Re: [TLS] New Draft: Using DNS to set the SNI explicitly

Christian Huitema <huitema@huitema.net> Wed, 08 February 2017 01:14 UTC

To: Ben Schwartz <bemasc@google.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
References: <CAHbrMsCpCH2qSG=cZjMMuWbpzCn8dQhvaTDaRc1riwnYiKGjsg@mail.gmail.com> <20170207164853.GA979@LK-Perkele-V2.elisa-laajakaista.fi> <CAHbrMsB5q_1e6Pg-hmgt+xUVtFtmdoaQ-XfpXfrQu18uF5+zWw@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <2ad02cb5-7ef0-9b27-818c-eb881f250519@huitema.net>
Date: Tue, 07 Feb 2017 15:14:42 -1000
In-Reply-To: <CAHbrMsB5q_1e6Pg-hmgt+xUVtFtmdoaQ-XfpXfrQu18uF5+zWw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bmchb4lPI3RCLuJqcJs5InnU5j8>
Cc: tls@ietf.org

On 2/7/2017 9:11 AM, Ben Schwartz wrote:

> ...
>
> I proposed to treat IPv4 and IPv6 separately because a "dual stack"
> domain owner might reasonably have very different configurations for
> their IPv4 and IPv6 servers.  For example, a domain owner might use
> shared hosting for IPv4, but assign each domain to a unique IPv6
> address.  Splitting the DNS record in this way allows the server
> operator to disable SNI (by publishing an SNI record with empty RDATA)
> for connections to the IPv6 servers, without affecting requests to the
> IPv4 servers.
>

I am not sure that this is the right trade-off. If some adversary
censors based on the SNI, they will also be able to censor based on the
IP address of the server (v4 or v6). The resistance to censorship (or
monitoring) only happens if the connections are proxied through another
service. I would think that you want the name of that proxy service in
the DNS, independently of the network configuration.

-- Christian Huitema
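To make the two positions in this exchange concrete, here is a small resolver-side decision function, written as an added example rather than code from the draft or from either poster: it models the quoted per-address-family SNI record (a record with empty RDATA disables SNI for that family) and also the case Christian raises, where the RDATA carries the name of a fronting/proxy service. The record names `SNI4`/`SNI6`, the RDATA shape and the zone contents are constructed assumptions.

```python
"""Resolver-side choice of the ClientHello server_name from DNS data.

Added example; the record names SNI4/SNI6, the RDATA encoding and the zone
below are constructed assumptions, not something the draft defines.
"""
from typing import Optional

# Constructed zone for a "dual stack" domain as described in the thread:
# IPv4 on shared hosting (SNI still needed so the shared host can route),
# IPv6 with one address per domain (operator disables SNI there by
# publishing a record with empty RDATA).
#   None  -> no SNI record published for that family (default behaviour)
#   ""    -> record published with empty RDATA (SNI disabled)
#   name  -> explicit server_name to send (e.g. a fronting proxy)
ZONE = {
    "www.example.com": {
        "A":    ["198.51.100.10"],
        "AAAA": ["2001:db8::10"],
        "SNI4": None,
        "SNI6": "",
    },
    "alt.example.com": {
        "A":    ["198.51.100.10"],
        "AAAA": ["2001:db8::11"],
        "SNI4": "front.example.net",   # proxy name, independent of the
        "SNI6": "front.example.net",   # underlying v4/v6 configuration
    },
}


def choose_sni(hostname: str, family: int, zone=ZONE) -> Optional[str]:
    """Return the server_name for `hostname` over IPv4 (family=4) or IPv6
    (family=6), or None when the SNI extension should be omitted entirely."""
    if family not in (4, 6):
        raise ValueError("family must be 4 or 6")
    rdata = zone.get(hostname, {}).get(f"SNI{family}")
    if rdata is None:      # nothing published: fall back to the hostname
        return hostname
    if rdata == "":        # empty RDATA: operator disabled SNI for this family
        return None
    return rdata           # explicit name: send it instead of the hostname


if __name__ == "__main__":
    for name in ZONE:
        for fam in (4, 6):
            print(name, f"IPv{fam}", "->", choose_sni(name, fam))
```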