Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Paul Yang <kaishen.yy@alipay.com> Wed, 09 October 2019 13:43 UTC

Return-Path: <kaishen.yy@alipay.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4A40120115 for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 06:43:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alipay.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n-uoGbihnzKE for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 06:43:34 -0700 (PDT)
Received: from out0-136.mail.aliyun.com (out0-136.mail.aliyun.com [140.205.0.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4A2C12010C for <tls@ietf.org>; Wed, 9 Oct 2019 06:43:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alipay.com; s=default; t=1570628603; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; bh=s0Xics7B7ZpQS3iVTcxZUQWI1QNjm7ScZZEfnbHiDz0=; b=TJiQ7GWuddjDD9R2jIiJApbGr6lJ+MkS9hiwTHzXZhyQFI4sn/AGs3q3CAlT6dRMajuGGnh6bTHNvY3Dho1NUOff64A3aF6fs8PkaHdsyu97cGQY7zZjsNuBGXSKGI+djKqy8/mg3xMVwDsmEy8G/8P5aWRpEbz0bSLV655lYtE=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R621e4; CH=green; DM=||false|; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03303; MF=kaishen.yy@alipay.com; NM=1; PH=DS; RN=3; SR=0; TI=SMTPD_---.FiJVSNU_1570628600;
Received: from 30.27.196.20(mailfrom:kaishen.yy@alipay.com fp:SMTPD_---.FiJVSNU_1570628600) by smtp.aliyun-inc.com(127.0.0.1); Wed, 09 Oct 2019 21:43:21 +0800
From: Paul Yang <kaishen.yy@alipay.com>
Message-Id: <E679DBE6-CEC8-486B-A2EA-EEED38D4E4C8@alipay.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_FCEA78EF-7CDB-4B92-8AE0-16B6A52D667D"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 9 Oct 2019 21:43:18 +0800
In-Reply-To: <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com>
Cc: Rich Salz <rsalz@akamai.com>, "TLS@ietf.org" <tls@ietf.org>
To: Rob Sayre <sayrer@gmail.com>
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com> <CABcZeBNtv-4=dtrArZwnJHSohrbsrtG53_ynSZdcMp=YeWc9iA@mail.gmail.com> <CAChr6SzCONU2yA87QGNhsx7=5Zn82v1_euBJ-kbRci4vJ32oUw@mail.gmail.com> <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com> <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2E8TRp-YNgnTyINusXJUL75Sz30>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2019 13:43:36 -0000


> On Oct 9, 2019, at 9:04 PM, Rob Sayre <sayrer@gmail.com>; wrote:
> 
> On Wed, Oct 9, 2019 at 7:59 PM Salz, Rich <rsalz@akamai.com <mailto:rsalz@akamai.com>> wrote:
> But, if I have Cloudflare (or any CDN) configured for a domain, and the origin is only available via IPv6, the need for a disambiguating SNI in the ClientHello from CDN to Origin is not clear.
> 
> 
> That assumes that there is a one-to-one correspondence between an origin and its certificate, which isn’t true.  I might have “api.example.com <http://api.example.com/>” and “new-api.example.com <http://new-api.example.com/>” at the same IP address.
> 
> 
> I don't think that's quite what I'm proposing. I'm proposing (optionally) sending the SNI with a client certificate. I agree that SNI in ClientHello is needed to choose server certificates for IPv4, for the reason you say.

Are you suggesting: “In an IPv6 backend/origin scenario, the SNI should be sent along with client certificate instead of within ClientHello message”?

From my understandings, either IPv4 or IPv6 should have nothing to do with the concept “virtual host”, so a client (say, a CDN node) connects to either an IPv4/IPv6 server (say, an origin server), the SNI should applies the same in the TLS layer.

> 
> thanks,
> Rob
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls


Regards,

Paul Yang