One quick comment is that binding tokens to IP addresses is strongly
counter-recommended.
It doesn't survive NATs, proxies, or mobility, and it is especially
problematic in IPv6+IPv4 dual-stack environments.
(Even in IPv6-only, privacy addressing causes problems here.) Even if you
have a way to convert tokens over
for your set of IP addresses (e.g., to deal with dual-stack), that still may
not help enough with NAT environments.

      Erik


On Thu, Jun 25, 2020 at 4:29 PM Yiannis Yiakoumis <
yian...@selfienetworks.com> wrote:

> Hi all,
>
> I wanted to briefly introduce network tokens <https://networktokens.org>
> to this list, explain how they relate to TLS and ESNI, and kindly ask anyone
> who is interested to share feedback and join the discussion.
>
> Network tokens are a method for endpoints to explicitly and securely
> coordinate with networks about how their traffic is treated. They are
> inserted by endpoints in existing protocols, interpreted by trusted
> networks, and may be signed or encrypted to meet security and privacy
> requirements. Network tokens provide a means for network operators to
> expose datapath services (such as a zero-rating service, a user-driven QoS
> service, or a firewall whitelist), and for end users and application
> providers to access such services. Network tokens are inspired by and derived
> from existing security tokens (like JWT and CWT), borrowing several of their
> security and privacy properties, and adjusting them for use in a networking
> context.
>
> There are two ways that network tokens relate to TLS:
>
>    1. They can support ESNI adoption: in a world where ESNI is widely
>    adopted, network tokens can enable use cases where endpoint-network
>    coordination is required, without having to go back to plaintext SNI that
>    everyone can read.
>    2. Network tokens are embedded as TLS handshake extensions (among
>    others).
>
> We are shooting for a BoF in November, and are very much interested in
> feedback around the concept, use cases, what we need to do to make network
> tokens adopted as a TLS handshake extension, and folks who are interested
> in getting involved in the effort!
>
> Links to an IETF I-D, a mailing list, and initial implementation are
> available at https://networktokens.org.
>
> Best,
> Yiannis
>
> =====================
> Yiannis Yiakoumis
> Co-Founder & CEO
> https://selfienetworks.com | +1-650-644-7857
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
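An added example (not code from Erik's message, the TLS list, or the network tokens project): a JWT-style HMAC token that carries an `ip` binding claim, checked against the source addresses a network would observe in the situations Erik lists. The `canonical()` fold of IPv4-mapped IPv6 addresses stands in for the dual-stack "conversion" he mentions; the claim names, addresses and key are constructed for the demo.

```python
import base64, hashlib, hmac, ipaddress, json

ISSUER_KEY = b"constructed-demo-key"  # constructed for this example, not a real issuer key

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def canonical(ip: str):
    """Fold an IPv4-mapped IPv6 address (::ffff:a.b.c.d, what a dual-stack
    socket reports for an IPv4 peer) back to the plain IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def issue(claims: dict) -> str:
    """Compact JWT-style token: base64url(claims) '.' base64url(HMAC-SHA256 tag)."""
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def verify(token: str, source_ip: str) -> tuple:
    """Network-side check: valid tag, and (if bound) source address in the 'ip' claim."""
    body, tag = token.split(".")
    want = _b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, want):
        return False, "bad signature"
    claims = json.loads(_unb64u(body))
    bound = [canonical(a) for a in claims.get("ip", [])]
    if bound and canonical(source_ip) not in bound:
        return False, "bound to %s, seen from %s" % (claims["ip"], source_ip)
    return True, "ok"

# Constructed scenario: a dual-stack client obtained the token while holding these two addresses.
TOKEN = issue({"svc": "zero-rate", "ip": ["192.0.2.10", "2001:db8::10"]})

SCENARIOS = {  # constructed observed source addresses for the same client
    "ipv4 via dual-stack socket":   "::ffff:192.0.2.10",  # accepted only because of canonical()
    "ipv6 address as issued":       "2001:db8::10",
    "ipv6 privacy address rotated": "2001:db8::c0ff:ee",  # RFC 4941 temporary address: rejected
    "moved to another network":     "198.51.100.7",       # mobility: rejected
    "behind carrier NAT":           "203.0.113.1",        # NAT address, shared with other hosts: rejected
}

def run_scenarios() -> dict:
    return {name: verify(TOKEN, ip)[0] for name, ip in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-32s %s" % (name, "accept" if ok else "REJECT"))
```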
