[TLS] Re: Port number and ALPN of ECH client facing servers
Christian Huitema <huitema@huitema.net> Mon, 09 June 2025 17:13 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: tls@mail2.ietf.org
Delivered-To: tls@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9989532C8920 for <tls@mail2.ietf.org>; Mon, 9 Jun 2025 10:13:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=mfg.outbound
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xXUZfZNHIdzl for <tls@mail2.ietf.org>; Mon, 9 Jun 2025 10:13:16 -0700 (PDT)
Received: from se03.mfg.siteprotect.com (se03.mfg.siteprotect.com [64.26.60.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1043532C891D for <tls@ietf.org>; Mon, 9 Jun 2025 10:13:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mfg.outbound; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:From:References:To:Subject:MIME-Version:Date:Message-ID:reply-to: sender:cc:bcc; bh=s/xTXP1+l62KS52PgtCmheQRfmFGGhzrozedynmdAXA=; b=ZkpXSJpRI8I 2DKR+iRXVi7M7QBQe02jAEDMF/dSd42yyOwAQ/raCoFxpmncwi1+2hDBftm0uDyLgIm6fOvxOzq9m /y21G+Op5lalMqIRu3/Aj0kc8xlzIqBknucxGiiY6yA0Gud9eVszVKY53FdJ30It8IrfzcU1dLSXr zwXJ9DRNk/TFCMy3zKEpF8DiDLdkhb3wp3H+GFDBasZh0gF5XEu6ETjWA9+uXA3SbvJj1VO3Dy83/ vLpt3YX+Mp0JDBpSKr/bj40uU+jSzLZ8qt4d+qzqn5W+LLxXsFqrN/jCe5BV9XnWbmQxe/HXuli4a xmE5wXGeYy/aPFDF+LByeXg==;
Received: from smtpauth02.mfg.siteprotect.com ([64.26.60.151]) by se03.mfg.siteprotect.com with esmtp (Exim 4.94.2) (envelope-from <huitema@huitema.net>) id 1uOg3Y-0088V2-JG; Mon, 09 Jun 2025 13:13:15 -0400
Received: from [192.168.1.105] (unknown [172.56.170.224]) (Authenticated sender: huitema@huitema.net) by smtpauth02.mfg.siteprotect.com (Postfix) with ESMTPSA id 4bGJQq0GF8zCSFwm4; Mon, 9 Jun 2025 13:13:06 -0400 (EDT)
Message-ID: <e8fa178e-ff59-4405-8c53-fdbaf8d23334@huitema.net>
Date: Mon, 09 Jun 2025 10:13:04 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Martin Thomson <mt@lowentropy.net>, tls@ietf.org
References: <cd762457-4949-4b1d-8cb2-c46ecc9700c6@huitema.net> <ME0P282MB55874535EA95DB504B806C5DA369A@ME0P282MB5587.AUSP282.PROD.OUTLOOK.COM> <8669d982-00e4-428b-9c9e-553241663b94@huitema.net> <b660a55f-af83-46e9-b460-abfde942523e@app.fastmail.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <b660a55f-af83-46e9-b460-abfde942523e@app.fastmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=huitema@huitema.net
X-Originating-IP: 64.26.60.151
X-SpamExperts-Domain: mfg.outbound
X-SpamExperts-Username: 64.26.60.150/31
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=64.26.60.150/31@mfg.outbound
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.24)
X-Recommended-Action: accept
X-Filter-ID: 9kzQTOBWQUFZTohSKvQbgI7ZDo5ubYELi59AwcWUnuUC4asnw9OcN4xmIToJvONWbsjxP7bh3Zzs dRsEAeVevSu2SmbhJN1U9FKs8X3+Nt127hcteP1p0NVNV47moiZtUnZMMMyaNBeO+OvFQHUlG4JL M0i5ZAms0EHrvcCaVIONlb2gQ7kV7LhxgLc0yr7MGnT3EFAinyrilm9zau/FuzkQt9Nb4Ml7QXdk EetczWAAEJg/m+QapWwQMV0JqMideB7itP8hgjDRserKv4bhb3Du2hHLbfwudMeTkB5rPevEMzer JfQa9UAYKsgEV8p+MUJTS2Jsxpkx+IHIsDarm2U3gyy0nlbakKK22WPBaizjKzb+JrnOTbl8FYp7 CIWjverajYy2yB71RZy29b9HL7yliuqXZvH3i216cQum166Jcmo/2HVTKRgjaeOYJK0qbQ3KhKUt R+eI3M/ekwB7PHJV/NQFKB/O6Q6b0/Ol6YwtUSl2WmT0XVwpr4noM18+ui5qGZxc1k2I3si/Z+UJ JkhUcRw5Q3AyyUSjvDdu2N09a5MTHwHNput7ddpnCiJ7QbpT4ZnGRqVI16jJDnPtmLCSWOcGJLBO rfbkGNkh+f9p1xg4ueOVKq9diy4keG/4aIfVaCHpEB6cFH6WJxE4ZnkPsdX4DEeRVbF2DvLx/RdF sMl285wtQj1uVH9I8MEkCNZHTAxBksDeAlzdSqTK7bRCCKfw7/OBTYdDdWHPdSt1H5XQjqZUI8GW ZlhyS0+vD6A85euzGzL25SW+9wJP4IjxSOhU2q1f79fDSje6FGjTPpuFqUUQz+mM8JAD4ECWGkAU aMXcOf0e1rPH2TsFDnwrgSC2Cw3YiPqrhSLQcL5qiAE5pwKylKODoBbEqRaPrA3OGkfKBC7gvG2L njCGGzQO9KS7eAWjkQksf6yR+i7O09eE4E4vyaMiV1/4CCf4CC8GDJC883NQocDaKKajRlKxHB/e tGG+jKYi/tvOWyFlpvsHuKYSZZJWrfSRdSppGBZ9WqzVCVc3XCLdApIlvom9fOhsMnJRUS/e/fE6 gjZa7UWnDA3ri8S6Opnj+LqQooLXiIEFeUBlNYzOXLb7mU3iPN0j1YLukoJVgpEoZr1oq6FBgC9E ffKtJMk0/6wHMS+4ayUpOtEhdxekWDmK9g==
X-Report-Abuse-To: spam@se02.mfg.siteprotect.com
X-Complaints-To: abuse@se01.mfg.siteprotect.com
Message-ID-Hash: LO5EFU7FYHXENGQVDWUC5FSZ2GBWO6HR
X-Message-ID-Hash: LO5EFU7FYHXENGQVDWUC5FSZ2GBWO6HR
X-MailFrom: huitema@huitema.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: Port number and ALPN of ECH client facing servers
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/g16aPzK_hNpwCh0tlzRNcnE1Muo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
On 6/9/2025 12:35 AM, Martin Thomson wrote: > Hi Christian, > > When it comes to ECH, the client won't know about the existence of a backend server. The only thing that the client needs to know is the name that it is seeking to connect to. Whether this is in split mode or not, the protocol works the same. > > As for the question about ALPN, the general view is that ALPN values from the client are in the same bucket of things as other configuration: they aren't based on the choice of server, but on unchanging configuration at the client. If the client is using some new protocol, then it would advertise the same ALPN list (including that new protocol) in every connection attempt it makes. As a result, there's not much value in trying to hide the ALPN list. This isn't entirely clear in RFC 9460, but you can see from the example in Section 7.1.2 how the DNS record should not change what the client offers. > > The purpose of the ALPN parameter in SVCB is not so much to change what the client offers in the ClientHello, but to allow the client to filter out service endpoints that only speak protocols it doesn't understand. Thanks. I am not sure about your reasoning on ALPN. I get the argument about consistency between client connection, which means that the ALPN list is a property of the client, not so much the servers. On the other hand, we see these "properties of the client" used in deep packet inspection and other shenanigans. I believe there is at least some value into hiding what exactly the client wants to do. I get that ECH relies on DNS for configuration, and that the HTTPS records act very much like the MX records, finding the appropriate service for a domain name. That's how clients identify the "client facing server" for a "backend server", whether for finding ECH or simply for managing proxies and load balancing. The obvious issue, noted in the draft, is that third parties that can monitor DNS traffic will be able to associate the HTTPS exchange with the following connection. The "obvious" solution is to carry the HTTPS query over encrypted DNS -- hopefully not the ISP service if the goal is to hide the SNI from ISP monitoring. But as many have noted, if the result is that all HTTPS queries are going through a big centralized service, that service is going to accumulate a lot of knowledge about what's going on. Endpoints can alleviate that somewhat by using different DNS services for the HTTPS query and the following A/AAAA query. For example, resolve HTTPS through an encrypted open DNS resolver, cache the results, then resolve A/AAAA though the ISP service. The encrypted resolver will know that the client checked the HTTPS record for "backend.example.com", but will not know whether and when there was a connection through "facing.example.com". I would call that tactic "split and cache". Privacy oriented endpoint can make that one better by adding "chaff". Instead of just looking HTTPS records for just the service that they intend to use, they could do multiple lookup for different domain names. The encrypted resolver will of course cache all that, but that will be low quality information that does not actually predict which of the services the client will access. For example, that would not be a very good input for "more precise advertisements". But still, one of the most effective ways to reduce the outgoing flow of information is to do caching. The HTTPS + A/AAAA exchange produces three pieces of information: the list of facing servers that might serve the backend service; the ECH configuration and port number for the selected facing server; and the current IP address of that server. These three pieces of information have their own time to live: when the relation between backend and facing server changes due to contracts or other arrangements; when the ECH configuration changes due to configuration changes or software updates on the facing server; when the IP address changes with the connectivity of the facing server. For effective caching, I would like to split those. That means for example refreshing the ECH configuration if the facing server returns a "rety config" response, or doing an HTTPS lookup for the facing server rather than the backend server -- i.e., without making further disclosure about which service the endpoint wants to access. That's what caused my question about ALPN. We have a little bit of mess here because not all facing server are expected to have an HTTPS record. The ones that implement HTTP will, but for other servers one has to look at SVCB records instead. And SVCB records are keyed by domain name + scheme. The scheme depends on the application, and thus from the ALPN. If I want to refresh the data about the client facing server, I need to know for what scheme I am doing that. -- Christian Huitema
- [TLS] Port number and ALPN of ECH client facing s… Christian Huitema
- [TLS] Re: Port number and ALPN of ECH client faci… Christian Huitema
- [TLS] Re: Port number and ALPN of ECH client faci… Raghu Saxena
- [TLS] Re: Port number and ALPN of ECH client faci… Martin Thomson
- [TLS] Re: Port number and ALPN of ECH client faci… Christian Huitema
- [TLS] Re: Port number and ALPN of ECH client faci… Ben Schwartz
- [TLS] Re: Port number and ALPN of ECH client faci… Stephen Farrell