IETF Logo Mail Archive

Re: [TLS] Two Multi-CDN proposals

Kazuho Oku <kazuhooku@gmail.com> Tue, 05 March 2019 03:17 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64A22130E09 for <tls@ietfa.amsl.com>; Mon, 4 Mar 2019 19:17:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NqIrtKXwFy-3 for <tls@ietfa.amsl.com>; Mon, 4 Mar 2019 19:17:35 -0800 (PST)
Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E66DB127133 for <tls@ietf.org>; Mon, 4 Mar 2019 19:17:34 -0800 (PST)
Received: by mail-lf1-x144.google.com with SMTP id d26so5091345lfa.1 for <tls@ietf.org>; Mon, 04 Mar 2019 19:17:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=byBRAiOxZvgHIfzXyJag2vMA9pAeL85dWeFBgYso/zs=; b=FTci8/V2sMzJiG2CLZnUf86h7sTor+VMHWMExMNseFmZJgwGdaennSusl/X+k1hXaB h0Rl5QCwpfAVcz4RtCvyP6IOse2kFjmQoZqXVQgpyMr0qM5opIkBCTjzi+uE5orKG9LY M5Km5CY2m5gAohqSs4/77r2q+UFdYms8cVthDQyyFKGq/58ZbH3FmS9BquoXoSwkJS34 1YN/D8u7PfhMwllL+pLxA4iGiy42bhvqqhcGPzxD/w2/QKP9mfqQazsgRn4LhNJ8C0sT NP6x1UbHSfr28pssU9LbtSjzW9S50V2OkcyAXKVF94w+S/eTcicPUo00uXnXkpibAMqK N26A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=byBRAiOxZvgHIfzXyJag2vMA9pAeL85dWeFBgYso/zs=; b=EqdPSsLCysybFYUq3FWEfq+ulSlGUvLWy2MqhXWamrL/5c3PvNFwzhcjoNfAshtm1v PDUwzEqlFyss9XBvpn5aArIuiZ7Sg0JLwX2UeFqOvUg8qssS3vjsJcjqrDPi+tsssHsO 7jR81MoeSQPxJLYhVazcAg4mFSStp93N6n9QZ9QekxgWdtejxTIEYm0dTLtxCYAh9TQK +SmNNvJDjME+nvU4cnx6+ycrzeHmGRMwLCoAs5bio+dkB6Mr0bXfHOgG9/FZKRVYiFL/ O+biM45g9oUuTbCJ3YSHAnnp+m9UtOSPHpzHixOYGlKDXgBd6UpdFd3/bW01vsNJVnTv xepw==
X-Gm-Message-State: APjAAAVvvurRVP6LFe3bTT+ixwPbc0eyr0Cwoxx9mgDnuS9XGo5sIh5s /yTlP/5s39M+tT0GQWDJkdz1k6KwKM+FQXlzLKU=
X-Google-Smtp-Source: APXvYqw45BTm+LI7B6GZYeLRjU1gNiq6H4hYGBYu6WYWWwdxcHsp6aDjYaruSYtkgPq0VlAEkCodC2z1Ht1+1HuX7/s=
X-Received: by 2002:ac2:5228:: with SMTP id i8mr3237204lfl.162.1551755853048; Mon, 04 Mar 2019 19:17:33 -0800 (PST)
MIME-Version: 1.0
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com> <CANatvzwz4+4KiLhBmeKw2HQ_D8SukcGj0UtfeDuMhTME3Yfy5w@mail.gmail.com> <CAO8oSX=iNGima95b7-+0d=oypDrcXOU1XoXRt6cUySdP-KumtA@mail.gmail.com>
In-Reply-To: <CAO8oSX=iNGima95b7-+0d=oypDrcXOU1XoXRt6cUySdP-KumtA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Tue, 05 Mar 2019 12:17:22 +0900
Message-ID: <CANatvzw2ENo9BZJZCDtJsmjcL_33BzBf+xSr+-+DAB8TG53Rrw@mail.gmail.com>
To: Christopher Wood <christopherwood07@gmail.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/svQNo9t1__zrq38otxrzX42CJBU>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 03:17:37 -0000

2019年3月2日(土) 1:57 Christopher Wood <christopherwood07@gmail.com>:
>
> On Wed, Feb 27, 2019 at 11:34 PM Kazuho Oku <kazuhooku@gmail.com> wrote:
> >
> > Hi Chris,
> >
> > Thank you for writing down the PRs describing possible designs that we
> > might adopt. I think it helps a lot in understanding the details and
> > making accurate comparisons.
> >
> > My comments inline.
> >
> > 2019年2月27日(水) 8:19 Christopher Wood <christopherwood07@gmail.com>:
> > >
> > > Hi folks,
> > >
> > > Below are two PRs that seek to address the multi-CDN issue discussed
> > > on this list and in meetings:
> > >
> > >    1. https://github.com/tlswg/draft-ietf-tls-esni/pull/136
> > >    2. https://github.com/tlswg/draft-ietf-tls-esni/pull/137
> > >
> > > #136 implements the combined or stapled record approach discussed
> > > several times, most recently in [1]. It includes these via an ESNIKeys
> > > extension.
> >
> > Reading the PR, I think that there is a mild privacy concern. The
> > issue with the unified record proposal is that it incentivizes the
> > operators to create more ESNI records possibly using different keys,
> > which is against the design principle of ESNI: provide anonymity set
> > by using the least number of keys.
> >
> > Retaining address resolution unbundled with ESNI incentivizes the
> > operator to use less number of keys; for example they might just use
> > one key at a time. That would be a nice property to have, especially
> > in terms of transparency. It would help third parties verify that an
> > operator is actually providing an anonymity set (rather than just
> > pretending to use ESNI).
>
> I don't quite agree with this. Operators can already use different
> keys across records if they so choose. That said, given the concern,
> we could add advisory text suggesting that operators use as few ESNI
> keys as possible to cover addresses.

Having a guidance sounds sufficient to me.

>
> > Also, I would like to point out that it is only when one key is used
> > by each of the provider at a given time that it would be possible to
> > use ESNI from a network that blocks DoH or DoT; a user can write the
> > IP addresses of services he/she wants to access in the hosts file, and
> > supply the ESNI key to the client he/she uses. Such a hack becomes
> > difficult under the unified approach, where operators could synthesize
> > different keys based on various conditions.
>
> Good point!
>
> >
> > At the least, if we are to adopt #136, I think we should change the
> > definition of record digest included in the ClientHello extension so
> > that it does not cover the "address_set" extension of the ESNI record.
> > Otherwise, we would be exposing to the wire the fingerprint of the set
> > of IP addresses contained in the DNS response the client received
> > through a secure channel, whereas in the split record approach you
> > only leak the ESNI key being used and the IP address the client has
> > chosen.
>
> I'm not sure this is an issue. Clients that use HappyEyeballs will
> already reveal the set of addresses by attempting to connect to them.

Using happy eyeballs does not always mean that the clients are
exposing all the addresses in the address_set. IIUC, a client does not
eyeball between multiple addresses belonging to the same address
family.

> > As much as I like the idea of bundling IP addresses and ESNI key, I am
> > concerned if the requirement to bundle different types of records is a
> > requirement specific to ESNI. If not, I think we should (in the long
> > term) try to create a generic solution, while in the short time we
> > could rely on a more limited mechanism as proposed in #137.
>
> In my view, since these are both extensions, they can both proceed in
> parallel. If some operators can support #136, and can do so without
> creating many ESNI keys, then I think it's worth including. Operators
> for which this is not a concern do not need to support the extension,
> right?

I think the idea of using extensions is a nice approach to move
forward. I won't oppose to having an "option" to change the way the
address is being resolved, as long as it does not hinder the
standardization of the draft without the feature.
>
> > > #137 builds on this design with a mechanism that lets
> > > clients detect and recover from A/AAAA and ESNI mismatch (if desired).
> > > It is certainly more complex in several respects. A third variant,
> > > which is not (yet) in PR form, is a simplification of #137 wherein
> > > ESNIKeys addresses are only used as filters, instead of filters *or*
> > > complete addresses.
> >
> > I think using IP address blocks to limit the validity of the ESNI key
> > is a fine approach. I do not oppose to having a name-based filter if
> > it's impossible for certain operators to apply the IP address-based
> > filtering approach.
>
> Indeed -- that's the only reason the name exists.
>
> Best,
> Chris



--
Kazuho Oku

v2.23.0 | Report a Bug | By Email