IETF Logo Mail Archive

Re: [TLS] Multi-CDN and ESNI

Erik Nygren <erik+ietf@nygren.org> Fri, 02 November 2018 19:57 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6114B129385 for <tls@ietfa.amsl.com>; Fri, 2 Nov 2018 12:57:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id apZ7y42GXXVX for <tls@ietfa.amsl.com>; Fri, 2 Nov 2018 12:57:27 -0700 (PDT)
Received: from mail-it1-f176.google.com (mail-it1-f176.google.com [209.85.166.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D993126BED for <tls@ietf.org>; Fri, 2 Nov 2018 12:57:27 -0700 (PDT)
Received: by mail-it1-f176.google.com with SMTP id b7-v6so4736462itd.5 for <tls@ietf.org>; Fri, 02 Nov 2018 12:57:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BGTPCNEr6Kq+yEaWexB313VAAiVQfvAVDJMp6jrg/uE=; b=tboBr/+i/HdKmZ+vkdj6m07HGxBWS+s60IXh42LFjvSE2eWVTgqLwqV3a5jnpBDxrM Xg/ZcgvmgDH9iGBB0K2Dq9CpghLmlwaY76UzsDsHZM1D3SHUfFcLicp4iezzTnDDSKCy TFIFFyCqtCHAtKsSg5Unqa8z3N97k4M7FLf0vmVCOUIf8hOWP0t/jTpdzoGWVDwXLI6L eAvjqLTURgdV+S5Xil3tZHLzqbfRzxrzBGPZuCIaTMdnjyZeBI+kYzX2Hzj61TzfG+J9 nm2FG7UQOd0taz3lHNHTMI46Lcs4a8HxueiyP8cDvqCN063SHkZ9F85mphxmWGm7o1wY cG8Q==
X-Gm-Message-State: AGRZ1gJ8gY0ba8lIsOzQDKwH/ZGFAfq5su62shNTIAlYhZsrrDL6nS5s 3+7FfzZuE8c+wpgEj2TskW9zyw6T5FQ6xt2w/LDUjWxJ
X-Google-Smtp-Source: AJdET5fUV0hOZJcK7TKT5R4l/x2lCZ3gWJK2tu5bCXtoFbF/lZBcNp4FlJ+DI1UBwmnUPovct8gg378goVYd+D8mX+Q=
X-Received: by 2002:a02:84ce:: with SMTP id f72-v6mr12264014jai.38.1541188645964; Fri, 02 Nov 2018 12:57:25 -0700 (PDT)
MIME-Version: 1.0
References: <DDE6F8E9-6635-4D69-8028-83D49E9D7437@akamai.com> <CAOdDvNpmLdHQj2yE3tNNbjxCqOZMqTriODwG6setC9ajJmx2pQ@mail.gmail.com>
In-Reply-To: <CAOdDvNpmLdHQj2yE3tNNbjxCqOZMqTriODwG6setC9ajJmx2pQ@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Fri, 02 Nov 2018 15:57:13 -0400
Message-ID: <CAKC-DJhrDyGd3DYHz6-BHobyP+LoYuzsKz8kEw6uc8c4C8FF4A@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: Rich Salz <rsalz@akamai.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c6675a0579b3f14d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/I9myrV5lEHK3Ki-p2DrtrXAxx0E>
Subject: Re: [TLS] Multi-CDN and ESNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 19:57:30 -0000

Another important scenario that is closely related to multi-cdn is how to
safely enable and disable ESNI, as well as how to handle cases where not
all CDNs in a multi-CDN setup have ESNI turned on.  As some examples:

* A site is using a CDN that has ESNI enabled.  As part of switching off of
that CDN to their own hosting provider or another CDN (which either has no
ESNI or has a different ESNI key) there is the same sort of inconsistency
in the records, or a missing record.

* A site is on a multi-CDN setup.  There is no way to get all CDNs to turn
on ESNI at the same time (or likely even within a reasonable time window,
and there may be cases where only some support it).

For example, with #3 one way to handle it would be to treat an NXDOMAIN for
the _esni ESNI record as a "disable sending ESNI in this case".

Some general commentary on some of the proposed options:

On #1) Experience with coordinating keys across providers suggests this
likely won't work.  (Plus will open up lots of security issues.)   The ESNI
DNS record, ESNI key, and ESNI server-side config likely need to be managed
by the same entity for any given case in order for this to be operationally
maintainable.

On #2) Given the number of addresses involved in some of these cases this
may not work or scale well.  In some cases the number of address candidates
may be more than possible in an rrset.  For CDNs that change their DNS
results frequently and have low TTLs, this is also likely to have a very
high rate of mismatches.

On #3) As Nick mentions this won't help with the address collapsing case.
It also needs a way to handle the offboarding situation described above.

I think there's also an option #4 that has a slightly higher integration
overhead for
sites but solves other problems as well.  If we take a step back, the issue
here is that
DNS is a database but any two given responses lack some sort of primary key
tying them
together.  One approach would be to introduce an intermediate record/object
that explicitly
does tie them together.  Two examples of this are the ALTSVC-in-DNS
proposal as well as
something like a "Service Binding" record (which I wrote up when we were
talking
about this back in 2014 following a brainstorm, in which case the"tlshp"
parameter
in that draft is effectively the ESNI key):
      https://www.ietf.org/archive/id/draft-nygren-service-bindings-00.txt

More recently with the ALTSVC DNS record, we'd add an ALTSVC attribute
that contains either the ESNI key or the name of the record containing the
ESNI key:
     https://tools.ietf.org/html/draft-schwartz-httpbis-dns-alt-svc-02

One big advantage of using an ALTSVC record is that it also addresses the
"http-srv" problem.
(See a discussion thread titled "Alternative to SRV?" on the http-srv list
from back in August.)

Another big advantage of using an ALTSVC record approach here is that it
means
that ESNI could be generally configured by Alt-Svc as well.  For example,
this means that the ESNI key could also just be included when doing an
Alt-Svc to QUIC.

What this ends up looking like is something like is an rrset along the
lines of:

  _443._https.example.com. IN TYPE???  {priority1}
{transportprotocol1} {servername1} {port1} {extension_fieldset_1}

  _443._https.example.com. IN TYPE???  {priority2}
{transportprotocol2} {servername2} {port2} {extension_fieldset_2}

  _443._https.example.com. IN TYPE???  {priority3}
{transportprotocol3} {servername3} {port3} {extension_fieldset_3}


For example:

  _443._https.example.com. IN ALTSVC  10 quic2
example.com.examplecdn.net 443 ( esni=key124._esni.examplecdn.net )

  _443._https.example.com. IN ALTSVC  20 h2 example.com.examplecdn.net
443 ( esni=key124._esni.examplecdn.net; ipv6-only=true )

  _443._https.example.com. IN ALTSVC  40 http/1.1
legacy.example.com.examplecdn.net 443 (
esni=key124._esni.examplecdn.net )


I suspect that some CDNs would then have customers CNAME over "_443._
https.example.com."
to some name on the CDN.  For example in the example above it might be that
it actually
CNAMEs to _443._https.example.com.examplecdn.net which then means that the
A and AAAA records for "example.com.examplecdn.net" can be returned as
additionals from the same examplecdn.net authority
along with the ALTSVC record.

So in the multi-CDN case, the multi-CDN switcher is switching on the CNAME
to the ALTSVC record,
allowing each CDN or hosting provider target to provide their own ALTSVC
record.
Tying this back up to the above the ALTSVC record then becomes this
intermediate object
that explicitly ties the server (A/AAAA records) and ESNI key together.

One downside is that ALTSVC is primarily defined for HTTPS today,
but nothing prevents it from being more broadly used as an extensible
SRV alternative.

(Side-note: no matter what we'll also want to think and document
how ESNI and cross-hostname Alt-Svc interact.)

        Erik



On Tue, Oct 23, 2018 at 5:28 PM Patrick McManus <mcmanus@ducksong.com>
wrote:

> Definitely agree this is something that needs to be addressed..
>
> As Mike notes, the fundamental issue is that there are 2 pieces of
> information that are statefully related (the key and address) but obtained
> statelessly from each other and can therefore come from un-coordinated
> sources. 2 CDNs are commonly un-coordinated sources.. but I've seen this
> with other kinds of cloud providers too. All of which should be target
> audiences of ESNI (because they terminate a variety of hostnames on a
> smaller number of addresses).
>
> fwiw there is a muddled github issue open on this in the old
> individual-draft repo:
> https://github.com/ekr/draft-rescorla-tls-esni/issues/35 .. which I'll
> re-open when the tls-wg repo starts being used for this draft.
>
> I see three solution spaces.
>
> 1] As Rich suggests, you can coordinate the uncoordinated sources to have
> one keying record to rule them all. I suspect that's actually not good for
> anonymity unless it somehow had a normalized global set .. and given the
> one way nature of a CNAME pointer, I feel like this would be really fragile.
>
> 2] you could scope the keys to only be valid for certain addresses by
> putting the valid addresses in the key record. This wouldn't help you do
> ESNI when they didn't match, but at least you could avoid hard failure. (or
> you could ignore the addressing record but that might be a bridge too far?)
>
> 3] My preferred approach, you could scope the keys to the same
> intermediate name. So if www.example.com -> cname www.cdn-a.com -> ESNI
> record www.cdn-a.com we could make a rule that the ESNI record would only
> apply to address records with a final intermediate of www.cdn-a.com. (I'm
> presuming we'll shift from TXT to ESNI RRTYPE without a prefix, but I don't
> think it matters for this..).. when there is a mismatch you could use the
> addressing intermediate as a place to try a new ESNI query from.. That's a
> perf penalty, but its only paid in the hopefully rare case where these
> things are unsyncd.
>
> #3 is admittedly a bit non traditional, but I spent a bit of time looking
> at the features of DNS APIs that already have the necessary surface to make
> a query for a new RRTYPE... and the cname intermediates are indeed
> generally available.. its true of getdns, res_query, the IOS and MacOS
> interfaces, DnsQuery* on windows, and of course the custom dns stacks in
> cronet/android and firefox/doh could do it.
>
> I hope to work this into a PR.. my first attempt wasn't very readable, but
> I'll try again tomorrow.
>
> -P
>
>
>
>
>
>
> On Tue, Oct 23, 2018 at 1:59 PM Salz, Rich <rsalz@akamai.com> wrote:
>
>> I think perhaps we need to take a step back and explain something that
>> might not be well-known outside the community of CDN’s and their
>> customers.  It is not uncommon for (admittedly larger) origins to use
>> multiple CDN’s, and to switch among them. This can be done on a per-request
>> basis, because of things like contractual arrangements that make one
>> preferable, or it can be done globally but switched in a matter of seconds
>> because of a short TTL on the www.example.com entry.
>>
>>
>>
>> The issues that Mike discusses impact on this, somewhat negatively.
>>
>>
>>
>> A quick hack thought is to allow multiple entries in the TXT record,
>> forcing a wee bit more work on the CDN.
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email