Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
Rob Sayre <sayrer@gmail.com> Sat, 12 October 2019 15:37 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35DEE120090 for <tls@ietfa.amsl.com>; Sat, 12 Oct 2019 08:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztRK3awRz4Xm for <tls@ietfa.amsl.com>; Sat, 12 Oct 2019 08:37:53 -0700 (PDT)
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2749120052 for <tls@ietf.org>; Sat, 12 Oct 2019 08:37:53 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id u8so27787263iom.5 for <tls@ietf.org>; Sat, 12 Oct 2019 08:37:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VwJZzg+uJKvoDiQXhLbhDqufJ9mfsCxI27qlInn079Q=; b=IbN49B6hKkfiOW63k+aiezuXlUl6ovQ/PY1Chi42suHsOh1us3DYTZbJ3cJUF2/Ogq oqQHjEVhmbdbcieQJDaa6/FDACHW7fvmZAwPsFJuzvbFCGrK6Ttqizc4V1fGr5VmfKrP fRjgEgVbTPGm2iFzC4vgVw1dqmY6ZkZOtXxHvumJpbZTlvbeFNqyYj7oEXxuvMFZm59K nbcrYiV7vBeAn32W6oWBQI1wzZGzDZQoa23oHDab9ckXOqwQ5XeFt/JnnYeQLCBSPB9n 03qwo7BxBbCswPGdPAeIs83RkkndBU02pZcFAe+wY6oWaCU/0So+qYM8qFiB6b56xl8s 97MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VwJZzg+uJKvoDiQXhLbhDqufJ9mfsCxI27qlInn079Q=; b=epg6zuJ6mYGjU+U0MMeJvnFcBJE5oRzGZ9B0Lv2EXs057p9UmcCiVwDIP0CM9wKIjA 6iDBT+VTy3NTkLJWy42VzvvGC0snGdzXkdozwyPDHvnOgfVWJOCYGik7jWNEIJsF7Okf LcAqwRJ4oV3V2lZQ6v+pqQ2aocJJqDr/RrGGmMHH6I6fzOY6owxtFhqkSgXRFrL5+jAj lih/dSVWmcOiONWPSIEf61orhWAvQGRw12ejGqQ0BUw7JOhb5awzqqAXDq91fP7smGTm ZsXDGF9Du3NKdFexMrP3g22nKYg1ji0m7ZrohYr+i9alAymH511i73fqNyLXrOXYo3gS L9vg==
X-Gm-Message-State: APjAAAXeNHzzPQDkTDjA4Si3YLh1Ryws/+XvmMDobwZkfJ3DEExrIZYj rCqt326X67BYI4pJHtssNdBQylTwyNe1PMgiWIk=
X-Google-Smtp-Source: APXvYqwUOqbe9+4RMgq4OZR7CWpLPA8zTBFXFj7WZCxMpMEw8f+xcjOvNv5HYbZVK0okoh4aBLUcd/RBZkC+hMSKnNU=
X-Received: by 2002:a02:82:: with SMTP id 124mr8329457jaa.131.1570894672691; Sat, 12 Oct 2019 08:37:52 -0700 (PDT)
MIME-Version: 1.0
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com> <CABcZeBNtv-4=dtrArZwnJHSohrbsrtG53_ynSZdcMp=YeWc9iA@mail.gmail.com> <CAChr6SzCONU2yA87QGNhsx7=5Zn82v1_euBJ-kbRci4vJ32oUw@mail.gmail.com> <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com> <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com> <CABcZeBMLaiPuXhgrExTkdhfaOU_m4g-c+Lq-YmHsKiHyB0jDRw@mail.gmail.com> <CAChr6SznAYZDHFPNHX8Uoyo-Fnx8_uMxCOda1zf37Cxnb5A4WQ@mail.gmail.com> <CABcZeBPoyb5sF+ddH8OU_78eJF5sD2df-+ScHRb1xTYhHRHS0w@mail.gmail.com> <CAChr6SyM_yX36p2W_-seE-9kuJ99RTYEHY_vCRNFjLx3utjogw@mail.gmail.com> <CABcZeBPkQjsRr83PYyvhGF8ByeC1gGFWQgofrf=dZmfAfm7UJg@mail.gmail.com> <CAChr6SxSP7LbYkK50-KJu4H4VLLyHpuuK_+N_WZs5Ky5PNnM+Q@mail.gmail.com> <CAHbrMsCiC_2PJNuvYMO+owJC=zJgbYzEZD1kkW38c8yw+qe0nQ@mail.gmail.com> <9832ebfb-7c1f-4ce1-9bf3-d98845aad671@www.fastmail.com> <CAChr6SzAvAcyebuDCGzHeuSMqUQE5mC-XjTx2EwFb-OF65b-aw@mail.gmail.com> <CABcZeBMSGv3q_zYZzzYtWfhuM0C2diLU6i7Z6m7E2+3zbmyoJg@mail.gmail.com> <CAChr6Sw4Z2qsgVNUzjHkLeodtk7ZomkC3cbTwtQ59NbiaWCwfA@mail.gmail.com> <D0B30308-AF91-4597-9057-337D402FCF63@akamai.com> <CAChr6SzQDSGLrF1DUuMJpxexuWUsCAq8+DE9Ajp8a1B7maQfhQ@mail.gmail.com> <4BB4C376-D4EE-4C3D-87D2-3611E6285801@akamai.com> <CAChr6SyKdUfexnt2d-RAM-ue0ffTdOUo4ik71xUTVMk3P_ayyg@mail.gmail.com> <CAOdDvNoUfN8m5hdR04ckiaeSKeEffEpAY99ZM15qR-_Qwvx81Q@mail.gmail.com>
In-Reply-To: <CAOdDvNoUfN8m5hdR04ckiaeSKeEffEpAY99ZM15qR-_Qwvx81Q@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Sat, 12 Oct 2019 22:37:39 +0700
Message-ID: <CAChr6Szbi6p7EBMjmYBNgrsT+Z7O_Bu9yeG3NLTaQC6eR+AU1g@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f204a90594b86a7b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MSHEfV84DYVZcHa3gCIUFd4xwL8>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Oct 2019 15:37:56 -0000
On Sat, Oct 12, 2019 at 9:10 PM Patrick McManus <mcmanus@ducksong.com> wrote: > > tldr; imo none of this works if the origin does not have a decent > anonymity set potential. If it does, just reuse esni for that hop rather > than minting something new. > Thank you for the thoughtful response. I think it might be helpful to use a concrete example. The example I have in mind uses CDNs in two distinct ways. Let's say it's an HTML document from "username.example.com" that looks something like this: <html> <body> <img src="[CDNHOST]/foo.jpg"> <img src="[CDNHOST]/bar.jpg"> <img src="[CDNHOST]/baz.jpg"> </body> </html> One use case for CDNs is to serve those jpegs with a TTL. I've often seen servers programmed to switch between CDNs in the HTML (or JSON, etc). So, the ops team for "username.example.com" might have a switch that changes "CDNHOST" from Level3 to Cogent (choose any of the big providers). This provides agility that does not rely on any CDN provider, and doesn't rely on DNS TTLs. That's good, because CDNs often encounter peering issues that are not in their control. This experience might be biased toward social media, where traffic is biased toward newer, popular content. The other use case concerns the HTML document from "username.example.com". This might be served with a zero-length TTL. This is done so that personalized API traffic can be served over private backhaul links, rather than the open Internet. Then, a Point-of-Presence data center will serve the traffic as closely as possible to the client (I know Patrick knows all of this, but I'm trying to be very clear for everyone). Two points from Patrick's message are confusing to me: - "using one v6 per origin (when you've got multiple origins available) isn't a great pattern imo" I meant to describe one IPv6 address per TLD+1 domain, so " username1.example.com" and "username2.example.com" could be served from the same IPv6 origin. It's not clear how to do this with an encrypted SNI from CDN to origin. I understand that some people think ESNI keys are the way to go, but I don't think anyone actually does this right now. - "a few folks do like to authenticate the cdn to the origin with client certs. That's nifty - but overall its pretty unpopular for the same reasons managing distributed keys are always unpopular..." It doesn't seem too complicated to me: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls Maybe it is complicated on the CDN side, but not for the origin. And it seems less complicated than uploading ESNI keys to the CDN. thanks, Rob
- [TLS] I-D Action: draft-ietf-tls-sni-encryption-0… internet-drafts
- [TLS] SNI from CDN to Origin (was I-D Action: dra… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Kyle Rose
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Kyle Rose
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Paul Yang
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Paul Yang
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Christian Huitema
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Christian Huitema
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Watson Ladd
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Ben Schwartz
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Martin Thomson
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Patrick McManus
- Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre