Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Kyle Rose <krose@krose.org> Wed, 09 October 2019 12:56 UTC

Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 242941200C3 for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 05:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jxh5tsAcMKxS for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 05:56:32 -0700 (PDT)
Received: from mail-yb1-xb34.google.com (mail-yb1-xb34.google.com [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B8CC12002E for <tls@ietf.org>; Wed, 9 Oct 2019 05:56:32 -0700 (PDT)
Received: by mail-yb1-xb34.google.com with SMTP id z125so689493ybc.4 for <tls@ietf.org>; Wed, 09 Oct 2019 05:56:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HM+zHlhi58i94Rric50G071V9/giQ7JHpqOIK0Wx690=; b=gNc/NG4dgwPfgZUkpKIVg7wQuc1/h+NHk1ivLKANyFCKWhTt4udn4wpg2qBUigFRnQ 924FlwhV4zdardDoELoka2HhwBU1+3EVo+ZinXMGyoOOxUJ2kPqau6Bl/OcFPXrIYlKD TdWFJTYabjTIuK5h3CAh7H1JhCOabSIYeygik=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HM+zHlhi58i94Rric50G071V9/giQ7JHpqOIK0Wx690=; b=ed7Z+ElmPbL0ZQqxJmDPKES5OSbQPfVXAeSLEnhcUvP5/xCD9q4wqwbXI3slFuGgrI XyonNroQICSmp8WJf9zIvBD3FkKgwFYt74dVkVjzyaRUyYo+0vyMvAHNB31JIuF6rx1Q 9FM/lr7Ou3a2u7047AscUnfSMwAwX7aaptRFsdZ7A7S6SMR8eE0QBDnSezs8KJZOAKze hVmF/9pxFF7sfclpYij2WLfKgobPwusVN6UGwS/WFJ14agkbtdiJ5CqudRmAN7+ryvKI 1dQeMZw4cY+JsahN+HYglm49HoD4BUbtIEXhIJb8IrFanXF9ANXL0tOTZ+s97SnVP8+4 vX8g==
X-Gm-Message-State: APjAAAVfGAIEQ2sOGTQIlYAxGIjBx1Ap9EZYiBmsgR3bk8R+TePrZSKh f3iPD5AU1nHr/GBxOcptcWuyTENP6/9s0B+VewGNZQ==
X-Google-Smtp-Source: APXvYqza2P6TeX8LngP1MxBdOdymyY5Y5ExaRcdf3Z5rSjam0azW6tEvIhX/XcrkkX6gDO4QgWFwm0+umEUMtBShU6E=
X-Received: by 2002:a25:414f:: with SMTP id o76mr1712862yba.401.1570625791172; Wed, 09 Oct 2019 05:56:31 -0700 (PDT)
MIME-Version: 1.0
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com>
In-Reply-To: <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
Date: Wed, 9 Oct 2019 08:56:19 -0400
Message-ID: <CAJU8_nVehh6PAZArzy_w=x=eWQeyiY1mmKk5T0Qmdk6zg362sQ@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: Rich Salz <rsalz@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005bbb79059479d00d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gRjd3YDZBFn9E_Y-c6V-6O_8dY0>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2019 12:56:34 -0000

>
> I'm wondering what the backhaul traffic from CDN to Origin looks like,
> even if a user-agent request to the CDN used ESNI. I noticed that many CDNs
> provide client certificates.
>

Some origins do require client certificates, but not all. This is up to the
customer.

In TLS handshakes that use a client certificate, it seems like the SNI
> might be able to be sent with the second message from the client (alongside
> the client certificate).
>

As I alluded to in the footnote from my last reply, I'm not sure how much
value this would have since the identity of the origin is typically evident
from the destination IP.

Kyle

>