Thanks for the explanation!

________________________________
From: Nick Sullivan <[email protected]>
...

> A concrete example might help. Suppose "Proxywerks" is a large
> fronting/CDN-style deployment serving millions of domains from one shared ECH
> pool. All of those domains use the same ECHConfig with
> public_name="proxywerks-ech.com".
> The actual serving footprint is a large and changing set of shared edge
> addresses across multiple Proxywerks ASNs plus some BYOIP space, borrowed
> regional ISP IPs,

Thanks, this helps to clarify the use case. In this example, the Proxywerks ASN and BYOIP spaces are slow to change and trivial to enumerate, so I don't think they contribute much to the value of this proposition. If we imagine that Proxywerks also has dynamic arrangements in which IP addresses are borrowed from many different ISPs, that could make enumeration more challenging and potentially justify this proposal. However, in my experience:

* These kinds of borrowed IPs are usually limited to use in a particular region, and are not available in the regions under threat.
* These IP addresses are slow to change.
* These IP addresses are easy to identify via forward or reverse DNS.

Perhaps a more compelling example would be a "virtual CDN" that doesn't own any hardware or IP space. Instead, it rents a variable number of virtual machines, each with an accompanying (presumed unpredictable) IP address, from a shared public cloud provider, and makes them available via fast-changing DNS answers. I don't know of a deployment like that today, but it seems like an architecture where the CDN's server IP addresses might not be trivial to identify.

> and all of those IPs are also used for many unrelated origins.

If Proxywerks is serving other origins from the same IP addresses, and wants them to be indistinguishable from ECHConfig Foo to an attacker, why doesn't it just give those other origins ECHConfig Foo too?
I don't understand this justification, but I also think it is unnecessary. The proposal can be justified by preventing trivial distinction between traffic that is inside Proxywerks' network and traffic that is outside of it, if we are willing to assume that this is not already obvious from the server IP addresses.

--Ben Schwartz
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
