Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <sayrer@gmail.com> Fri, 11 October 2019 16:57 UTC

References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com> <CABcZeBNtv-4=dtrArZwnJHSohrbsrtG53_ynSZdcMp=YeWc9iA@mail.gmail.com> <CAChr6SzCONU2yA87QGNhsx7=5Zn82v1_euBJ-kbRci4vJ32oUw@mail.gmail.com> <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com> <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com> <CABcZeBMLaiPuXhgrExTkdhfaOU_m4g-c+Lq-YmHsKiHyB0jDRw@mail.gmail.com> <CAChr6SznAYZDHFPNHX8Uoyo-Fnx8_uMxCOda1zf37Cxnb5A4WQ@mail.gmail.com> <CABcZeBPoyb5sF+ddH8OU_78eJF5sD2df-+ScHRb1xTYhHRHS0w@mail.gmail.com> <CAChr6SyM_yX36p2W_-seE-9kuJ99RTYEHY_vCRNFjLx3utjogw@mail.gmail.com> <CABcZeBPkQjsRr83PYyvhGF8ByeC1gGFWQgofrf=dZmfAfm7UJg@mail.gmail.com> <CAChr6SxSP7LbYkK50-KJu4H4VLLyHpuuK_+N_WZs5Ky5PNnM+Q@mail.gmail.com> <CAHbrMsCiC_2PJNuvYMO+owJC=zJgbYzEZD1kkW38c8yw+qe0nQ@mail.gmail.com> <9832ebfb-7c1f-4ce1-9bf3-d98845aad671@www.fastmail.com> <CAChr6SzAvAcyebuDCGzHeuSMqUQE5mC-XjTx2EwFb-OF65b-aw@mail.gmail.com> <CABcZeBMSGv3q_zYZzzYtWfhuM0C2diLU6i7Z6m7E2+3zbmyoJg@mail.gmail.com> <CAChr6Sw4Z2qsgVNUzjHkLeodtk7ZomkC3cbTwtQ59NbiaWCwfA@mail.gmail.com> <D0B30308-AF91-4597-9057-337D402FCF63@akamai.com>
In-Reply-To: <D0B30308-AF91-4597-9057-337D402FCF63@akamai.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 11 Oct 2019 23:57:14 +0700
Message-ID: <CAChr6SzQDSGLrF1DUuMJpxexuWUsCAq8+DE9Ajp8a1B7maQfhQ@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/irMQOGZKpoViE3rd7-CEtSuHTU0>

On Fri, Oct 11, 2019 at 11:03 PM Salz, Rich <rsalz@akamai.com> wrote:

> > The SNI and the host header often have to match (or at least have a
> > known mapping), because the origin server might want to prevent domain
> > fronting.
>
> More likely the CDN.  Amazon and Google used to do this but stopped
> (https://www.theverge.com/2018/4/30/17304782/amazon-domain-fronting-google-discontinued).
> I don’t see how the origin is involved.
>
> > My goal is to keep the SNI encrypted on the wire from CDN to Origin (I
> > understand that the SNI is visible to the CDN).
>
> Use DNS entries for the origin then ESNI works.  If you follow your “IPv6
> uniquely identifies the origin” assumption, then ESNI is pointless.
>

Hello,

I would like to reiterate the use case:

How does a request of the form "username.example.com" get through a CDN to
an Origin while leaving the SNI encrypted on the wire?

It sounds like you're saying the domain name should change from the CDN to
the Origin, but that doesn't seem like something that's automatically
supported or interoperable.

I also disagree with the argument that ESNI is pointless when “IPv6
uniquely identifies the origin”.

thanks,
Rob
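The consistency check the quoted text refers to, the one a server enforces when it wants to refuse domain fronting, written out as an added example that is not code from this thread or from any CDN. It accepts a request when the TLS SNI and the HTTP Host header name the same host after normalization (case, trailing dot, `:port` suffix), or when the pair appears in a known SNI-to-Host mapping, which is how a CDN front name can legitimately differ from the origin name. The hostnames in `KNOWN_MAPPINGS` and in the usage lines are constructed for illustration; nothing here is a real deployment's configuration.

```python
"""Consistency check between the TLS SNI and the HTTP Host header.

Added example (not from the mailing-list thread). A server that wants to
prevent domain fronting requires the SNI and the Host header to match, or
to be related by a known mapping. All hostnames below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress

# Constructed mapping: hostname presented in the SNI -> hostname expected in
# the Host header. This is the "known mapping" case from the thread, e.g. a
# CDN front name that the origin knows corresponds to one of its sites.
KNOWN_MAPPINGS: Dict[str, str] = {
    "front.cdn.example.net": "www.example.com",
}


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Canonicalize a name from SNI or Host: lowercase, drop a trailing dot
    and any :port suffix. Bracketed IPv6 literals ([2001:db8::1]:443) are
    unwrapped so they can be recognized as IP literals later."""
    if value is None:
        return None
    v = value.strip()
    if v.startswith("["):
        end = v.find("]")
        if end == -1:
            return None
        v = v[1:end]
    elif v.count(":") == 1:  # host:port
        v = v.split(":", 1)[0]
    v = v.rstrip(".").lower()
    return v or None


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_sni_host(sni: Optional[str], host: Optional[str]) -> Verdict:
    """Decide whether a request with this SNI and Host header is consistent.

    Order of checks:
      1. both values must be present;
      2. an IP literal in Host is refused, since no TLS name vouches for it;
      3. exact match after normalization is accepted;
      4. a configured SNI -> Host mapping is accepted;
      5. anything else is treated as a possible domain-fronting attempt.
    """
    s = normalize_host(sni)
    h = normalize_host(host)
    if s is None or h is None:
        return Verdict(False, "missing SNI or Host header")
    try:
        ipaddress.ip_address(h)
        return Verdict(False, "Host header is an IP literal")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if s == h:
        return Verdict(True, "exact match")
    if KNOWN_MAPPINGS.get(s) == h:
        return Verdict(True, "known mapping %s -> %s" % (s, h))
    return Verdict(False, "SNI %s does not match Host %s (possible domain fronting)" % (s, h))


if __name__ == "__main__":
    # Constructed sample pairs: the per-user hostname from the thread, a CDN
    # front name with its mapped origin name, and a mismatched pair.
    for pair in [
        ("username.example.com", "username.example.com:443"),
        ("front.cdn.example.net", "www.example.com"),
        ("front.cdn.example.net", "username.example.com"),
    ]:
        verdict = check_sni_host(*pair)
        print(pair, "->", "allow" if verdict.allowed else "deny", "|", verdict.reason)
```

The mapping is deliberately one-directional: `front.cdn.example.net` may carry a Host of `www.example.com`, but not the reverse, because the origin only vouches for the front names it has configured. Port stripping matters in practice since browsers and CDNs commonly send `Host: name:443` while the SNI never carries a port.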