Re: [TLS] Two Multi-CDN proposals

Christopher Wood <christopherwood07@gmail.com> Thu, 28 February 2019 00:54 UTC

References: <CAO8oSX=sPoLo78oX4qEEyeuck7CxM_uAqYPHEsY7BuYqBUaorg@mail.gmail.com> <CY4PR22MB098340D8B4C6FD7D9EB9C32EDA750@CY4PR22MB0983.namprd22.prod.outlook.com>
In-Reply-To: <CY4PR22MB098340D8B4C6FD7D9EB9C32EDA750@CY4PR22MB0983.namprd22.prod.outlook.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Wed, 27 Feb 2019 16:54:41 -0800
Message-ID: <CAO8oSXms6juQVMP339mh3Z1K1sL5GahaeV5rbbN59HOrGwsuXg@mail.gmail.com>
To: Mike Bishop <mbishop@evequefou.be>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/z841-LRpR3IFGBRvXus923gnwT4>
Subject: Re: [TLS] Two Multi-CDN proposals

On Wed, Feb 27, 2019 at 4:36 PM Mike Bishop <mbishop@evequefou.be> wrote:
>
> Despite the additional complexity of #137, I think it's probably the better approach (and I would be fine with the simplification, if that makes it more palatable).  Particularly when multi-CDN is used, there's a lot of logic involved in generating the "right" A/AAAA record in response to a request.  #136 essentially lets the ESNIKeys result override the A/AAAA, which means ESNIKeys needs to be equally tailored and duplicate all the existing logic for a new record type.  In #137, the ESNIKeys essentially contains enough information to check that the A/AAAA results came from the same entity as the ESNIKeys result but leaves the DNS complexity where it already exists.  (It has the option to override, and removing that would be the simplification.)
>
> The tripping point of #137, however, is that it may need a recovery path (i.e. a second A/AAAA resolution) in case the records come from mismatched providers.  We don't currently have data on how often that would happen -- whether it's 10% or 0.001% of the time would make a big difference.

Thanks, Mike! I agree with the technical descriptions of both approaches.

Since each design uses an extension, could we pursue them
simultaneously? I'm not sure we must necessarily choose one or the
other here. (Perhaps I should have emphasized that in my original
message. Oops.)

Best,
Chris
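
A toy model of the two designs as Mike describes them above, added here as an illustration; it is not code from the ESNI draft, from PR #136 or #137, or from either author. The record shapes, the provider names, the TEST-NET prefixes the ESNIKeys record is assumed to carry for the "same entity" check, the 70/30 steering split, the assumption that the A/AAAA and ESNIKeys queries are steered independently, and the recovery rule of exactly one extra A/AAAA resolution are all constructed for the model.

```python
"""Toy model of the #136 (ESNIKeys overrides A/AAAA) and #137 (ESNIKeys lets the
client check A/AAAA, with a recovery path) designs.  Added illustration only; all
record shapes, prefixes, weights and the recovery rule are constructed assumptions.
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class EsniKeysRecord:
    provider: str                    # assumed: entity that published the keys
    key_id: str
    prefixes: Tuple[str, ...]        # assumed (#137): address ranges the keys are valid for
    override: Tuple[str, ...] = ()   # assumed (#136): addresses that replace the A/AAAA answer


# Constructed deployment: one name served by two CDNs.  The steering logic that
# answers A/AAAA picks cdn-a 70% of the time and cdn-b 30%; the ESNIKeys query is
# a separate lookup steered independently, so the two answers can disagree.
PROVIDERS = ("cdn-a", "cdn-b")
WEIGHTS = (0.7, 0.3)
ADDRS = {"cdn-a": "192.0.2.10", "cdn-b": "198.51.100.20"}   # TEST-NET, constructed
KEYS = {
    "cdn-a": EsniKeysRecord("cdn-a", "key-a", ("192.0.2.0/24",), ("192.0.2.10",)),
    "cdn-b": EsniKeysRecord("cdn-b", "key-b", ("198.51.100.0/24",), ("198.51.100.20",)),
}


def resolve_addr(rng: random.Random) -> str:
    """Model an A/AAAA lookup: the address the steering logic chose for this query."""
    return ADDRS[rng.choices(PROVIDERS, WEIGHTS)[0]]


def resolve_esnikeys(rng: random.Random) -> EsniKeysRecord:
    """Model an ESNIKeys lookup, steered independently of the A/AAAA lookup."""
    return KEYS[rng.choices(PROVIDERS, WEIGHTS)[0]]


def consistent(address: str, keys: EsniKeysRecord) -> bool:
    """#137's check: did the A/AAAA answer come from the entity that published
    these keys?  In this model the record carries that entity's prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(p) for p in keys.prefixes)


def design_136(rng: Optional[random.Random] = None) -> Tuple[str, EsniKeysRecord, int]:
    """#136: the ESNIKeys answer overrides A/AAAA.  One lookup, always
    self-consistent, but the record must carry the steering result itself.
    Returns (address used, keys, number of lookups)."""
    rng = rng or random.Random()
    keys = resolve_esnikeys(rng)
    return keys.override[0], keys, 1


def design_137(rng: Optional[random.Random] = None,
               max_retries: int = 1) -> Tuple[Optional[str], EsniKeysRecord, int]:
    """#137 (simplified, no override): resolve both, verify the A/AAAA answer is
    consistent with the keys, and on mismatch re-resolve A/AAAA (recovery path).
    Returns (address or None, keys, number of lookups); None means the client
    gives up on ESNI for this connection (assumed fallback)."""
    rng = rng or random.Random()
    keys = resolve_esnikeys(rng)
    address = resolve_addr(rng)
    lookups = 2
    for _ in range(max_retries):
        if consistent(address, keys):
            break
        address = resolve_addr(rng)
        lookups += 1
    if not consistent(address, keys):
        return None, keys, lookups
    return address, keys, lookups


def first_try_mismatch_rate(trials: int, seed: int = 1) -> float:
    """Fraction of #137 clients whose first A/AAAA + ESNIKeys pair disagrees, the
    number Mike says there is no data for.  Under independent 70/30 steering it is
    2 * 0.7 * 0.3 = 0.42."""
    rng = random.Random(seed)
    bad = sum(1 for _ in range(trials)
              if not consistent(resolve_addr(rng), resolve_esnikeys(rng)))
    return bad / trials


def simulate_137(trials: int, seed: int = 2, max_retries: int = 1) -> dict:
    """Run design_137 repeatedly: how often the recovery path rescued the
    connection, how often it still failed, and whether every accepted address
    passed the consistency check."""
    rng = random.Random(seed)
    recovered = failed = 0
    all_ok = True
    for _ in range(trials):
        address, keys, lookups = design_137(rng, max_retries)
        if address is None:
            failed += 1
        elif lookups > 2:
            recovered += 1
            all_ok = all_ok and consistent(address, keys)
        else:
            all_ok = all_ok and consistent(address, keys)
    return {"recovered": recovered / trials, "failed": failed / trials,
            "all_consistent": all_ok}


if __name__ == "__main__":
    print("#136:", design_136(random.Random(7)))
    print("#137:", design_137(random.Random(7)))
    print("first-try mismatch rate:", first_try_mismatch_rate(10000))
    print("#137 with one retry:", simulate_137(10000))
```

The model deliberately assumes the two lookups are steered independently, which is the worst case for #137: with a 70/30 split the recovery path fires on about 42% of connections and a single retry still fails about 21% of them. If both records are in practice answered from the same steering decision (same resolver, same cache entry), the rate collapses toward zero, which is exactly why the measurement Mike asks for matters before choosing between the two designs.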