One quick comment is that binding tokens to IP addresses is strongly counter-recommended. It doesn't survive NATs, proxies, or mobility, and it is especially problematic in IPv6+IPv4 dual-stack environments. (Even in IPv6-only, privacy addressing causes problems here.) Even if you have a way to convert tokens over for your set of IP addresses (e.g., to deal with dual-stack), that still may not help enough with NAT environments.
Erik

On Thu, Jun 25, 2020 at 4:29 PM Yiannis Yiakoumis <yian...@selfienetworks.com> wrote:
> Hi all,
>
> I wanted to briefly introduce network tokens <https://networktokens.org>
> into this list, how they relate to TLS and ESNI, and kindly ask anyone
> that is interested to share feedback and join the discussion.
>
> Network tokens are a method for endpoints to explicitly and securely
> coordinate with networks about how their traffic is treated. They are
> inserted by endpoints in existing protocols, interpreted by trusted
> networks, and may be signed or encrypted to meet security and privacy
> requirements. Network tokens provide a means for network operators to
> expose datapath services (such as a zero-rating service, a user-driven QoS
> service, or a firewall whitelist), and for end users and application
> providers to access such services. Network tokens are inspired by and derived
> from existing security tokens (like JWT and CWT), borrowing several of their
> security and privacy properties, and adjusting them for use in a networking
> context.
>
> There are two ways that network tokens relate to TLS:
>
> 1. They can support ESNI adoption: in a world where ESNI is widely
> adopted, network tokens can enable use cases where endpoint-network
> coordination is required, without having to go back to plaintext SNI that
> everyone can read.
> 2. Network tokens are embedded as TLS handshake extensions (among
> others).
>
> We are shooting for a BoF in November, and are very much interested in
> feedback around the concept, use cases, what we need to do to get network
> tokens adopted as a TLS handshake extension, and folks that are interested
> in getting involved in the effort!
>
> Links to an IETF I-D, a mailing list, and initial implementation are
> available at https://networktokens.org .
>
> Best,
> Yiannis
>
> =====================
> Yiannis Yiakoumis
> Co-Founder & CEO
> https://selfienetworks.com | +1-650-644-7857
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
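The failure mode Erik describes above, as an added example that is not part of the thread and not the network-tokens draft's own format: a toy HMAC-signed token (JWT-like in spirit, with a hypothetical `bip` claim naming the IP address the token is bound to) is verified against the source address the network actually observes. The key, claim names, and addresses are all constructed for illustration; the point it makes is that a token issued to a client's private IPv4 or IPv6 address stops validating the moment a NAT rewrites the source or a dual-stack host falls back to the other address family, while a token that relies on its signature and expiry alone keeps working.

```python
"""Added example (not from the thread or the network-tokens draft): a toy
HMAC-signed token used to show why binding a token to the client's IP
address breaks under NAT and IPv4/IPv6 dual-stack. Every key, claim name
and address below is constructed for illustration."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

SECRET = b"example-shared-key"  # hypothetical key shared by issuer and verifier
NOW = 1_600_000_000             # fixed clock so the scenarios are deterministic


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(claims: dict, key: bytes = SECRET) -> str:
    """Serialize claims and append an HMAC-SHA256 tag: '<body>.<tag>'."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify(token: str, observed_src: str, now: float = None, key: bytes = SECRET):
    """Verify a token as the network would see it.

    observed_src is the source address on the packet carrying the token,
    i.e. what is left after any NAT or address-family selection on the path.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
    except ValueError:
        return False, "malformed"
    expect = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64(tag)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < now:
        return False, "expired"
    if "bip" in claims:  # hypothetical claim: address the issuer bound the token to
        if ipaddress.ip_address(claims["bip"]) != ipaddress.ip_address(observed_src):
            return False, f"bound to {claims['bip']}, seen from {observed_src}"
    return True, "ok"


def demo() -> dict:
    """Run the scenarios from the thread; returns {scenario: (ok, reason)}."""
    exp = NOW + 600
    bound_v4 = issue({"exp": exp, "bip": "10.0.0.5"})     # client's private IPv4
    bound_v6 = issue({"exp": exp, "bip": "2001:db8::1"})  # client's IPv6 address
    unbound = issue({"exp": exp})                         # signature + expiry only
    # body of one token glued to the tag of another: must fail the MAC check
    tampered = (issue({"exp": exp, "bip": "203.0.113.7"}).split(".")[0]
                + "." + bound_v4.split(".")[1])
    return {
        "same_host":   verify(bound_v4, "10.0.0.5", now=NOW),
        "behind_nat":  verify(bound_v4, "203.0.113.7", now=NOW),   # NAT rewrote source
        "dual_stack":  verify(bound_v6, "198.51.100.4", now=NOW),  # fell back to IPv4
        "unbound_nat": verify(unbound, "203.0.113.7", now=NOW),
        "unbound_v6":  verify(unbound, "2001:db8::1", now=NOW),
        "expired":     verify(unbound, "10.0.0.5", now=exp + 1),
        "tampered":    verify(tampered, "203.0.113.7", now=NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'OK ' if ok else 'FAIL'} {reason}")
```

The "unbound" token here is only the contrast case, not a recommendation: dropping the binding leaves the token replayable by anyone who captures it within its lifetime. The general JWT-style alternative to an IP binder is to bind the token to something the endpoint controls and can prove possession of (a key, in the manner of a `cnf` claim), which survives NAT and address-family changes because the verifier never looks at the source address.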