Re: Question regarding HTTP/2, SNI, and IP addresses

Hi Martin,

Thanks for pointing me to the bis document. I think the text in draft-ietf-httpbis-http2bis makes things clear. I think the bis document will be very useful for the discussions in 3GPP. My updated understanding is then:

- IP addresses without domain names are ok to use in HTTP/2
- SNI is not required unless a domain name is used.
- For domain names, use of SNI is required for both TLS 1.2 and TLS 1.3

Cheers,
John
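
The three points above as an added example (my own code, not from this thread or from any IETF draft): a client-side helper that applies the draft-ietf-httpbis-http2bis rule, sending server_name only when the authority is a domain name, plus a server-side check that flags a received server_name carrying an IP literal, which [TLS-EXT] (RFC 6066) does not permit. Function names and the sample authorities are assumptions of this example.

```python
import ipaddress
from typing import Optional


def host_of_authority(authority: str) -> str:
    """Extract the host from a URI authority ('user@host:port'); IPv6 literals are unbracketed."""
    host = authority.rsplit("@", 1)[-1]
    if host.startswith("["):                      # bracketed IPv6 literal, e.g. "[2001:db8::1]:443"
        end = host.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal in authority")
        return host[1:end]
    return host.split(":", 1)[0]


def is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 address, False for anything else (including domain names)."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def sni_for_authority(authority: str) -> Optional[str]:
    """Client side: value for the server_name extension, or None when no SNI is to be sent.

    draft-ietf-httpbis-http2bis section 9.2: clients MUST send server_name when the server
    is identified by a domain name. An IP-literal authority therefore gets none, and
    RFC 6066 forbids a literal IPv4/IPv6 address in HostName anyway.
    """
    host = host_of_authority(authority)
    if not host:
        raise ValueError("authority has no host")
    if is_ip_literal(host):
        return None
    return host.rstrip(".").lower()


def server_name_is_acceptable(server_name: Optional[str]) -> bool:
    """Server side: a ClientHello without SNI is fine (the client may be addressing an IP);
    one that carries an address or an empty name in HostName violates RFC 6066 and is worth
    logging or rejecting."""
    if server_name is None:
        return True
    name = server_name.rstrip(".")
    return bool(name) and not is_ip_literal(name)


if __name__ == "__main__":
    for auth in ("www.example.com:443", "[2001:db8::1]:8443", "192.0.2.7"):  # constructed samples
        print(f"{auth:24} server_name={sni_for_authority(auth)!r}")
```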

From: Martin Thomson <mt@lowentropy.net>
Date: Tuesday, 22 June 2021 at 03:08
To: ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: Re: Question regarding HTTP/2, SNI, and IP addresses

On Fri, Jun 18, 2021, at 22:30, John Mattsson wrote:
> Am I correct in my understanding that:
>
>  * HTTP/2 (RFC 7540) requires support of sending the target domain name
> in SNI for both TLS 1.2 and TLS 1.3.
>  * IP addresses cannot be sent in SNI.
>  * IP addresses are not domain names.
>  * Therefore, HTTP/2 with HTTPS requires domain names and cannot be
> used with IP addresses only.

The revision says:

> The TLS implementation MUST support the Server Name Indication (SNI) [TLS-EXT] extension to TLS. If the server is identified by a domain name [DNS-TERMS], clients MUST send the server_name TLS extension unless an alternative mechanism to indicate the target host is used.

-- https://httpwg.org/http2-spec/draft-ietf-httpbis-http2bis.html#section-9.2-2

Is that clearer?  There are also similar updates to the HTTP core documents.

The intent was never to prohibit the use of IP addresses as authority.  That you might interpret the text that way is just an error.

Received on Wednesday, 23 June 2021 08:19:38 UTC