Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

"Salz, Rich" <rsalz@akamai.com> Thu, 10 October 2019 16:15 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Watson Ladd <watsonbladd@gmail.com>
CC: Rob Sayre <sayrer@gmail.com>, Eric Rescorla <ekr@rtfm.com>, "TLS@ietf.org" <tls@ietf.org>
Date: Thu, 10 Oct 2019 16:14:57 +0000
Message-ID: <A987F56A-3C3F-4397-8C9C-4F1B80D14CEF@akamai.com>
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com> <CABcZeBNtv-4=dtrArZwnJHSohrbsrtG53_ynSZdcMp=YeWc9iA@mail.gmail.com> <CAChr6SzCONU2yA87QGNhsx7=5Zn82v1_euBJ-kbRci4vJ32oUw@mail.gmail.com> <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com> <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com> <CABcZeBMLaiPuXhgrExTkdhfaOU_m4g-c+Lq-YmHsKiHyB0jDRw@mail.gmail.com> <CAChr6SznAYZDHFPNHX8Uoyo-Fnx8_uMxCOda1zf37Cxnb5A4WQ@mail.gmail.com> <7F634AD9-5909-41B0-AB08-D6FA6AB0C816@akamai.com> <CACsn0c=VC0cpK_PBxv9MtALX5RmDfsfsz2y_6sXshxmVv5RY9w@mail.gmail.com>
In-Reply-To: <CACsn0c=VC0cpK_PBxv9MtALX5RmDfsfsz2y_6sXshxmVv5RY9w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/q8RLqbU-De2-O-MpCDi2o-IttIg>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

  *   At least one customer of the CDN I work for (namely my own website) uses an IP address.

Sure, I get it.  Which is why I said “in our experience.” :)


  *   Shared hosting behind a CDN does exist where clients of the service provider are signed up to the CDN, and it might be interesting to use ESNI there, but the privacy risks are less extreme absent a global passive adversary. Protecting client to shared infrastructure is what ESNI aims to do.

The real point of this note:  strong +1 for this.