[TLS] Re: Opsdir ietf last call review of draft-ietf-tls-svcb-ech-07
Ben Schwartz <bemasc@meta.com> Fri, 11 April 2025 16:06 UTC
From: Ben Schwartz <bemasc@meta.com>
To: "ops-dir@ietf.org" <ops-dir@ietf.org>, Linda Dunbar <linda.dunbar@futurewei.com>
Date: Fri, 11 Apr 2025 16:05:51 +0000
Message-ID: <SA1PR15MB4370257439FB45A59B061062B3B62@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <174422873005.757485.1040042912670042185@dt-datatracker-64c5c9b5f9-hz6qg>
In-Reply-To: <174422873005.757485.1040042912670042185@dt-datatracker-64c5c9b5f9-hz6qg>
CC: "draft-ietf-tls-svcb-ech.all@ietf.org" <draft-ietf-tls-svcb-ech.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2MzhbvwbjD9mEOD1ZIuSbwnktkc>
________________________________
From: Linda Dunbar via Datatracker <noreply@ietf.org>
Sent: Wednesday, April 9, 2025 3:58 PM
To: ops-dir@ietf.org <ops-dir@ietf.org>
Cc: draft-ietf-tls-svcb-ech.all@ietf.org <draft-ietf-tls-svcb-ech.all@ietf.org>; last-call@ietf.org <last-call@ietf.org>; tls@ietf.org <tls@ietf.org>
Subject: Opsdir ietf last call review of draft-ietf-tls-svcb-ech-07

...

> Mixed SVCB RRSets with and without the "ech" parameter are vulnerable to
> downgrade attacks, yet may occur in multi-provider environments or during
> staged rollouts. Clear operational guidance is needed to mitigate these risks,
> such as prioritizing ECH-capable endpoints using SvcPriority. Deployments
> involving CDNs or multi-CDN setups add complexity around coordination of ECH
> keys and consistent DNS records, and would benefit from best practice
> recommendations.

This situation is addressed in detail already in the Security Considerations: https://www.ietf.org/archive/id/draft-ietf-tls-svcb-ech-07.html#section-8-1. I don't believe we have any further recommendations.

> Additionally, diagnosing ECH failures can be difficult due to the lack of
> fallback and visibility. The draft should recommend logging and monitoring
> strategies to help operators detect misconfigurations.

I don't believe we have any relevant recommendations for logging or monitoring. Any such logging would likely not be related to the DNS records, so those recommendations would be in draft-ietf-tls-esni or a later draft.

> Key rotation, TTL
> management, and rollback procedures are also important but not addressed.

draft-ietf-tls-esni does already discuss these topics:

Key rotation: https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni#name-maintain-forward-secrecy
Rollback: https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni#name-misconfiguration-and-deploy
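As an added example (not code from the draft, nor from either participant in this thread): an operator-side lint check for the mixed-"ech" RRSet condition the review raises, which also reports whether the non-ECH endpoints have at least been demoted behind the ECH-capable ones via SvcPriority. The simplified record shape, the target names and the ech value are constructed placeholders, not a wire-format parser or a real ECHConfigList.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SvcbRecord:
    """One SVCB RR in simplified form (assumed shape for this example)."""
    priority: int          # SvcPriority: 0 = AliasMode, otherwise lower is preferred
    target: str            # TargetName
    params: dict = field(default_factory=dict)  # SvcParams, e.g. {"ech": "<ECHConfigList>"}

    @property
    def has_ech(self) -> bool:
        return "ech" in self.params


def lint_rrset(rrset):
    """Return findings (strings) for a mixed-'ech' RRSet; [] means no concern."""
    # AliasMode RRs (SvcPriority 0) carry no SvcParams, so only ServiceMode RRs count.
    service = [r for r in rrset if r.priority != 0]
    with_ech = [r for r in service if r.has_ech]
    without_ech = [r for r in service if not r.has_ech]
    findings = []
    if with_ech and without_ech:
        findings.append(
            f"mixed RRSet: {len(with_ech)} endpoint(s) with ech, {len(without_ech)} without")
        best_ech = min(r.priority for r in with_ech)
        best_plain = min(r.priority for r in without_ech)
        # SvcPriority only steers a client that can reach the ECH endpoints; a client
        # that cannot still falls back to the plain ones, so ordering narrows but does
        # not close the downgrade path. A tie or inversion is reported separately.
        if best_plain <= best_ech:
            findings.append(
                f"non-ECH endpoint at SvcPriority {best_plain} is preferred or tied "
                f"with the best ECH endpoint at SvcPriority {best_ech}")
    return findings


# Constructed sample RRSets; target names and the ech value are placeholders.
ECH_PLACEHOLDER = "placeholder-ECHConfigList-base64"

STAGED_ROLLOUT = [  # second provider not yet serving ECH, both at the same priority
    SvcbRecord(1, "edge-a.example.net.", {"alpn": "h2", "ech": ECH_PLACEHOLDER}),
    SvcbRecord(1, "edge-b.example.net.", {"alpn": "h2"}),
]
PRIORITISED = [     # non-ECH endpoint demoted behind the ECH-capable one
    SvcbRecord(1, "edge-a.example.net.", {"ech": ECH_PLACEHOLDER}),
    SvcbRecord(2, "edge-b.example.net.", {}),
]
CONSISTENT = [      # every ServiceMode endpoint carries ech
    SvcbRecord(1, "edge-a.example.net.", {"ech": ECH_PLACEHOLDER}),
    SvcbRecord(2, "edge-b.example.net.", {"ech": ECH_PLACEHOLDER}),
]
```

Run `lint_rrset` over the RRSet you intend to publish before each rollout step; an empty list is the state the review asks operators to converge on.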