Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

"Salz, Rich" <rsalz@akamai.com> Fri, 11 October 2019 17:11 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Rob Sayre <sayrer@gmail.com>
CC: "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
Thread-Index: AQHVf+GsnWryPMhc506+pN76L/UXB6dVwjUAgAAGBoD//+OwgIAAUf8A///A04A=
Date: Fri, 11 Oct 2019 17:11:08 +0000
Message-ID: <4BB4C376-D4EE-4C3D-87D2-3611E6285801@akamai.com>
In-Reply-To: <CAChr6SzQDSGLrF1DUuMJpxexuWUsCAq8+DE9Ajp8a1B7maQfhQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dsKDpJXkTb8w_GsHQVNKOF0Geag>


  *   How does a request of the form "username.example.com" get through a CDN to an Origin while leaving the SNI encrypted on the wire?

The CDN needs to see the decrypted SNI.  If the CDN and origin share the ESNI keys, the CDN can just pass the original ESNI value along.  If the CDN and origin do not share ESNI keys, then the CDN will have to re-encrypt.  If that is an issue, you haven’t explained why, or I missed it.


  *   It sounds like you're saying the domain name should change from the CDN to the Origin, but that doesn't seem like something that's automatically supported or interoperable.

I guess it depends on the CDN.  I said that’s how my employer works, you said CloudFlare doesn’t work that way, and I didn’t quite understand what Watson said. :)


  *   I also disagree with the argument that ESNI is pointless when “IPv6 uniquely identifies the origin”.

Can you explain why?