Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <sayrer@gmail.com> Wed, 09 October 2019 13:04 UTC

MIME-Version: 1.0
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com> <CABcZeBNtv-4=dtrArZwnJHSohrbsrtG53_ynSZdcMp=YeWc9iA@mail.gmail.com> <CAChr6SzCONU2yA87QGNhsx7=5Zn82v1_euBJ-kbRci4vJ32oUw@mail.gmail.com> <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com>
In-Reply-To: <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 09 Oct 2019 20:04:00 +0700
Message-ID: <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d0922f059479ebc5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p_DMyDhCS1LZrkmFwDO5UDysHPc>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
Precedence: list

On Wed, Oct 9, 2019 at 7:59 PM Salz, Rich <rsalz@akamai.com> wrote:

>
>    - But, if I have Cloudflare (or any CDN) configured for a domain, and
>    the origin is only available via IPv6, the need for a disambiguating SNI in
>    the ClientHello from CDN to Origin is not clear.
>
>
>
> That assumes that there is a one-to-one correspondence between an origin
> and its certificate, which isn’t true.  I might have “api.example.com”
> and “new-api.example.com” at the same IP address.
>

I don't think that's quite what I'm proposing. I'm proposing (optionally)
sending the SNI with a client certificate. I agree that SNI in ClientHello
is needed to choose server certificates for IPv4, for the reason you say.

thanks,
Rob

[TLS] I-D Action: draft-ietf-tls-sni-encryption-0… internet-drafts
[TLS] SNI from CDN to Origin (was I-D Action: dra… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Kyle Rose
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Kyle Rose
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Paul Yang
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Paul Yang
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Christian Huitema
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Christian Huitema
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Watson Ladd
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Ben Schwartz
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Martin Thomson
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Eric Rescorla
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Salz, Rich
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Patrick McManus
Re: [TLS] SNI from CDN to Origin (was I-D Action:… Rob Sayre