Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

Dean Anderson <dean@av8.com> Mon, 01 November 2010 04:45 UTC

Return-Path: <dean@av8.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 11EE43A688E for <tls@core3.amsl.com>; Sun, 31 Oct 2010 21:45:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gEFq6UHCNJF for <tls@core3.amsl.com>; Sun, 31 Oct 2010 21:44:59 -0700 (PDT)
Received: from cirrus.av8.net (cirrus.av8.net [130.105.36.66]) by core3.amsl.com (Postfix) with ESMTP id C86513A6889 for <tls@ietf.org>; Sun, 31 Oct 2010 21:44:58 -0700 (PDT)
Received: from citation2.av8.net (citation2.av8.net [130.105.12.10]) (authenticated bits=0) by cirrus.av8.net (8.12.11/8.12.11) with ESMTP id oA14iwkV022015 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Mon, 1 Nov 2010 00:44:58 -0400
Date: Mon, 1 Nov 2010 00:44:57 -0400 (EDT)
From: Dean Anderson <dean@av8.com>
X-X-Sender: dean@citation2.av8.net
To: =JeffH <Jeff.Hodges@KingsMountain.com>
In-Reply-To: <4CC765D6.6020704@KingsMountain.com>
Message-ID: <Pine.LNX.4.44.1010312356000.30686-100000@citation2.av8.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] Server Name Indication (SNI) in an IPv6 world?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Nov 2010 04:45:00 -0000

Hi Jeff,

Until IPV6 is a viable platform independent of IPV4, it's probably
premature to consider how one might use it with TLS because it's not
stable in its present form.  At present and for the forseeble future,
IPV6 doesn't work independently from IPV4, and as-is, isn't a viable
platform.  Some people might think that is a controversial statement,
but those people been denying the obvious since at least the failure of
the great deployment effort of 2003. And probably even before that since
the 2003 effort was forseeably unrealistic in the 2002 planning stages.  
Present plans are to repeat what didn't work in 2003, with no
substantial change.

I think the easiest way to understand the basis for saying IPV6 is dead
is this:  Anyone who publishes an AAAA record is immediately penalized
by the blackholing of traffic as IPV6 connections are attempted over
IPV4 interfaces. The root cause of this is that DNS doesn't have the
necessary separate stacks;  consequently, there is no such thing as an
IPV6 DNS stack. So there is just one DNS stack, and as soon as anyone
tries to use IPV6, they have to use an AAAA record in the IPV4 DNS, and
as soon as they do that, they get blackholed. Foot, gun, bang. Rollback
on IPV6. End of story. That's why now when you google IPV6, you bring up
more and more pages on how to disable it. And so, it's dead.

DNS bungling is not the only reason it's dead, of course. Just like
there's no single cause for the roman empire collapse. But in the same
way that many people think it was the barbarians who caused the roman
collapse, I think it was DNS bungling that caused IPV6 to fail. But
there are actually a whole lot of reasons. But this isn't the place to
post-mortem IPV6.

		--Dean


On Tue, 26 Oct 2010, =JeffH wrote:

> What do folks think, will the TLS SNI extension still be employed as much in 
> the IPv6 world as it is in the IPv4 world?
> 
> The question stems from the simple observation (on some folks' part) of the 
> IPv6 world ostensibly having multitudinous addresses available, hence instead 
> of virtual-hosting via one IPv4-addressed entity (and employing SNI in order to 
> properly have a cert per virtual host, rather than one cert with a mutitude of 
> subjectAltName:dNSNames), one can instead just multi-home such hosting entities 
> with an IPv6 addr per virtual host.
> 
> thoughts?
> 
> =JeffH
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494