Re: [TLS] ESNI and Multi-CDN
Ben Schwartz <bemasc@google.com> Tue, 18 December 2018 21:59 UTC
Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4F8129BBF for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:59:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ewjv9cYQIdBH for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:59:49 -0800 (PST)
Received: from mail-it1-x136.google.com (mail-it1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60332126F72 for <tls@ietf.org>; Tue, 18 Dec 2018 13:59:49 -0800 (PST)
Received: by mail-it1-x136.google.com with SMTP id b5so6485022iti.2 for <tls@ietf.org>; Tue, 18 Dec 2018 13:59:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lA1Z2kzXwwMq4bMI0ONKFmUyiOYmsOUOSMTW1vNkGWk=; b=d7kDI5t6eYXvHj060s0ZH2VbaUtd3fiCcgQMjsXuJRRXdFMbdwWdhYOruyJgUy+uKX I5mU0Fooi17Z8ITKGV1lz+jPys8ldTUJLEcUWgOWB5EK3osRiRQqOom1Gu+6DyBwDhMJ usByweAemhoi/3hA4Ux5smnIX8iDNPGBIKpG5mZDvBlzbdvrkZ433L+U0Cm91QVwrW+8 X5X5mxAyIc/ABS0d1S7fQYuzwF9VbtFfR1JOdW8VuBDBmtEUzuCPyxKaU18dMCEFTISK 0m5zSCVhnRZRHUliYVmjJpdQfN1EJ3WS5lgqlh/AVpPJYkctW9Lz1A+oNBFhH86ks3i0 WJTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lA1Z2kzXwwMq4bMI0ONKFmUyiOYmsOUOSMTW1vNkGWk=; b=hjU0+EjsE4Etf8j2zDrD/edFEB3DvRfolGIhMD1rJ4Y0pfgrg0GV0ooULy4ZQIl/EP PIGu5ZuY1gwnajO155oEukQIkBiqs5vDcByf5/ZmhBdvtjVgnHTtV60avG70FO3S4Ta1 RpuuclHdyell1z+v9gRXtED9EhY2emoa9InkcDMHb/yzWnn1Iliu7S7an67tMOgNTCRE C6vKLSw8FKlfZM7jotjvINA/GBfig1ooKlWim/LkaRCrf3Ygm5X72dzzDckWIpRypdBB yp3v95ljqairv1B/GJafMnx7Q+vT42DvE3t+XP2Go97Q/XFrJwukVNL+zfyZUhLfPSdE hafw==
X-Gm-Message-State: AA+aEWbKkxIxJnjEQrdzyHgMjRD96a6UudRyrajPR2OiOCo/JC+yvkr5 9Js2m16C3F50+k/pWFMoFncv43NWOruhvBs1dj4OtQ==
X-Google-Smtp-Source: AFSGD/XhK1UKXOm+aGQ+gy3sqrw1g2MGqDvmffOb1IlrwZYzxRFanZ2ba7xNjNgj0M0zk7ujBC1D3Wepr6hHQw0kbmY=
X-Received: by 2002:a02:c891:: with SMTP id m17mr17071192jao.45.1545170388412; Tue, 18 Dec 2018 13:59:48 -0800 (PST)
MIME-Version: 1.0
References: <CAHbrMsCDR4oQzJhkcF05+wSKEoDEnACLH8D-os34xoNE9hyWHQ@mail.gmail.com> <20181218211435.GB592@LK-Perkele-VII> <CAHbrMsAVNua0TDinVZr7zaO5R_MYSOVwzKDvb1GzeXXvgRJQ9g@mail.gmail.com> <20181218214928.GD592@LK-Perkele-VII>
In-Reply-To: <20181218214928.GD592@LK-Perkele-VII>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 18 Dec 2018 16:59:35 -0500
Message-ID: <CAHbrMsDop8nB068xJYhUo=M7W3SMegLbBJcmeDpW5YtswBA_tw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000025b61c057d5304fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SFskf09o5f8d6UwRVY59GRcuK0U>
Subject: Re: [TLS] ESNI and Multi-CDN
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 21:59:53 -0000
On Tue, Dec 18, 2018 at 4:55 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Tue, Dec 18, 2018 at 04:26:45PM -0500, Ben Schwartz wrote: > > On Tue, Dec 18, 2018 at 4:14 PM Ilari Liusvaara < > ilariliusvaara@welho.com> > > wrote: > > > > > On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote: > > > > I'd like to propose a solution to the ESNI + Multi-CDN problem > (which has > > > > been discussed a lot on this list already). My suggestion is that we > > > > define the ESNI DNS record format as optionally including "stapled" > > > A/AAAA > > > > records. > > > > > > > > Server operators would have the option to publish an ESNI record that > > > only > > > > contains an ESNIKeys structure (like the current TXT record), or to > > > publish > > > > an ESNI record that also includes IPv4 and/or IPv6 addresses. (A > > > > Sufficiently Advanced authoritative DNS server would generate such > > > records > > > > automatically.) This kind of address stapling would only be > required of > > > > CDN operators who want to support multi-CDN deployments. > > > > > > > > Clients would issue A, AAAA, and ESNI queries in parallel (as with > the > > > > current TXT record). If an ESNI record exists, and it contains IP > > > > addresses, the client discards the results of the A or AAAA query. > > > > > > I do not think this will work: > > > > > > - The CDNs need control of ESNIkeys > > > - If you hand them this control, you can hand over address control at > > > the same time. > > > - Now you are in HTTP service discovery territory. > > > > > > I am not saying that HTTP service discovery is undesirable (it is one > > > of those perennial topics that are not seemingly bad ideas but never > > > seem to get done). > > > > > > > Sorry, I don't understand. What are you saying will not work? > > > > This proposal is not HTTP-related, nor is it any kind of service > > discovery. A CDN necessarily controls both the addresses and ESNIKeys; > > this proposal just stores that info in one RR instead of two. > > What I meant is that one must be able to redirect the ESNI lookup > somehow to the CDN itself. Otherwise updating the ESNI keys is too > hard due to excessive coordination required. And if you can somehow > redirect the ESNI lookup, you could redirect the address lookup using > the same mechanism. > Yes. This proposal assumes that these lookups are in fact the same, i.e. they are both for the same name (www.example.com), and this entire name is redirected (i.e. delegated) to the CDN via CNAME (which is not type-specific). This is the typical deployment pattern for CDN customers. > And what that results is a service discovery mechanism. No, it's just CNAME. > And turns > out that HTTP is pretty much the only widely used protocol that does > not have service discovery mechansim (e.g., SMTP uses MX, XMPP uses > SRV, etc..). > > > > -Ilari > > >
- [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Salz, Rich
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Salz, Rich
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Ben Schwartz
- Re: [TLS] ESNI and Multi-CDN Ilari Liusvaara
- Re: [TLS] ESNI and Multi-CDN Salz, Rich