IETF Logo Mail Archive

[TLS]Re: HTTPS-RR and TLS

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 21 May 2024 07:53 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26992C14F5FA for <tls@ietfa.amsl.com>; Tue, 21 May 2024 00:53:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YXqGxDRZJOCl for <tls@ietfa.amsl.com>; Tue, 21 May 2024 00:53:07 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 044B8C14F5F6 for <tls@ietf.org>; Tue, 21 May 2024 00:53:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id F297B1DBDD for <tls@ietf.org>; Tue, 21 May 2024 10:53:03 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Q6NFMOQhjXGA for <tls@ietf.org>; Tue, 21 May 2024 10:53:03 +0300 (EEST)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id C974028B for <tls@ietf.org>; Tue, 21 May 2024 10:53:02 +0300 (EEST)
Date: Tue, 21 May 2024 10:53:02 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: tls@ietf.org
Message-ID: <ZkxS3gA8P0TV_LYO@LK-Perkele-VII2.locald>
References: <CAOgPGoA8-t_x7WLOjZ7kWaoPn9n2m-RM3VGUFaVttBiFrbjZHw@mail.gmail.com> <26143ff1-1c0c-4baf-9054-2f2b10cee90a@cs.tcd.ie> <CAF8qwaBQaM7q22nWqzWjbwXVbPPUU3TrwSHvTXxbwqCKmw1j8Q@mail.gmail.com> <CACsn0cn4fy2Lese6wNzu+UCqJfLAPMdDKHivERLMxwjifOmrkQ@mail.gmail.com> <CAF8qwaAQG9y0Ri8LcwbQushNL4T_XDkawdqo9PNL3xxxFw2Ghg@mail.gmail.com> <048ec036-9c73-40f0-8c5b-6c5288e65da1@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <048ec036-9c73-40f0-8c5b-6c5288e65da1@cs.tcd.ie>
Sender: ilariliusvaara@welho.com
Message-ID-Hash: 6BFQQC2NSBKXZA4NHG2TKVFVCME2R7A7
X-Message-ID-Hash: 6BFQQC2NSBKXZA4NHG2TKVFVCME2R7A7
X-MailFrom: ilariliusvaara@welho.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: HTTPS-RR and TLS
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/S1t7yT3_woWmHLVGVYpwtz7Fjtk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

On Tue, May 21, 2024 at 01:27:29AM +0100, Stephen Farrell wrote:
>
> 
> What HTTPS RR parameters do we expect will see regular changes,
> and controlled by whom?
> 
> It seems fairly clear that ECHConfig values will be changed
> often, e.g. hourly, which I think motivates the wkech thing,
> but I'm unclear how often other bits of HTTPS RRs might
> change and who may be in charge of those in real deployments.
> 
> My mental picture is something like:
> 
> what, changes how often, controlled by whom
> ech, maybe hourly, client-facing server admin
> alpn, rarely, client-facing server admin
> tls-supported-groups, rarely, client-facing server admin
> ipXhints, unpredictable, DNS admin?
> 
> Does that look kinda right? Are there other things to
> consider now?

Things get more complicated if server is behind gateway, because some
alpn values are incompatible with such setup (especially h3). Those need
to be filtered out. And another nice-to-have is sanity-checking ech
public name (that it points to the correct machine). Gateways do not
need to care about groups, so tls-supported-groups can be just taken
from server.

Then there is possibility that IPv4 has gateway but IPv6 is direct-
routed. Then HTTPS entires need to be duplicated with potentially
different alpn values (filtered for IPv4, full for IPv6). HTTP/3
requires IPv6 in such setup (as opposed to not working at all with
server entirely behind gateway).




-Ilari

v2.30.2 | Report a Bug | By Email | System Status