[TLS] Re: ECH Proxy Mode

Raghu Saxena <poiasdpoiasd@live.com> Wed, 11 September 2024 07:16 UTC

Date: Wed, 11 Sep 2024 15:16:37 +0800
User-Agent: Mozilla Thunderbird
To: 涛叔 <hi@taoshu.in>
References: <03D6DC16-2AFE-41E8-8404-F456D67582EB@taoshu.in> <ME0P282MB5587AFB9A303CE7FABEAF008A39C2@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <C3A1FBAA-CEB9-49FD-A50F-831D86FDECC7@taoshu.in> <ME0P282MB55870395CC2C672C7A607C01A3992@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <7E16914E-3F97-4DB3-8AFD-40898A4DABD0@taoshu.in>
Content-Language: en-US
From: Raghu Saxena <poiasdpoiasd@live.com>
In-Reply-To: <7E16914E-3F97-4DB3-8AFD-40898A4DABD0@taoshu.in>
CC: tls@ietf.org
Subject: [TLS] Re: ECH Proxy Mode
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bVKeWlabzXvGClcL5y0joiF4vW0>

Dear 涛叔,

On 9/10/24 11:00 PM, 涛叔 wrote:
> If we can use the ECH-based proxy, we could transfer all these tasks
> to the server side. The only task that the end user needs to do is to
> set up a custom DoH URL, which is personalized to this user only, with
> auth data in the URL. The proxy list is maintained on the server side,
> and the server works as both DoH and ECH-based SNI proxy.
>
> Once the DoH has been set, the browser will query A/AAAA/ECH records
> for one domain. The server will respond with "fake" records according
> to the proxy list. The public_name of the fake ECHConfig will be used
> to associate with the target domain and for auth.

You make a good point, thanks for clarifying. It is an interesting idea 
that the DoH operator can basically control which proxies would 
effectively be used per domain. I'm going to give this idea a bit more 
thought; it seems interesting.

By the way, you may be interested in this project: 
https://github.com/quininer/nosni-proxy , which has a similar idea, but 
instead completely strips SNI and relies on TLS interception. One 
could think of an alternative, basically like the Cloudflare MiTM model 
you mentioned, except self-hosted with manually trusted certificates. 
Then the DoH server would return the IP of this server, which would 
allow an ECH-TLS connection to it, but then perform a separate TLS 
handshake with the real origin server.

It is not as elegant as what you mentioned, since now there is a need to 
manually trust certificates, but it could still be an approach.

Regards,

Raghu Saxena
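As an added example (not code from either correspondent, nor from nosni-proxy), here is the record shape the proposal quoted above relies on: a minimal ECHConfig (version 0xfe0d) encoder and parser in Python, with a constructed proxy list and an all-zero placeholder in place of the server's real HPKE public key, showing how the public_name of the "fake" ECHConfig served by the DoH side lets the proxy side map the outer SNI back to the target domain. The per-user auth data in the DoH URL and the DoH transport itself are not modelled.

```python
import struct
ECH_VERSION = 0xFE0D  # ECHConfig version per draft-ietf-tls-esni
KEM_X25519, KDF_HKDF_SHA256, AEAD_AES128_GCM = 0x0020, 0x0001, 0x0001
# Constructed proxy list: target domain -> (proxy IP, public_name the DoH
# server hands out so the proxy can map the outer SNI back to the target).
PROXY_LIST = {
    "example.com": ("192.0.2.10", "p1.proxy.example"),
    "example.net": ("192.0.2.11", "p2.proxy.example"),
}
FAKE_PUBLIC_KEY = bytes(32)  # placeholder; a real server embeds its HPKE key

def build_ech_config(public_name, config_id, public_key):
    """Encode one ECHConfig (0xfe0d) carrying the given public_name."""
    name = public_name.encode("ascii")
    key_config = (struct.pack("!BH", config_id, KEM_X25519)
                  + struct.pack("!H", len(public_key)) + public_key
                  + struct.pack("!HHH", 4, KDF_HKDF_SHA256, AEAD_AES128_GCM))
    # maximum_name_length = 0, then public_name, then empty extensions
    contents = key_config + struct.pack("!BB", 0, len(name)) + name + b"\x00\x00"
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents

def parse_public_names(ech_config_list):
    """Walk an ECHConfigList and return the public_name of each 0xfe0d config."""
    (total,) = struct.unpack("!H", ech_config_list[:2])
    buf, names, off = ech_config_list[2:2 + total], [], 0
    while off < len(buf):
        version, length = struct.unpack("!HH", buf[off:off + 4])
        body = buf[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        off += 4 + length
        if version != ECH_VERSION:
            continue  # unknown version: skip it, as a client would
        pos = 3                                               # config_id + kem_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # public_key
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1                                              # maximum_name_length
        names.append(body[pos + 1:pos + 1 + body[pos]].decode("ascii"))
    return names

def doh_answer(qname):
    """DoH side: fake A record plus ECHConfigList for a proxied domain, else None."""
    if qname not in PROXY_LIST:
        return None
    ip, public_name = PROXY_LIST[qname]
    cfg = build_ech_config(public_name, 1, FAKE_PUBLIC_KEY)
    return ip, struct.pack("!H", len(cfg)) + cfg
def proxy_target_for(public_name):
    """Proxy side: map the outer ClientHello SNI (the public_name) to its target."""
    return next((t for t, (_, n) in PROXY_LIST.items() if n == public_name), None)
```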