Re: [TLS] Network Tokens I-D and TLS / ESNI

Erik Nygren <erik+ietf@nygren.org> Thu, 25 June 2020 23:29 UTC

From: Erik Nygren <erik+ietf@nygren.org>
Date: Thu, 25 Jun 2020 19:29:27 -0400
Message-ID: <CAKC-DJjRBZujxoLNtNCTe40Gwta9KbdCORVzJ1V54UTGpYP8xQ@mail.gmail.com>
To: Yiannis Yiakoumis <yiannis@selfienetworks.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/k5kQedg_3DQU5abrYLPZAGUe4XI>

One quick comment is that binding tokens to IP addresses is strongly counter-recommended. It doesn't survive NATs, proxies, or mobility, and it is especially problematic in IPv6+IPv4 dual-stack environments. (Even in IPv6-only, privacy addressing causes problems here.) Even if you have a way to convert tokens over for your set of IP addresses (e.g., to deal with dual-stack), that still may not help enough with NAT environments.

      Erik
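As an added illustration of the objection above (example code, not from the network tokens I-D or from either poster), this Python demo mints a hypothetical HMAC-signed token carrying an `ip` claim and checks it against the source address a validator observes in the dual-stack, privacy-address and NAT cases listed; the key, token format and addresses are constructed for the demo.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

KEY = b"demo-network-token-key"  # constructed demo key, not from the I-D


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def mint(claims: dict) -> str:
    """Hypothetical compact token: b64(json claims) '.' b64(HMAC-SHA256 over the body)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return (body + b"." + _b64(hmac.new(KEY, body, hashlib.sha256).digest())).decode()


def verify(token: str, observed_src: str, bind_to_ip: bool) -> bool:
    """Check the MAC; optionally also require the 'ip' claim to equal the observed source."""
    body, mac = token.encode().split(b".", 1)
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest(), _unb64(mac)):
        return False
    claims = json.loads(_unb64(body))
    if bind_to_ip:
        # IPv4Address == IPv6Address is simply False, so a family change fails here.
        return ipaddress.ip_address(claims["ip"]) == ipaddress.ip_address(observed_src)
    return True


def address_scenarios(bind_to_ip: bool) -> dict:
    """Outcomes for one legitimate dual-stack client presenting its token (constructed addresses)."""
    v6_token = mint({"sub": "app.example", "ip": "2001:db8::1"})
    nat_token = mint({"sub": "app.example", "ip": "203.0.113.7"})  # bound to a NAT's public address
    # Claims from another token combined with v6_token's MAC: must always fail the MAC check.
    forged = mint({"sub": "other", "ip": "2001:db8::1"}).split(".")[0] + "." + v6_token.split(".")[1]
    return {
        "same_v6": verify(v6_token, "2001:db8::1", bind_to_ip),            # address unchanged
        "v4_fallback": verify(v6_token, "192.0.2.10", bind_to_ip),         # same host, falls back to IPv4
        "privacy_rotated": verify(v6_token, "2001:db8::abcd", bind_to_ip),  # same host, new temporary IPv6 address
        "nat_neighbor": verify(nat_token, "203.0.113.7", bind_to_ip),      # a different host behind the same NAT
        "tampered": verify(forged, "2001:db8::1", bind_to_ip),
    }
```

With binding enabled the legitimate client is rejected after an IPv4 fallback or a privacy-address rotation, while any host sharing the NAT's address still passes, so the IP check adds friction without adding a real binding.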


On Thu, Jun 25, 2020 at 4:29 PM Yiannis Yiakoumis <yiannis@selfienetworks.com> wrote:

> Hi all,
>
> I wanted to briefly introduce network tokens <https://networktokens.org>
> to this list, how they relate to TLS and ESNI, and kindly ask anyone
> who is interested to share feedback and join the discussion.
>
> Network tokens are a method for endpoints to explicitly and securely
> coordinate with networks about how their traffic is treated. They are
> inserted by endpoints in existing protocols, interpreted by trusted
> networks, and may be signed or encrypted to meet security and privacy
> requirements. Network tokens provide a means for network operators to
> expose datapath services (such as a zero-rating service, a user-driven QoS
> service, or a firewall whitelist), and for end users and application
> providers to access such services. Network tokens are inspired by and
> derived from existing security tokens (like JWT and CWT), borrowing several
> of their security and privacy properties, and adjusting them for use in a
> networking context.
>
> There are two ways that network tokens relate to TLS:
>
>    1. They can support ESNI adoption: in a world where ESNI is widely
>    adopted, network tokens can enable use cases where endpoint-network
>    coordination is required, without having to go back to plaintext SNI that
>    everyone can read.
>    2. Network tokens are embedded as TLS handshake extensions (among
>    others).
>
> We are shooting for a BoF in November, and are very much interested in
> feedback around the concept, use cases, what we need to do to get network
> tokens adopted as a TLS handshake extension, and folks who are interested
> in getting involved in the effort!
>
> Links to an IETF I-D, a mailing list, and an initial implementation are
> available at https://networktokens.org.
>
> Best,
> Yiannis
>
> =====================
> Yiannis Yiakoumis
> Co-Founder & CEO
> https://selfienetworks.com | +1-650-644-7857