Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <> Sat, 12 October 2019 15:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 35DEE120090 for <>; Sat, 12 Oct 2019 08:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ztRK3awRz4Xm for <>; Sat, 12 Oct 2019 08:37:53 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A2749120052 for <>; Sat, 12 Oct 2019 08:37:53 -0700 (PDT)
Received: by with SMTP id u8so27787263iom.5 for <>; Sat, 12 Oct 2019 08:37:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VwJZzg+uJKvoDiQXhLbhDqufJ9mfsCxI27qlInn079Q=; b=IbN49B6hKkfiOW63k+aiezuXlUl6ovQ/PY1Chi42suHsOh1us3DYTZbJ3cJUF2/Ogq oqQHjEVhmbdbcieQJDaa6/FDACHW7fvmZAwPsFJuzvbFCGrK6Ttqizc4V1fGr5VmfKrP fRjgEgVbTPGm2iFzC4vgVw1dqmY6ZkZOtXxHvumJpbZTlvbeFNqyYj7oEXxuvMFZm59K nbcrYiV7vBeAn32W6oWBQI1wzZGzDZQoa23oHDab9ckXOqwQ5XeFt/JnnYeQLCBSPB9n 03qwo7BxBbCswPGdPAeIs83RkkndBU02pZcFAe+wY6oWaCU/0So+qYM8qFiB6b56xl8s 97MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VwJZzg+uJKvoDiQXhLbhDqufJ9mfsCxI27qlInn079Q=; b=epg6zuJ6mYGjU+U0MMeJvnFcBJE5oRzGZ9B0Lv2EXs057p9UmcCiVwDIP0CM9wKIjA 6iDBT+VTy3NTkLJWy42VzvvGC0snGdzXkdozwyPDHvnOgfVWJOCYGik7jWNEIJsF7Okf LcAqwRJ4oV3V2lZQ6v+pqQ2aocJJqDr/RrGGmMHH6I6fzOY6owxtFhqkSgXRFrL5+jAj lih/dSVWmcOiONWPSIEf61orhWAvQGRw12ejGqQ0BUw7JOhb5awzqqAXDq91fP7smGTm ZsXDGF9Du3NKdFexMrP3g22nKYg1ji0m7ZrohYr+i9alAymH511i73fqNyLXrOXYo3gS L9vg==
X-Gm-Message-State: APjAAAXeNHzzPQDkTDjA4Si3YLh1Ryws/+XvmMDobwZkfJ3DEExrIZYj rCqt326X67BYI4pJHtssNdBQylTwyNe1PMgiWIk=
X-Google-Smtp-Source: APXvYqwUOqbe9+4RMgq4OZR7CWpLPA8zTBFXFj7WZCxMpMEw8f+xcjOvNv5HYbZVK0okoh4aBLUcd/RBZkC+hMSKnNU=
X-Received: by 2002:a02:82:: with SMTP id 124mr8329457jaa.131.1570894672691; Sat, 12 Oct 2019 08:37:52 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Rob Sayre <>
Date: Sat, 12 Oct 2019 22:37:39 +0700
Message-ID: <>
To: Patrick McManus <>
Cc: "Salz, Rich" <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000f204a90594b86a7b"
Archived-At: <>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 12 Oct 2019 15:37:56 -0000

On Sat, Oct 12, 2019 at 9:10 PM Patrick McManus <>

> tldr; imo none of this works if the origin does not have a decent
> anonymity set potential. If it does, just reuse esni for that hop rather
> than minting something new.

Thank you for the thoughtful response. I think it might be helpful to use a
concrete example. The example I have in mind uses CDNs in two distinct ways.

Let's say it's an HTML document from "" that looks
something like this:

   <img src="[CDNHOST]/foo.jpg">
   <img src="[CDNHOST]/bar.jpg">
   <img src="[CDNHOST]/baz.jpg">

One use case for CDNs is to serve those jpegs with a TTL. I've often seen
servers programmed to switch between CDNs in the HTML (or JSON, etc). So,
the ops team for "" might have a switch that changes
"CDNHOST" from Level3 to Cogent (choose any of the big providers). This
provides agility that does not rely on any CDN provider, and doesn't rely
on DNS TTLs. That's good, because CDNs often encounter peering issues that
are not in their control. This experience might be biased toward social
media, where traffic is biased toward newer, popular content.

The other use case concerns the HTML document from "".
This might be served with a zero-length TTL. This is done so that
personalized API traffic can be served over private backhaul links, rather
than the open Internet. Then, a Point-of-Presence data center will serve
the traffic as closely as possible to the client (I know Patrick knows all
of this, but I'm trying to be very clear for everyone).

Two points from Patrick's message are confusing to me:

- "using one v6 per origin (when you've got multiple origins available)
isn't a great pattern imo"

I meant to describe one IPv6 address per TLD+1 domain, so "" and "" could be served from the
same IPv6 origin. It's not clear how to do this with an encrypted SNI from
CDN to origin. I understand that some people think ESNI keys are the way to
go, but I don't think anyone actually does this right now.

- "a few folks do like to authenticate the cdn to the origin with client
certs. That's nifty - but overall its pretty unpopular for the same reasons
managing distributed keys are always unpopular..."

It doesn't seem too complicated to me:

Maybe it is complicated on the CDN side, but not for the origin. And it
seems less complicated than uploading ESNI keys to the CDN.