Re: [TLS] Network Tokens I-D and TLS / ESNI

Christian Huitema <> Fri, 26 June 2020 17:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E70133A0BBF for <>; Fri, 26 Jun 2020 10:42:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jOLUfoKy63yf for <>; Fri, 26 Jun 2020 10:42:49 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 063D23A0BAB for <>; Fri, 26 Jun 2020 10:42:48 -0700 (PDT)
Received: from ([] by with esmtp (Exim 4.92) (envelope-from <>) id 1josN5-000snn-O7 for; Fri, 26 Jun 2020 19:42:47 +0200
Received: from (unknown []) by (Postfix) with ESMTPS id 49tkjp14qwz22Mx for <>; Fri, 26 Jun 2020 10:42:38 -0700 (PDT)
Received: from [] ( by with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <>) id 1josN3-0006iQ-Vx for; Fri, 26 Jun 2020 10:42:38 -0700
Received: (qmail 3943 invoked from network); 26 Jun 2020 17:42:37 -0000
Received: from unknown (HELO []) ([]) (envelope-sender <>) by (qmail-ldap-1.03) with ESMTPA for <>; 26 Jun 2020 17:42:37 -0000
To: Yiannis Yiakoumis <>
Cc: Melinda Shore <>,,
References: <> <> <> <> <>
From: Christian Huitema <>
Autocrypt:; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Message-ID: <>
Date: Fri, 26 Jun 2020 10:42:36 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------A1EF4775B662EB83EE14254E"
Content-Language: en-US
Authentication-Results:; auth=pass smtp.auth=
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0f6LF1GdvkEexklpcFpSF5apSDasLI4SayDByyq9LIhVMVvqKlQUtLwO BOP0oQh1dUTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDoOWO0i/H75teRGzF9TgV+efH zJ6mVE7ewsipSVIfs4adfMKcflL6IuPnpbJ760OOgyWFxOA5dILPypvKxNVhWQwOVcNrdpWfEYrY fLBY3+eYkD5a9Nw7hRCVIMRq0efqTAas0edmB2q/yBRqnQY9Wo6jSvfpO+1kZkomjtjB6X5Q5Q9f RUeIpTIC2ySfqvnqLwoxlgatmaBb0rBiK9xbkDrUqzcKIief90MVLZY9LbIZh9+IQ1oS9LBn3VIP 95Jz7ujRlJ9wSMlhvaudJXZ9EIBG/qaR+8r9SKFMmPJLf850OvZYsmoVQuOIhwKLK6IKBNB4LZ0v UHHKTzJX7b1JhLSQQ4vSj0QEim26t/Moy0UPX5E73H1QfrH/5kkrV/Cr0bm2vWdo8usP65i82q1C dZgGrpL44wdx9eXqjQjbvUopOMQJvQ/Ck3iiU+4DQAj3fuQgzT3K9JUHTNiGwfwAm6ZQhvJRsM2m I6SM4wXHHdy+nDmOO/l0k0eYmgKL9N7NJ6qydqunGeRucQzUa1BY6TESzAX/5TqBYIW16uDk9RT0 lSfuxANzRU5MAZzTOSGB3Akz5lm78RWIReBxnetgOPKY2AXNZGS5G93aGyH8MqMNONNOB63tZ91H 4Bn0Oix6rUrHvUp663w0CHIt3fUi3pxMPnetLBJMh51NiRRoHIA04+WXylLQLB2v6tymK4rhmiK7 x42VjdzChZMe6O/DiWiiIzuXMTE3l4bIsk+O50slILRD2F7oGp9qyS24nW3A08QV3No+S2msRDep v5w/kkG0v17AmegcpQ0tml/sN9lmMy/o83jVXTcfb9k0nLWblJy7uxV6dw8jzlsaNZe6hynMJcjx DydxsJEju76A7X1QIVydqXpZ6MHhiKws9Iiut28r9wo4SqUIg8Yh9hAM0n3LLzx/F2gT3wl8JQJv Bho=
Archived-At: <>
Subject: Re: [TLS] Network Tokens I-D and TLS / ESNI
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Jun 2020 17:42:51 -0000

On 6/26/2020 10:16 AM, Yiannis Yiakoumis wrote:
> On Fri, Jun 26, 2020 at 7:29 AM, Christian Huitema
> < <>> wrote:
>     On 6/25/2020 11:11 PM, Melinda Shore wrote:
>         On 6/25/20 3:29 PM, Erik Nygren wrote:
>             One quick comment is that binding tokens to IP addresses
>             is strongly counter-recommended.
>             It doesn't survive NATs or proxies, mobility, and it is
>             especially problematic in IPv6+IPv4 dual-stack environments.
>         There's been a bunch of past work done developing similar
>         sorts of protocols, and for what it's worth I wrote up a
>         mechanism for using address tags and address rewrites, but
>         unfortunately Cisco decided to patent it. Anyway, there are
>         ways of dealing with this problem that don't require binding
>         the address to the token ("all technical problems can be
>         solved by introducing a layer of indirection").
>     There is also an interesting privacy issue. The token is meant to
>     let a provider identify some properties of the connection. I
>     suppose there are ways to do that without having it become a
>     unique identifier that can be tracked by, well, pretty much
>     everybody. But you have better spell out these ways.
> You are right that for the duration of a token, one could use it to
> identify an endpoint (either application or most likely a combination
> of user/application). Tokens expire and intermediary nodes cannot
> correlate tokens with each other as they are encrypted. So tracking
> cannot happen across different tokens (of the same user), or between
> token-enabled and non-token-enabled traffic. I guess similar type of
> tracking happens when users are not behind a NAT and their IP address
> can be used to track them. Would it make sense to have the user add a
> random value to a token, and then encrypt it with the network's public
> key, so that each token becomes unique and cannot be tracked. Would
> that address the privacy concerns better?

That would certainly be better. The basic rule is that any such
identifier should be used only once. Pretty much the same issue as the
session resume tickets.

>     Then, there are potential interactions with ESNI/ECH. The whole
>     point of ECH is to keep private extensions private. The token
>     extension would need to be placed in the outer envelope, which is
>     public but does not expose seemingly important information like
>     the SNI or the ALPN.
> Ah, I was not aware that ESNI can now include all CH extensions -
> thanks for the pointer. Yes, the token would have to stay on the outer
> envelope so the network can process it. The main idea is you can
> encrypt everything that is client-server specific, and just keep a
> token to explicitly exchange information with trusted networks. 
>     There are also implications for QUIC, in which the TLS data is
>     part of an encrypted payload. The encryption key of the TLS
>     carrying initial packets is not secret in V1, but it might well
>     become so in a future version.
> Haven't looked into QUIC yet, but is on the list of things to do. If
> anyone is interested to help us explore this, please let me know.

You may want to have that discussion in the QUIC WG. If you are building
some kind of QoS service, you probably want it to work with QUIC too.

-- Christian Huitema