Re: [TLS] Multi-CDN and ESNI
Patrick McManus <mcmanus@ducksong.com> Wed, 24 October 2018 15:37 UTC
Return-Path: <mcmanus@ducksong.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED07612D4E8 for <tls@ietfa.amsl.com>; Wed, 24 Oct 2018 08:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=R+XrZSav; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=MndS1gMu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6llCYrqmiomE for <tls@ietfa.amsl.com>; Wed, 24 Oct 2018 08:37:17 -0700 (PDT)
Received: from outbound2n.ore.mailhop.org (outbound2n.ore.mailhop.org [54.186.218.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81D8E128BCC for <tls@ietf.org>; Wed, 24 Oct 2018 08:37:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540395437; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=RnuuF8LtOW+eP20WfNz3Hb6oEJu9XQC+kWJ2VHXRyKABK2/ktbHzQwVCGC5Zk8Ic6suR6j9hT7d/D U7MX6m19/u8nFCNycaeVeU/yaXQXuC3MUT9m6nYSLzDM0LwcnBQ8lNAAYbzLgKzUxXwY3PWw4moQbI eE1zPVukm5Gn5djIiMZYa90iDw6exiFUJMIqSHfojnFIcxwT5e7FkWmCOICo0MJxV7hZADiVGXvg2K BOujAuNEhaEou+tLNXpQiqC+xNL62N9Tnq+5A2DQ8AHNFj0x1ES+pH5h/Z3A/OugNroQ6dCKPzVm4K vn88gNmwq6zFxkEvbpoQK5pwVUWpDqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=ZLtBLo3wZXDEexshGhNfsomb8A/gXIdtGDyF+i87lDU=; b=RPvjqalEO049C2fMkyQBRy6cknz7jM5bv55wMz/l/Fii3MaA9PHbCKAW8prxkdNLh5eS/aQn5EIDg VusWyV9pQmQlB1q0ocuHo55qSTPiPvbkjtUdNKD3rymTeWC4n8dBwOoiFyPzZmqGaamaKj0QPEAUFq MN6ub8nlz8ulwsT3iuqc+p3O8adifho9DnWampgnVYvtA7PfzmI4ti3Z22PV1H1nBaaXEdGkCODHdd PLTrrCZl/07NdXxYtdiC1xI8EHRFs1VvQQlYGKTabVqXkf2hSHZA5afn7ShAWeBF+SNlL7jNYMdbyY v+VvF+oBktUHY8/Astnxqp1au3Q9bzg==
ARC-Authentication-Results: i=1; outbound2.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.210.45; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=ZLtBLo3wZXDEexshGhNfsomb8A/gXIdtGDyF+i87lDU=; b=R+XrZSavILGCXGMs1VL8tnmBfj+YL+7yThcaQEP1G0MYCLHes6OgbNYmHlUKgDgoSzP2cSuyFs2BM KznkTxwD+7ftv8fu00IEVhcMMAqo3XbvdNozT45IrGmKV3TAhbPAF225a6WwUMXAwm4VU8x8S+JEzf UbOeQUgSh0i4qE/Q=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=ZLtBLo3wZXDEexshGhNfsomb8A/gXIdtGDyF+i87lDU=; b=MndS1gMudtwL3otwGDJA/Md7fdOoS0TDGwn+iDieT7nyFTon0WLRzI2xnz1qaOJ0HQzj9H+bSmUz4 BVvO99aNpTyE5ocJhVdypb6HQoexz17zBO6R8WjA+ga0oNIZuy8tvFdxVb42+Ce216o+jFSven4hii 4xiful9XzJ89XBQHJqX+E+aYFbIUMYpl1cZksDR9SXIYhnXXN0Yv+XGEFiQoYjo5XPgfIbMXdyZXGn ZzdGlIoJhk0biH3RgnR3Sssq0VELQ+gqv8k70wpucpzcRIoXbNKqq590/m2GvOQeeljWJCFmRGuggd IJeQAXLDcf55yU40TLIEcMpPkRvVi4w==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: ae8d2b89-d7a2-11e8-a630-335f030b21f2
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.210.45
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-ot1-f45.google.com (unknown [209.85.210.45]) by outbound2.ore.mailhop.org (Halon) with ESMTPSA id ae8d2b89-d7a2-11e8-a630-335f030b21f2; Wed, 24 Oct 2018 15:37:15 +0000 (UTC)
Received: by mail-ot1-f45.google.com with SMTP id w18so2526217otk.0 for <tls@ietf.org>; Wed, 24 Oct 2018 08:37:15 -0700 (PDT)
X-Gm-Message-State: AGRZ1gLOp07PD5w0GJCkE9E4JLEPVJcBKU+sJzqqVbgi19+Na9WvUqNi BD8e7tbMIhVr+UbgBhHND8LEA6SXGICXvJwFsek=
X-Google-Smtp-Source: AJdET5d9gIwvEj4OwDsT7QZ0o5r/UO9YgvbrFGqDb39bznL2tLF4fBzPvGzj8kboBVz25YNfbzvFa5+qK3SxyIbf1F8=
X-Received: by 2002:a9d:4a09:: with SMTP id h9mr1928953otf.254.1540395434571; Wed, 24 Oct 2018 08:37:14 -0700 (PDT)
MIME-Version: 1.0
References: <DDE6F8E9-6635-4D69-8028-83D49E9D7437@akamai.com> <CAOdDvNpmLdHQj2yE3tNNbjxCqOZMqTriODwG6setC9ajJmx2pQ@mail.gmail.com> <CAFDDyk9dSW0Ts6kQpRwWN4d7GiaNDkMo4Dmyg9iEUro6Ecp1_Q@mail.gmail.com>
In-Reply-To: <CAFDDyk9dSW0Ts6kQpRwWN4d7GiaNDkMo4Dmyg9iEUro6Ecp1_Q@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Wed, 24 Oct 2018 11:37:03 -0400
X-Gmail-Original-Message-ID: <CAOdDvNpd+UONQfs8zNVMAMkPAf=0ys9ZM6rX24e+bR_MbaAgVQ@mail.gmail.com>
Message-ID: <CAOdDvNpd+UONQfs8zNVMAMkPAf=0ys9ZM6rX24e+bR_MbaAgVQ@mail.gmail.com>
To: Nick Sullivan <nick@cloudflare.com>
Cc: "Patrick R. McManus" <mcmanus@ducksong.com>, "Salz, Rich" <rsalz@akamai.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b0ffb50578fb42a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sMmHL3zItgVJKX1XO4stjnhkJLk>
Subject: Re: [TLS] Multi-CDN and ESNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 15:37:22 -0000
Hey Nick, On Tue, Oct 23, 2018 at 8:45 PM Nick Sullivan <nick@cloudflare.com> wrote: > This line of commentary describes one instance of a more general situation > that is unrelated to the multi-provider case: what happens when you connect > to a server that doesn't know the ESNI key you're using? This can even > happen on a single provider due to DNS caching issues, for example. > > The two cases are related and there are two features missing from the > current ESNI draft that might be useful to mitigate these scenarios: > 1) Allow multiple simultaneous ESNI keys. The DNS provider could present > ESNI keys from multiple HTTPS providers (perhaps as different DNS records) > and the client could choose to send multiple entries in its ESNI extension, > each encrypted to a different key. This would likely solve the multi-CDN > scenario at the cost of some clienthello bloat. > I would like to see this feature, but I don't think it addresses this problem.. consider load balancer L, CDN A and CDN B. In a world in which L is aware of A and B (duh) but not ESNI, and A wants to deploy ESNI but B has not yet done so. You have the likely situation where at some point you've got an address record for B but a key for only A and you run into hard failure. even if A and B both want to do ESNI they need to be aware of each other and coordinate key rotations somehow to synthesize records - or else you end up spf like includes (please no). Requiring cross provider coordination seems like assuming knowledge the providers don't reliably have and probably could't reliably maintain. You could boot the problem to cusomter configuration but.. 1] esni is so much better as automatic infrastructure so CDNs can just turn it on and 2] origin names may not wish to disclose all of their providers to each other. > 2) Allow in-band distribution of ESNI keys if the server does not know the > ESNI key sent by the client. The server could prove ownership over a > specific long-term "fallback key" advertised in the ESNI record (or maybe a > fallback domain) when sent a TLS connection for which no ESNI extensions > can be decrypted, then in-band send back a new ESNI public key that the > client could use to send the SNI in a follow-up message. It's also possible > that handshake encryption alone is enough. This might require some TLS > message gymnastics, but doesn't seem impossible. I've heard more well-baked > versions of this idea batted around by others. (note that this incurs at > least one additional round-trip, but considering that a server not having > the active ESNI key should be rare, it is likely ok) > > My concern would be a legacy TLS stack. The problematic case is when the lookup for ESNI yields a key, but the host at the end of the A record has never heard of it (or perhaps even heard of TLS 1.3). These are different orgs, so its totally possible and inevitable in the sense that there are no flag days. How does that work with this scheme? This is tricky because the failure mode is so painful. provider A can essentially break provider B by deploying ESNI - externalizing some of its own risk. A and B don't have a super reliable way of knowing about each other to even make sane risk judgments. > To comment specifically on your proposals, Patrick, I don't see #3 as a > workable solution since many authoritative DNS providers hide the fact that > a CNAME is used when returning A/AAAA records. This obfuscates the > indirection that would be necessary to do what you propose, and it does it > for a good reason (saving round trips on DNS resolution). Furthermore, > intermediate values of CNAME chains seems like a brittle mechanism to rely > on for policy enforcement. > > Roughly, this is inspired by what krb does with canonical names in practice. And it makes logical sense - the key applies to the canonical name, not the alias. That said - this is a pain point I agree. I'm glad you brought up flattening - I know of a handful of orgs that do that. But do any of them do it across administrative domains or just as optimizations to their own 'zone files'? I understood it to be the latter, and I don't think that would really be a problem here as long as it was consistent across rrtypes. another thought, Kazuho had mentioned reverse lookups at some point. Definitely too painful for the normal case, but perhaps plausible as a fallback? Doing a reverse lookup of the address record to obtain the canonical key for the address (and absence of a reverse-lookup key means that host doesn't really do ESNI so proceed the old way). it would be backwards compatible but I worry both that its too fragile itself (IP addressing can be pretty disjoint from http operations) and perhaps too much of a time penalty to bear given the 'externalization' problem. But let's throw it out there. > Nick > > On Tue, Oct 23, 2018 at 2:28 PM Patrick McManus <mcmanus@ducksong.com> > wrote: > >> Definitely agree this is something that needs to be addressed.. >> >> As Mike notes, the fundamental issue is that there are 2 pieces of >> information that are statefully related (the key and address) but obtained >> statelessly from each other and can therefore come from un-coordinated >> sources. 2 CDNs are commonly un-coordinated sources.. but I've seen this >> with other kinds of cloud providers too. All of which should be target >> audiences of ESNI (because they terminate a variety of hostnames on a >> smaller number of addresses). >> >> fwiw there is a muddled github issue open on this in the old >> individual-draft repo: >> https://github.com/ekr/draft-rescorla-tls-esni/issues/35 .. which I'll >> re-open when the tls-wg repo starts being used for this draft. >> >> I see three solution spaces. >> >> 1] As Rich suggests, you can coordinate the uncoordinated sources to have >> one keying record to rule them all. I suspect that's actually not good for >> anonymity unless it somehow had a normalized global set .. and given the >> one way nature of a CNAME pointer, I feel like this would be really fragile. >> >> 2] you could scope the keys to only be valid for certain addresses by >> putting the valid addresses in the key record. This wouldn't help you do >> ESNI when they didn't match, but at least you could avoid hard failure. (or >> you could ignore the addressing record but that might be a bridge too far?) >> >> 3] My preferred approach, you could scope the keys to the same >> intermediate name. So if www.example.com -> cname www.cdn-a.com -> ESNI >> record www.cdn-a.com we could make a rule that the ESNI record would >> only apply to address records with a final intermediate of www.cdn-a.com. >> (I'm presuming we'll shift from TXT to ESNI RRTYPE without a prefix, but I >> don't think it matters for this..).. when there is a mismatch you could use >> the addressing intermediate as a place to try a new ESNI query from.. >> That's a perf penalty, but its only paid in the hopefully rare case where >> these things are unsyncd. >> >> #3 is admittedly a bit non traditional, but I spent a bit of time looking >> at the features of DNS APIs that already have the necessary surface to make >> a query for a new RRTYPE... and the cname intermediates are indeed >> generally available.. its true of getdns, res_query, the IOS and MacOS >> interfaces, DnsQuery* on windows, and of course the custom dns stacks in >> cronet/android and firefox/doh could do it. >> >> I hope to work this into a PR.. my first attempt wasn't very readable, >> but I'll try again tomorrow. >> >> -P >> >> >> >> >> >> >> On Tue, Oct 23, 2018 at 1:59 PM Salz, Rich <rsalz@akamai.com> wrote: >> >>> I think perhaps we need to take a step back and explain something that >>> might not be well-known outside the community of CDN’s and their >>> customers. It is not uncommon for (admittedly larger) origins to use >>> multiple CDN’s, and to switch among them. This can be done on a per-request >>> basis, because of things like contractual arrangements that make one >>> preferable, or it can be done globally but switched in a matter of seconds >>> because of a short TTL on the www.example.com entry. >>> >>> >>> >>> The issues that Mike discusses impact on this, somewhat negatively. >>> >>> >>> >>> A quick hack thought is to allow multiple entries in the TXT record, >>> forcing a wee bit more work on the CDN. >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >
- [TLS] Multi-CDN and ESNI Mike Bishop
- Re: [TLS] Multi-CDN and ESNI Salz, Rich
- Re: [TLS] Multi-CDN and ESNI Patrick McManus
- Re: [TLS] Multi-CDN and ESNI Nick Sullivan
- Re: [TLS] Multi-CDN and ESNI Patrick McManus
- Re: [TLS] Multi-CDN and ESNI Salz, Rich
- Re: [TLS] Multi-CDN and ESNI Patrick McManus
- Re: [TLS] Multi-CDN and ESNI Erik Nygren