2015 15:34:00 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <04F3F38A-097E-4DCF-9295-273F0C4B4651@fb.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="PfdSbO24sLlwMrcCukN8qu1g3UtawcrTf"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/qQd2K8CaAxXncN2TMzlo60dlGW8>
Cc: Richard Barnes <rlb@ipv.sx>, dnsop <dnsop@ietf.org>, David Cake <dave@difference.com.au>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 13:34:06 -0000

So... Alec and I did a bit of wordsmithing and what I propose is a
slight clarification on the existing text, based on this exchange, and
here it is:


   Like Top-Level Domain Names, .onion addresses can have an arbitrary
   number of subdomain components.  Only the first first label to the
   left of ".onion" is significant to the layer 3 Tor protocol, while
   application layers above have access to the full name.  For example...


And then an HTTP example would be inserted (or otherwise "For
example..." taken out).

Eliot


On 7/20/15 12:58 PM, Alec Muffett wrote:
>>
>> Yes, there is an HTTP Host header.  Yes, responses vary by the
>> *value* but not by the *structure*.  As far as Apache is concerned,
>> for instance, I would imagine it's doing a string compare without
>> counting or considering dots.  By discussing an arbitrary number of
>> components, that paragraph implies that HTTP cares about the
>> *structure* of the name, when it does not (although some
>> implementations might kludge this with www.domain = domain). 
>>
>> And I'll just hasten to add that now between you and Richard there
>> are two interpretations of what the text in the document means.  All
>> I am suggesting is a bit of clarity, please.
>
> Hi Eliot,
>
> I am one of the authors of this draft, and I would like to spell out
> the concern which was raised to us, and which we sought, with this
> paragraph to try and address.
>
> Onion addresses are much closed to (say) dotted quads (or other
> layer-3 addresses) than to domain names, albeit that to denote them
> there is the label ".onion" affixed in the place where one would
> expect to find a TLD.
>
> Where the analogy between onion addresses and IP addresses breaks down
> is that the following is illegal (or, at least, has never been
> functionally viable):
>
> http://www.192.168.0.1/  (versus http://eliot.blogs.192.168.0.1/)
>
> ...whereas the following *is* viable:
>
> https://www.facebookcorewwwi.onion/
>
> In some hypothetical alternate universe where we were all using IP
> addresses rather than DNS to connect to endpoints, it might be cute to
> support <subdomain>.<ipaddress> and let the "Host" header (and/or the
> HTTPS SNI) disambiguate the intent, though doubtless this would also
> lead to some kind of disaster.
>
> In the Onion world, the canonical representation of an onion address is:
>
> sixteencharlabel.onion (compare representations: 192.168.1.1, [::1], etc)
>
> ...and in the outline we sketched of how Onions work, we sought to
> describe them properly in their role as layer-3 analogues,
> mechanically generated hashes of a randomly generated certificate,
> beyond human choice except for brute-force mining.
>
> However, the Tor software has a party trick, that (as Richard has
> explained) given an "onion" label for surety, it's happy to parse-out
> the "sixteencharlabel" label and use that for connection
> establishment, ignoring any other labels leftwards of that, if any.
>
> Of course using (say) "ssh" to connect to www.sixteencharlabel.onion
> <http://www.sixteencharlabel.onion> will not be beneficial, because
> SSH supports neither "Host" header nor SNI; but a web browser using
> HTTP/S will pass a Host header, and thus we may effect virtual hosting
> over a single ".onion" address.
>
> In pursuit of "clarity", having had this explained, I would welcome a
> better and more succinct phrasing, if you can offer one and yet not
> bury the reader in unnecessary detail, or in technical detail which
> might become inaccurate as implementations improve whilst the outline
> remains largely unchanged.
>
>
>     -a
>
> --
> Alec Muffett
> Security Infrastructure
> Facebook Engineering
> London
>

v2.23.0 | Report a Bug | By Email