Re: [TLS] draft-kinnear-tls-client-net-address comments
Dan Wing <danwing@gmail.com> Thu, 21 March 2019 07:41 UTC
Return-Path: <danwing@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBB12130F39 for <tls@ietfa.amsl.com>; Thu, 21 Mar 2019 00:41:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7RMeyiyOkTp for <tls@ietfa.amsl.com>; Thu, 21 Mar 2019 00:41:54 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF87A130F3E for <tls@ietf.org>; Thu, 21 Mar 2019 00:41:53 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id d25so3751710pfn.8 for <tls@ietf.org>; Thu, 21 Mar 2019 00:41:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fcQkiaRwaJcGR5DguTBbWClEWrxqvFG92AqXnW2vchE=; b=pTdZvYJ3QAc0yHPWNR6BQB0y5fnNmFX85w+BGg10orEQfmu2iUQGnqQEwS6cD77VkX TlbziXUykvHa17/N5hy8qSP2Iny5326gYnDpkURLYi/LAL9UszZiJ6pJyOqnBRxcVFdJ WxA2bFPzpnBofuw07M6rrTC51yMYgz/NX5nHNM6ZybRWD/iilcuU0zN81pKc33cx+HzW rQKkWxQtEcRoX33ei8yl0OUpeA0W5KosqheHpIBCIgizVpoITi7bSB6CuvdoJ7j7xh8N OEl9gw8gK6i8vacl2AjzYsFSwt07s3br3JJmpX8+I4TlyBOMniV71W2/8YnffEdO5NLx /g4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=fcQkiaRwaJcGR5DguTBbWClEWrxqvFG92AqXnW2vchE=; b=FIEDd97DKHHND2EvvanoKPUw1GsOe74wwCUlcxvTnZD+N88U/Piig1JBB4IClDJ/8x l5F8hdLvhupLXgA18EX6zfjADolusJ1Qv5BlD4xL6P7qoF0OputFTeMFdFaKq5CScvXU 4GsUYaN+ijvdvFI/oGEzq+BeDPjbrFY5LTP/MaLgH6+1snun7e8sPHSqJ5zUA6Fd+MeT 1MnCwESNQW7iU6yRVcJzUQ+wovuBiPm+ge21c+PGu8/YpxAeRn1wzHoTtwn/7wOGRqV3 frEmMMP7OiJfw8wLCYkrM4lUtdGgGrHW2qvktJHwBsp+sT2qsBOmB/HwqaqAFfGeyfDl p/cQ==
X-Gm-Message-State: APjAAAXbnlgINeb4VgFPTu+XT1m3pgwZ5cb2ZvQ2ZxdGFQtRkSBRnX2Y AlIdnFfEG83XO57p6RQhwPqY5NahEUlxLw==
X-Google-Smtp-Source: APXvYqxulhxRFGNk+Twn0vn0zQcNB9fMTIpsmbJ6TQZSPnuvaPWPazDaXjYJYKhRxCamsWDMasmw2A==
X-Received: by 2002:a63:94:: with SMTP id 142mr2044016pga.277.1553154113224; Thu, 21 Mar 2019 00:41:53 -0700 (PDT)
Received: from [10.252.242.228] ([115.110.204.140]) by smtp.gmail.com with ESMTPSA id p2sm6244981pfi.95.2019.03.21.00.41.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Mar 2019 00:41:52 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Dan Wing <danwing@gmail.com>
In-Reply-To: <014c01d4df4e$ae8e46f0$0baad4d0$@augustcellars.com>
Date: Thu, 21 Mar 2019 13:11:49 +0530
Cc: tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <47D9463A-B33E-4144-8E86-0FC621CE53E4@gmail.com>
References: <6c010eff-d2cf-4438-956f-c4ec29ce97e5@www.fastmail.com> <427D0B01-B96F-46A5-B990-46FE14801BBE@apple.com> <014c01d4df4e$ae8e46f0$0baad4d0$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ToupzfYONDDMcl23V5Rbg7OQ4mU>
Subject: Re: [TLS] draft-kinnear-tls-client-net-address comments
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 07:41:57 -0000
Good point. Furthering that point: - what about DTLS/SRTP when that is used with ICE (RFC8445 and its precursor RFC5245) and QUIC (c.f., https://w3c.github.io/webrtc-quic/). Need guidance in the document to use ICE and/or quic-address-extension, as well as what it means if they differ (heaven forbid they differ, but ...). - Some motivational text and advice-to-implementor text explaining how ICE-over-QUIC-over-UDP is unsuitable compared to draft-pauly-quic-address-extension (lack of specification, desire to use same technique for both TLS-over-TCP and QUIC-over-UDP (perhaps), ICE too heavy (and can't be profiled?), or whatever the reasons are. Such guidance will help developers who might happen to notice several IETF protocols that could be made to achieve the same ends. - Also need guidance that the information is time-limited, source network specific (different answers on Ethernet vs WiFi vs LTE) and destination specific (different answer is possible depending on the server queried, due to a NAT or Carrier Grade NAT using multiple outbound interfaces ("pooling") and whatever the NAT's algorithm to choose whichever outbound interface (based on client VLAN, performance of each outbound interface, etc., who knows). NAT pooling can be a significantly complicated issue (https://tools.ietf.org/html/rfc4787#page-7. - Does anyone see a need for a well-known underscore name to retrieve this information from a web server? As written both drafts work with TLS and with QUIC, which means they don't require an HTTP server on the far side so works with SMTP, IMAP, etc. However, I could see it being difficult for an application to learn its public IP address (needs to get its TLS or QUIC implementation to support these I-Ds). Supporting this over HTTP has the advantage that both the OS and an application can programmatically learn its public IP address. - As already mentioned, MPTCP complicates the answer from the server, as will multipath QUIC (which publicly appears to be stalled, but we should reasonably expect it might come to life again). Guidance text needs to be added, or perhaps we can safely punt the problem with 'for further study' and recommend against using it with MPTCP? - Finally, the datastructure doe not convey protocol; I worked on a TCP-to-SCTP gateway a few years ago and one might envision a TCP-to-QUIC gateway or QUIC-to-QUIC8 gateway in 2030. Should we anticipate that and include protocol number to fully qualify the port number that exists already in the datastructure? I honestly don't know the answer to that, but throwing it out for consideration. -d > On Mar 21, 2019, at 12:26 AM, Jim Schaad <ietf@augustcellars.com> wrote: > > I have not looked at this draft yet, but what about DTLS/UDP? > > Jim > > >> -----Original Message----- >> From: TLS <tls-bounces@ietf.org> On Behalf Of Tommy Pauly >> Sent: Wednesday, March 20, 2019 3:00 PM >> To: Martin Thomson <mt@lowentropy.net> >> Cc: tls@ietf.org >> Subject: Re: [TLS] draft-kinnear-tls-client-net-address comments >> >> The QUIC and TLS drafts were written together, and are quite similar as > you >> note. The intention is to use the TLS extension over TLS/TCP connections, >> and the QUIC extension for QUIC/UDP. >> >> I agree that QUIC as a protocol benefits more from the extension than TLS >> does, but applications on top of both can benefit by detecting NATs, for >> making decisions about long-lived connections and privacy mitigations. >> >> Thanks, >> Tommy >> >>> On Mar 20, 2019, at 2:26 AM, Martin Thomson <mt@lowentropy.net> >> wrote: >>> >>> I see a substantially similar draft in > draft-pauly-quic-address-extension. I'd >> like to understand how these might be complementary, or whether the idea >> is to pursue only one. The QUIC extension seems superior, if you have > QUIC. >> There are a lot more plausible reasons to want this information in QUIC >> though. >>> >>> Nits: >>> >>> The format of the extension is not ideal. Wouldn't you want to know > which >> family it came from? >> >> I think the intention was to use the length to infer the family. >>> >>> The term of art is reflexive address (or reflected address). >> >> Thanks, good to know! >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] draft-kinnear-tls-client-net-address commen… Martin Thomson
- Re: [TLS] draft-kinnear-tls-client-net-address co… Tommy Pauly
- Re: [TLS] draft-kinnear-tls-client-net-address co… Ilari Liusvaara
- Re: [TLS] draft-kinnear-tls-client-net-address co… Chris Wood
- Re: [TLS] draft-kinnear-tls-client-net-address co… Stephen Farrell
- Re: [TLS] draft-kinnear-tls-client-net-address co… Jim Schaad
- Re: [TLS] draft-kinnear-tls-client-net-address co… Dan Wing