Re: [TLS] Two Multi-CDN proposals
Eric Rescorla <ekr@rtfm.com> Thu, 28 February 2019 01:42 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5A87130EAB for <tls@ietfa.amsl.com>; Wed, 27 Feb 2019 17:42:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YwRwEi44iQsL for <tls@ietfa.amsl.com>; Wed, 27 Feb 2019 17:42:37 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 650551277D2 for <tls@ietf.org>; Wed, 27 Feb 2019 17:42:36 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id x206so5962299lff.3 for <tls@ietf.org>; Wed, 27 Feb 2019 17:42:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9kaWs7gKrLyJ9agiC0++HXt6kkJwLfV1sFDsB6eaa58=; b=xTqZal19z1PEFwsl54dSkugyOuRWkfUq5MOxeLuWDC0C0HyJoCVE+neQI/tkWR+YSZ 76dUlcDpbGeBZheDIWW8m+aM8KAMijcjJldK2y9GxLroFghVcG9Xys4P7g+aKzDwOQ+P IRZVoW8+E9DPp4/t+KOG9GsESsuTyq3j1fRRy7nAUd4x/Qx92Ik966CggcEXg8c8CEiR v5DfHDb1DCOBxSbDSYVSVcIYHsDhw+nQlMljXNFp29Wf+F4Gj1eXUMUlh8Mn0h9ajk2S vzAdNUPDAud5RXJL7xwYVZrKG54Ryal1xLTcF21mgPJ90h9559fqevpUKnhuNQMJnxke mvdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9kaWs7gKrLyJ9agiC0++HXt6kkJwLfV1sFDsB6eaa58=; b=ZC4MCUGSP4+kfPKffLWLKIpo//x5UTfk2pqTvgd4nlMs5PR74PIlX0XU54Jd+hc5ig KFEYSN+0EVjG8+1+89ebNLNzgujVzbpeDJZkaCvio7fUjBugLNGGdm39DfSocb882fse TplyPcwpD8SfLZfU0xRdxFP47kS3h+taqaSDhofjQ5qfytqPu6u7LKRg1SHmyEvtybSm vpHZx0+hcZmRxlYTspd2YOIf1RO0K5IPAnq7I/iW7QE/6oOed9IsshhrCvVAowYD7Xle Xz9PU6faVQOkH/I6utjb8RGr5Mg5VsE9kVWbza5R9MGG6V1VMV36tIMuXt6cug44W53W CErA==
X-Gm-Message-State: AHQUAuYkTVR6PXVBbXv0fWDIzXeODyR2fXlq2tTEcK/TJNKnOmBse8nR VaYMlJnzcyr35P5FnC2uCBlDUjElKhTuA+YkS6dN6w==
X-Google-Smtp-Source: AHgI3Iaoi9/vLpdYu0ueVarts8Mr3umobwewj0DrT3mV45bUO0NsaJHFTqOPtjlDI2awehpv+8XdnyjjtNNXyyIdCsE=
X-Received: by 2002:ac2:51bc:: with SMTP id f28mr2724288lfk.123.1551318154354; Wed, 27 Feb 2019 17:42:34 -0800 (PST)
MIME-Version: 1.0
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com> <0b19d021-8101-23ee-2899-450d103a8906@cs.tcd.ie>
In-Reply-To: <0b19d021-8101-23ee-2899-450d103a8906@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 27 Feb 2019 17:41:56 -0800
Message-ID: <CABcZeBN0mf7VFCKKdg9gH0=tCS7eLZz6M5_WJdaNG7XrJeyESw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Christopher Wood <christopherwood07@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008635710582ea6785"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WF_4i9AxqZ6mRR1dP1I6v3XrlpI>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2019 01:42:41 -0000
On Wed, Feb 27, 2019 at 5:24 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > First, I think both are wrong:-) > > If there are really different ESNI private value holders, > then each of those should provide separate ESNIKeys RR value > instances Yes, this is the idea and the set of all of those should be in the RRset > returned when the ESNIKeys are queried. > I think you're misunderstanding the scenario here: we have two CDNs A and B, and some switching service in front, so that when you lookup example.com, you get a CNAME to A or B, and then you get the ESNIKeySet for A or B as the case may be. So you're not going to get both ESNIKeys values. > Requiring different private value holders to find some > entity to wrap up all their crap into one single TLS blob > is not, IMO, a good design. > That's not the way this works. > On 27/02/2019 16:18, Christopher Wood wrote: > > Hi folks, > > > > Below are two PRs that seek to address the multi-CDN issue discussed > > on this list and in meetings: > > > > 1. https://github.com/tlswg/draft-ietf-tls-esni/pull/136 > > 2. https://github.com/tlswg/draft-ietf-tls-esni/pull/137 > > I'm not sure of the details of #137 but I think I prefer > that one a bit. I suspect either of them will be a pain to > code given how we'll be mixing names and addresses. > > #136 seems broken to me in that it gives the new AddressSet > invention priority over A/AAAA resolution. I think that'd > need much more justification as it essentially calls for > duplicating A/AAAA information over two administrative > domains which seems like a recipe for failure. > This is not correct for the reasons I indicated above. What happens is that the terminal CDN is responsible for publishing a record with its keys and its A/AAAA values. Indeed, the source of the problem we are trying to solve is that you might in successive resolutions get the CNAME for A and B, thus having a keys/A mismatch. > > My reason for preferring #137 is that (if I'm reading it > right, and I'm not sure!), it resolves a CNAME and then > compares the resulting A/AAAA acquired via normal CNAME > chasing to a mask from the ESNIKeys stuff. I think that > is a better approach than replicating A/AAAA values inside > a novel repetitive structure like ESNIKeys. > > Lastly, we will need to fix the TLS-developer-friendly > but DNS-admin-unfriendly ESNIKeys structure, [Citation needed] IMO the way to do > that is for each ESNI private value holder's stuff to be > a separate RR value in the RRset (and so each is likely a > separate stanza in a zone file). This seems to rest on the same misunderstanding of the scenario in question. -Ekr So in summary: > > - both are wrong:-) > - if I had to pick one to proceed with temporarily, > I'd go with #137 despite it being unclear > - I'd rather we fix the ESNIKeys to be DNS friendly > now too and not wait to have to inevitably fight > that battle later (but fight I will:-) > > Cheers, > S. > > > > > #136 implements the combined or stapled record approach discussed > > several times, most recently in [1]. It includes these via an ESNIKeys > > extension. #137 builds on this design with a mechanism that lets > > clients detect and recover from A/AAAA and ESNI mismatch (if desired). > > It is certainly more complex in several respects. A third variant, > > which is not (yet) in PR form, is a simplification of #137 wherein > > ESNIKeys addresses are only used as filters, instead of filters *or* > > complete addresses. > > > > We are asking for feedback on these PRs, as we would like to merge one > > of them for the next draft version. As #136 is simpler and permits > > extensibility, that is the current preference. > > > > Thanks in advance for your feedback. > > > > Best, > > Chris (no hat, on behalf of the authors) > > > > [1] > https://mailarchive.ietf.org/arch/msg/tls/WXrPgaIsIPItDw3IQthmJk9VRlw > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Kazuho Oku
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Stephen Farrell
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- Re: [TLS] Two Multi-CDN proposals Nick Sullivan
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Mike Bishop
- Re: [TLS] Two Multi-CDN proposals Eric Rescorla
- Re: [TLS] Two Multi-CDN proposals Kazuho Oku
- Re: [TLS] Two Multi-CDN proposals Kazuho Oku
- Re: [TLS] Two Multi-CDN proposals Christopher Wood
- [TLS] More issues with current ESNIKEYS DNS appro… Erik Nygren
- Re: [TLS] More issues with current ESNIKEYS DNS a… Stephen Farrell