Dear Christian,

I'm not sure on the ALPN side, but from my understanding of ECH: the `ech` param in the SVCB record contains the `public_name`, which is only used as the "Public SNI" for the initial TLS connection. In your example, assuming the connection was intended for `backend.example.com:1337`, then two DNS lookups would be involved:

1. Get the A (or AAAA) record of `backend.example.com`
2. Get the SVCB record for `backend.example.com` (with potential port-prefix mapping).
From the `ech` param, the `public_name` will be used as the SNI when establishing the TLS connection to the initial intended port (on `backend.example.com`, i.e. 1337), and the IP address that `backend.example.com` resolves to. The client does not need to worry about `facing.example.com` other than setting the SNI extension.
Regards,
Raghu Saxena

On 6/7/25 8:32 AM, Christian Huitema wrote:

I am implementing the ECH draft, and there is something a little unclear.

Suppose a backend server "backend.example.com" implementing the application protocol "example" (i.e., not H3). Before connecting, the client looks up the corresponding SVCB record, and finds an ECH parameter stating that the public server is "facing.example.com". How exactly is the client going to find the ALPN used to connect to "facing.example.com"? What about the port number?

Yes, the client could do a DNS lookup to find details about "facing.example.com", but should that request be for the SVCB record corresponding to the "example" service, or for the HTTPS record corresponding to H3?

Obviously, the practical answer is "connect to `facing.example.com` port number 443 setting the outer ALPN to H3." But is that the right answer?

-- Christian Huitema

_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org
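The lookup-and-connect steps Raghu describes, as an added example that is not part of this thread: a constructed ECHConfigList (the value an SVCB `ech` param carries) is parsed for its `public_name`, which becomes the outer SNI, while the connection itself still targets the backend's own host and port. `build_ech_config_list`, `svcb_query_name`, `plan_connection` and the 32-byte dummy public key are assumptions for illustration; the ECHConfig wire layout follows draft-ietf-tls-esni and the port-prefix owner name follows RFC 9460.

```python
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version defined by draft-ietf-tls-esni

def _vec(data, len_bytes):  # TLS-style length-prefixed vector
    return len(data).to_bytes(len_bytes, "big") + data

def build_ech_config_list(public_name, public_key, config_id=7, kem_id=0x0020,
                          suites=((0x0001, 0x0001),)):
    """Constructed ECHConfigList (one ECHConfig) standing in for the SVCB ech param."""
    contents = (bytes([config_id]) + struct.pack("!H", kem_id)
                + _vec(public_key, 2)
                + _vec(b"".join(struct.pack("!HH", k, a) for k, a in suites), 2)
                + b"\x00"                                # maximum_name_length
                + _vec(public_name.encode("ascii"), 1)   # public_name <1..255>
                + b"\x00\x00")                           # extensions: empty
    return _vec(struct.pack("!H", ECH_VERSION) + _vec(contents, 2), 2)

def parse_ech_config_list(blob):
    """Parse an ECHConfigList, skipping ECHConfigs whose version is unknown."""
    total, = struct.unpack("!H", blob[:2])
    body, configs = blob[2:2 + total], []
    if len(body) != total:
        raise ValueError("truncated ECHConfigList")
    while body:
        version, length = struct.unpack("!HH", body[:4])
        contents, body = body[4:4 + length], body[4 + length:]
        if version != ECH_VERSION:
            continue  # unknown version: ignore this config, keep scanning
        config_id, kem_id, pk_len = struct.unpack("!BHH", contents[:5])
        public_key, pos = contents[5:5 + pk_len], 5 + pk_len
        cs_len, = struct.unpack("!H", contents[pos:pos + 2])
        suites = [struct.unpack("!HH", contents[i:i + 4])
                  for i in range(pos + 2, pos + 2 + cs_len, 4)]
        pos += 2 + cs_len + 1                  # +1 skips maximum_name_length
        public_name = contents[pos + 1:pos + 1 + contents[pos]].decode("ascii")
        configs.append(dict(config_id=config_id, kem_id=kem_id, public_key=public_key,
                            suites=suites, public_name=public_name))
    return configs

def svcb_query_name(host, scheme, port):
    """SVCB owner name for a non-default port (RFC 9460 port-prefix naming)."""
    return f"_{port}._{scheme}.{host}"

def plan_connection(host, port, ech_config_list):
    """Outer TLS connection keeps the backend's address and port; only the outer SNI changes."""
    cfg = parse_ech_config_list(ech_config_list)[0]
    return {"connect_host": host, "port": port, "outer_sni": cfg["public_name"],
            "inner_sni": host, "config_id": cfg["config_id"]}
```

A client that follows this plan still resolves and connects to `backend.example.com:1337`; `facing.example.com` appears only in the outer ClientHello.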