Re: [TLS] ESNI and Multi-CDN
Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 18 December 2018 21:14 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89E6E130F29 for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:14:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rqUNyXIfW5tM for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:14:40 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BCE31292F1 for <tls@ietf.org>; Tue, 18 Dec 2018 13:14:40 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 452C915FE9; Tue, 18 Dec 2018 23:14:38 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id tp9VFLAamzRN; Tue, 18 Dec 2018 23:14:37 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 91898287; Tue, 18 Dec 2018 23:14:35 +0200 (EET)
Date: Tue, 18 Dec 2018 23:14:35 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Ben Schwartz <bemasc@google.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20181218211435.GB592@LK-Perkele-VII>
References: <CAHbrMsCDR4oQzJhkcF05+wSKEoDEnACLH8D-os34xoNE9hyWHQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAHbrMsCDR4oQzJhkcF05+wSKEoDEnACLH8D-os34xoNE9hyWHQ@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NLqP-JyICutsjChC4C9kg2aKyMs>
Subject: Re: [TLS] ESNI and Multi-CDN
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 21:14:42 -0000
On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote: > I'd like to propose a solution to the ESNI + Multi-CDN problem (which has > been discussed a lot on this list already). My suggestion is that we > define the ESNI DNS record format as optionally including "stapled" A/AAAA > records. > > Server operators would have the option to publish an ESNI record that only > contains an ESNIKeys structure (like the current TXT record), or to publish > an ESNI record that also includes IPv4 and/or IPv6 addresses. (A > Sufficiently Advanced authoritative DNS server would generate such records > automatically.) This kind of address stapling would only be required of > CDN operators who want to support multi-CDN deployments. > > Clients would issue A, AAAA, and ESNI queries in parallel (as with the > current TXT record). If an ESNI record exists, and it contains IP > addresses, the client discards the results of the A or AAAA query. I do not think this will work: - The CDNs need control of ESNIkeys - If you hand them this control, you can hand over address control at the same time. - Now you are in HTTP service discovery territory. I am not saying that HTTP service discovery is undesirable (it is one of those perennial topics that are not seemingly bad ideas but never seem to get done). Conversely, if one had HTTP service discovery, almost everything about the CDN problems with ESNI would be solved instantly (what is not solved by the same-owner rule). -Ilari
- [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Salz, Rich
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Salz, Rich
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Salz, Rich