Re: [TLS] [Uta] Recommending ALPN (was Re: [dns-privacy] Martin Duke's No Objection on draft-ietf-dprive-xfr-over-tls-11 ...)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 30 April 2021 11:43 UTC

To: Martin Thomson <mt@lowentropy.net>, Valery Smyslov <smyslov.ietf@gmail.com>
Cc: uta@ietf.org, tls@ietf.org
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <42053cd0-56ef-c38d-b53a-1a8974acabf6@cs.tcd.ie>
Date: Fri, 30 Apr 2021 12:42:56 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XMisjxrImv9Z4L5fnyutUqnAUqI>

Hiya,

I like the text below as a starter. I'd suggest it also
include something to take into account the ECH issue
mentioned on the dpriv list [1].

S

[1] https://mailarchive.ietf.org/arch/msg/dns-privacy/3xL59_1P0ZHOUEYsDJ1Q22ZZVvo/

On 30/04/2021 07:46, Martin Thomson wrote:
> On Fri, Apr 30, 2021, at 16:25, Valery Smyslov wrote:
>> The original motivation for 7525bis was to update RFC 7525 in light
>> of TLS 1.3 appearance. However, I believe that recommendations for
>> using ALPN are in scope of this document.
> 
> How about a new Section 3.7 "Application-Layer Protocol
> Negotiation":
> 
> ---
> TLS implementations MUST support the Application-Layer Protocol
> Negotiation (ALPN) extension [RFC7301].  Correct use of ALPN ensures
> that clients and servers agree on a negotiated protocol.
> 
> Newly defined application protocols that use TLS MUST define an ALPN
> identifier and mandate the use of ALPN for negotiating the protocol.
> 
> An existing application protocol might not have been assigned an ALPN
> identifier.  For other protocols the ALPN identifier might not have
> been part of the original protocol definition, or use of ALPN might
> have been defined originally as being optional.  In all of these
> cases, implementations cannot require the use of ALPN.  A server
> implementation MUST fail a connection attempt with a fatal
> "no_application_protocol" alert if it is configured to use a protocol
> that has no assigned ALPN identifier and a client offers an
> "application_layer_protocol_negotiation" extension.
> ---
> 
> This last bit might be an update to RFC 7301, but it's important for
> protecting against cross-protocol attacks on clients that support
> protocols with ALPN identifiers where the use of ALPN is not
> guaranteed.
> 
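The server-side rule in the quoted draft text (abort with a fatal "no_application_protocol" alert when the server's protocol has no ALPN identifier but the client offered the extension) is easy to state and easy to get wrong in a TLS stack that simply ignores an ALPN extension it has no configuration for. The following is an added example, not code from this thread, from RFC 7301 or from any TLS implementation: it parses the ALPN extension body in its RFC 7301 wire format, then contrasts the legacy "ignore ALPN" server behaviour with the behaviour the proposed text requires. The function names, the `Decision` record and the sample ClientHello offer are all constructed for illustration; the alert number 120 is the IANA value for no_application_protocol, and "dot" is the registered ALPN identifier for DNS over TLS.

```python
"""Server-side ALPN handling: RFC 7301 selection plus the proposed 7525bis rule.

Illustrative code, not from the draft or any TLS library.  The wire format is
RFC 7301 section 3.1:

    opaque ProtocolName<1..2^8-1>;
    struct { ProtocolName protocol_name_list<2..2^16-1>; } ProtocolNameList;
"""
from dataclasses import dataclass
from typing import List, Optional

# TLS AlertDescription value for no_application_protocol (RFC 7301 section 3.2).
NO_APPLICATION_PROTOCOL = 120


def parse_alpn_extension(data: bytes) -> List[bytes]:
    """Decode the extension_data of application_layer_protocol_negotiation."""
    if len(data) < 2:
        raise ValueError("ALPN extension shorter than the 2-byte list length")
    list_len = int.from_bytes(data[:2], "big")
    if list_len < 2 or list_len != len(data) - 2:
        raise ValueError("ALPN protocol_name_list length does not match payload")
    names: List[bytes] = []
    pos = 2
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > len(data):
            raise ValueError("bad ProtocolName length")
        names.append(data[pos:pos + n])
        pos += n
    return names


def encode_alpn_extension(names: List[bytes]) -> bytes:
    """Encode a client's ALPN offer list (inverse of parse_alpn_extension)."""
    body = b"".join(len(n).to_bytes(1, "big") + n for n in names)
    return len(body).to_bytes(2, "big") + body


@dataclass
class Decision:
    proceed: bool               # continue the handshake?
    selected: Optional[bytes]   # ALPN id echoed in the ServerHello, if any
    alert: Optional[int]        # fatal alert to send instead, if any


def legacy_server_decision(configured: Optional[bytes], client_ext: Optional[bytes]) -> Decision:
    """Pre-draft behaviour: a listener for a protocol without an ALPN id just
    ignores whatever the client offered and completes the handshake.  This is
    the cross-protocol exposure the proposed text closes."""
    if configured is None or client_ext is None:
        return Decision(True, None, None)
    offered = parse_alpn_extension(client_ext)
    if configured in offered:
        return Decision(True, configured, None)
    return Decision(False, None, NO_APPLICATION_PROTOCOL)


def server_alpn_decision(configured: Optional[bytes], client_ext: Optional[bytes]) -> Decision:
    """Behaviour required by the quoted draft text.

    configured: ALPN id of the protocol this listener serves, or None when that
                protocol has no assigned identifier.
    client_ext: raw ALPN extension_data from the ClientHello, or None if absent.
    """
    if client_ext is None:
        # The client did not offer ALPN; where ALPN is optional for the
        # protocol the server cannot require it, so proceed without it.
        return Decision(True, None, None)
    offered = parse_alpn_extension(client_ext)
    if configured is None:
        # Server protocol has no ALPN id but the client offered ALPN:
        # the client thinks it is talking some ALPN-identified protocol, so
        # refuse rather than let a cross-protocol handshake complete.
        return Decision(False, None, NO_APPLICATION_PROTOCOL)
    if configured in offered:
        return Decision(True, configured, None)
    # RFC 7301 section 3.2: no overlap between offer and server protocols.
    return Decision(False, None, NO_APPLICATION_PROTOCOL)


if __name__ == "__main__":
    # Constructed offer: an HTTP/2-capable client hits a listener for a
    # protocol that never got an ALPN identifier.
    offer = encode_alpn_extension([b"h2", b"http/1.1"])
    print("legacy:", legacy_server_decision(None, offer))
    print("draft :", server_alpn_decision(None, offer))
    print("dot   :", server_alpn_decision(b"dot", offer))
```

Run directly it prints the three outcomes for the same ClientHello: the legacy listener proceeds with no ALPN, the draft-conformant one aborts with alert 120, and a DNS-over-TLS listener configured for "dot" also aborts because the offer contains no overlap.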