[TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <sayrer@gmail.com> Tue, 08 October 2019 14:02 UTC

From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 8 Oct 2019 21:02:20 +0700
Message-ID: <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com>
To: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OoBQVNcmqyyOsichA0VlUI7cKCk>

> Issues and Requirements for SNI Encryption in TLS

One issue not covered in this document is SNI encryption from CDNs to
Origin servers.

For example, if I use ESNI to make a request to Cloudflare, how does
Cloudflare then encrypt the SNI to the origin server?

It seems like this use case could be covered by allowing the SNI to be sent
alongside a client certificate (something many CDNs provide for). I think
an extension accompanying a client certificate would be encrypted, but
please correct me if I'm mistaken.

These CDN<->Origin connections can usually be served over IPv6, so having
the SNI in the ClientHello isn't necessarily as important.


On Tue, Oct 8, 2019 at 3:56 AM <internet-drafts@ietf.org> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Transport Layer Security WG of the IETF.
>         Title           : Issues and Requirements for SNI Encryption in TLS
>         Authors         : Christian Huitema
>                           Eric Rescorla
>         Filename        : draft-ietf-tls-sni-encryption-08.txt
>         Pages           : 14
>         Date            : 2019-10-07
> Abstract:
>    This draft describes the general problem of encrypting the Server
>    Name Identification (SNI) TLS parameter.  The proposed solutions hide
>    a Hidden Service behind a fronting service, only disclosing the SNI
>    of the fronting service to external observers.  The draft lists known
>    attacks against SNI encryption, discusses the current "co-tenancy
>    fronting" solution, and presents requirements for future TLS layer
>    solutions.
>    In practice, it may well be that no solution can meet every
>    requirement, and that practical solutions will have to make some
>    compromises.
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-08
> https://datatracker.ietf.org/doc/html/draft-ietf-tls-sni-encryption-08
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-sni-encryption-08
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/