[TLS] ESNI and Multi-CDN
Ben Schwartz <bemasc@google.com> Tue, 18 December 2018 17:30 UTC
I'd like to propose a solution to the ESNI + Multi-CDN problem (which has been discussed a lot on this list already). My suggestion is that we define the ESNI DNS record format as optionally including "stapled" A/AAAA records. Server operators would have the option to publish an ESNI record that only contains an ESNIKeys structure (like the current TXT record), or to publish an ESNI record that also includes IPv4 and/or IPv6 addresses. (A Sufficiently Advanced authoritative DNS server would generate such records automatically.) This kind of address stapling would only be required of CDN operators who want to support multi-CDN deployments.

Clients would issue A, AAAA, and ESNI queries in parallel (as with the current TXT record). If an ESNI record exists, and it contains IP addresses, the client discards the results of the A or AAAA query.

Advantages:
- No possibility of mixing up which ESNIKeys goes with which server IP.
- No changes needed to recursives (which would treat the entire record as opaque).
- Doesn't add roundtrips at any stage.
- Fully compatible with existing CNAME delegations.
- Only adds complexity to the most sophisticated party (CDNs who want to enable multi-CDN).
- Not limited to one protocol (e.g. HTTPS).

Disadvantages:
- IP address data is duplicated (10-100 extra bytes in the ESNI record), and single-stack (e.g. v4-only) clients would still get both sets of IP addresses.
- Clients must wait for the ESNI query to complete before sending a TCP SYN. (Any resulting delay should be very small. Does not apply to TFO or QUIC.)
- Support requires implementation work in authoritatives, especially for load-balancing or geotargeting.
- If IP stapling is rarely used (or rarely _not_ used), some clients might fail to implement the rare case properly.

--Ben Schwartz, Jigsaw
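The client-side selection rule from the proposal, as an added Python example that is not part of the original message or of any ESNI draft: it encodes and decodes an ESNI record with optional stapled addresses and combines the answers of the parallel A/AAAA/ESNI queries so each address stays bound to the ESNIKeys it was published with. The wire layout (three 16-bit length-prefixed vectors: ESNIKeys, IPv4 list, IPv6 list) and all sample addresses are assumptions, since the message does not specify a format.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

@dataclass
class EsniRecord:
    esni_keys: bytes                          # opaque ESNIKeys blob, not parsed here
    v4: list = field(default_factory=list)    # stapled A addresses (optional)
    v6: list = field(default_factory=list)    # stapled AAAA addresses (optional)

def encode_esni_record(rec):
    """Hypothetical wire layout: three TLS-style 16-bit length-prefixed vectors."""
    v4 = b"".join(ipaddress.IPv4Address(a).packed for a in rec.v4)
    v6 = b"".join(ipaddress.IPv6Address(a).packed for a in rec.v6)
    return (struct.pack("!H", len(rec.esni_keys)) + rec.esni_keys
            + struct.pack("!H", len(v4)) + v4 + struct.pack("!H", len(v6)) + v6)

def decode_esni_record(data):
    def take(off):
        (n,) = struct.unpack_from("!H", data, off)
        off += 2
        if off + n > len(data):
            raise ValueError("truncated ESNI record")
        return data[off:off + n], off + n
    keys, off = take(0)
    v4raw, off = take(off)
    v6raw, off = take(off)
    if off != len(data) or len(v4raw) % 4 or len(v6raw) % 16:
        raise ValueError("malformed ESNI record")   # reject trailing or odd-sized data
    v4 = [str(ipaddress.IPv4Address(v4raw[i:i + 4])) for i in range(0, len(v4raw), 4)]
    v6 = [str(ipaddress.IPv6Address(v6raw[i:i + 16])) for i in range(0, len(v6raw), 16)]
    return EsniRecord(keys, v4, v6)

def select_endpoints(esni_rdata, a_rrs, aaaa_rrs, want_v4=True, want_v6=True):
    """Client rule from the proposal: if the ESNI record staples addresses, the
    A/AAAA answers are discarded; if it staples none, they are used as today.
    Every returned address is paired with the ESNIKeys it was published with."""
    if esni_rdata is None:                    # no ESNI record: plain addresses, no ESNI
        ips = (a_rrs if want_v4 else []) + (aaaa_rrs if want_v6 else [])
        return [(ip, None) for ip in ips]
    rec = decode_esni_record(esni_rdata)
    v4, v6 = (rec.v4, rec.v6) if (rec.v4 or rec.v6) else (a_rrs, aaaa_rrs)
    ips = (v4 if want_v4 else []) + (v6 if want_v6 else [])   # single-stack clients filter
    return [(ip, rec.esni_keys) for ip in ips]

# Constructed sample answers (not real DNS data): the ESNI record staples one CDN's
# addresses while the A/AAAA answers came from a different CDN.
SAMPLE_ESNI = encode_esni_record(EsniRecord(b"\x01\x02keys", ["192.0.2.10"], ["2001:db8::10"]))
SAMPLE_A = ["198.51.100.1"]
SAMPLE_AAAA = ["2001:db8:1::1"]
```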