Re: [TLS] Network Tokens I-D and TLS / ESNI

Erik Nygren <> Thu, 25 June 2020 23:29 UTC

From: Erik Nygren <>
Date: Thu, 25 Jun 2020 19:29:27 -0400
To: Yiannis Yiakoumis <>
Cc: "" <>

One quick comment is that binding tokens to IP addresses is strongly
It doesn't survive NATs or proxies, mobility, and it is especially
problematic in IPv6+IPv4 dual-stack environments.
(Even in IPv6-only, privacy addressing causes problems here.)  Even if you
have a way to convert tokens over
for your set of IP addresses (e.g., to deal with dual-stack) that still may
not help enough with NAT environments.


On Thu, Jun 25, 2020 at 4:29 PM Yiannis Yiakoumis <> wrote:

> Hi all,
> I wanted to briefly introduce network tokens <>
> into this list, how they relate to TLS and ESNI, and kindly ask anyone
> who is interested to share feedback and join the discussion.
> Network tokens is a method for endpoints to explicitly and securely
> coordinate with networks about how their traffic is treated. They are
> inserted by endpoints in existing protocols, interpreted by trusted
> networks, and may be signed or encrypted to meet security and privacy
> requirements. Network tokens provide a means for network operators to
> expose datapath services (such as a zero-rating service, a user-driven QoS
> service, or a firewall whitelist), and for end users and application
> providers to access such services. Network tokens are inspired by and derived
> from existing security tokens (like JWT and CWT), borrowing several of their
> security and privacy properties, and adjusting them for use in a networking
> context.
> There are two ways that network tokens relate to TLS:
>    1. They can support ESNI adoption: in a world where ESNI is widely
>    adopted, network tokens can enable use cases where endpoint-network
>    coordination is required, without having to go back to plaintext SNI that
>    everyone can read.
>    2. Network tokens are embedded as TLS handshake extensions (among
>    others).
> We are shooting for a BoF in November, and are very much interested in
> feedback around the concept, use cases, what we need to do to make network
> tokens adopted as a TLS handshake extension, and folks who are interested
> in getting involved in the effort!
> Links to an IETF I-D, a mailing list, and initial implementation are
> available at  .
> Best,
> Yiannis
> =====================
> Yiannis Yiakoumis
> Co-Founder & CEO
> | +1-650-644-7857
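As an added illustration of the IP-binding objection raised in the reply above (this is constructed example code, not the network-tokens I-D's format or its implementation): a minimal HMAC-signed token carrying JWT-style claims, optionally bound to a client IP, is verified from the issuing IPv4 address, from the same host's IPv6 address on a dual-stack path, and from behind a NAT. The claim names, key and addresses are assumptions chosen for the demo.

```python
"""Constructed demo: why binding a network token to a source IP breaks
under dual-stack and NAT. Token = base64url(JSON claims) "." base64url(HMAC)."""
import base64, hashlib, hmac, ipaddress, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(key: bytes, claims: dict) -> str:
    # Canonical JSON so the signed bytes are deterministic.
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_token(key: bytes, token: str, src_ip: str, now: float) -> tuple[bool, str]:
    """Returns (accepted, reason). Signature is checked before any claim is trusted."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        seen = ipaddress.ip_address(src_ip)
    except ValueError:  # covers malformed split, base64, JSON and address errors
        return False, "malformed"
    if now >= claims.get("exp", 0):
        return False, "expired"
    bound = claims.get("ip")
    # IPv4 and IPv6 addresses never compare equal, so a dual-stack host fails here.
    if bound is not None and ipaddress.ip_address(bound) != seen:
        return False, f"ip mismatch: bound to {bound}, seen from {src_ip}"
    return True, "ok"

def dual_stack_demo(key: bytes, now: float) -> dict:
    """One client, one token bound to its IPv4 address, presented over several paths."""
    claims = {"sub": "app.example", "svc": "zero-rating", "exp": now + 3600,
              "ip": "203.0.113.10"}  # constructed documentation addresses
    bound_tok = mint_token(key, claims)
    unbound_tok = mint_token(key, {k: v for k, v in claims.items() if k != "ip"})
    return {
        "same_v4": verify_token(key, bound_tok, "203.0.113.10", now)[0],
        "v6_path": verify_token(key, bound_tok, "2001:db8::10", now)[0],   # same host, IPv6
        "behind_nat": verify_token(key, bound_tok, "198.51.100.7", now)[0],  # NAT/proxy egress
        "unbound_v6": verify_token(key, unbound_tok, "2001:db8::10", now)[0],
    }
```

Only the first presentation succeeds for the IP-bound token; the claim-only token is accepted on every path, which is the trade-off the reply is pointing at.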