Re: [TLS] Roman Danyliw's No Objection on draft-ietf-tls-sni-encryption-05: (with COMMENT)

Roman Danyliw <rdd@cert.org> Thu, 26 September 2019 16:41 UTC

Return-Path: <rdd@cert.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF7DE1200A1; Thu, 26 Sep 2019 09:41:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xIpXrL8bEDQE; Thu, 26 Sep 2019 09:41:53 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02D4012008D; Thu, 26 Sep 2019 09:41:52 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x8QGfm5P032645; Thu, 26 Sep 2019 12:41:48 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x8QGfm5P032645
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1569516109; bh=tkJhiU/5l8CpzUw7Iej8nLFUK9xGlvTbu0JtxTIfRwg=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=icuohsdaA9hTLcmze5jLBcsiesbYwMNolZjoqz5TUy7KNd5PkuRMdzgLqD/67Lm8z YHCZsEjgISS3kF0/1cW4qfAS/mTM6woRUHQnP4llDWR/LfyMIR9mnIaVM0O0CV453r Efhd1C2MPstWGm7q38yprzC8NVC2XmBx1PgLgIMc=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x8QGfmbq017708; Thu, 26 Sep 2019 12:41:48 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0468.000; Thu, 26 Sep 2019 12:41:47 -0400
From: Roman Danyliw <rdd@cert.org>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Christian Huitema <huitema@huitema.net>, The IESG <iesg@ietf.org>, "draft-ietf-tls-sni-encryption@ietf.org" <draft-ietf-tls-sni-encryption@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Roman Danyliw's No Objection on draft-ietf-tls-sni-encryption-05: (with COMMENT)
Thread-Index: AQHVbi8COnMhMIVEW0a3iVa1HwFkKKcyhpWAgADP/5CAChaCgIAAku2Q
Date: Thu, 26 Sep 2019 16:41:46 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B3469AE4@marathon>
References: <156881761812.4630.11745895149419124830.idtracker@ietfa.amsl.com> <c504a433-cc5b-df00-15c2-fcaf3116798c@huitema.net> <359EC4B99E040048A7131E0F4E113AFC01B3467E89@marathon> <20190926004157.GU6424@kduck.mit.edu>
In-Reply-To: <20190926004157.GU6424@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/54cEpjUcIZqNW_y7Eb344XLQp0Y>
Subject: Re: [TLS] Roman Danyliw's No Objection on draft-ietf-tls-sni-encryption-05: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Sep 2019 16:41:55 -0000


> -----Original Message-----
> From: Benjamin Kaduk [mailto:kaduk@mit.edu]
> Sent: Wednesday, September 25, 2019 8:42 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: Christian Huitema <huitema@huitema.net>et>; The IESG <iesg@ietf.org>rg>;
> draft-ietf-tls-sni-encryption@ietf.org; tls-chairs@ietf.org; tls@ietf.org
> Subject: Re: [TLS] Roman Danyliw's No Objection on draft-ietf-tls-sni-
> encryption-05: (with COMMENT)
> 
> On Wed, Sep 25, 2019 at 05:27:53PM +0000, Roman Danyliw wrote:
> > Hi Christian!
> >
> > Thanks for the detailed responses and the helpful background.  Below are a
> number of proposed text block replacements to clarify my intent (instead of
> more questions).
> >
> > Roman
> >
> > > -----Original Message-----
> > > From: iesg [mailto:iesg-bounces@ietf.org] On Behalf Of Christian
> > > Huitema
> > > Sent: Wednesday, September 18, 2019 10:14 PM
> > > To: Roman Danyliw <rdd@cert.org>rg>; The IESG <iesg@ietf.org>
> > > Cc: draft-ietf-tls-sni-encryption@ietf.org; tls-chairs@ietf.org;
> > > tls@ietf.org
> > > Subject: Re: [TLS] Roman Danyliw's No Objection on
> > > draft-ietf-tls-sni-
> > > encryption-05: (with COMMENT)
> > >
> > > Thanks for the feedback, Roman. Comments in line.
> > >
> > > On 9/18/2019 4:40 AM, Roman Danyliw via Datatracker wrote:
> > > > ** Section 1.  Per “More and more services are colocated on
> > > > multiplexed servers, loosening the relation between IP address and
> > > > web service”, completely agree.  IMO, unpacking “multiplexed
> > > > servers” is worthwhile to explain the subsequent text because it
> > > > motivates the loss of visibility due to encryption with network only
> monitoring.
> > > “Multiplex’ happens at two levels:
> > > >
> > > > -- co-tenants (e.g., virtual hosting) – multiple services on the
> > > > same server (i.e., an IP/port doesn’t uniquely identify the
> > > > service)
> > > >
> > > > -- cloud/cdn  – a given platform hosts the services/servers of a
> > > > lot of organization (i.e., looking up to what netblock an IP
> > > > belongs reveals little)
> > >
> > >
> > > OK, will try to incorporate your text.
> >
> > Thanks.
> >
> > > >
> > > > ** Section 2.1.  Per “The SNI was defined to facilitate management
> > > > of servers, though the developers of middleboxes soon found out
> > > > that they could take advantage of the information.  Many examples
> > > > of such usage are reviewed in [RFC8404].”,
> > > >
> > > > -- Can’t middleboxes also help facilitate the management of servers?
> > > > This text seems to take a particular view on middleboxes which
> > > > doesn't
> > > seem appropriate.
> > >
> > > It is pretty clear that the load balancer in front of a server farm
> > > will need access to the service ID, and must be able to retrieve the
> decrypted SNI.
> > > There may be other examples, such as DoS mitigation boxes. The
> > > "unanticipated usage" comes typically from middle-boxes that are not
> > > in the same management domain as either the client or the server. Is
> > > there an established way to designate those?
> >
> > I'm not sure I understand the original of the requirement that the client
> and server being in the same management domain.
> >
> > RFC3546's definition of SNI opens with:
> >    [TLS] does not provide a mechanism for a client to tell a server the
> >    name of the server it is contacting.  It may be desirable for clients
> >    to provide this information to facilitate secure connections to
> >    servers that host multiple 'virtual' servers at a single underlying
> >    network address.
> 
> I think the idea is that you can have a client-side forward proxy or a server-
> side reverse proxy, and either of those can be okay, but you don't want
> some random unaffiliated thing in the network poking at things.
> So, one might have client != server, but (client == middlebox) OR (server ==
> middlebox), where equality reflects membership in the same administrative
> domain.

Understood, but IMO, this is an interpretation of "anticipated use".  Taking a narrow read of RFC3546, I don't see explicit references to proxies, domain boundaries, etc.  The line of thinking I read in this draft is that there are certain anticipated and unanticipated uses of SNI.  If the practice is categorized as unanticipated, then it should be "thwarted" with encrypted SNI (per Section 2.3).  My concern is that with this framing is that we're unnecessarily divining intent from RFC3546 to classify certain practices.  This draft is a commentary on concerns of certain existing practices (whether they were intended or not).

I'm trying to avoid adjudicating whether proxies are middleboxes and what uses were intended.  My proposed text sticks to citable sources by explicitly referencing the purpose of the SNI from RFC3546 and acknowledging that it gets used for other things.

Roman

> -Ben
> 
> > It seems to me that if we are trying to channel original intent, then only the
> virtual server use case applies.  I'd propose:
> >
> > OLD
> > The SNI was defined to facilitate management of servers, though the
> developers of middleboxes soon found out that they could take advantage
> of the information.  Many examples of such usage are reviewed in
> [RFC8404].
> >
> > NEW
> > The SNI was defined to facilitate secure connections to servers that host
> multiple 'virtual' servers at a single underlying network address [RFC3546].
> However, addition management and security practices emerged making use
> of this information.  Examples of such usage are reviewed in [RFC8404].
> >
> > This language would let you distinguish all of the middle box behaviors
> done by operators and enterprises from a possible [RFC7258] attacker.
> >