Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Paul Yang <kaishen.yy@alipay.com> Wed, 09 October 2019 14:17 UTC

From: Paul Yang <kaishen.yy@alipay.com>
Date: Wed, 9 Oct 2019 22:17:33 +0800
Cc: Rich Salz <rsalz@akamai.com>, "TLS@ietf.org" <tls@ietf.org>
To: Rob Sayre <sayrer@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/78yLvo6yRELI02Ao9IvagnQ-PXw>


> On Oct 9, 2019, at 9:46 PM, Rob Sayre <sayrer@gmail.com> wrote:
> 
> On Wed, Oct 9, 2019 at 8:43 PM Paul Yang <kaishen.yy@alipay.com> wrote:
> 
> From my understandings, either IPv4 or IPv6 should have nothing to do with the concept “virtual host”
> 
> Hi Paul,
> 
> That is correct. However, the scarcity of IPv4 addresses is one major factor driving the need for virtual hosts.

Yes, that’s right. So even though the IPv6 address space is large enough to hold every domain name, we still can’t assume it’s all used in this way in practice. An administrator can always configure the origin server to host multiple domain names on one IPv6 address. It may not be very reasonable to do so, but it could be done that way. Actually, popular web servers such as NGINX support such configurations, for instance.

For the TLS protocol, when used between an IPv6 CDN node and an origin server, the SNI still needs to be present in the ClientHello to address the above circumstance; otherwise, the IPv6 origin may fail to choose the right host/certificate to finish the handshake.

> 
> Thank you for reading the mailing list in detail.
> 
> thanks,
> Rob


Regards,

Paul Yang
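An added example, not part of this thread or of any project discussed in it: a constructed minimal ClientHello builder and an SNI extractor in Python, of the kind an origin operator could run over the first bytes of an incoming CDN connection to confirm that the server_name extension the origin relies on for host/certificate selection is actually present. The function names and the sample hostname are assumptions made for the demo.

```python
import struct

def build_client_hello(sni):
    """Construct a minimal TLS 1.2-style ClientHello record (sample data for this demo only)."""
    exts = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32           # client_version + (constant) random
            + b"\x00"                             # empty session_id
            + b"\x00\x02\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                         # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(data):
    """Return the host_name carried in the server_name extension, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:    # not a handshake record / not a ClientHello
            return None
        pos = 9 + 2 + 32                          # record hdr (5) + hs hdr (4) + version + random
        pos += 1 + data[pos]                      # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + data[pos]                      # compression_methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:
                # server_name_list: 2-byte list length, then (name_type, length, name) entries
                lpos = pos + 2
                while lpos + 3 <= pos + elen:
                    ntype = data[lpos]
                    nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return data[lpos + 3:lpos + 3 + nlen].decode("idna")
                    lpos += 3 + nlen
                return None
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeError):
        return None
```

A ClientHello without the extension yields None, which is exactly the case where a multi-host IPv6 origin cannot pick the right certificate.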