Re: [TLS] Two Multi-CDN proposals

Mike Bishop <mbishop@evequefou.be> Thu, 28 February 2019 00:36 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: Christopher Wood <christopherwood07@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Two Multi-CDN proposals
Thread-Index: AQHUzrgq/mj86VpJpU6F+CUABXSdh6X0XA7g
Date: Thu, 28 Feb 2019 00:36:42 +0000
Message-ID: <CY4PR22MB098340D8B4C6FD7D9EB9C32EDA750@CY4PR22MB0983.namprd22.prod.outlook.com>
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com>
In-Reply-To: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ux41hTy_T-QCm-1_5eLaOaqV-ck>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 00:36:51 -0000

Despite the additional complexity of #137, I think it's probably the better approach (and I would be fine with the simplification, if that makes it more palatable).  Particularly when multi-CDN is used, there's a lot of logic involved in generating the "right" A/AAAA record in response to a request.  #136 essentially lets the ESNIKeys result override the A/AAAA, which means ESNIKeys needs to be equally tailored and duplicate all the existing logic for a new record type.  In #137, the ESNIKeys essentially contains enough information to check that the A/AAAA results came from the same entity as the ESNIKeys result but leaves the DNS complexity where it already exists.  (It has the option to override, and removing that would be the simplification.)

The tripping point of #137, however, is that it may need a recovery path (i.e. a second A/AAAA resolution) in case the records come from mismatched providers.  We don't currently have data on how often that would happen -- whether it's 10% or 0.001% of the time would make a big difference.

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Christopher Wood
Sent: Wednesday, February 27, 2019 8:18 AM
To: <tls@ietf.org> <tls@ietf.org>
Subject: [TLS] Two Multi-CDN proposals

Hi folks,

Below are two PRs that seek to address the multi-CDN issue discussed on this list and in meetings:

   1. https://github.com/tlswg/draft-ietf-tls-esni/pull/136
   2. https://github.com/tlswg/draft-ietf-tls-esni/pull/137

#136 implements the combined or stapled record approach discussed several times, most recently in [1]. It includes these via an ESNIKeys extension. #137 builds on this design with a mechanism that lets clients detect and recover from A/AAAA and ESNI mismatch (if desired).

It is certainly more complex in several respects. A third variant, which is not (yet) in PR form, is a simplification of #137 wherein ESNIKeys addresses are only used as filters, instead of filters *or* complete addresses.

We are asking for feedback on these PRs, as we would like to merge one of them for the next draft version. As #136 is simpler and permits extensibility, that is the current preference.

Thanks in advance for your feedback.

Best,
Chris (no hat, on behalf of the authors)

[1] https://mailarchive.ietf.org/arch/msg/tls/WXrPgaIsIPItDw3IQthmJk9VRlw

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
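The three client behaviours the thread contrasts (ESNIKeys addresses overriding the A/AAAA answer as in #136, ESNIKeys addresses filtering the A/AAAA answer with an optional override and a second-lookup recovery path as in #137, and the filter-only simplification Chris mentions) can be written down as one decision function. The model below is an added illustration and is not code from draft-ietf-tls-esni or from either PR. It assumes that ESNIKeys carries a list of IP prefixes in an addresses extension, that a /32 or /128 entry counts as a "complete address" and a shorter prefix as a "filter", and it uses constructed DNS answers; the names Policy, ESNIKeys, Outcome, select and recovery_rate are all inventions of this example.

```python
"""Client-side model of the multi-CDN ESNIKeys behaviours discussed in the thread.

Added illustration only: this is not code from draft-ietf-tls-esni or PRs #136/#137.
Assumptions: the ESNIKeys record carries a list of IP prefixes (an "addresses"
extension); a /32 or /128 entry is a complete address, a shorter prefix is a filter.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


class Policy(Enum):
    OVERRIDE = "pr136"                 # ESNIKeys addresses replace the A/AAAA answer
    FILTER_OR_OVERRIDE = "pr137"       # filter A/AAAA; override if possible; else re-resolve
    FILTER_ONLY = "pr137-simplified"   # filter A/AAAA; never override; else re-resolve


@dataclass
class ESNIKeys:
    provider: str          # publisher of the record (model bookkeeping only)
    addresses: List[str]   # assumed extension: prefixes this key is valid for


@dataclass
class Outcome:
    addresses: List[str]   # addresses the client will connect to
    use_esni: bool         # whether the ESNIKeys may be used with those addresses
    extra_lookups: int     # second A/AAAA resolutions performed (the #137 cost)


def _matching(a_aaaa: List[str], keys: ESNIKeys) -> List[str]:
    """Keep only A/AAAA answers covered by one of the ESNIKeys prefixes."""
    nets = [ip_network(p, strict=False) for p in keys.addresses]
    return [a for a in a_aaaa if any(ip_address(a) in n for n in nets)]


def _complete_addresses(keys: ESNIKeys) -> List[str]:
    """Entries that are full host addresses, i.e. usable without any A/AAAA answer."""
    hosts = []
    for p in keys.addresses:
        n = ip_network(p, strict=False)
        if n.prefixlen == n.max_prefixlen:
            hosts.append(str(n.network_address))
    return hosts


def select(policy: Policy, a_aaaa: List[str], keys: Optional[ESNIKeys],
           resolve_again: Callable[[], List[str]]) -> Outcome:
    """Decide where to connect and whether ESNI can be used.

    a_aaaa        first A/AAAA answer
    keys          ESNIKeys answer (None if absent)
    resolve_again callback performing the second A/AAAA resolution
    """
    if keys is None:
        return Outcome(list(a_aaaa), False, 0)       # no ESNI at all
    if not keys.addresses:
        return Outcome(list(a_aaaa), True, 0)        # nothing to check against

    if policy is Policy.OVERRIDE:
        # #136 as described: the stapled addresses win; A/AAAA is only a fallback
        return Outcome(_complete_addresses(keys) or list(a_aaaa), True, 0)

    hits = _matching(a_aaaa, keys)
    if hits:
        return Outcome(hits, True, 0)                # same provider; no extra work

    if policy is Policy.FILTER_OR_OVERRIDE:
        hosts = _complete_addresses(keys)
        if hosts:
            return Outcome(hosts, True, 0)           # mismatch, but keys carry hosts

    # Mismatch and no usable override: the recovery path (second A/AAAA lookup)
    second = resolve_again()
    hits = _matching(second, keys)
    if hits:
        return Outcome(hits, True, 1)
    # Still mismatched: connect, but the host at these addresses may not hold the
    # ESNI private key, so do not send ESNI with this key.
    return Outcome(list(second), False, 1)


def recovery_rate(policy: Policy, samples) -> float:
    """Fraction of (a_aaaa, keys, second_answer) samples that needed a second lookup."""
    if not samples:
        return 0.0
    lookups = sum(select(policy, a, k, lambda s=s: s).extra_lookups
                  for a, k, s in samples)
    return lookups / len(samples)


if __name__ == "__main__":
    # Constructed sample: CDN A publishes keys for 198.51.100.0/24 plus one host;
    # the first resolver answers with a CDN B address, the second with CDN A.
    keys = ESNIKeys("cdn-a", ["198.51.100.0/24", "198.51.100.7/32"])
    for policy in Policy:
        out = select(policy, ["203.0.113.9"], keys, lambda: ["198.51.100.21"])
        print(policy.value, out)
```

The recovery_rate helper is the measurement Mike says is missing: fed a set of observed (A/AAAA answer, ESNIKeys, second answer) triples, it reports how often a given policy would have needed the second resolution, so the same data set shows directly what the override option buys. Note that a persistent mismatch ends with use_esni set to False rather than an attempt to use the key anyway, since the host at the unverified addresses cannot be assumed to hold the matching private key.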