[TLS] Representing IP addresses in SNI -- proposed draft

Wed, 27 Jul 2022 11:39:26 -0700 

Following discussions in ADD around the DDR draft (as well as in UTA
around Martin Thomson's PR to add IP address SANs to 6125-bis),
I wrote up a draft on how IP addresses might be represented in SNI:

      https://datatracker.ietf.org/doc/draft-nygren-tls-ip-in-sni/

There are at least three different ways we could do it, but this draft
proposes what seems to be the least bad while also talking about the
other alternatives.  (I suspect we'd want to move the alternatives
to an appendix or remove entirely from a final version.)

Is this interesting to the working group?
While IP address SANs have a bunch of corner cases and gaps,
they do seem to be picking up new uses.

What motivated me to realize we need to solve this is that
draft-ietf-add-ddr uses IP SANs in a new way.  Rather than the
client connecting to an IP address and expecting to see a SAN
(where returning a cert associated with the IP address containing
a SAN that the client connected to is straight-forward),
DDR has clients connecting to a different IP and then
expects to find an original IP also in the SAN list.
This means that for an ISP with a large number of IPs
(or using a services who operates DoH service on-behalf
of many entities), you'd need to quickly/wastefully burn through IPv4
addresses to enable a unique cert per original IP.

    Erik


---------- Forwarded message ---------
From: <internet-dra...@ietf.org>
Date: Wed, Jul 27, 2022 at 2:20 PM
Subject: New Version Notification for draft-nygren-tls-ip-in-sni-00.txt
To: Erik Nygren <erik+i...@nygren.org>, Rich Salz <rs...@akamai.com>



A new version of I-D, draft-nygren-tls-ip-in-sni-00.txt
has been successfully submitted by Erik Nygren and posted to the
IETF repository.

Name:           draft-nygren-tls-ip-in-sni
Revision:       00
Title:          Representing IP addresses in TLS Server Name Indication
(SNI)
Document date:  2022-07-27
Group:          Individual Submission
Pages:          7
URL:
https://www.ietf.org/archive/id/draft-nygren-tls-ip-in-sni-00.txt
Status:         https://datatracker.ietf.org/doc/draft-nygren-tls-ip-in-sni/
Htmlized:
https://datatracker.ietf.org/doc/html/draft-nygren-tls-ip-in-sni


Abstract:
   This specification provides a mechanism for clients to send IP
   addresses in a TLS Server Name Indication (SNI) extension as part of
   TLS handshakes, allowing servers to return a certificate containing
   that subjectAltName.  This is done by converting the IP address to a
   special-use domain name.




The IETF Secretariat

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to