IETF Logo Mail Archive

Re: [TLS] Two Multi-CDN proposals

Mike Bishop <mbishop@evequefou.be> Sat, 02 March 2019 07:03 UTC

Return-Path: <mbishop@evequefou.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91C6D131178 for <tls@ietfa.amsl.com>; Fri, 1 Mar 2019 23:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4ZEmGONzRnh for <tls@ietfa.amsl.com>; Fri, 1 Mar 2019 23:03:26 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-eopbgr740118.outbound.protection.outlook.com [40.107.74.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA53F13116C for <tls@ietf.org>; Fri, 1 Mar 2019 23:03:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector1-evequefou-be; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B4Q3kPHOFEZUipEGRIc83nFVMO8NOrEk8M75rBlDC98=; b=dD5LuTbq6uldtdA5YX9xTK6PNttxQOdWSh+8q+dAFXG2B5dz28YklgakOxLxxKKPzYiMRiTA/lylXKEukmIeNQcuoRYr2Xu+8OIx2o1s3SHI+ex4QAT2JwEwBVTeT+SpyOWC+qt4JEKAlHF1P+98kPw4aeKCqquIYuvzKEhmNII=
Received: from CY4PR22MB0983.namprd22.prod.outlook.com (10.171.164.151) by CY4PR22MB0120.namprd22.prod.outlook.com (10.169.187.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.16; Sat, 2 Mar 2019 07:03:22 +0000
Received: from CY4PR22MB0983.namprd22.prod.outlook.com ([fe80::76:e309:d27f:23e6]) by CY4PR22MB0983.namprd22.prod.outlook.com ([fe80::76:e309:d27f:23e6%2]) with mapi id 15.20.1665.015; Sat, 2 Mar 2019 07:03:22 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Eric Rescorla <ekr@rtfm.com>, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
CC: "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Two Multi-CDN proposals
Thread-Index: AQHUzrgq/mj86VpJpU6F+CUABXSdh6X0azAAgAAE8gCAAAPrgIAADGqAgACI74CAAlSjMIAAQ1EAgAADaQCAAAsvAIAANyPA
Date: Sat, 02 Mar 2019 07:03:22 +0000
Message-ID: <CY4PR22MB0983DDBEC2B214D7EB1A261EDA770@CY4PR22MB0983.namprd22.prod.outlook.com>
References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com> <0b19d021-8101-23ee-2899-450d103a8906@cs.tcd.ie> <CABcZeBN0mf7VFCKKdg9gH0=tCS7eLZz6M5_WJdaNG7XrJeyESw@mail.gmail.com> <0b854704-8f93-f9ad-c067-67f7f73cbbbf@cs.tcd.ie> <CABcZeBM61u=DtjQh+NkQF47MLyZS4EyuGBjDnsfjxz-z5kfjoQ@mail.gmail.com> <1eaaebf3-6e8a-ae84-0ab3-f977295c0721@cs.tcd.ie> <CY4PR22MB09831CBC251393EE334905D4DA760@CY4PR22MB0983.namprd22.prod.outlook.com> <CAO8oSX=2N=_wvf3L=o6ou=zJaSHE4zpgQDK38QO99+ausYmEpQ@mail.gmail.com> <CAFDDyk_57De_xkXQmhfL_GdojMG0j-=RBhoTFReiCHyArobYWQ@mail.gmail.com> <CABcZeBPgcTyfA3GHkzcrXPO=dnj1Ea+U4fwcg=4mw6BbO-WkSA@mail.gmail.com>
In-Reply-To: <CABcZeBPgcTyfA3GHkzcrXPO=dnj1Ea+U4fwcg=4mw6BbO-WkSA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [2601:600:8080:701:c2c:9b09:2508:4bf8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c66ae0d0-d1ac-4172-7899-08d69edd28d3
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:CY4PR22MB0120;
x-ms-traffictypediagnostic: CY4PR22MB0120:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <CY4PR22MB0120DEC1455717CCC6E04CFCDA770@CY4PR22MB0120.namprd22.prod.outlook.com>
x-forefront-prvs: 09645BAC66
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(136003)(346002)(39830400003)(376002)(366004)(189003)(199004)(52314003)(51914003)(6436002)(5660300002)(790700001)(2906002)(105586002)(229853002)(106356001)(606006)(508600001)(97736004)(966005)(8936002)(236005)(6306002)(55016002)(14454004)(68736007)(53936002)(4326008)(53386004)(71200400001)(71190400001)(6116002)(8676002)(14444005)(256004)(52536013)(46003)(110136005)(561944003)(54896002)(9686003)(25786009)(86362001)(486006)(33656002)(81156014)(6246003)(446003)(11346002)(81166006)(186003)(99286004)(7736002)(74482002)(476003)(316002)(93886005)(74316002)(102836004)(6506007)(53546011)(76176011)(7696005); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR22MB0120; H:CY4PR22MB0983.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-microsoft-exchange-diagnostics: 1;CY4PR22MB0120;23:OGxuQm/UO6Muk0jsBtsQBg2srEfMLkYkdGQfwtxsuv1Bojs2nnyD8EeACswzkNqUUUBHnKzbIqLIVJZvU81+KyrAt+daJuS9Lvr5+zs0ulQZrWDgaTC9lwLnHKo4Za42Q3aHFzlZNN2HRnvM2pGz8skDFidvFyfMWoCZmzqSQ+ZWIZXsYSjZU9rUGNUqpD8ZAeOEjvjZUaUtFeG5XQms4m73xCvS3RSwf4RGVYvDZlaoN3ULOv3q3hCprLcPRPGzfnW+PcZ2eXf2B76+LJjZnkFewHuudCjYaXn4lDvW1Dx9aaQz9yx94Qh7CHROoueYrrwducDnPTcprY9hY5DPM9trZmnjMv/dK9WyeNejaEZYsjNorumS8RKRvnHjmYs4deAW+R1V5Fv+jpvjI1HLJYL5J3YMpDPkLNGMS/hKSWXJhvNJtaQ+Vd2ajZkiQb3DWJpESBarQai+U3fBVSN+A4KvpKaxfErtskRHzULaKWM5BR+y9Fy7WWPxvkDn27YZNxDFdfPWBSRiur4634qzXUpo1iE3pQzWQgNfZDJ+UUS2xVRs86dbyDDOySdcfKx1cAhlo2yZwJ0uKOOCR/qWqE0/1//LQBL7UfJcb5R4n093a69V+sA1SLWUcz6SpqLuteH8gkbF4qlMVgF4fqrgjjuV6tU2sW8VTBnzkulBTCvvrAD+mXkf/+R1dbxWWU8SU85e1vgw69ugpweIx1cBC/F5nY9yaBQh+YAwtsApxWs963DAsJg3OioqiuzmWO07n0DJr4bgVXDDuY//ZYCzGqcJ7kG4E8Sej/3GObJJWdvazlC84F3Z7I28I8D1pnOzQJp86yCg5unvPm7c8peATco0FmbN8FbCG9cm8HtyvCiV3EEQWfzM64SBYGSUgQH9jACEO4D67NE5pk0UD/7ZKerP+DDy6Q2xzu/6ULj3jtv36rYNlabsuXlzrQNCgQ4qJnXwjCrqHOOgm7gZxZyiMgX+9aPXfpo3yVS32KlavYBuJmmkr0HKRe0W8iSbEjjRzMJRv5sY6m3rbAkYgDxEBpeT+bXQS/J8XuB1sVUfWsnO8tayZyn1tJztnbEcSSYzP1qzIe7zANTSLTnzjg9bDHs/z4EZjVY/vEvFRaVTVqwL7FWqM3vSp6uCrW8T0rPvbH8J57fc/QzAaLoUoUK0SOsWYxDVfQujHpLVpEcp3SPrrPqf4VYjQJdEED21L/Okn84RR41WMrqemfrGlT4MvO9dZpZvgMqMCH/NDMlAHjHyEajmahwqYwlNph9xEdaqPPqmASMpflwosrai4mCb8GBKFp3hr9hzBU1fxbtrn8wG6PHp1zQKi5tOpX25Ulz3MOBDKN+LLC/hegH0GnrEjKmBIxw8oLB9J31Syzi/GoGl7ts8mGRQjFqJd/TWggmtOkh5snUxfhpHf8gZq8Mlpw==
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PLrTJurFl1EbBLYTaEXeKCT/MYbRukF/BZkFZ+Nfy4+cceJJtif8glslF3iCYDhY5DO4vwszJfZN8osehg2/ktBpXxPNrP8Jtnq+WK0lXwLPe/muXI2emPAf/vCORCbnX2+vQuToHtf90MEv+VxSmAGE6h/mcy0ZGv0EwXWyG5nPcOFiLkHBUOnOOEmwrdB2V2YcoTf5BUdo7Cqlm+TVbDy5YEpJPu65AY6u8C4d/R1Fh0tLhoj/Z8rIEUd61IxAREJdQVj8wlvocB/pAy5NZDKGxkkw5Ii9kRLmtIHinQBgid3DYTR7HOu3iau1x54iy1pvbsOpNTRAHRES2REYiZgPm5EVOIo8Qnfbp4ZBtGQ7Ds89fjKapNlU67EzBHV3zXvbnPWksa/qTtBh/M5LTnkPMzHTjYTlPzDdWfZmQKY=
Content-Type: multipart/alternative; boundary="_000_CY4PR22MB0983DDBEC2B214D7EB1A261EDA770CY4PR22MB0983namp_"
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: c66ae0d0-d1ac-4172-7899-08d69edd28d3
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2019 07:03:22.7200 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR22MB0120
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Fz68GPpd2Y7WFVZ_53jfE9XY4yM>
Subject: Re: [TLS] Two Multi-CDN proposals
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2019 07:03:30 -0000

Totally agree that we want to avoid the extra DNS round-trip as often as possible.  However, I see the options in the opposite light – if all you need is #136, then you can put exact addresses into #137 and get the same behavior.  The question is whether the additional capabilities of #137 are safe and needed.  Depending how much later #137 is added, we may wind up needing to support both, which would be… suboptimal.

I think what will swing the needle on safety – how often there’s divergence – lies in how the record is positioned.  Two problems with the current approach that I see:

  *   Correct me if I’m wrong, but I don’t believe the alias is allowed to have subdomains.  If www.example.com<http://www.example.com> is a CNAME, then _esni.www.example.com cannot exist, can it?
  *   Even presuming that it did, or that it weren’t a subdomain, it would follow its own CNAME chain which might not lead to the correct provider.

If, however, the ESNIKeys RRType is resolved by following the CNAME from the host, it depends on how often two queries for two different RRTypes on the same hostname follow different CNAME chains.  We have a ready-made way to test that – A and AAAA.  I have an idea where we can get some data on that.

From: TLS <tls-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Friday, March 1, 2019 7:19 PM
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Cc: <tls@ietf.org> <tls@ietf.org>
Subject: Re: [TLS] Two Multi-CDN proposals


On Fri, Mar 1, 2019 at 6:39 PM Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org<mailto:40cloudflare.com@dmarc.ietf.org>> wrote:


On Fri, Mar 1, 2019 at 6:27 PM Christopher Wood <christopherwood07@gmail.com<mailto:christopherwood07@gmail.com>> wrote:
On Fri, Mar 1, 2019 at 3:19 PM Mike Bishop <mbishop@evequefou.be<mailto:mbishop@evequefou.be>> wrote:
>
> Stephen, there are a couple complicating factors here where I think we all have varying knowledge gaps.
>
> There are two major ways of pointing to a CDN:  Direct A/AAAA records and CNAMEs.  The easiest way to handle key update complexities on the part of the CDN(s) is simply to CNAME the ESNI query for your domain to their ESNI record, but you can certainly directly host your CDN’s keys in your domain if you prefer.  Nothing should preclude that.
> The issue we’re trying to address is when the ESNI record and the A/AAAA record follow different CNAME chains and you get the records from different hosts.  Of course, if we move to an ESNI RRType with the same hostname (see #105), there’s hopefully a single CNAME chain that gets cached at the resolver and used when looking up both queries.  If they remain separate hostnames, it seems like it gets much easier for them to diverge.
> It’s my understanding that DNSsec doesn’t play well with returning a subset of all extant RRs for a given name+type.  However, some CDNs return DNS results tailored to the user’s location; the load-balancing servers will (in some cases) return CNAMEs to different targets based on the desired traffic share.  That’s not a behavior that maps well to DNSsec as I understand it.  You mention DNSsec signing your domain as part of why you have issues with the proposal, but I think this is an open issue beyond ESNI or these PRs.
>
> Maybe someone better-steeped in DNS/DNSsec can help us figure out how all that should work, and I agree with you that there are definitely bumps here we need to iron out – maybe those are just questions to answer, or maybe changes to the structure of the record are warranted.
>
> However, these PRs are primarily about what information should be in these records and how clients make use of it.  I disagree with you that we have to resolve both questions at the same time.  Let’s agree on content first, and spent some time separately with DNS folks to see whether the content can be more pleasantly arranged.

Thanks all for the discussion so far! Focusing strictly on the content
of the records and not the formatting, as Mike suggests, we
essentially have the following:

- #137 gives clients a way to detect A/AAAA+ESNI mismatch and recover,
at the cost of another sequential DNS query for ESNI. In this change,
A/AAAA records still control where traffic goes.
- #136 never requires clients to send a second DNS query for ESNI
since clients ignore the A/AAAA results. In this change, ESNI records
dictate routing.

With #137, clients willing to send a second DNS query will get ESNI
for all supporting providers. Clients unwilling to send a second DNS
query will only get ESNI for those providers which ensure that their
A/AAAA and ESNI records very rarely mismatch. With #136, clients only
get ESNI for those providers capable of building ESNI records with
correct addresses. In theory, these providers should be the same ones
that could ensure A/AAAA and ESNI record matching.

Given this, the discussion seems to hinge on the following question:
Are operators comfortable with the risks of letting ESNI records
control routing. If so, #136 is probably a better design for said
operators. If not, then #137 is probably required.

Thanks for the summary, Chris.

Speaking for Cloudflare, we prefer the method described in #136 and would be willing to implement ESNI records this way.

I have sympathy for organizations with a preference for #137 for debuggability reasons, but I would rather avoid situations in which the client needs to do an additional DNS query if avoidable.

I would support the option to include either extension based on operator preference.

This more or less aligns with my views.

From my perspective, we know that #136 is safe, although it may be inconvenient for some operators, and it's not clear to me that #137 can be made to work without frequently incurring another serialized DNS query. If we had some evidence to the contrary, I would be somewhat more favorable to #137, though I would probably still prefer #136 for reasons of simplicity, especially as we can always add #137 later if it proves viable..

-Ekr



Note that this does not mean we must choose between #136 and #137
right now. We can do both (after possibly simplifying #137!), use
them, and see what works best in practice.

Anyway, I hope this summary accurately captures the differences and
possible tradeoffs.

Best,
Chris

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email