- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Thu, 4 May 2017 11:44:22 +1000
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>, DNS Privacy Working Group <dns-privacy@ietf.org>
On 4 May 2017 at 11:26, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> hm, it sounds like that won't work for h2, given Patrick's point that h2
> isn't client-speaks-first. Right? If we tried to do something like
> "h2|dns", it seems like it would introduce a potential latency hit for
> any h2-specific client that proposed it, because the server couldn't
> send its first frame unsolicited. I know you can't speak for Mozilla,
> but would you imagine firefox opting into this for normal http/2
> connections?

Patrick owns that decision and could tell you. The cost would be on the
DNS-enabled client, who would have to detect and ignore any h2 preface from
a server for that protocol.

> For http/1.x, the draft is arguing that using an ALPN label is
> unnecessary -- so if that's right, what would we gain from a new ALPN
> label over using the existing HTTP/1.1 mechanism (i.e., either no ALPN
> or the ALPN token "http/1.1")?

Upthread we see several reasons why that argument might not be valid.

> It looks to me like the new ALPN label introduces costs:
>
> * implementations on both server and client need to specify it
>
> * client implementations need to verify that it was chosen, and fail if
> not

I would have thought that these are benefits.

> * network monitors can see that it was offered and discriminate against
> the offerer at least (TLS 1.3), and in some cases the established
> connections (TLS 1.2 and earlier).

A lot depends on the population size. If this were enabled in a sizeable
chunk of the browser market, then the TLS 1.3 option goes away. Note that
you only create the full exposure if you decide to implement this at a
server without also implementing TLS 1.3.

> What are the benefits of introducing a new ALPN label for demuxing
> HTTP/1.1 from DNS?

Certainty, primarily. A clear signal that both peers agree to use the same
protocol. It might also reduce ossification effects, but I haven't gamed
that out.
Received on Thursday, 4 May 2017 01:44:59 UTC
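The three mechanics this reply turns on can be modelled without a TLS stack: the server's ALPN selection (RFC 7301), the client-side check that the label it needs was actually chosen, and the unsolicited HTTP/2 server preface (a SETTINGS frame on stream 0, RFC 7540) that a DNS-enabled client would have to recognise if the server started speaking h2 first. The following Python is an added illustration, not code from the thread or from any of the drafts it discusses; the DNS ALPN token name is a placeholder because the thread fixes no name, the negotiation functions are a stand-alone model rather than calls into a real TLS library, and the wire samples are constructed here.

```python
import struct

# Placeholder ALPN token for DNS: the thread discusses "a new ALPN label"
# without fixing its name, so this value is an assumption, not a registered id.
DNS_ALPN = "dns-placeholder"
H2_ALPN = "h2"
HTTP11_ALPN = "http/1.1"

SETTINGS_FRAME_TYPE = 0x04  # RFC 7540 section 6.5


class AlpnMismatch(Exception):
    """Raised when the server did not select the protocol the client requires."""


def server_select_alpn(client_offer, server_prefs):
    """RFC 7301 selection: the server walks its own preference list and picks
    the first protocol the client also offered. None means no overlap (the
    server then aborts with no_application_protocol or proceeds without ALPN)."""
    offered = set(client_offer)
    for proto in server_prefs:
        if proto in offered:
            return proto
    return None


def client_require_alpn(expected, selected):
    """The client-side check from the thread: the client offered `expected`
    and proceeds only if the server selected exactly that protocol."""
    if selected != expected:
        raise AlpnMismatch(f"expected {expected!r}, server selected {selected!r}")
    return selected


def is_h2_server_preface(first_bytes):
    """True if the first nine octets are the frame header of a non-ACK SETTINGS
    frame on stream 0, which is what an HTTP/2 server sends unsolicited as its
    connection preface (RFC 7540 section 3.5). Header layout: 24-bit payload
    length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream identifier."""
    if len(first_bytes) < 9:
        return False
    length = int.from_bytes(first_bytes[0:3], "big")
    frame_type = first_bytes[3]
    ack = first_bytes[4] & 0x1
    stream_id = int.from_bytes(first_bytes[5:9], "big") & 0x7FFFFFFF
    # A non-ACK SETTINGS payload is a whole number of 6-octet settings.
    return (frame_type == SETTINGS_FRAME_TYPE and stream_id == 0
            and not ack and length % 6 == 0)


def dns_over_tls_frame(dns_message):
    """RFC 7858 framing: a two-octet big-endian length precedes each DNS message."""
    return struct.pack("!H", len(dns_message)) + dns_message


def build_dns_query(qname):
    """Minimal constructed DNS query (header plus one A/IN question); sample data only."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, qdcount=1
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed sample wire data.
H2_SERVER_PREFACE = (
    struct.pack("!I", 6)[1:]            # 24-bit length = 6
    + bytes([SETTINGS_FRAME_TYPE, 0])   # type SETTINGS, no flags
    + struct.pack("!I", 0)              # stream 0
    + struct.pack("!HI", 0x3, 100)      # SETTINGS_MAX_CONCURRENT_STREAMS = 100
)
DNS_FIRST_BYTES = dns_over_tls_frame(build_dns_query("example.com"))


def demo():
    # 1. Client offers only the DNS label and the server supports it: certainty.
    selected = server_select_alpn([DNS_ALPN], [H2_ALPN, HTTP11_ALPN, DNS_ALPN])
    print("selected:", client_require_alpn(DNS_ALPN, selected))
    # 2. Server lacks the label: no overlap, the client refuses to proceed.
    try:
        client_require_alpn(DNS_ALPN, server_select_alpn([DNS_ALPN], [H2_ALPN, HTTP11_ALPN]))
    except AlpnMismatch as err:
        print("refused:", err)
    # 3. A server that speaks h2 first: the client can tell its preface from DNS framing.
    print("h2 preface?", is_h2_server_preface(H2_SERVER_PREFACE),
          is_h2_server_preface(DNS_FIRST_BYTES))


if __name__ == "__main__":
    demo()
```

The preface check is a heuristic on the first nine octets, which is exactly why the reply counts it as a cost borne by the DNS-enabled client: a dedicated ALPN label removes the need for it, since the client learns the server's choice from the handshake instead of from the first application bytes.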