Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Kyle Rose <> Wed, 09 October 2019 12:41 UTC


I'm struggling to understand the issue you're raising.

There's typically nothing special about the CDN to origin TLS interaction.
If the origin supports ESNI, why couldn't it advertise that? The CDN node
could just pick it up like any other TLS client would.*

The one way in which CDN to origin interactions may differ greatly from
client to origin interactions is the aggregation of many sessions to the
same origin inside the same connection, but this is at the application
layer. This aggregation may improve privacy by decoupling incoming traffic
from upstream requests through persistent connections and/or pre-cached

Can you more precisely define your concern?


*Not clear that it would be helpful, since the origin is probably obvious
from the destination IP, but I think the whole ESNI discussion presumes
traffic analysis is either hopelessly naïve or impossible, so I'll just
stipulate that and proceed from there.

On Wed, Oct 9, 2019, 7:55 AM Rob Sayre <> wrote:

> On Wed, Oct 9, 2019 at 6:51 PM Salz, Rich <> wrote:
>>>    - A link from CDN to Origin is just a particularly easy-to-deploy use
>>>    case, since client certificates are already in wide use and IPv6 tends to
>>>    work flawlessly.
>> It does?  Gee, cool.
> This response sounds like anger. I'm sorry I've caused you to feel angry.
> It might be best to discuss technical concerns. Do you think an SNI field
> sent with a client certificate is a bad idea? I'm not a cryptographer, so I
> thought I would suggest the approach and see what people thought.
> thanks,
> Rob