IETF Logo Mail Archive

Re: [TLS] [EXTERNAL] Re: Representing IP addresses in SNI -- proposed draft

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 29 July 2022 16:24 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BC98C14F743 for <tls@ietfa.amsl.com>; Fri, 29 Jul 2022 09:24:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.797
X-Spam-Level:
X-Spam-Status: No, score=-6.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.582, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTTP_ESCAPED_HOST=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z30i2bE5wWAU for <tls@ietfa.amsl.com>; Fri, 29 Jul 2022 09:24:05 -0700 (PDT)
Received: from na01-obe.outbound.protection.outlook.com (unknown [52.101.56.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59969C14CF01 for <tls@ietf.org>; Fri, 29 Jul 2022 09:24:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Pfm3mg+XGchJlG5I2Dqcry0FANzxReGstbo0dOvY0+EJcPo6e978w0d23DifzqCQKMfbF8dOwglUUOKZPSIf03+R1IYnZlQ/8YVPLMx/HeuXZS51nHNBpz2F5jIytDKC8rkXixWmwG99UlaVseWwP7iaZ5IT5xCivOQmZ7E4e+BKexQ/1H7Qb6cJG97G/dWzhbAkNf0H1KY47E38SCcRGVSfNUiOBsXrm3hjzvyVH160ig6ynoNwOWked+ERzMClDdEoix2R3lYriaL7NS33c90hnhZ+NgTYr199ZR3F1QxB79rk44Kf+igdj4zI27KmGXc5AP1YY7ipvoGDdiPCEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=oz8XYFBYtzFN4DGmfECklquGIXreZ1g+KxILo+AtiiI=; b=eM1zQdHPHYR6xbaAZRP673Fgd1OVqRclAA1bBu9HPaPK1YEIP+EtKdNJpR0lbj7INgGSoUa+Lks7za2e/4mTUyy28J8mysXiCx5sWCIMG6G+PQMXDFfaw/05hL2m4rblLuVWnq3v2O292vBVQb0ty74sn3j5bKj5XQGqpnK1TzfJQ++FJO3UdzIKuhaF7MaKyZwfnBO6D2ap/zO/2p+NYq7iL9l51gTmgyNKFTuMbJabPi01tvAMvXcpdOo+mRuCd084ofMk/u+rX/0hJfhAlXal6JCHG09on1Tce6eWXmxnneSeYiTcMef8niyhfcYm0WZ95QLBVeS46O4TrNI1mQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=oz8XYFBYtzFN4DGmfECklquGIXreZ1g+KxILo+AtiiI=; b=euWhRhHpZxNUwpsOyouclVXXiBr8ciZnzgCFWme/oPbqKD4kjbOI0XY/x4JFDmSSJT4OkIsacxh9QxvojPSrQZRFCU9bvC01Xp+f9HUAQtp69qAtsBCdLr23/WjXWxc/rbw2spfFsw1DZAvjebR6XYExH7oypeIsdYrAADR/zZU=
Received: from BY5PR00MB0707.namprd00.prod.outlook.com (2603:10b6:a03:211::12) by PH0PR00MB1029.namprd00.prod.outlook.com (2603:10b6:510:48::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5523.0; Fri, 29 Jul 2022 16:23:37 +0000
Received: from BY5PR00MB0707.namprd00.prod.outlook.com ([fe80::d9f0:87a8:6259:cf8e]) by BY5PR00MB0707.namprd00.prod.outlook.com ([fe80::d9f0:87a8:6259:cf8e%4]) with mapi id 15.20.5528.000; Fri, 29 Jul 2022 16:23:37 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <mt@lowentropy.net>, Erik Nygren <erik+ietf@nygren.org>, David Benjamin <davidben@chromium.org>
CC: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: [EXTERNAL] Re: [TLS] Representing IP addresses in SNI -- proposed draft
Thread-Index: AQHYoe2BMRITQCPJr0q7hM7G+e34/q2Sp5gAgAK5AACAAB8BAIAACzXg
Date: Fri, 29 Jul 2022 16:23:37 +0000
Message-ID: <BY5PR00MB0707E69D957687F5C2B409018C999@BY5PR00MB0707.namprd00.prod.outlook.com>
References: <165894600746.5156.16661196948798932257@ietfa.amsl.com> <CAKC-DJgG9f1fkZO7aAV18wYyobHxPL9LW48Htj9Ut1Uqu=78Sg@mail.gmail.com> <22b537c2-9c28-407c-8916-a5cc3dcf0be7@www.fastmail.com> <CAF8qwaCMNSBgiypfzJ8Vi+8M6pxohE_HvzsHMHYBnN9wuc1B8Q@mail.gmail.com> <CAKC-DJin=BZfPgt3Yq1yr4Pb5JbN=N7d_nMY_piwdhTWLa13HQ@mail.gmail.com> <568c1c84-d701-47ef-a9ce-0d5a22688240@www.fastmail.com>
In-Reply-To: <568c1c84-d701-47ef-a9ce-0d5a22688240@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=1f74d67c-7f1d-45b7-bd68-0196ac52d215; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-07-29T16:22:00Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a56b72e9-79bc-44f3-7e2b-08da717eb0dc
x-ms-traffictypediagnostic: PH0PR00MB1029:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GBV9UJCMHMqZSPEK0tQsaZBcOMmzBJoN8oktBhdCtDWmP4yjjLNJ70d3BgJxjZmw/7rZk24jUv9WNnH0ue2NJr0A4L+sdDMCmIuB4mhgpGf/BrvTZObBmJgrgsU181alcMEgKQsdm1HQjGHliUOjyZXxjcDwWJmCPTRG+8Wa0V+r24ilODFQQSp0lv6xt0vthITCmfsT+Pm7owbthw7Y7c2uoQDVdjcoiIoCyApKVpCC77NefExdY9XOYvhxtClyBE3fnqG31jdkJ+eGAmlPfEB+h6HvzBcqbWfGH73g26nZK88prupi9tn9TEXfMcSyKYW4VSQtu1DQefSdDFazq/bdgomSYnnbWgNWFkwY5oPUEQfxmrLbPRNmv2eBLJnr5FLrLNmO/lEfAYveNgE0mY/43salMUMA3MjRKqb/+lDTghP7SoQfXeArcIt7wJl7mlGMMDAMZbpVN5ZTgp1NSG9rPwlmI3jGeSkUshgqeEl7sYFzjRs5x9uedgQcLp8YreIuLNJTwLGSNPS5SJs6on/+X7BhS198ck6A+RCxTF24Cs4WY+nq2UIRnPIJEcP4JQ5NAdeszX6XHdpnHZwYhxju1LELkxA9JW37vjezZdmqkHWH/JQ/BjfLizUSWoqVK3wBebDgNAkVdYLXlSFjIkV4z78dyIknjy5Y9D+sCIUGc+krKXUrr970QyXSFYNeXKmcz03IRTlcXkdFpBtqGHjXtQxMBdsvfm0O2qeMoKreixpVRry44J6TK8IYN1OnMXUSEzNv0od6KHHIdejxMSt5h4oOe0IKMO17sSbnReoikTdlQaayJ5IgOCOlEvYSVWdg5e8FtdS1kR+IYV2bLioVOXVdXurvvcY0VYCEqJJ6XkyIbiN0aExfGvho+2krh0LkKmn3XH6KElEnqDP79rpnxSAA2PJCqmMmOWPi4zA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR00MB0707.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(366004)(39860400002)(376002)(136003)(396003)(346002)(451199009)(316002)(7696005)(478600001)(6506007)(110136005)(83380400001)(53546011)(10290500003)(26005)(33656002)(86362001)(15974865002)(8990500004)(71200400001)(55016003)(122000001)(52536014)(9686003)(8936002)(2906002)(38100700002)(38070700005)(82950400001)(41300700001)(66446008)(8676002)(66946007)(966005)(186003)(76116006)(66556008)(66476007)(82960400001)(5660300002)(4326008)(64756008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: /WaIY9iDjTOum8wFOxGNikOzH5WKOdVjTsajPaWSXqEgUFpMnxTUUWo1znKHXwrKL2nmWpfbQDhJ8007kvDWCKpMTzcpMuEJ64YCxayU+Xzu5hxqwbGQch0tykyGYt5Im+km4YGunaAOTy/TM35yYi04SX1GUrmfytB5Y73e+TVTaz+C7KDjmtCbc0XVFX1eMNRwIylosOWG8qAx9zWmU3pobROJ4l8sn4ZARtQSbRlzEu8L9og6ZPzhV6/YOns39CC/XwD75euGxeTFT0Izlvcqd4Yxx2LIncYepGhsvg1mFL0ibTalbomHicBDGJ1t/H8QSmNg2RR03DShkOVALUoAUpKGMnMc0JPMKVWCguMyI8HB2K7ktI48ctUfhPzSH2uwcSCLgl6120I+2Huv34ZYLFTjED7kBYc/U0sI9neIsO4qmoA3bPJS42byPAYT2M7N+hCZBqMWMEqnx5erqqkn/dzcLLnN5wzNeCxzMEq3qmAERzpFbJNcRAIBZq0/zw5YwgHAApiTYfs4ixQH52hidKR3osilFGjlWXWbJyVIwgqe2XBwAc6P5p2W/UL4r91GXkrxKvIaZPjoKWq0+ilSbEFNVjoit4tNIqsNcKPlEVgLY/9A3D3Y2l7Tda6bH4o5KN+uofLCHaXxGZxHdhEG4gYWpxpSZg49OxiHu/j8auqSNLPmeq7FpypUh8fFI0ZOOh6BSvNR+jdOvXf5EJIEPu9dPlaLx/NSL3UFZjkR5SogAxUlzX9veC3LfDWFXlcQEBZCTn9Jgy4zwKwbVeyhqJF8yr5Q8cjggwS6Jxlsd64t3gKKu/4zkU8geTGu0wabz142L0JwKquM87lIqyEF/Fm28KEsL1LmFjBPISfK2rhS1Mwazh8zeNbLAUpGKeL7/c5iO9OK9e6bO3SHjYWDV1YQZzCJ8rHLuvdi1KRqnvndpGXlVvoxrGCH1TEl9rs3T3WjLQ6leOYtC4qdxIvXVBmxNZE+Jtm/+Uratr1Max2Wt4HMFHMIWU/lFfxu8KNvhXgtfE7xtCCoHAPgjipzlPQrwn0GyND1WdGeJlGXS3+kyW/5P3xxZrpdPIPVc2LC9l+smIub40eIzn/WTor+lx03NJPvvYMxf4jJR1/bJJTJnKIDGszGmGYRj54u10DSZIL7G0McxiiGSkvjWaF7NCvi1k709Ot5letg0HugILVo+0qJEWU5/3mfl1L7ep8Tc49GretMF93tlZMpqxqgoSwE1ugaM5eZzHCJ+FGsWTVAiyeRH91OC9hd1ESYKO0VMLOa/ks77lLpEyy7UEwksgu+K2Ni3MKej59bVwsyhrjiUqI9IFZEsZX+tFTCAxl88QHbTOcg/x9ddVrFy1kFQ7ZbPfuoXs1c5iNAjD4cUn3hGGlSpwcefoN9zWkQdk270Q0vfsq+mi5cvInvRCMUrsctNwLyJ27PBjgYuUMsEBR/bwmw0KrO6iKUwJO9qx04DWzpsq/1HdaEi3E3AOReiGRiR7wMA8PvkPkBQuX9Z1YJxSYReWesY2zJfrvlItkHdoGm0teFZ9VPgLm0rAyOYrA7SnYgtzefd4j+sKQUl3KRjHtOg5Fya+1Mvq/Z
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR00MB1029
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uieCQIlN8rinKTjTCxlDWB0J0PM>
Subject: Re: [TLS] [EXTERNAL] Re: Representing IP addresses in SNI -- proposed draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2022 16:24:07 -0000

+1 to defining separate extensions and avoiding unnecessary coupling.

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of Martin Thomson
Sent: Friday, July 29, 2022 8:42 AM
To: Erik Nygren <erik+ietf@nygren.org>; David Benjamin <davidben@chromium.org>
Cc: TLS@ietf.org
Subject: [EXTERNAL] Re: [TLS] Representing IP addresses in SNI -- proposed draft

Please don't define an "extended SNI".  A new extension to signal the target IP address would be fine.  Keep it narrowly focused.

Having a separate extension might allow the DDR client to express both the SNI and the IP it is seeking.

A separate expected certificate extension is another, separate, separable idea that can have its own extension.

However...Both of these need ECH protection.  Which means new ECH parameters.  I'm not sure that I like that idea very much.


On Fri, Jul 29, 2022, at 09:50, Erik Nygren wrote:
> I was thinking about the new extension idea more.  It has the downside 
> of potentially being an API change in client/server TLS stacks, but 
> opening this up might generally be worth considering.  If we added an 
> "Extended SNI" extension to support IPAddress, we might also want to 
> consider if there are other things worth adding.
>
> Also including an Extended SNI option for "Certificate Fingerprint" 
> would solve a bunch of issues
> that have come up from time-to-time.  For example, it might help with 
> DANE.
>
> We've also talked in the past about being able to include a 
> certificate fingerprint in URIs, and being able to signal that in 
> Extended SNI would likely make that work better.
> (A use-case for this is for using TLS in local/private network 
> environments such as to home network devices or even localhost 
> processes where being able to have a URI with an 
> {IP,cert_fingerprint(s)} pairing would have better security properties 
> than trying to use some global PKIX framework.)
>
> Is this something worth considering or that others in the WG might be 
> interested in?
>
>     Erik
>
> 
>
>
>
> On Wed, Jul 27, 2022 at 4:16 PM David Benjamin <davidben@chromium.org> wrote:
>> I agree this is quite a compatibility risk. In addition to messing with SNI lookup, there are servers that try to correlate TLS SNI and HTTP Host. Indeed, when we accidentally sent IP literals in SNI, we broke a server that tried to do that but got very confused by the colons in an IPv6 literal. That server would likely also be confused by this draft, less by syntax and more by SNI/Host mismatch. I would be surprised if this option were viable.
>> 
>> Another option, which doesn't require redefining existing fields, is to simply allocate a new extension. Though I agree with Martin that one would expect the server to know its own IP. If you implicitly interpret a missing server_name extension as "I want the IP cert for this connection's IP", it's already unambiguous. Granted, there may be edge cases because missing server_name can also mean "I want the default cert" and perhaps your "default" cert and IP cert are different.
>> 
>> On Wed, Jul 27, 2022 at 12:17 PM Martin Thomson <mt@lowentropy.net> wrote:
>>> Hi Erik,
>>> 
>>> As far as it goes, this might work.  However, I'm not sure about the effect of this on compatibility.  I'm concerned that maybe this would end up causing some servers to choke.  Servers that receive SNI can sometimes use that SNI value to lookup the correct certificate.  Your design could have those servers searching for a certificate that doesn't exist.
>>> 
>>> Anything along these lines would need to be tested for compatibility - extensively - before it could even be trialed.
>>> 
>>> (I never saw the DDR as having deployment problems along these 
>>> lines.  It isn't THAT hard to know your own IP address for that 
>>> purpose.)
>>> 
>>> On Wed, Jul 27, 2022, at 14:38, Erik Nygren wrote:
>>> > Following discussions in ADD around the DDR draft (as well as in 
>>> > UTA around Martin Thomson's PR to add IP address SANs to 
>>> > 6125-bis), I wrote up a draft on how IP addresses might be represented in SNI:
>>> >
>>> >       
>>> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2F
>>> > datatracker.ietf.org%2Fdoc%2Fdraft-nygren-tls-ip-in-sni%2F&amp;dat
>>> > a=05%7C01%7CAndrei.Popov%40microsoft.com%7C9e531fd5d3634c79fb6b08d
>>> > a71791222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63794706208
>>> > 9321629%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMz
>>> > IiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=w5M5RQ3
>>> > Ivo8%2FjWc6VQcoI4fXdAP2Yg8fXIQTzFmM7aw%3D&amp;reserved=0
>>> >
>>> > There are at least three different ways we could do it, but this 
>>> > draft proposes what seems to be the least bad while also talking 
>>> > about the other alternatives.  (I suspect we'd want to move the 
>>> > alternatives to an appendix or remove entirely from a final 
>>> > version.)
>>> >
>>> > Is this interesting to the working group?
>>> > While IP address SANs have a bunch of corner cases and gaps, they 
>>> > do seem to be picking up new uses.
>>> >
>>> > What motivated me to realize we need to solve this is that 
>>> > draft-ietf-add-ddr uses IP SANs in a new way.  Rather than the 
>>> > client connecting to an IP address and expecting to see a SAN 
>>> > (where returning a cert associated with the IP address containing 
>>> > a SAN that the client connected to is straight-forward), DDR has 
>>> > clients connecting to a different IP and then expects to find an 
>>> > original IP also in the SAN list.
>>> > This means that for an ISP with a large number of IPs (or using a 
>>> > services who operates DoH service on-behalf of many entities), 
>>> > you'd need to quickly/wastefully burn through IPv4 addresses to 
>>> > enable a unique cert per original IP.
>>> >
>>> >     Erik
>>> >
>>> >
>>> > ---------- Forwarded message ---------
>>> > From: <internet-drafts@ietf.org>
>>> > Date: Wed, Jul 27, 2022 at 2:20 PM
>>> > Subject: New Version Notification for 
>>> > draft-nygren-tls-ip-in-sni-00.txt
>>> > To: Erik Nygren <erik+ietf@nygren.org 
>>> > <mailto:erik%2Bietf@nygren.org> <mailto:erik%2Bietf@nygren.org 
>>> > <mailto:erik%252Bietf@nygren.org>>>,
>>> > Rich Salz <rsalz@akamai.com>
>>> >
>>> >
>>> >
>>> > A new version of I-D, draft-nygren-tls-ip-in-sni-00.txt has been 
>>> > successfully submitted by Erik Nygren and posted to the IETF 
>>> > repository.
>>> >
>>> > Name:           draft-nygren-tls-ip-in-sni
>>> > Revision:       00
>>> > Title:          Representing IP addresses in TLS Server Name Indication 
>>> > (SNI)
>>> > Document date:  2022-07-27
>>> > Group:          Individual Submission
>>> > Pages:          7
>>> > URL:            
>>> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-nygren-tls-ip-in-sni-00.txt&amp;data=05%7C01%7CAndrei.Popov%40microsoft.com%7C9e531fd5d3634c79fb6b08da71791222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637947062089321629%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=q6yJ59t1MXOLJ9w1qVJZgVHPIGhXY%2FBdsfSGENpK2TA%3D&amp;reserved=0
>>> > Status:         
>>> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-nygren-tls-ip-in-sni%2F&amp;data=05%7C01%7CAndrei.Popov%40microsoft.com%7C9e531fd5d3634c79fb6b08da71791222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637947062089321629%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=w5M5RQ3Ivo8%2FjWc6VQcoI4fXdAP2Yg8fXIQTzFmM7aw%3D&amp;reserved=0
>>> > Htmlized:       
>>> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2F
>>> > datatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-nygren-tls-ip-in-sni&amp
>>> > ;data=05%7C01%7CAndrei.Popov%40microsoft.com%7C9e531fd5d3634c79fb6
>>> > b08da71791222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6379470
>>> > 62089321629%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2
>>> > luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=7QJ
>>> > dCRUccCI6K%2Fce0u0PuyqtQQdH%2Bup2bMLZGsfK%2F8w%3D&amp;reserved=0
>>> >
>>> >
>>> > Abstract:
>>> >    This specification provides a mechanism for clients to send IP
>>> >    addresses in a TLS Server Name Indication (SNI) extension as part of
>>> >    TLS handshakes, allowing servers to return a certificate containing
>>> >    that subjectAltName.  This is done by converting the IP address to a
>>> >    special-use domain name.
>>> >
>>> >
>>> >
>>> >
>>> > The IETF Secretariat
>>> >
>>> >
>>> > _______________________________________________
>>> > TLS mailing list
>>> > TLS@ietf.org
>>> > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2F
>>> > www.ietf.org%2Fmailman%2Flistinfo%2Ftls&amp;data=05%7C01%7CAndrei.
>>> > Popov%40microsoft.com%7C9e531fd5d3634c79fb6b08da71791222%7C72f988b
>>> > f86f141af91ab2d7cd011db47%7C1%7C0%7C637947062089321629%7CUnknown%7
>>> > CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiL
>>> > CJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=YOEVTTNuIgMLf%2FevfvNUzxtJ
>>> > taFN36px0FCdTZuwpaM%3D&amp;reserved=0
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww
>>> w.ietf.org%2Fmailman%2Flistinfo%2Ftls&amp;data=05%7C01%7CAndrei.Popo
>>> v%40microsoft.com%7C9e531fd5d3634c79fb6b08da71791222%7C72f988bf86f14
>>> 1af91ab2d7cd011db47%7C1%7C0%7C637947062089321629%7CUnknown%7CTWFpbGZ
>>> sb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0
>>> %3D%7C3000%7C%7C%7C&amp;sdata=YOEVTTNuIgMLf%2FevfvNUzxtJtaFN36px0FCd
>>> TZuwpaM%3D&amp;reserved=0

_______________________________________________
TLS mailing list
TLS@ietf.org
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Ftls&amp;data=05%7C01%7CAndrei.Popov%40microsoft.com%7C9e531fd5d3634c79fb6b08da71791222%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637947062089321629%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=YOEVTTNuIgMLf%2FevfvNUzxtJtaFN36px0FCdTZuwpaM%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email