Re: SNI requirement for H2 from Willy Tarreau on 2015-04-03 (ietf-http-wg@w3.org from April to June 2015)

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 3 Apr 2015 22:26:32 +0200
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Roberto Peon <grmocg@gmail.com>, Nicholas Hurley <hurley@mozilla.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20150403202632.GQ15429@1wt.eu>

Hi Martin,

On Fri, Apr 03, 2015 at 12:58:20PM -0700, Martin Thomson wrote:
> On 3 April 2015 at 12:25, Willy Tarreau <w@1wt.eu> wrote:
> > On Fri, Apr 03, 2015 at 12:06:36PM -0700, Roberto Peon wrote:
> >> Does anyone recall why 6066 has no SNI for IP literals? (It could be an
> >> empty SNI field or the SNI could indicate the IP literal)?
> >
> > I find it surprizing as well, given that NAT/reverse proxy is very common
> > in front of servers and that the address specified in the URL bar (hence in
> > the SNI if it were sent) would be authoritative and would not necessarily
> > match the one the server sees on the local socket.
> 
> I don't believe that anyone bothered to define it.  SNI was (and still
> largely is) designed to solve the virtual hosting problem.  Clearly
> you don't have that problem if you have an IP address.

You definitely can in fact eventhough that's not very common. I used to
work for a customer where all internal applications were referenced by
their IP address because for many years there was no DNS. And it's
perfectly valid to do virtual hosting with IP addresses as well, what
happens there is the following :

                 load balancer

                 +-------------+
     ----------> | 10.0.0.1:80 |
  clients        |             | ----------> 10.1.1.1:8000  (srv1)
     ----------> | 10.0.0.2:80 |
                 |             | ----------> 10.1.1.2:8000  (srv2)
     ----------> | 10.0.0.3:80 |
                 +-------------+

So the servers only see the "public" IP address in their host header
field (the 10.0.0.X ones) and route to the correct application thanks
to this.

I'm seeing well how that can be transposed to TLS using SNI. Maybe
the reason why it's not supported in this case is to avoid emitting
IP-based certs, I don't know. But the use case is valid even if rare,
and if there are workarounds (eg: declare hostnames in a DNS).

> As for using AUTH48, I think that all we need to do is add a "...if a
> domain name is used." clause or something like that

Yes, that would make sense to fix the issue reported by Nicholas.

> The problem with
> this is that it would require Specification Track Manager approval.

I trust you on this, I don't know the process :-)

Cheers,
Willy

Received on Friday, 3 April 2015 20:26:59 UTC