IETF Logo Mail Archive

Re: [TLS] Two Multi-CDN proposals

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 28 February 2019 10:50 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D890D130EF1 for <tls@ietfa.amsl.com>; Thu, 28 Feb 2019 02:50:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4rgJLvV_juyb for <tls@ietfa.amsl.com>; Thu, 28 Feb 2019 02:50:37 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAEF1130F39 for <tls@ietf.org>; Thu, 28 Feb 2019 02:50:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0DCE8BE4D; Thu, 28 Feb 2019 10:50:34 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBEBQ45-0om0; Thu, 28 Feb 2019 10:50:33 +0000 (GMT)
Received: from [134.226.36.93] (unknown [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C011DBE39; Thu, 28 Feb 2019 10:50:33 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1551351033; bh=I6H0fx234K45r71g+nXxPXLn3pVB/n6aSbsZW/ULLv8=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=Zpw5U3qDsufeMuhzNyxpwIq9oV+/F7a66KbT2g71OqsOxy4rqI3Ot670hqnxWlJeN lVMCgwwqrlU62o/RRzFR8OU5Olo7jwjjJYEGBhe/q08BUh563DYzhti0nhaAHQOWoJ EJykXWnArp+L8ynSOuYnscvT0+JSt6xihP/CeUU8=
To: Eric Rescorla <ekr@rtfm.com>
Cc: Christopher Wood <christopherwood07@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com> <0b19d021-8101-23ee-2899-450d103a8906@cs.tcd.ie> <CABcZeBN0mf7VFCKKdg9gH0=tCS7eLZz6M5_WJdaNG7XrJeyESw@mail.gmail.com> <0b854704-8f93-f9ad-c067-67f7f73cbbbf@cs.tcd.ie> <CABcZeBM61u=DtjQh+NkQF47MLyZS4EyuGBjDnsfjxz-z5kfjoQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <1eaaebf3-6e8a-ae84-0ab3-f977295c0721@cs.tcd.ie>
Date: Thu, 28 Feb 2019 10:50:29 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBM61u=DtjQh+NkQF47MLyZS4EyuGBjDnsfjxz-z5kfjoQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="9AMpm5saHftohk4TqkJgaOa28wHFJwMAb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Arel6r7kK7U0XTIle1ZYQGNbFg0>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 10:50:49 -0000

Hiya,

On 28/02/2019 02:40, Eric Rescorla wrote:
> On Wed, Feb 27, 2019 at 5:56 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>>
>> Hiya,
>>
>> On 28/02/2019 01:41, Eric Rescorla wrote:
>>> I think you're misunderstanding the scenario here: we have two CDNs A and
>>> B, and some switching service in front, so that when you lookup
>> example.com,
>>> you get a CNAME to A or B, and then you get the ESNIKeySet
>>
>> (ESNIKeySet is a type you've just invented I guess?)
>>
> 
> No. I forgot it was named ESNIKeys
> 

Phew:-)

>>> for A or B as
>>> the case may be. So you're not going to get both ESNIKeys values.
>>
>> Yes, that's not the model I had in mind. I don't recall that having
>> been written down but maybe I missed it. (Where should I look?)
>>
> 
> I believe this was discussed in Bangkok during the discussion of problems
> with the current structure.

FWIW, I didn't take from that discussion that we only want
that model to be supported, but it may have passed me by
if that was stated.

>> The model I had in mind was where the hidden site has it's own DNS
>> operator but >1 CDN/front-site with each of those having a private
>> ESNI value. (And if there's some front-end DNS cleverness, it'd
>> kick in when the CNAME from #137 is being chased down.)
>>
> 
> I don't see how this is conflicts with what I said above, as that server
> still needs to ensure consistency. 

I don't think mine conflicts with the model you describe,
but I do think it has different consequences for how we
ought structure the ESNIKeys stuff.

To be more specific, say in my model I have example.com
and want to see ESNI used for www.example.com and I
publish the zone for example.com including ESNIKeys.

Now I want browsers to be able to use either cdn1.example
or cdn2.example to front for www.example.com where those
are independent CDNs.

So I need to update my DNS zone periodically whenever
one or other CDN changes their ESNI public key share.
In my tiny little case doing this for a few domains, I
already have a small infrastructure that allows me to
do that kind of thing because of the need for regular
DNSSEC re-signing. (Mine currently works at a weekly
or daily cadence, but doing it hourly would be fine.)

I'd like to do that via a simple update to my zone files
without having to unpack and re-pack the data structures
I get from cdn1 or cdn2. Now sure, I could write a new
tool to munge together what I get from the CDNs but
that's more work (that could go wrong) and doesn't match
my current work flows. And I suspect others may operate
similarly.

That's what leads me to think that we'd be better off
to have multi-valued answers when a browser looks up
the RRset at _esni.www.example.com with each separate
value matching one ESNI public share (or one CDN,
though I'd argue for one share per zone file stanza).

I don't think that conflicts with your model where
_esni.www.example.com is one or another CNAME at a
given moment but it does differ from it.

There is however some dependency on #137 to get what
I want I guess using the host_pointer to get the
privacy benefit of using a CDN. I guess I might need
to publish yet another ESNI public share that matches
the private available at the A/AAAA of www.example.com
as well as those from the CDN even though that may
get me less privacy benefit compared to browsers who
go to cdn1 or cdn2. (It's possible that I'm reading
#137 wrong though, but I read it as supporting the
kind of setup I describe here.)

> In any case, the model I am describing
> has a consistency problem which needs to be addressed.

>> PS: I nonetheless maintain my points about the current ESNIKeys
>> structure - it's over generic and over complex and these PRs can
>> only make that worse:-)
>>
> 
> Yes, I am aware this is your opinion, but I don't agree.
Fair enough:-) Personally I think that if we support
the kind of model above, such simplifications may well
naturally fall out of that work but we'll see I guess.
For example, I think that'd allow re-structuring the
ESNIKeys thing so the host_pointer in #137 no longer
needs to be an extension and hence we don't need the
concept of mandatory/critical extensions at all.

Cheers,
S.



> 
> -Ekr
>

v2.23.0 | Report a Bug | By Email