Re: [TLS] ESNI and Multi-CDN

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 19 December 2018 19:23 UTC

Date: Wed, 19 Dec 2018 21:23:43 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Ben Schwartz <bemasc@google.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20181219192343.GA16574@LK-Perkele-VII>
References: <CAHbrMsCDR4oQzJhkcF05+wSKEoDEnACLH8D-os34xoNE9hyWHQ@mail.gmail.com> <20181218211435.GB592@LK-Perkele-VII> <CAHbrMsAVNua0TDinVZr7zaO5R_MYSOVwzKDvb1GzeXXvgRJQ9g@mail.gmail.com> <20181218214928.GD592@LK-Perkele-VII> <8ED2A93D-3FC8-43C6-A15D-008F0890DEF4@akamai.com> <20181219112748.GA6681@LK-Perkele-VII> <CAHbrMsD1u3pnOfwTvMUnTzvrOtnrups7O1Owf1wYd3W+OtWwdA@mail.gmail.com>
In-Reply-To: <CAHbrMsD1u3pnOfwTvMUnTzvrOtnrups7O1Owf1wYd3W+OtWwdA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NbLB-5CqKWOS4ndj5_bRKkvoSH0>
Subject: Re: [TLS] ESNI and Multi-CDN

On Wed, Dec 19, 2018 at 01:47:35PM -0500, Ben Schwartz wrote:
> On Wed, Dec 19, 2018 at 6:28 AM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> 
> > But one could do that by
> > including address masks in ESNI records so clients can match ESNI
> > keys to addresses without breaking database normalization.
> >
> 
> No, this doesn't work.  If the client has a AAAA RRSET and an ESNI RRSET,
> and the ESNI RRSET contains a mask that is not compatible with the AAAA
> RRSET, then the client can tell that it has the wrong IP addresses, but it
> has no way to acquire the right IP addresses.

At least the client can tell the result is not going to work and
disable ESNI. Whereas with addresses there is no indication anything
is wrong, leading to potentially unrecoverable failure.


-Ilari
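The client-side logic the two messages argue about, as an added example that is not part of the thread and not code from any ESNI implementation: the client holds an address RRset and an ESNI RRset, each ESNI record carries address masks, and the client either finds a key whose masks cover some of its addresses or detects the mismatch and disables ESNI for the connection. The record layout (a `key_id` label standing in for the ESNIKeys blob, plus a list of CIDR prefixes) is a hypothetical simplification; the draft ESNI record format does not carry address masks, which is precisely the proposal under discussion. All addresses and prefixes below are constructed documentation values.

```python
# Added example, not from the thread: match resolved addresses to ESNI
# records by address mask, and fall back (disable ESNI) when nothing fits.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class EsniRecord:
    """Hypothetical ESNI record: an opaque key label plus the address
    prefixes the key is valid for (the mask proposal from the thread)."""
    key_id: str
    prefixes: List[str] = field(default_factory=list)


def plan_connection(
    addresses: Sequence[str], records: Sequence[EsniRecord]
) -> Tuple[Optional[str], List[str]]:
    """Decide how to connect given the A/AAAA RRset and the ESNI RRset.

    Returns (key_id, addresses_to_use). key_id is the first record whose
    masks cover at least one resolved address, and addresses_to_use is the
    subset of addresses that record covers. If no record covers any
    address, key_id is None: the client has detected that its ESNI keys
    do not belong to the addresses it holds, so it sends cleartext SNI to
    all of them rather than a key that is almost certainly wrong.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    for rec in records:
        nets = [ipaddress.ip_network(p, strict=False) for p in rec.prefixes]
        # ipaddress returns False (not an error) for a v4 address tested
        # against a v6 network and vice versa, so mixed RRsets are fine.
        matched = [str(a) for a in addrs if any(a in n for n in nets)]
        if matched:
            return rec.key_id, matched
    return None, [str(a) for a in addrs]


# Constructed sample data: two CDNs, each with its own key and prefixes.
SAMPLE_RECORDS = [
    EsniRecord("cdn-a-key", ["2001:db8:a::/48", "192.0.2.0/24"]),
    EsniRecord("cdn-b-key", ["2001:db8:b::/48"]),
]

if __name__ == "__main__":
    # Mixed RRset: addresses from both CDNs; the first matching key wins
    # and only its addresses are used with that key.
    print(plan_connection(["2001:db8:b::10", "2001:db8:a::5"], SAMPLE_RECORDS))
    # Stale/mismatched case from the thread: none of the addresses fall
    # under any mask, so ESNI is disabled rather than sent with a wrong key.
    print(plan_connection(["2001:db8:c::1", "198.51.100.7"], SAMPLE_RECORDS))
```

The point of the `None` branch is the one made in the reply: the client cannot obtain correct addresses from a mismatch, but it can recognise the mismatch and degrade to cleartext SNI instead of failing the handshake.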