Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <sayrer@gmail.com> Fri, 11 October 2019 03:49 UTC

To: "Salz, Rich" <rsalz@akamai.com>
Cc: Martin Thomson <mt@lowentropy.net>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JKlCohLXvzroKjxU33XL82_qFxg>

On Fri, Oct 11, 2019 at 10:28 AM Salz, Rich <rsalz@akamai.com> wrote:

> > Isn't that more complicated than sending the SNI in the second client
> > message, though?
>
> The server needs to know which cert to use after it receives the **first**
> client message.
>

If the CDN ---> Origin traffic is IPv6, there's no need to serve multiple
certs from one IP address.

But, if the original request was for "username.example.com" to a CDN IPv4
address shared by many sites, my question is how "username.example.com"
would reach the origin and remain encrypted. I think a few people have
suggested uploading ESNI keys to the CDN, but it's not clear to me what
domain they would be for.

Maybe the best thing to do is just set up a site that documents whether the
CDN is sending SNI in the clear. I'm not really attached to any given
solution, but that will probably help them find one.

thanks,
Rob