Re: [TLS] ESNI robustness and GREASE PRs
Kazuho Oku <kazuhooku@gmail.com> Tue, 18 December 2018 05:25 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25EC1310BA for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 21:25:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L-TaKrKTsnxs for <tls@ietfa.amsl.com>; Mon, 17 Dec 2018 21:25:45 -0800 (PST)
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B647C1310B7 for <tls@ietf.org>; Mon, 17 Dec 2018 21:25:44 -0800 (PST)
Received: by mail-lj1-x243.google.com with SMTP id n18-v6so13051937lji.7 for <tls@ietf.org>; Mon, 17 Dec 2018 21:25:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=h8PoOVGe+5gafUtOsnhPFW0WDz4IWv4Q0whQmxWA/pA=; b=EsByhLYl6x3T7h7KhhOXc/LH+0RrxBAugNJSkp3wqyw4eLN4Yv6NfUtD8Wg/9sXrbR ZmCamiY1cUh5TCutcy3WbX3gnNgRKlRaYTOUTbcftNEJAkN/7s4Gr+P5mw2ePtrXZkT5 g7AoLWHupbhJyWiVtrGKyuk1Q+xEOeems7YbIE2ziEdkZu+w3RANI8MxM+f1Vnbtrjju 1KdzC2ee7vg1qmZnJSBxOUfaKGWLeI3ST9oLszSCOUiw4214jTjGwHvN5FTx6XGWK72P GO0JqgJWrtT0TlUSgLD0wGNFH8uKVj6w7S1B36xqNOMOCZIncJhX/NbDlMT+R4Zv1j2y 30QQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=h8PoOVGe+5gafUtOsnhPFW0WDz4IWv4Q0whQmxWA/pA=; b=SsrTiLFGCcdgYhA5sz2okx7wv8vRfLuoj/1WdyxH1fZBcgO4ykb3Lca/YTnEq7aYpL xcSFTahXpzKAMHpIC99oi8I3HuyrQFXC2Py+LbAtcPSk9dnROktWljrPxeR1dDAEyFwU wjSgbO25p5bhfGb2SLl2bvIhxBz7m0WbEy9xkNvrq7KMR5fuhLQYeUOSSiAPrc5m8Mrw XmZ7ILBdyj5I4M6FyiFhPbTiL2B6A2JsyJEfFddoT/QbUU1NtNhXs0OBYNMyYA800Mq3 Ode0SloShQTS9JifUp9ziJjKIzRmkDBrnl0MqyHpFTfOwCzcxF5Bd+Z3nGebBTAVPRRo 9n1A==
X-Gm-Message-State: AA+aEWZ7ZuyS1dz1JSwHXm5MzK72yHIsd675lVCLy9zgWom+rxxMeCOh SPE0yOFuxo+RKxE6/ORBP1XyA/gC72kltMBqtTw=
X-Google-Smtp-Source: AFSGD/XjHW+ITN30kYs99u/Q1T6Sk5kpASNf3G70YM5gSt0Ip0VqBvb8hXQip3ANwizkYG+TFKBIi75nPFXU5OJrBFc=
X-Received: by 2002:a2e:7f04:: with SMTP id a4-v6mr9911628ljd.156.1545110742904; Mon, 17 Dec 2018 21:25:42 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
In-Reply-To: <CAF8qwaAh-eCLOR3YX3KoVWPe8=uquO+9wwbiSYpOyxvizBSeEg@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Tue, 18 Dec 2018 14:25:30 +0900
Message-ID: <CANatvzwXMfOiUjMHPEQSbTwmcxrPWyq5hdB+9_+G5_dbLW6B2g@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Steven Valdez <svaldez@google.com>, Brad Lassey <lassey@google.com>, Adam Langley <agl@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-UU-TlJgs84DdftA0grHv9d-gfI>
Subject: Re: [TLS] ESNI robustness and GREASE PRs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 05:25:47 -0000
Hi David and others involved in the work, Thank you for the PR. 2018年12月18日(火) 8:18 David Benjamin <davidben@chromium.org>: > > Hi folks, > > We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like the group's thoughts on. The goal is to make ESNI more robust and eliminate a bunch of deployment risks. The PRs are linked below: > > https://github.com/tlswg/draft-ietf-tls-esni/pull/124 > https://github.com/tlswg/draft-ietf-tls-esni/pull/125 > > The first tries to make ESNI more robust. It introduces the notion of a "public name" which gives the client an authenticated signal to retry with new keys or without ESNI at all. This mitigates DNS/server mismatches (a concern on each key rotation), and partial rollouts or rollbacks (a concern when first enabling it, plus some scenarios with TLS-terminating middleboxes). I think that this is a logical solution, under the premise that we need to the fix issue. It provides an authenticated signal, thereby protecting the server-name from even the active attackers. That makes the SNI exchange as secure as DoH or DoT. DNS lookup and SNI are the two moments that we need to protect the server name, and having secure exchange for the both is IMO the correct path. Also, I actually like the fact that there is a non-negligible amount of overhead in the fallback path, because that would encourage people to deploy ESNI correctly. > > The second recommends clients to send GREASE ESNI extensions when they do not have cached ESNIKeys available. This better meets the "Do not stick out" goal. The server behavior in the first PR gives us this for free. I agree that having ESNI extension everywhere is an improvement. We should do this regardless of if we take PR 124. > > Details are in the PRs. > > (The two PRs were originally written up together. I split them in two based on some feedback, but since they touch the same text, the GREASE PR includes the robustness PR. If the WG wishes to go with one but not the other, the text and details can be adjusted accordingly.) > > Thoughts? > > David > > [*] Steven and I wrote the text itself, with input from Adam, Ben, and Brad, all CC'd. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- Kazuho Oku
- [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Stephen Farrell
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs Kazuho Oku
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Fifield
- Re: [TLS] ESNI robustness and GREASE PRs - client… Viktor Dukhovni
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs Ilari Liusvaara
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs David Benjamin
- Re: [TLS] ESNI robustness and GREASE PRs - client… Ilari Liusvaara