Re: [TLS] Multi-CDN and ESNI
"Salz, Rich" <rsalz@akamai.com> Tue, 23 October 2018 17:58 UTC
From: "Salz, Rich" <rsalz@akamai.com>
To: Mike Bishop <mbishop@evequefou.be>, "tls@ietf.org" <tls@ietf.org>
Date: Tue, 23 Oct 2018 17:58:42 +0000
Message-ID: <DDE6F8E9-6635-4D69-8028-83D49E9D7437@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YwGgRYi7fCY9z-y_E7GnMPmzL18>
I think perhaps we need to take a step back and explain something that might not be well-known outside the community of CDNs and their customers. It is not uncommon for (admittedly larger) origins to use multiple CDNs, and to switch among them. This can be done on a per-request basis, because of things like contractual arrangements that make one preferable, or it can be done globally but switched in a matter of seconds because of a short TTL on the www.example.com entry. The issues that Mike discusses impact this, somewhat negatively. A quick hack thought is to allow multiple entries in the TXT record, forcing a wee bit more work on the CDN.