Last Call Review of draft-ietf-tls-sni-encryption-05
review-ietf-tls-sni-encryption-05-opsdir-lc-romascanu-2019-08-20-00
| Request | Review of draft-ietf-tls-sni-encryption |
|---|---|
| Requested revision | No specific revision (document currently at 09) |
| Type | Last Call Review |
| Team | Ops Directorate (opsdir) |
| Deadline | 2019-09-02 |
| Requested | 2019-08-19 |
| Authors | Christian Huitema, Eric Rescorla |
| I-D last updated | 2019-08-20 |
| Completed reviews | Opsdir Last Call review of -05 by Dan Romascanu; Genart Last Call review of -05 by Meral Shirazipour; Tsvart Telechat review of -05 by Dr. Bernard D. Aboba |
| Assignment | Reviewer: Dan Romascanu |
| State | Completed |
| Request | Last Call review on draft-ietf-tls-sni-encryption by Ops Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/3ShA_FTDXCE39wEnzMoLulfUNDc |
| Reviewed revision | 05 (document currently at 09) |
| Result | Ready |
| Completed | 2019-08-20 |
This document targets Informational status. It is Ready from an OPS-DIR perspective and it offers valuable information for operators deploying TLS. It does not define a new protocol, thus a full RFC 5706 OPS-DIR review does not apply. It does however raise a number of operational issues in the deployment of multiplexed servers that rely on the Service Name Information (SNI) TLS extension, which is a protocol element transmitted in clear text.

Section 3 details the different types of attacks and lists encryption requirements for SNI that would prevent these, but notes that not all can be simultaneously met by implementations and deployments.

Section 4 describes the HTTP Co-Tenancy Fronting as a solution that could be deployed in the absence of TLS-level SNI encryption. The HTTP fronting solution can be deployed without modification to the TLS protocol, and does not require using any specific version of TLS. There are however a few issues regarding discovery, client implementations, trust, and applicability which are further discussed.

Operators should note that Section 5 states that 'The current HTTP based solutions described in Section 4 only meet some of these requirements. In practice, it may well be that no solution can meet every requirement, and that practical solutions will have to make some compromises.'