Re: [TLS] Encrypted SNI
Brian Sniffen <bsniffen@akamai.com> Tue, 03 July 2018 21:19 UTC
Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E29D6130E54 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 14:19:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id adEp9bXZq8q1 for <tls@ietfa.amsl.com>; Tue, 3 Jul 2018 14:19:27 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AB6F130E0F for <tls@ietf.org>; Tue, 3 Jul 2018 14:19:27 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w63LCOcv003567; Tue, 3 Jul 2018 22:19:23 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : content-transfer-encoding; s=jan2016.eng; bh=WI4nqmUfuB0ne7JS9BLwA6+CN0kKHpJp5Y9lDB0SiII=; b=hz/jZAUsu0gZtge85GyWSV7dKIOkVy8LBbsaWUOGTRa2M+TnHIs1mHrDkb8pPOxiG54X l/RAkPK3N0zMgSbNMMvn7C4oPrqcg3jfcNa6EYlT8UtNkyqf3eUO4OGEmIu7tesext13 4xQagqpTYgJrqRvP/7zZv2iAaeyxbz+SGvg+ZKH+grSkpi5rR4vfJ0npwcYwNE7DnRdE bIMn0YVIvc4iC1OFlJ9nRCdN47lAXWFpqFuqMSVvMrDb67wU2SnkDNZWFgSPtBv+MN5H n1pafhnsjF0iAnq8tsIZ1Bg7aS32Q/cQIUTfBEygWG0zSVMRYOOPY82tnM+UjsOr2dCw EA==
Received: from prod-mail-ppoint3 (a96-6-114-86.deploy.static.akamaitechnologies.com [96.6.114.86] (may be forged)) by m0050093.ppops.net-00190b01. with ESMTP id 2jx14k24n1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 03 Jul 2018 22:19:22 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w63L530q031639; Tue, 3 Jul 2018 17:19:21 -0400
Received: from prod-mail-relay15.akamai.com ([172.27.17.40]) by prod-mail-ppoint3.akamai.com with ESMTP id 2jx57bb8ge-1; Tue, 03 Jul 2018 17:19:21 -0400
Received: from Tereva.local (unknown [172.19.40.96]) by prod-mail-relay15.akamai.com (Postfix) with ESMTP id 654DD20067; Tue, 3 Jul 2018 21:19:21 +0000 (GMT)
From: Brian Sniffen <bsniffen@akamai.com>
To: Hanno Böck <hanno@hboeck.de>, tls@ietf.org
In-Reply-To: <20180703222414.17ee820c@computer.lan>
References: <F4966CAA-454B-4152-A9E5-EA9714978CEA@gmail.com> <20180703222414.17ee820c@computer.lan>
Date: Tue, 03 Jul 2018 17:19:20 -0400
Message-ID: <m2k1qcggpz.fsf@abstraction.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-03_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807030237
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-03_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807030239
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/N4BHDTuTlxf21Kf7Zz2u4t-8KeI>
Subject: Re: [TLS] Encrypted SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jul 2018 21:19:31 -0000
Hanno Böck <hanno@hboeck.de> writes: > So-called "Enterprise" infrastructure has delayed the work of this group > for at least a year. Noone of the people creating that mess has reached > out to this group to explain why they constantly break TLS - let alone > apologize for it. > > I believe there's a large overlap of the actors breaking TLS with the > actors who are worried about things like SNI encryption. I'm not sure I > see any reason not to consider these actors as anything but opposed to > the work of this group. Whoah! I've been involved for years specifically to ask for care about encrypted SNI. I don't know whether I break TLS; maybe opinions vary. But my concerns have been specific: First, at the engineering level, a requirement that servers do expensive cryptographic work in response to a first packet *and* an inability to charge that work to a user or application is a big problem. It makes it too hard for users or applications to share a server, or leads to levels of address waste expensive even with IPv6. If we're going to have 0RTT and 1RTT and TCP Fast Open and ECDHE... then Encrypted SNI is a hard engineering problem! Second, at the architectural level, a serious question about whether this actually helps anybody, and if so whom? I think the case of the Amnesty International worker in an oppressive dictatorship is almost certainly *not* helped by this work---see my questions about how many bits of security this provides against an adaptive adversary from this morning---and would like some clarity that this is about inhibiting the ISPs, from cafes through enterprises up to Comcast-TWC, from monkeying with user sessions. My concerns at the engineering level have been welcomed, recognized, validated, and addressed. Not always exactly the way I'd like, but absolutely addressed in a way that's appropriate and sincere. I saw the same with requests to re-insert RSA Kx late last year. The PATIENT folks have gotten a fair hearing. My architectural concerns have been heard, somewhat less eagerly. Some participants, including our colleagues who are vendors to enterprises and folks like Ben Schwartz, have been clear that they will not bring all their motivations and evidence to the table. I significantly discount their arguments and expect others to do the same---but not to zero. It means we need to check their work as we go, or actually trust them as people, but it *can't* be harder than keeping NSA/IA people on CFRG! Anyway, I think the PATIENT folks concerns about the engineering of TLS 1.3 have been heard, have been taken seriously, and have been addressed---same as mine or yours. What I've seen of the architectural concerns leading to network-centric management and "tap" devices come down to claims about changes in architecture being too expensive, middleboxes being too expensive, changes to applications being too expensive, and general citation of an architecture only a few years old as immutable tradition. Those claims have also been heard, plenty of folks have respectfully and diligently combed through them for evidence, and we've moved on. I bet that's frustrating and frightening for the folks writing from a world where those claims aren't faith-based---they're obvious. They don't need citation any more than "China is a country"[1] needs citation. Nonetheless, engineering conversations based on data-supported arguments continue to be welcome. -Brian Footnotes: [1] https://www.cia.gov/library/publications/the-world-factbook/geos/ch.html but see also https://www.cia.gov/library/publications/the-world-factbook/geos/tw.html -- Brian Sniffen
- Re: [TLS] Encrypted SNI Ackermann, Michael
- [TLS] Encrypted SNI Bret Jordan
- Re: [TLS] Encrypted SNI Hanno Böck
- Re: [TLS] Encrypted SNI Kathleen Moriarty
- Re: [TLS] Encrypted SNI Darin Pettis
- Re: [TLS] Encrypted SNI Benjamin Kaduk
- Re: [TLS] Encrypted SNI Brian Sniffen
- Re: [TLS] Encrypted SNI Eric Rescorla
- Re: [TLS] Encrypted SNI Paul Wouters
- Re: [TLS] Encrypted SNI nalini elkins
- Re: [TLS] Encrypted SNI Tony Arcieri
- Re: [TLS] Encrypted SNI Ben Schwartz