Re: [Network-tokens] [TLS] Network Tokens I-D and TLS / ESNI

Yiannis Yiakoumis <> Fri, 26 June 2020 05:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F30493A1163 for <>; Thu, 25 Jun 2020 22:34:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zKfLsuj1XjfB for <>; Thu, 25 Jun 2020 22:34:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C91A43A1153 for <>; Thu, 25 Jun 2020 22:34:15 -0700 (PDT)
Received: by with SMTP id s18so4880026vsi.6 for <>; Thu, 25 Jun 2020 22:34:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:date:to:cc:in-reply-to:references:from:message-id :subject; bh=DAV4x/FVVoW2ehVyLRLwvZ1lVi+tL9KzG/YB7zWBmSc=; b=HJqFFnucsCuGJ84XqERMJq/tcNJ/rQHxxgOftRLSX4Q4SBQreTsnfDezYzUVH9U6O4 HmLWWN7nTyI0MfXC7y3LBRJEhse+EyKcn/w03H5XwX0reGH67MWVi0OxN1r19DTx95u9 ktVtTS/qyRYZX77AkZeXjPuncCTcAadcAGYfJ5b8ad/oDVsrSUhoOLIyAD6VQMv1C1cA YYcnGDznBlE6KoH66kNjzFm74NH4sSA0w0bYh/4O1VXh9Cs3a5Maepb6B+zCAZAcADxv BisUSzffeSgE+PWjH08zxX+oWgHbBzllrYHceqLTafxOtU4PtU47PjPJwjhkMJHRidsU kqIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:date:to:cc:in-reply-to:references :from:message-id:subject; bh=DAV4x/FVVoW2ehVyLRLwvZ1lVi+tL9KzG/YB7zWBmSc=; b=eV2/n/gMvykEL90VDf6ko4WgRoomLQQjQB6XMIBm4Dt7FTNu0sfI6xOE0qH6qk2s8i PIyyN6ljMCcwftEYiVveEyvqZSJlPwu5Y8N4v10oWpHoPvrYVenCTumXwlH1HTGFs4ZS jo6mFEn/W8OJfsFehEGGOfbiCouImhzwVowps/nBCBCAdNSX4VlWXegRr9mwyuzfwQVk JFrZ1cmC1fdKVUo0TtKRKYJZkpJJxumD5rWgjctM9CU/76hK0SwIt9ma8/MKtO77cEKt /Vhli9Y6lJmDUbQO59Sm6myR4xorIu6hyBYNyeLkYZNJzJYAs/6zhivLwNj8LJgnmxj8 9RRA==
X-Gm-Message-State: AOAM533H/4I0iyJ4+ft7IDRT75Ns9lCiM3HNJcsPSsM6NBXL47XV6o1d YNxa2/eHngfPivi/HpOdgR3EIBBb9SY=
X-Google-Smtp-Source: ABdhPJwk/Gvy2Pfi8aFpmqrQjjAEs46bJxoXj0FOvQZeWJ7cnopdnfgiXUVXJU4LUbrxk/wmjy1S2Q==
X-Received: by 2002:a05:6102:73a:: with SMTP id u26mr1145036vsg.216.1593149654339; Thu, 25 Jun 2020 22:34:14 -0700 (PDT)
Received: from localhost ( []) by with ESMTPSA id y12sm4143453vko.40.2020. for <> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 25 Jun 2020 22:34:14 -0700 (PDT)
Mime-Version: 1.0
X-Mailer: Superhuman Desktop (2020-06-25T22:05:59Z)
X-Superhuman-Draft-ID: draft00ec3fbbfa9578c5
Date: Fri, 26 Jun 2020 05:34:12 +0000
To: "Erik Nygren" <>
Cc: "" <>,
X-Superhuman-ID: kbvs5nf6.14a30a07-6e4d-49f3-98ca-1987f2ab8cad
In-Reply-To: <>
References: <> <>
From: "Yiannis Yiakoumis" <>
Message-ID: <>
Content-Type: multipart/alternative; boundary=00582e2968d699e875b4fbb185bab7bbee35f5c3cf65c451e8a8120a451a
Archived-At: <>
Subject: Re: [Network-tokens] [TLS] Network Tokens I-D and TLS / ESNI
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion list for network tokens <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Jun 2020 05:34:28 -0000

(cross-posting to network-tokens@ as this is the first related topic - apologies for any duplicates)

Hi Erik,

Thanks for the comments. That's a good point, and wanted to clarify the reasoning around binding fields in general, as well as  binding tokens to IP addresses specifically.

Unlike access and security tokens, network tokens are not protected by a secure TLS connection and can be read by any intermediary node. Therefore, they are open to replay attacks, and unless  used in a fully trusted environment, one should take measures against such attacks. There are two main approaches here:

* Limit a token's lifetime, to make replay attacks hard. The extreme here is to make tokens single use (e.g., through a nonce), and reject tokens with previously seen nonces (within a time window).

* Bind the token to a field that limits the scope it can be used (e.g., a user, a device, a set of exit gateways, etc). The network should be able to separately verify that the token is used within this scope. A binding field can be in an IP address, an IMSI, or any other field the network operator may use to limit the scope of a token.

Note that the binding value matters only at the point of enforcement ( the place where the network checks the scope). It doesn't play any role on the client, the server, or other network nodes.  Moreover, when tokens are encrypted, the binding field itself is not visible to anyone other than the network that issued the token, which should cover privacy concerns.

Two use cases where binding tokens to IP addresses should be fine are i) when users (a home or a mobile subscriber) are assigned a static IP address ( or a DHCP lease that lasts beyond a token's expiration time), and ii) for public IP addresses. Consider the following scenario:

home device → home NAT → operator network (static IP addresses) → operator NAT → Internet .

Despite multiple NATs, the operator can bind the token to the IP address it assigns to the modem and not worry about the downstream and upstream NAT.

As you mentioned, there will be cases where IP binding won't work, either because the endpoint that gets the token doesn't have an assigned IP address, because the enforcement point is behind a NAT, or because of heavy use of proxies etc. In such cases one could bind tokens to a different field, or use short-lived tokens and/or nonces to prevent replay attacks. The overall benefit of binding tokens to certain fields is that they can have a longer lifetime and require less state in the network.

Does this address your concern? Also, any ideas/references on how common it is to have static/long-leased IP addresses in different scenarios (e.g., residential networks and mobile networks)?



On Thu, Jun 25, 2020 at 4:29 PM, Erik Nygren < > wrote:

> One quick comment is that binding tokens to IP addresses is strongly
> counter-recommended.
> It doesn't survive NATs or proxies, mobility, and it is especially
> problematic in IPv6+IPv4 dual-stack environments.
> (Even in IPv6-only, privacy addressing causes problems here.)  Even if you
> have a way to convert tokens over
> for your set of IP addresses (eg, to deal with dual-stack) that still may
> not help enough with NAT environments.
> Erik
> On Thu, Jun 25, 2020 at 4:29 PM Yiannis Yiakoumis < yiannis@ selfienetworks.
> com ( ) > wrote:
>> Hi all,
>> I wanted to briefly introduce network tokens ( )
>> into this list, how they relate with TLS and ESNI, and kindly ask anyone
>> that is interested to share feedback and join the discussion.
>> Network tokens is a method for endpoints to explicitly and securely
>> coordinate with networks about how their traffic is treated. They are
>> inserted by endpoints in existing protocols, interpreted by trusted
>> networks, and may be signed or encrypted to meet security and privacy
>> requirements. Network tokens provide a means for network operators to
>> expose datapath services (such as a zero-rating service, a user-driven QoS
>> service, or a firewall whitelist), and for end users and application
>> providers to access such services. Network tokens are inspired and derived
>> by existing security tokens (like JWT and CWT), borrowing several of their
>> security and privacy properties, and adjusting them for use in a
>> networking context.
>> There are two ways that network tokens relate with TLS:
>> * They can support ESNI adoption: in a world where ESNI is widely adopted,
>> network tokens can enable use cases where endpoint-network coordination is
>> required, without having to go back to plaintext SNI that everyone can
>> read.
>> * Network tokens are embedded as TLS handshake extensions (among others).
>> We are shooting for a BoF in November, and are very much interested into
>> feedback around the concept, use cases, what we need to do to make network
>> tokens adopted as a TLS handshake extension, and folks that are interested
>> to get involved in the effort!
>> Links to an IETF I-D, a mailing list, and initial implementation are
>> available at https:/ / networktokens. org ( ).
>> Best,
>> Yiannis
>> =====================
>> Yiannis Yiakoumis
>> Co-Founder & CEO
>> https:/ / selfienetworks. com ( ) |
>> +1-650-644-7857
>> _______________________________________________
>> TLS mailing list
>> TLS@ ietf. org ( )
>> https:/ / www. ietf. org/ mailman/ listinfo/ tls (
>> )