Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <sayrer@gmail.com> Wed, 09 October 2019 07:23 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1764D1200E3 for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 00:23:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nZiCZo1Pgqnw for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 00:22:59 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 489D3120074 for <tls@ietf.org>; Wed, 9 Oct 2019 00:22:59 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id z19so2847335ior.0 for <tls@ietf.org>; Wed, 09 Oct 2019 00:22:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2waZdYWFheO3F8Me5OOPoErcQbjo60uk3c8vLMFalLI=; b=h6t5EiVolgFNxD1X8BNp5Y7rdMpyGFUe7ShMtKTZE4+dEI6SevlvKcwlAbUNxemwdI AK4XKOl2AQKCVe8W93hA9kHuIw31PxW1JVVUqM6xYCaPcMEbvGWzDZe5Dw/9o5c83+3G kp8F/fHjbfVqd5FEOPJXfJ0x+UdAVi4JbEAukxiHLV9UBaTUbKO+VnzDDQ7T4h5Oby7h lcVieK/8BtaEB4oEAax6yQhalWw4m9/UDIcqGdwbnc6JXvQgo+FSx6ODZ6uItc26YdtD 5BvlNOnmOGLLbkKNSIxmgpTbkhGYFOdJ5LkYF2HuCX3Yfz2rV6Zz3LfD/xQa7Q6nQ1Vi BqIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2waZdYWFheO3F8Me5OOPoErcQbjo60uk3c8vLMFalLI=; b=UEQxCmerL0NVWZuNjuu/9B/rMs1dEQFTEbenQKp6xoFuDDHrAHfdpv2JqYGeJzDEM9 /671Z29kQgNnXrMKrgfwFrOoAPYNa+VPfhSxaegOdWP4vBmPJNmo1Ps8mLgyCKXZCyFq MS6j/utRhnAYBvD5faqLgmiH6/rX9V3rAT806XzeFzx2qFPlFfea5h0DiAMKTkFNYqyO Ytrdgs2NoR4O5dQnnl0p0HiSf+//lL1Cdj9qEIcjGIFybkL9QDNThoWo+7S1OxALHC7x qeCJ2NGYslMGTWvLscz/UAk8ei/hFxs5jNKMMak3tm6wqFnNORjtu4RYR+qwprPO26tc fDaQ==
X-Gm-Message-State: APjAAAV4TlXcPfrbZX+4x1qI6peoEm/tRUhKuwPFJuyRz7gjNSwRH01c JoLMaZNpLUJ5VUgkH8lguBo0LtqJx5p45aMmiKY=
X-Google-Smtp-Source: APXvYqyODGgnvEX6UMgAKsZqKmPNid+oU+maGrwmfh1YnQQgemCAiWzgb8E30yJCTyayg6ta+KVoLpsTNeoSyqufLKg=
X-Received: by 2002:a92:d987:: with SMTP id r7mr1912982iln.254.1570605778391; Wed, 09 Oct 2019 00:22:58 -0700 (PDT)
MIME-Version: 1.0
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com>
In-Reply-To: <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 9 Oct 2019 14:22:46 +0700
Message-ID: <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000080da9705947527ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u2-StsAdoNUM_UV5xhPzxH1GgKg>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2019 07:23:01 -0000

On Wed, Oct 9, 2019 at 1:19 AM Salz, Rich <rsalz@akamai.com>; wrote:

>
>    - One issue not covered in this document is SNI encryption from CDNs
>    to Origin servers.
>
>
>
> I think deliberately so.  User-agent to origin (where sometimes the origin
> is a CDN or other intermediary) is the main case.
>

Well, TLS is a transport layer protocol. I think my suggestion might apply
to any client that's sending a certificate.

A link from CDN to Origin is just a particularly easy-to-deploy use case,
since client certificates are already in wide use and IPv6 tends to work
flawlessly.

thanks,
Rob