[TLS] Re: ECH Proxy Mode
Raghu Saxena <poiasdpoiasd@live.com> Mon, 09 September 2024 16:35 UTC
To: 涛叔 <hi@taoshu.in>
References: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in> <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <C3A1FBAA-CEB9-49FD-A50F-831D86FDECC7@taoshu.in>
In-Reply-To: <C3A1FBAA-CEB9-49FD-A50F-831D86FDECC7@taoshu.in>
CC: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2RA6na42718pF4y5eFbR0XMn5NU>
Hey 涛叔,

Sorry for the late reply. I was taking time to read through and try to understand completely what you were saying.

On 9/5/24 17:53, 涛叔 wrote:
> Yes, the native HTTPS proxy with CONNECT has a similar feature. However, the ECH-based SNI proxy
> still has some benefits.
>
> First, we set up one DNS over HTTPS server, and let the user agent use the DoH server.
>
> Second, we set up the client-facing ECH server as an SNI proxy.
>
> ....
>
> If we can implement an ECH-based SNI proxy, we can "deploy" ECH to all TLS servers without upgrading the HTTPS server
> software of the backend server. All we need is to do some kind of "DNS hijacking". This hijacking will result in no security problem
> because the client-facing server will only see the ClientHelloInner and cannot monitor the real plain traffic under TLS.
>
> If we can implement an ECH-based SNI proxy, the user agent setup will be simplified as much as possible. All it needs to do is
> set up a proper DoH server, and leave all other configuration on the remote side of the ECH client-facing server and DoH server.

I'm still not sure what specific benefit this has compared to a TLS HTTPS CONNECT proxy (HTTPS proxy + HTTP CONNECT). In both cases, we need to modify the User-Agent behavior a little bit (e.g. tell the browser to use an HTTPS proxy, vs. configure a "custom" DoH server to do the hijacking), and configure a remote server a bit (set up an HTTPS proxy, vs. set up the ECH-based SNI proxy).

In fact, I'd argue that looking at the common HTTP User-Agents today, configuring an HTTPS proxy is already very widely supported, so it would have a better reach immediately.

I'd like to hear if you have any ECH-specific benefits of this proposed proxy design; maybe I'm missing something.

Regards,
Raghu Saxena
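The DoH-plus-client-facing-server arrangement quoted above hinges on one DNS detail: for any backend name the user agent asks about, the DoH server answers with an HTTPS record whose `ech` SvcParam carries an ECHConfig naming the proxy as `public_name`, so the ClientHelloOuter SNI points at the proxy while the real name stays in the encrypted ClientHelloInner. This added example (not from this thread or any project) encodes such a record per RFC 9460 and the ECHConfig wire format and parses it back the way a client would; `PROXY_PUBLIC_KEY` and the host names are constructed placeholders.

```python
import struct

# Wire-format constants from RFC 9460 (HTTPS RR SvcParamKey "ech") and draft-ietf-tls-esni.
ECH_SVCPARAM_KEY, ECH_VERSION = 5, 0xFE0D
DHKEM_X25519_HKDF_SHA256, HKDF_SHA256, AES_128_GCM = 0x0020, 0x0001, 0x0001
# Constructed 32-byte placeholder for the proxy's HPKE (X25519) public key, not a real key.
PROXY_PUBLIC_KEY = bytes(range(32))

def _vec(data: bytes, size: int) -> bytes:
    return len(data).to_bytes(size, "big") + data   # big-endian length prefix of `size` bytes

def _dns_name(name: str) -> bytes:
    """Uncompressed wire-format DNS name; "." encodes as a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ech_config_list(public_name: str, pk: bytes, config_id: int = 1) -> bytes:
    """ECHConfigList with one ECHConfig naming the proxy as the client-facing server."""
    contents = (bytes([config_id]) + struct.pack(">H", DHKEM_X25519_HKDF_SHA256)
                + _vec(pk, 2)
                + _vec(struct.pack(">HH", HKDF_SHA256, AES_128_GCM), 2)
                + bytes([0])                      # maximum_name_length: no padding hint
                + _vec(public_name.encode(), 1)   # goes into the ClientHelloOuter SNI
                + _vec(b"", 2))                   # no extensions
    return _vec(struct.pack(">H", ECH_VERSION) + _vec(contents, 2), 2)

def https_rdata_for_backend(proxy_public_name: str, priority: int = 1) -> bytes:
    """HTTPS RDATA the DoH server returns for any backend name: TargetName "." plus the ech param."""
    ech = ech_config_list(proxy_public_name, PROXY_PUBLIC_KEY)
    return (struct.pack(">H", priority) + _dns_name(".")
            + struct.pack(">HH", ECH_SVCPARAM_KEY, len(ech)) + ech)

def ech_public_name(rdata: bytes) -> str:
    """Walk HTTPS RDATA as a client would and recover public_name from the ech SvcParam."""
    off = 2                                       # skip SvcPriority
    while rdata[off]:                             # skip TargetName labels
        off += 1 + rdata[off]
    off += 1
    while off < len(rdata):
        key, length = struct.unpack_from(">HH", rdata, off)
        off += 4
        if key == ECH_SVCPARAM_KEY:
            break
        off += length
    else:
        raise ValueError("no ech SvcParam in HTTPS record")
    cfg = rdata[off + 6:]                         # skip list length, version, config length
    p = 3 + 2 + struct.unpack_from(">H", cfg, 3)[0]       # config_id, kem_id, public_key
    p += 2 + struct.unpack_from(">H", cfg, p)[0] + 1      # cipher_suites, maximum_name_length
    return cfg[p + 1 : p + 1 + cfg[p]].decode()
```

The point the reply above makes still applies: this record steers the outer SNI, but the user agent must trust that DoH server to emit it, which is the same configuration step as pointing it at an HTTPS proxy.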