Hello Daniel, thank you for writing this down. The draft is great. And it's awesome that it's accompanied by actual running code.

I have just a few notes after reading the draft for the first time:

- For the sake of simplicity, I would suggest dropping the part about HTTP/0.9. I don't think it's worth the effort keeping it supported.
- Section 3 (Overview of initial octets) is a little bit chaotic and scattered. Maybe it would be more readable if you just provided pointers to the specifications of the protocols without providing many details, then showed the initial octets (or headers) side by side without analysing the content, and in the end walked through the bytes from the beginning while discussing the values.
- I love how simple the algorithm is in the end. And the proof is great.

Cheers,
Jan

On Tue, Apr 25, 2017 at 2:48 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> Hi all--
>
> I just pushed an individual submission that folks in DPRIVE might be
> interested in:
>
> https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/
>
> It describes how a TLS server can offer both HTTPS and DNS-over-TLS on
> the same port because valid initial messages from each protocol are
> always distinguishable by the server.
>
> I have a functional implementation listening on TCP port 443 on
> dns.cmrg.net right now, if anyone wants to experiment with it. Consider
> all the possibilities of this terrible layering violation!
>
> Both of these commands work just fine:
>
> wget -O- https://dns.cmrg.net/
>
> kdig +tls +tls-ca +tls-hostname=dns.cmrg.net @dns.cmrg.net:443 www.ietf.org
>
> I believe my analysis of DNS and HTTP message framing is correct, but if
> that's not the case, I hope someone will helpfully correct me.
>
> Constructive criticism is welcome on-list, and minor editorial cleanup can
> be made as merge requests to https://gitlab.com/dkg/hddemux or by
> private e-mail. Please send flames by private e-mail only :)
>
> --dkg
>
>
> ---------- Forwarded message ----------
> From: [email protected]
> To: Daniel Kahn Gillmor <[email protected]>
> Cc:
> Bcc:
> Date: Mon, 24 Apr 2017 17:01:37 -0700
> Subject: New Version Notification for draft-dkg-dprive-demux-dns-http-00.txt
>
> A new version of I-D, draft-dkg-dprive-demux-dns-http-00.txt
> has been successfully submitted by Daniel Kahn Gillmor and posted to the
> IETF repository.
>
> Name: draft-dkg-dprive-demux-dns-http
> Revision: 00
> Title: Demultiplexing Streamed DNS from HTTP
> Document date: 2017-04-24
> Group: Individual Submission
> Pages: 16
> URL: https://www.ietf.org/internet-drafts/draft-dkg-dprive-demux-dns-http-00.txt
> Status: https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/
> Htmlized: https://tools.ietf.org/html/draft-dkg-dprive-demux-dns-http-00
> Htmlized: https://datatracker.ietf.org/doc/html/draft-dkg-dprive-demux-dns-http-00
>
> Abstract:
> DNS over TCP and traditional HTTP are both stream-oriented,
> client-speaks-first protocols. They can both be run over a stream-based
> security protocol like TLS. A server accepting a stream-based client
> can distinguish between a valid stream of DNS queries and a valid
> stream of HTTP requests by simple observation of the first few octets
> sent by the client. This can be done without any external
> demultiplexing mechanism like TCP port number or ALPN.
>
> Implicit multiplexing of the two protocols over a single listening
> port can be useful for obscuring the presence of DNS queries from a
> network observer, which makes it relevant for DNS privacy.
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> dns-privacy mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dns-privacy
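As an added illustration of the framing argument in the abstract (constructed example code, not the draft's algorithm and not the hddemux implementation): a classifier that looks at the first octets a client sends after the TLS handshake, using the RFC 1035 2-octet TCP length prefix plus header for DNS and the HTTP/1.x request-line method token for HTTP. The method list, the QR-bit check and the `tcp_dns_query` helper are my own assumptions for the demo, not rules taken from the draft.

```python
import struct

# Constructed heuristic, not the draft's own decision procedure.
# HTTP/1.x request lines begin with a method token followed by SP
# (these are the methods registered by RFC 7231 and RFC 5789).
HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"CONNECT", b"OPTIONS", b"TRACE", b"PATCH")
DNS_HEADER_LEN = 12            # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_PREFIX_LEN = 2 + DNS_HEADER_LEN   # RFC 1035 4.2.2 length prefix + header


def classify_initial_octets(data: bytes) -> str:
    """Classify the first octets a client sent on the stream.

    Returns "http", "dns", "need_more" (no decision yet) or "unknown".
    """
    # HTTP check first: an HTTP request line is all printable ASCII, so its
    # first two octets would also parse as a plausible DNS length prefix.
    for method in HTTP_METHODS:
        want = method + b" "
        if data.startswith(want):
            return "http"
        if want.startswith(data):       # data is a proper prefix of "METHOD "
            return "need_more"
    if len(data) < DNS_PREFIX_LEN:
        return "need_more"
    # DNS over TCP: big-endian message length, then the header. A client's
    # first message must be a query (QR bit clear) and carry a full header.
    msg_len, _ident, flags = struct.unpack("!HHH", data[:6])
    if msg_len >= DNS_HEADER_LEN and (flags >> 15) == 0:
        return "dns"
    return "unknown"


def tcp_dns_query(name: str, ident: int = 0xABCD, qtype: int = 1) -> bytes:
    """Build a constructed DNS-over-TCP query (RFC 1035 framing) for testing."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    msg = header + qname + struct.pack("!HH", qtype, 1)         # QCLASS IN
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    print(classify_initial_octets(b"GET / HTTP/1.1\r\nHost: dns.cmrg.net\r\n\r\n"))
    print(classify_initial_octets(tcp_dns_query("www.ietf.org")))
```

Feeding the classifier the stream incrementally (re-running it as bytes arrive until it stops returning "need_more") is what a demuxing front end would do before handing the connection to the HTTP or DNS back end.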
