IETF Logo Mail Archive

Re: [TLS] Two Multi-CDN proposals

Kazuho Oku <kazuhooku@gmail.com> Thu, 28 February 2019 07:34 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ECB112D84D for <tls@ietfa.amsl.com>; Wed, 27 Feb 2019 23:34:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3JLzJBgkSGhU for <tls@ietfa.amsl.com>; Wed, 27 Feb 2019 23:34:53 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 479BD129AA0 for <tls@ietf.org>; Wed, 27 Feb 2019 23:34:53 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id r123so6087836lff.6 for <tls@ietf.org>; Wed, 27 Feb 2019 23:34:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=K3UFDXJGH+BCbjM+o53pfnG6rnTWDhiOHzPUMHFFaU0=; b=ZLjLF2PDmyA8+KzraAL/yfaxhEkXvzPqy+cmhP/tTYaaIaZ3FRiLV/BuCHXDLrFDSb mB8Oetsm8lVx3pf5hMV8y/TmnIbShMCvgyaPNSnHJairZRLgvMj3lhPpn6ZT6RxnBXSh 9khOjjCsQiUTl9WpgwN2tFtzAI3GvwouYg1ddc9FHUv/gYvePY3QNGVnntf98bA0w/8r 8nGmdALQD/j7P5/yHkWQiWGgx2jhnOL2z8csaJYheZO+WiL4EfgVZECEGSIqnZcJv5Tg jFpOwjE80rWJPeKhgQ3bkVsKmR9uUO7DDOKzHTBkClCOR/mZpck6R7tsPYuCpahwHWki IpoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=K3UFDXJGH+BCbjM+o53pfnG6rnTWDhiOHzPUMHFFaU0=; b=jc6BCOr56xhKZ4GjASVOyH3oWtkx03mmCLCoP4TubvAxaflmcdvGLgpDwqhFijdgzO 4iXBYIpi10CmN0u3NW/TFcv/DBFqNCkRwiNNxv8AinU/22TPKBXn+GgJyGU7q5jzQLg3 ieUZvZ4HLd1FYRFlXyCaNluJbP2Rv469c7xFD4wuDoaNsllWkVgjpgpNi3VCMrKDq5Vw lwxoSwsuPTh5jqTi6eOojdMOHRwuw5HAZZaWz38YFxVIYGJEmdhBvYFQwXgreqT84OJF YB9CT+0Wh71iZBCG0wmzahDKpl44b0VX2dnUsQCMfj7+oo3Q10xqFHyCJVM4X7Y0Z6X5 TrGQ==
X-Gm-Message-State: AHQUAubgiaKmvTFuD73Yx5DIPxROTNlwFk0daHTZJdZK+y3qlxjIiCO9 iwMp91gvTwkj5gz+Z9ahPDmUoIUQINQiqSVV8uE=
X-Google-Smtp-Source: AHgI3IbBIbncPvsVMFUjPQ0AF3zsdBwTrr4F409wTRCJEizcfhLyeIRlOtgHF4Cff2s0r15s62rhsmQoI8+Yrk+jkGM=
X-Received: by 2002:ac2:42d7:: with SMTP id n23mr3275424lfl.162.1551339291136; Wed, 27 Feb 2019 23:34:51 -0800 (PST)
MIME-Version: 1.0
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com>
In-Reply-To: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Wed, 27 Feb 2019 23:34:39 -0800
Message-ID: <CANatvzwz4+4KiLhBmeKw2HQ_D8SukcGj0UtfeDuMhTME3Yfy5w@mail.gmail.com>
To: Christopher Wood <christopherwood07@gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VT993Py3ZHgoU6_11MT3-2hM-d0>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 07:34:56 -0000

Hi Chris,

Thank you for writing down the PRs describing possible designs that we
might adopt. I think it helps a lot in understanding the details and
making accurate comparisons.

My comments inline.

2019年2月27日(水) 8:19 Christopher Wood <christopherwood07@gmail.com>:
>
> Hi folks,
>
> Below are two PRs that seek to address the multi-CDN issue discussed
> on this list and in meetings:
>
>    1. https://github.com/tlswg/draft-ietf-tls-esni/pull/136
>    2. https://github.com/tlswg/draft-ietf-tls-esni/pull/137
>
> #136 implements the combined or stapled record approach discussed
> several times, most recently in [1]. It includes these via an ESNIKeys
> extension.

Reading the PR, I think that there is a mild privacy concern. The
issue with the unified record proposal is that it incentivizes the
operators to create more ESNI records possibly using different keys,
which is against the design principle of ESNI: provide anonymity set
by using the least number of keys.

Retaining address resolution unbundled with ESNI incentivizes the
operator to use less number of keys; for example they might just use
one key at a time. That would be a nice property to have, especially
in terms of transparency. It would help third parties verify that an
operator is actually providing an anonymity set (rather than just
pretending to use ESNI).

Also, I would like to point out that it is only when one key is used
by each of the provider at a given time that it would be possible to
use ESNI from a network that blocks DoH or DoT; a user can write the
IP addresses of services he/she wants to access in the hosts file, and
supply the ESNI key to the client he/she uses. Such a hack becomes
difficult under the unified approach, where operators could synthesize
different keys based on various conditions.

At the least, if we are to adopt #136, I think we should change the
definition of record digest included in the ClientHello extension so
that it does not cover the "address_set" extension of the ESNI record.
Otherwise, we would be exposing to the wire the fingerprint of the set
of IP addresses contained in the DNS response the client received
through a secure channel, whereas in the split record approach you
only leak the ESNI key being used and the IP address the client has
chosen.

As much as I like the idea of bundling IP addresses and ESNI key, I am
concerned if the requirement to bundle different types of records is a
requirement specific to ESNI. If not, I think we should (in the long
term) try to create a generic solution, while in the short time we
could rely on a more limited mechanism as proposed in #137.

> #137 builds on this design with a mechanism that lets
> clients detect and recover from A/AAAA and ESNI mismatch (if desired).
> It is certainly more complex in several respects. A third variant,
> which is not (yet) in PR form, is a simplification of #137 wherein
> ESNIKeys addresses are only used as filters, instead of filters *or*
> complete addresses.

I think using IP address blocks to limit the validity of the ESNI key
is a fine approach. I do not oppose to having a name-based filter if
it's impossible for certain operators to apply the IP address-based
filtering approach.

> We are asking for feedback on these PRs, as we would like to merge one
> of them for the next draft version. As #136 is simpler and permits
> extensibility, that is the current preference.
>
> Thanks in advance for your feedback.
>
> Best,
> Chris (no hat, on behalf of the authors)
>
> [1] https://mailarchive.ietf.org/arch/msg/tls/WXrPgaIsIPItDw3IQthmJk9VRlw
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email