Re: [TLS] Network Tokens I-D and TLS / ESNI
Melinda Shore <melinda.shore@nomountain.net> Fri, 26 June 2020 06:11 UTC
To: tls@ietf.org
From: Melinda Shore <melinda.shore@nomountain.net>
Message-ID: <87e6e635-d1ec-9f36-41c3-339774f510ca@nomountain.net>
Date: Thu, 25 Jun 2020 22:11:21 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iotDpeZw_11I2yCPcQ-x3NW25eE>
Subject: Re: [TLS] Network Tokens I-D and TLS / ESNI
On 6/25/20 3:29 PM, Erik Nygren wrote:
> One quick comment is that binding tokens to IP addresses is strongly
> counter-recommended.
> It doesn't survive NATs or proxies, mobility, and it is especially
> problematic in IPv6+IPv4 dual-stack environments.

There's been a bunch of past work done developing similar sorts of
protocols, and for what it's worth I wrote up a mechanism for using
address tags and address rewrites, but unfortunately Cisco decided to
patent it. Anyway, there are ways of dealing with this problem that
don't require binding the address to the token ("all technical problems
can be solved by introducing a layer of indirection").

Melinda

--
Melinda Shore
melinda.shore@nomountain.net

Software longa, hardware brevis
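As an added illustration of the point Erik raised and the "layer of indirection" answer above (this is not code from either author, nor the I-D's wire format), the constructed Python verifier below shows an address-bound token failing once the same client is seen behind a NAT or over its IPv6 address, while a token identified by its own id still verifies and still resists replay. The token layout, key, policy name and addresses are all assumptions made for the demo.

```python
import hmac
import hashlib
import json
import secrets
import ipaddress
from typing import Optional

# Constructed demo: simplified token layout, not the Network Tokens I-D format.
# body is JSON; tag is HMAC-SHA256 over the canonical encoding of body.
SECRET = b"constructed-demo-key"
NOW = 1_593_151_885  # fixed clock so the demo is deterministic


def _tag(body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SECRET, canon, hashlib.sha256).hexdigest()


def issue_token(policy: str, ttl: int, bind_addr: Optional[str] = None) -> dict:
    """Issue a token for a policy; bind_addr != None is the address-bound design."""
    body = {"policy": policy, "exp": NOW + ttl, "id": secrets.token_hex(8)}
    if bind_addr is not None:
        body["addr"] = str(ipaddress.ip_address(bind_addr))
    return {"body": body, "tag": _tag(body)}


def verify_token(token: dict, observed_addr: str, seen_ids: set, now: int = NOW) -> bool:
    """Network-element check: MAC, expiry, replay, and address only if the token carries one."""
    body = token["body"]
    if not hmac.compare_digest(token["tag"], _tag(body)):
        return False
    if now >= body["exp"] or body["id"] in seen_ids:
        return False
    if "addr" in body and ipaddress.ip_address(body["addr"]) != ipaddress.ip_address(observed_addr):
        return False  # NAT, proxy, mobility or a dual-stack v6 path all land here
    seen_ids.add(body["id"])  # indirection: the token id, not the address, names the grant
    return True


def demo() -> dict:
    """Same client: token issued while it saw itself as 10.0.0.5, later observed elsewhere."""
    bound = issue_token("zero-rate-video", 3600, bind_addr="10.0.0.5")
    unbound = issue_token("zero-rate-video", 3600)
    results = {}
    for label, addr in [("nat", "203.0.113.7"), ("v6", "2001:db8::1"), ("same", "10.0.0.5")]:
        results["bound_" + label] = verify_token(bound, addr, set())
        results["unbound_" + label] = verify_token(unbound, addr, set())
    seen = set()  # one verifier's replay state: second presentation is refused
    results["unbound_replay"] = [verify_token(unbound, "203.0.113.7", seen) for _ in range(2)]
    return results
```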