IETF Logo Mail Archive

Re: [TLS] New Draft: Using DNS to set the SNI explicitly

Ben Schwartz <bemasc@google.com> Wed, 08 February 2017 03:29 UTC

Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BAA212979D for <tls@ietfa.amsl.com>; Tue, 7 Feb 2017 19:29:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSxlk5e92eHA for <tls@ietfa.amsl.com>; Tue, 7 Feb 2017 19:29:41 -0800 (PST)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E45961297CE for <tls@ietf.org>; Tue, 7 Feb 2017 19:20:29 -0800 (PST)
Received: by mail-io0-x234.google.com with SMTP id l66so106539294ioi.1 for <tls@ietf.org>; Tue, 07 Feb 2017 19:20:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7J7HdJdilfKUwQQG07iu5rBKf2pioEznXQI1nNjj0tU=; b=Ita2oTad3gLOvVnlOA5wX7L7Di3yPtE0OYlevjSQkN7pkN7uvU/BZKR6wbgv05C1pb HhUGba6ltRcVXKg3rKlTpAhKa0b9rK40zIdzjiwFM4ksRh5xxgIe1T073nd0YFjqtMU4 DNRVjSVy4O1kWG3N5qTAVTV/FsHkrkLde+OdASdedTjLt+Ta5UwXPCZSdkEjYGHwPc5G OxIFZJd/gVk+vLIlRoEEXA6e1kjipvE6Psn2bgP2UOiTqwfO1eUp+V9MQ7wJqggBm0gN 4VQ6H3mjQywmGAchWDtyAbsobEs3djPtZ5OPH82WjGKVPRSyVJPz9QJBKgS6G38XSu// JqDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7J7HdJdilfKUwQQG07iu5rBKf2pioEznXQI1nNjj0tU=; b=WM4UxI5IkDYsuQ1VmfJiS40tGMmNqLxDlPHW1+STUf6YaiZ+xsh7q2CmY0amf3FIsg GPISQ4r8it3u1NBYHt25NEb9lJQwGRAkOwSJOpOnrISuiuC1NPL6PBBTTZkUwDW5OxvO ufE3UA7gFjq6H5nvdAStykez9offXaOBMnCyf7KCtKnD7ZljuHQFM+hIo61WJX3Y8Ylt MEddlR29X0PY4rAcaLhJx3OwykwjHI9l9iuZkr9h0yq9BPj/T5uvy2v97C7axW5LIWLB ZLAdJt+TVVaCQTXFeIrYhYOrGvqhjpAGHJqMasimLdhn23ePQF8CRjaPV6Ni3fvIEGT4 MSNQ==
X-Gm-Message-State: AMke39lZCyd/Fc1nP7vadhDK9ORMWzhs0p1+sn0U8vjh26LT+EJr+zlcRYNd6mAzC4mwdB96sS33hs3bTmBtWMxY
X-Received: by 10.107.15.70 with SMTP id x67mr6857602ioi.103.1486524029155; Tue, 07 Feb 2017 19:20:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.135.164 with HTTP; Tue, 7 Feb 2017 19:20:28 -0800 (PST)
In-Reply-To: <2ad02cb5-7ef0-9b27-818c-eb881f250519@huitema.net>
References: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com> <20170207164853.GA979@LK-Perkele-V2.elisa-laajakaista.fi> <CAHbrMsB5q_1e6Pg-hmgt+xUVtFtmdoaQ-XfpXfrQu18uF5+zWw@mail.gmail.com> <2ad02cb5-7ef0-9b27-818c-eb881f250519@huitema.net>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 07 Feb 2017 22:20:28 -0500
Message-ID: <CAHbrMsDT45gC4W_06ZMXWbNx85Yf01ug0fJiM=4eU_4V=dBnvA@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: multipart/alternative; boundary="001a113ed7feb572230547fc5852"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ViFCUkKcLZ7nt76WxxxreY8bTc4>
Cc: tls@ietf.org
Subject: Re: [TLS] New Draft: Using DNS to set the SNI explicitly
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 03:29:42 -0000

On Tue, Feb 7, 2017 at 8:14 PM, Christian Huitema <huitema@huitema.net>
wrote:

> On 2/7/2017 9:11 AM, Ben Schwartz wrote:
>
> ...
>
> I proposed to treat IPv4 and IPv6 separately because a "dual stack" domain
> owner might reasonably have very different configurations for their IPv4
> and IPv6 servers.  For example, a domain owner might use shared hosting for
> IPv4, but assign each domain to a unique IPv6 address.  Splitting the DNS
> record in this way allows the server operator to disable SNI (by publishing
> an SNI record with empty RDATA) for connections to the IPv6 servers,
> without affecting requests to the IPv4 servers.
>
>
> I am not sure that this is the right trade-off. If some adversary censors
> based on the SNI, they will also be able to censor based on the IP address
> of the server (v4 or v6). The resistance to censorship (or monitoring) only
> happens if the connections are proxied through another service. I would
> think that you want the name of that proxy service in the DNS,
> independently of the network configuration.
>
> -- Christian Huitema
>

I agree: against "knowledgeable" adversaries, moving services onto separate
IPs hurts instead of helping, so my example isn't great motivation.  Based
on your and Ilari's feedback, I'll probably remove the v4/v6 split unless
we can come up with a more attractive version.

v2.23.0 | Report a Bug | By Email