IETF Logo Mail Archive

Re: [TLS] ESNI and Multi-CDN

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 18 December 2018 21:55 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EF51129BBF for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:55:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8a8dIUFTgJxe for <tls@ietfa.amsl.com>; Tue, 18 Dec 2018 13:55:30 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 752CC126F72 for <tls@ietf.org>; Tue, 18 Dec 2018 13:55:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id A67DAC3F79; Tue, 18 Dec 2018 23:55:28 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id OYizG9TZVrxv; Tue, 18 Dec 2018 23:55:28 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 064252308; Tue, 18 Dec 2018 23:49:28 +0200 (EET)
Date: Tue, 18 Dec 2018 23:49:28 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Ben Schwartz <bemasc@google.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20181218214928.GD592@LK-Perkele-VII>
References: <CAHbrMsCDR4oQzJhkcF05+wSKEoDEnACLH8D-os34xoNE9hyWHQ@mail.gmail.com> <20181218211435.GB592@LK-Perkele-VII> <CAHbrMsAVNua0TDinVZr7zaO5R_MYSOVwzKDvb1GzeXXvgRJQ9g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAHbrMsAVNua0TDinVZr7zaO5R_MYSOVwzKDvb1GzeXXvgRJQ9g@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vEq1vobj8WrbAScLssJ-lxufQfg>
Subject: Re: [TLS] ESNI and Multi-CDN
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 21:55:33 -0000

On Tue, Dec 18, 2018 at 04:26:45PM -0500, Ben Schwartz wrote:
> On Tue, Dec 18, 2018 at 4:14 PM Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote:
> > > I'd like to propose a solution to the ESNI + Multi-CDN problem (which has
> > > been discussed a lot on this list already).  My suggestion is that we
> > > define the ESNI DNS record format as optionally including "stapled"
> > A/AAAA
> > > records.
> > >
> > > Server operators would have the option to publish an ESNI record that
> > only
> > > contains an ESNIKeys structure (like the current TXT record), or to
> > publish
> > > an ESNI record that also includes IPv4 and/or IPv6 addresses.  (A
> > > Sufficiently Advanced authoritative DNS server would generate such
> > records
> > > automatically.)  This kind of address stapling would only be required of
> > > CDN operators who want to support multi-CDN deployments.
> > >
> > > Clients would issue A, AAAA, and ESNI queries in parallel (as with the
> > > current TXT record).  If an ESNI record exists, and it contains IP
> > > addresses, the client discards the results of the A or AAAA query.
> >
> > I do not think this will work:
> >
> > - The CDNs need control of ESNIkeys
> > - If you hand them this control, you can hand over address control at
> >   the same time.
> > - Now you are in HTTP service discovery territory.
> >
> > I am not saying that HTTP service discovery is undesirable (it is one
> > of those perennial topics that are not seemingly bad ideas but never
> > seem to get done).
> >
> 
> Sorry, I don't understand.  What are you saying will not work?
> 
> This proposal is not HTTP-related, nor is it any kind of service
> discovery.  A CDN necessarily controls both the addresses and ESNIKeys;
> this proposal just stores that info in one RR instead of two.
 
What I meant is that one must be able to redirect the ESNI lookup
somehow to the CDN itself. Otherwise updating the ESNI keys is too
hard due to excessive coordination required. And if you can somehow
redirect the ESNI lookup, you could redirect the address lookup using
the same mechanism.

And what that results is a service discovery mechanism. And turns
out that HTTP is pretty much the only widely used protocol that does
not have service discovery mechansim (e.g., SMTP uses MX, XMPP uses
SRV, etc..).



-Ilari

v2.23.0 | Report a Bug | By Email