Re: [TLS] Multi-CDN and ESNI
Nick Sullivan <nick@cloudflare.com> Wed, 24 October 2018 00:45 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36239128CB7 for <tls@ietfa.amsl.com>; Tue, 23 Oct 2018 17:45:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uPvkvXl5AYMa for <tls@ietfa.amsl.com>; Tue, 23 Oct 2018 17:45:41 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FB93126BED for <tls@ietf.org>; Tue, 23 Oct 2018 17:45:41 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id c32so3311486otb.8 for <tls@ietf.org>; Tue, 23 Oct 2018 17:45:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Lhcdf2iEQ5vrICWBhpbT1vlYArpr471rI5Wc0AzusBw=; b=jWcy1wDZG3LRGCoGkOm4SwCVTkO5R7Xl9WTX2hMaJX1MoQCSu0trmfEo7leGXZVQv8 MWZQiwbxOcklVg9AxGv2GObCaz1fuuP+uVVQe27bEDUQt462rjbghZwcereH85QWmRaY dVRvb5CPVT9APxvWQsjSBC9chnlCwmKHr9Oeg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Lhcdf2iEQ5vrICWBhpbT1vlYArpr471rI5Wc0AzusBw=; b=AQFp2Ri0vE2ksC7Er8z2hZh7v4GHkvww+FRcb6zWbEQc6macdfeBNQUzFKHHhqjy9a AWsax5nKvcbIZlao9MRfmroCqHmJfTadmNq9L8TAaNSR76v+/JxKCkp9ZWbxM+oiMtfA GVp/tIvecU5ke+aHtdTlqc6Jnf4WHrrzd9SOLmcME2Oeni64oCcCYnAfWe1gu3YaCLO+ Hc0vLS1JiEqJhlkTEDGzJToscl+JuhdcY3MKEHLoElMVu3FsbIF8z4AtZyN2cPLBywVz iZmOClTkar6FNzj92++hIwPp7qcl4y+kNx8Cma2GWUZvkIem72lj/ML8BjmLWqkHePqX BT0g==
X-Gm-Message-State: AGRZ1gKUoxlFyGFun1PVjAplRMgmLSYbGRpl9JZ7BbLWeBgHA9paZtdO aHQ0sLuTGRN18b8mIaVWP0QUJwx6+eOobGR/OZmPVJKo07Y=
X-Google-Smtp-Source: AJdET5em2FAZweSxIqKoTeLsG7chIhQnoRo6FDb2wfIROxtD9z3K7HrgKnADsKH3Br+/rxDylzspC6WIM0pQr1DfM5A=
X-Received: by 2002:a9d:59c1:: with SMTP id u1mr325436otg.115.1540341940329; Tue, 23 Oct 2018 17:45:40 -0700 (PDT)
MIME-Version: 1.0
References: <DDE6F8E9-6635-4D69-8028-83D49E9D7437@akamai.com> <CAOdDvNpmLdHQj2yE3tNNbjxCqOZMqTriODwG6setC9ajJmx2pQ@mail.gmail.com>
In-Reply-To: <CAOdDvNpmLdHQj2yE3tNNbjxCqOZMqTriODwG6setC9ajJmx2pQ@mail.gmail.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Tue, 23 Oct 2018 17:45:28 -0700
Message-ID: <CAFDDyk9dSW0Ts6kQpRwWN4d7GiaNDkMo4Dmyg9iEUro6Ecp1_Q@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002fedfd0578eeceec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ARQ7yhHmLTK3hQRMsiErgPmU-mI>
Subject: Re: [TLS] Multi-CDN and ESNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 00:45:44 -0000
This line of commentary describes one instance of a more general situation that is unrelated to the multi-provider case: what happens when you connect to a server that doesn't know the ESNI key you're using? This can even happen on a single provider due to DNS caching issues, for example. The two cases are related and there are two features missing from the current ESNI draft that might be useful to mitigate these scenarios: 1) Allow multiple simultaneous ESNI keys. The DNS provider could present ESNI keys from multiple HTTPS providers (perhaps as different DNS records) and the client could choose to send multiple entries in its ESNI extension, each encrypted to a different key. This would likely solve the multi-CDN scenario at the cost of some clienthello bloat. 2) Allow in-band distribution of ESNI keys if the server does not know the ESNI key sent by the client. The server could prove ownership over a specific long-term "fallback key" advertised in the ESNI record (or maybe a fallback domain) when sent a TLS connection for which no ESNI extensions can be decrypted, then in-band send back a new ESNI public key that the client could use to send the SNI in a follow-up message. It's also possible that handshake encryption alone is enough. This might require some TLS message gymnastics, but doesn't seem impossible. I've heard more well-baked versions of this idea batted around by others. (note that this incurs at least one additional round-trip, but considering that a server not having the active ESNI key should be rare, it is likely ok) To comment specifically on your proposals, Patrick, I don't see #3 as a workable solution since many authoritative DNS providers hide the fact that a CNAME is used when returning A/AAAA records. This obfuscates the indirection that would be necessary to do what you propose, and it does it for a good reason (saving round trips on DNS resolution). Furthermore, intermediate values of CNAME chains seems like a brittle mechanism to rely on for policy enforcement. Nick On Tue, Oct 23, 2018 at 2:28 PM Patrick McManus <mcmanus@ducksong.com> wrote: > Definitely agree this is something that needs to be addressed.. > > As Mike notes, the fundamental issue is that there are 2 pieces of > information that are statefully related (the key and address) but obtained > statelessly from each other and can therefore come from un-coordinated > sources. 2 CDNs are commonly un-coordinated sources.. but I've seen this > with other kinds of cloud providers too. All of which should be target > audiences of ESNI (because they terminate a variety of hostnames on a > smaller number of addresses). > > fwiw there is a muddled github issue open on this in the old > individual-draft repo: > https://github.com/ekr/draft-rescorla-tls-esni/issues/35 .. which I'll > re-open when the tls-wg repo starts being used for this draft. > > I see three solution spaces. > > 1] As Rich suggests, you can coordinate the uncoordinated sources to have > one keying record to rule them all. I suspect that's actually not good for > anonymity unless it somehow had a normalized global set .. and given the > one way nature of a CNAME pointer, I feel like this would be really fragile. > > 2] you could scope the keys to only be valid for certain addresses by > putting the valid addresses in the key record. This wouldn't help you do > ESNI when they didn't match, but at least you could avoid hard failure. (or > you could ignore the addressing record but that might be a bridge too far?) > > 3] My preferred approach, you could scope the keys to the same > intermediate name. So if www.example.com -> cname www.cdn-a.com -> ESNI > record www.cdn-a.com we could make a rule that the ESNI record would only > apply to address records with a final intermediate of www.cdn-a.com. (I'm > presuming we'll shift from TXT to ESNI RRTYPE without a prefix, but I don't > think it matters for this..).. when there is a mismatch you could use the > addressing intermediate as a place to try a new ESNI query from.. That's a > perf penalty, but its only paid in the hopefully rare case where these > things are unsyncd. > > #3 is admittedly a bit non traditional, but I spent a bit of time looking > at the features of DNS APIs that already have the necessary surface to make > a query for a new RRTYPE... and the cname intermediates are indeed > generally available.. its true of getdns, res_query, the IOS and MacOS > interfaces, DnsQuery* on windows, and of course the custom dns stacks in > cronet/android and firefox/doh could do it. > > I hope to work this into a PR.. my first attempt wasn't very readable, but > I'll try again tomorrow. > > -P > > > > > > > On Tue, Oct 23, 2018 at 1:59 PM Salz, Rich <rsalz@akamai.com> wrote: > >> I think perhaps we need to take a step back and explain something that >> might not be well-known outside the community of CDN’s and their >> customers. It is not uncommon for (admittedly larger) origins to use >> multiple CDN’s, and to switch among them. This can be done on a per-request >> basis, because of things like contractual arrangements that make one >> preferable, or it can be done globally but switched in a matter of seconds >> because of a short TTL on the www.example.com entry. >> >> >> >> The issues that Mike discusses impact on this, somewhat negatively. >> >> >> >> A quick hack thought is to allow multiple entries in the TXT record, >> forcing a wee bit more work on the CDN. >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Multi-CDN and ESNI Mike Bishop
- Re: [TLS] Multi-CDN and ESNI Salz, Rich
- Re: [TLS] Multi-CDN and ESNI Patrick McManus
- Re: [TLS] Multi-CDN and ESNI Nick Sullivan
- Re: [TLS] Multi-CDN and ESNI Patrick McManus
- Re: [TLS] Multi-CDN and ESNI Salz, Rich
- Re: [TLS] Multi-CDN and ESNI Patrick McManus
- Re: [TLS] Multi-CDN and ESNI Erik Nygren