On Sat, Oct 12, 2019 at 9:10 PM Patrick McManus <mcma...@ducksong.com> wrote:
> tldr; imo none of this works if the origin does not have a decent
> anonymity set potential. If it does, just reuse esni for that hop rather
> than minting something new.

Thank you for the thoughtful response. I think it might be helpful to use a concrete example. The example I have in mind uses CDNs in two distinct ways.

Let's say it's an HTML document from "username.example.com" that looks something like this:

    <html>
      <body>
        <img src="[CDNHOST]/foo.jpg">
        <img src="[CDNHOST]/bar.jpg">
        <img src="[CDNHOST]/baz.jpg">
      </body>
    </html>

One use case for CDNs is to serve those jpegs with a TTL. I've often seen servers programmed to switch between CDNs in the HTML (or JSON, etc.). So, the ops team for "username.example.com" might have a switch that changes "CDNHOST" from Level3 to Cogent (choose any of the big providers). This provides agility that does not rely on any CDN provider, and doesn't rely on DNS TTLs. That's good, because CDNs often encounter peering issues that are not in their control. This experience might be biased toward social media, where traffic is biased toward newer, popular content.

The other use case concerns the HTML document from "username.example.com". This might be served with a zero-length TTL. This is done so that personalized API traffic can be served over private backhaul links, rather than the open Internet. Then, a Point-of-Presence data center will serve the traffic as closely as possible to the client (I know Patrick knows all of this, but I'm trying to be very clear for everyone).

Two points from Patrick's message are confusing to me:

- "using one v6 per origin (when you've got multiple origins available) isn't a great pattern imo"

I meant to describe one IPv6 address per TLD+1 domain, so "username1.example.com" and "username2.example.com" could be served from the same IPv6 origin. It's not clear how to do this with an encrypted SNI from CDN to origin. I understand that some people think ESNI keys are the way to go, but I don't think anyone actually does this right now.

- "a few folks do like to authenticate the cdn to the origin with client certs. That's nifty - but overall it's pretty unpopular for the same reasons managing distributed keys are always unpopular..."

It doesn't seem too complicated to me: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

Maybe it is complicated on the CDN side, but not for the origin. And it seems less complicated than uploading ESNI keys to the CDN.

thanks,
Rob
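As an added illustration of the origin side of "authenticated origin pulls" discussed above (this is example configuration written for this page, not Rob's setup, Cloudflare's documentation, or any CDN's own config), the following nginx server block accepts a TLS connection from the CDN only when the CDN presents a client certificate chaining to the CDN's origin-pull CA. All file paths, the hostname and the backend address are placeholders.

```nginx
# Added example: origin-side client-certificate check for CDN -> origin pulls.
# The CDN presents a client certificate on the CDN->origin TLS hop; the origin
# completes the handshake only if that certificate chains to the CDN's CA.
# Every path and address below is a placeholder.
server {
    listen 443 ssl;
    server_name username.example.com;

    # The origin's own server certificate and key for the public name.
    ssl_certificate     /etc/ssl/origin/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/origin/privkey.pem;     # placeholder path

    # Trust anchor for client certificates: the CDN's origin-pull CA only,
    # not a public root bundle, so browsers and scanners hitting the origin
    # directly cannot satisfy the check.
    ssl_client_certificate /etc/ssl/origin/cdn-origin-pull-ca.pem;  # placeholder path
    ssl_verify_client on;     # "on": handshake fails without a valid client cert
    ssl_verify_depth 2;       # allow one intermediate between leaf and CA

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder application backend
        proxy_set_header Host $host;
        # Pass the verified client certificate subject to the app for logging,
        # so origin access logs show which CDN identity fetched the content.
        proxy_set_header X-CDN-Client-DN $ssl_client_s_dn;
    }
}
```

Two caveats a practitioner would check: first, a CDN-wide origin-pull CA proves only that the connection came through that CDN, not that it came through your own zone on it; where the CDN supports a per-zone or per-hostname client certificate, pin that instead. Second, this authenticates the CDN to the origin but does nothing for the SNI-confidentiality question in the thread, so it complements rather than replaces whatever is decided for the CDN-to-origin hop.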
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls