Re: [TLS] Encrypted SNI

nalini elkins <nalini.elkins@e-dco.com> Wed, 04 July 2018 04:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZFogw2aFXQ03g8KuUbZCpnWABFw>

>So-called "Enterprise" infrastructure has delayed the work of this group
>for at least a year. No one of the people creating that mess has reached
>out to this group to explain why they constantly break TLS - let alone
>apologize for it.

>I believe there's a large overlap of the actors breaking TLS with the
>actors who are worried about things like SNI encryption. I'm not sure I
>see any reason not to consider these actors as anything but opposed to
>the work of this group.

I believe that enterprise people have tried over and over again to explain.
You may wish to take a serious look at:

https://datatracker.ietf.org/doc/draft-fenter-tls-decryption/

I, personally, have tremendous respect for the people in the TLS group.
The level of cryptographic expertise as well as the passion /
commitment is unparalleled.

I think both "sides" are acting with good intentions - while looking at the
world through their own lenses.   Enterprises need to be able to do Business
As Usual (BAU) while integrating innovation into their networks.

I suspect that no one likes middleboxes or "breaking" TLS but it is at least
temporarily necessary.   You cannot hide your head in the sand and pretend
it does not exist.  Markets exist for a reason.

People do not spend time and money to make presentations (at the TLS group)
without having a very good reason to do so.

IMHO, having everything at the end points (or the end-to-end principle) has led
to an unsustainable trajectory to expensive and complex network functions and
end-points. I have done a rudimentary survey of some of the enterprises I
know and they say that much (if not most) of their time is spent in patching
applications and end points. This is one reason they cannot look ahead to
bigger tasks like migrating to IPv6.

I completely agree that enterprises have not presented the statistics and a
carefully reasoned study to substantiate the above claims.  I am in the
process of taking a step back to see what we need to do - what drafts we
need to write and what numbers we need to present - to have a full
picture of how Internet protocols are used.

Enterprises are a very large group of users of the Internet protocols and
need to be considered as such.

Nalini


On Wed, Jul 4, 2018 at 1:54 AM, Hanno Böck <hanno@hboeck.de> wrote:

> So-called "Enterprise" infrastructure has delayed the work of this group
> for at least a year. No one of the people creating that mess has reached
> out to this group to explain why they constantly break TLS - let alone
> apologize for it.
>
> I believe there's a large overlap of the actors breaking TLS with the
> actors who are worried about things like SNI encryption. I'm not sure I
> see any reason not to consider these actors as anything but opposed to
> the work of this group.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>



-- 
Thanks,
Nalini Elkins
President
Enterprise Data Center Operators
www.e-dco.com