Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Christian Huitema <huitema@huitema.net> Wed, 09 October 2019 15:18 UTC

To: Rob Sayre <sayrer@gmail.com>, Paul Yang <kaishen.yy@alipay.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com> <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com> <80F168B0-7F30-4FDA-BD0F-4C787802F0D5@akamai.com> <CAChr6SyV+qMFs56THZzBxNv5vkQTeBJdG9GtutvVMcyP2CxN7w@mail.gmail.com> <CABcZeBNtv-4=dtrArZwnJHSohrbsrtG53_ynSZdcMp=YeWc9iA@mail.gmail.com> <CAChr6SzCONU2yA87QGNhsx7=5Zn82v1_euBJ-kbRci4vJ32oUw@mail.gmail.com> <83192EC8-6A24-4638-80AC-6D2AF9C68BBB@akamai.com> <CAChr6SwdP7iA=ZYg+xa3Ye-b97sekw6=qwJZu2w0n1ZZC9wG+Q@mail.gmail.com> <E679DBE6-CEC8-486B-A2EA-EEED38D4E4C8@alipay.com> <CAChr6SzRZJ4g=TDwM2jjhp8S_Oyk+kQ0VNEsd3FYV2xVBn-sNw@mail.gmail.com> <8D9F60B9-E507-4465-B761-BAD37B6E1156@alipay.com> <CAChr6SzLn57ak5wgWUyW=wpcG09n1PtsOXVWZ0TBmj+r7TOF2A@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <15062b36-8691-24e8-9764-2976d4fac0fe@huitema.net>
Date: Wed, 09 Oct 2019 08:17:19 -0700
In-Reply-To: <CAChr6SzLn57ak5wgWUyW=wpcG09n1PtsOXVWZ0TBmj+r7TOF2A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yyX-odYCKBVtYwLQ67ev5dM50VY>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

I struggle a bit to understand how this thread is related to the SNI
Encryption Requirements document. Rob, you raise the question of using
and possibly hiding the SNI when using TLS to protect communication
between servers. That's a fine debate, but I don't see how this specific
usage of TLS and SNI affects the draft or changes the requirements on SNI
encryption mechanics. We also have an interesting process issue, because
this draft already went through WG last call, IETF last call, and IESG
review. At this stage, it would take a huge issue to stop the presses
and rework the document.

-- Christian Huitema

On 10/9/2019 7:20 AM, Rob Sayre wrote:
>
> On Wed, Oct 9, 2019 at 9:17 PM Paul Yang <kaishen.yy@alipay.com
> <mailto:kaishen.yy@alipay.com>> wrote:
>
>>     On Oct 9, 2019, at 9:46 PM, Rob Sayre <sayrer@gmail.com
>>     <mailto:sayrer@gmail.com>> wrote:
>>
>>     On Wed, Oct 9, 2019 at 8:43 PM Paul Yang <kaishen.yy@alipay.com
>>     <mailto:kaishen.yy@alipay.com>> wrote:
>>
>>         From my understanding, either IPv4 or IPv6 should have
>>         nothing to do with the concept “virtual host”.
>>
>>     Hi Paul,
>>
>>     That is correct. However, the scarcity of IPv4 addresses is one
>>     major factor driving the need for virtual hosts.
>
>     Yes, that’s right. So even if IPv6 addresses are enormous enough to
>     hold every domain name, we still can’t assume it’s all used in
>     this way in practice. An administrator can always configure the
>     origin server as hosting multiple domain names on one IPv6
>     address. It may not be very reasonable to do so, but it could
>     be done that way. Actually, popular web servers such as NGINX
>     support such kinds of configurations, for instance.
>
>     For the TLS protocol, when being used between an IPv6 CDN node and an
>     origin server, the SNI still needs to be present in ClientHello to
>     address the above circumstance; otherwise, the IPv6 origin may
>     fail to choose the right host/certificate to finish the handshake.
>
> Hello,
>
> I agree that it needs to be possible to include the SNI in
> ClientHello, but not required.
>
> thanks,
> Rob
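Paul Yang's point above, that an origin hosting several names on one IPv6 address needs the SNI to pick the right host/certificate, as an added illustration (not code from this thread, the draft, or any CDN): a constructed minimal ClientHello with and without the server_name extension, the origin-side extraction of the name, and the selection that falls back to a default virtual host when the extension is absent. The host names and certificate labels are made-up sample values.

```python
import os
import struct

# Constructed sample virtual hosts: in a real origin these would map to
# X.509 chains; here they are just labels so the selection is visible.
VHOSTS = {
    "www.example.com": "cert-for-www.example.com",
    "api.example.com": "cert-for-api.example.com",
}
DEFAULT_CERT = "cert-for-default-vhost"

def build_client_hello(server_name=None):
    """Build a minimal ClientHello handshake message (type, 3-byte length, body).
    Only the fields needed to carry a server_name extension are populated."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni     # extension_type 0 = server_name
    body = (b"\x03\x03" + os.urandom(32)           # legacy_version + random
            + b"\x00"                               # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                           # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)  # extensions block (may be empty)
    return b"\x01" + len(body).to_bytes(3, "big") + body

def extract_sni(hello):
    """Return the host_name carried in the server_name extension, or None."""
    if hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # type/len, version, random
    pos += 1 + hello[pos]                                   # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                                   # compression methods
    if pos >= len(hello):
        return None                                         # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        data, pos = hello[pos + 4:pos + 4 + elen], pos + 4 + elen
        if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
            nlen = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + nlen].decode("ascii")
    return None

def select_certificate(hello, vhosts=VHOSTS, default=DEFAULT_CERT):
    """Origin-side choice: the SNI names the virtual host; without it (or for an
    unknown name) the origin can only serve its default host's certificate."""
    name = extract_sni(hello)
    return name, vhosts.get(name, default)
```

The last case is the failure mode in the thread: with no SNI the origin serves the default certificate, which will not validate for the name the CDN node actually wanted.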