On Wed, May 3, 2017 at 11:15 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> Hi HTTP folks--
>
> I've just pushed a revision to a recent individual submission about a
> technique for hiding DNS traffic that makes use of HTTP:
>
> https://datatracker.ietf.org/doc/draft-dkg-dprive-demux-dns-http/

Cool idea. One concern might be compatibility with other similar mechanisms.

For example, there are protocols such as Netscaler Client IP:

https://www.citrix.com/blogs/2016/04/25/how-to-enable-client-ip-in-tcpip-option-of-netscaler/

or HAProxy's Proxy Protocol:

https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

where proxies may insert their own preamble on the connection, to pass on something like an L4 X-Forwarded-For. Sometimes the backends behind these proxies have to accept traffic directly too, and they fingerprint the first few bytes to determine whether it's a direct HTTP connection, or a proxied request.

I haven't thought through it, but it might get a little complicated doing two levels of demuxing, and it might not even be possible in some cases.

-- 
Colm
_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy
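The two-level demuxing Colm describes, as an added example that is not part of the thread or of the draft: a backend that first strips an optional PROXY-protocol v1 preamble (the HAProxy format linked above) and then fingerprints the remaining leading bytes to decide whether the connection carries an HTTP/1.x request or a length-prefixed DNS-over-TCP message. The PROXY v2 signature and v1 layout follow the public HAProxy specification; the DNS and HTTP byte patterns follow RFC 1035 and RFC 7230. All sample inputs are constructed here, and the classification order (PROXY, then HTTP, then DNS) is this example's own design choice, which is exactly where the ambiguity the thread worries about shows up.

```python
"""Fingerprint the first bytes of a TCP connection through two demux levels.

Added example for the dns-privacy thread above; not code from the draft or
from HAProxy.  Sample byte strings below are constructed for illustration.
"""
import struct

# 12-byte binary signature that opens a PROXY protocol v2 header.
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
# Leading tokens of an HTTP/1.x request line (plus the h2c "PRI" preface).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ", b"PRI ")


def strip_proxy_v1(data):
    """Level 1: if a PROXY v1 line is present, split it off.

    Returns (fields, remainder); fields is None when there is no preamble.
    A v1 line is at most 107 bytes and ends with CRLF.
    """
    if not data.startswith(b"PROXY "):
        return None, data
    end = data.find(b"\r\n", 0, 108)
    if end < 0:
        raise ValueError("incomplete or malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    return fields, data[end + 2:]


def looks_like_dns_tcp(data):
    """Heuristic for RFC 1035 TCP framing: 2-byte length, then a query header.

    Accepts only a plausible standard query: length covers a header, QR=0,
    OPCODE=0 and at least one question.  Anything else is rejected.
    """
    if len(data) < 14:
        return False
    (length,) = struct.unpack("!H", data[:2])
    if length < 12:
        return False
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[2:14])
    qr = flags & 0x8000
    opcode = (flags >> 11) & 0xF
    return qr == 0 and opcode == 0 and qdcount >= 1


def classify(data):
    """Level 2: name the protocol the leading bytes most likely belong to."""
    if data.startswith(PROXY_V2_SIG):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    # HTTP is checked before DNS: a DNS message whose 2-byte length field
    # happened to spell an ASCII method prefix would be misread here, which
    # is the kind of collision a demux design has to rule out up front.
    if data.startswith(HTTP_METHODS):
        return "http"
    if looks_like_dns_tcp(data):
        return "dns"
    return "unknown"


def demux(data):
    """Run both levels: strip a v1 preamble if present, then classify the rest."""
    proxy_fields, inner = strip_proxy_v1(data)
    return proxy_fields, classify(inner)


def build_sample_dns_query(name_labels=(b"example", b"com")):
    """Constructed DNS-over-TCP query (A record) for use as sample input."""
    qname = b"".join(bytes([len(l)]) + l for l in name_labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    message = header + qname + b"\x00\x01\x00\x01"               # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(message)) + message


SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_DNS = build_sample_dns_query()
SAMPLE_PROXY_V1 = b"PROXY TCP4 192.0.2.1 198.51.100.1 56324 443\r\n"

if __name__ == "__main__":
    for label, blob in [("direct http", SAMPLE_HTTP),
                        ("direct dns", SAMPLE_DNS),
                        ("proxied dns", SAMPLE_PROXY_V1 + SAMPLE_DNS),
                        ("proxied http", SAMPLE_PROXY_V1 + SAMPLE_HTTP)]:
        print(label, "->", demux(blob))
```

The point of the second level is that it only works if the byte patterns of every protocol a backend accepts are mutually exclusive after the first one has been stripped; adding a third protocol (here, DNS) means re-checking that its first two bytes, a big-endian length, can never collide with a PROXY signature or an HTTP method the backend also honours.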
