Re: New Version Notification for draft-cdn-loop-prevention-00.txt

Hi Martin,

> On 3 Jul 2018, at 9:46 am, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> Did you want to hint at what you might do when you receive one of
> these things?  That is, is there a 5xx-series status code that a CDN
> might use if it recognizes itself in the header field?

I think that's entirely up to the CDN and its configuration by customers.

> As Patrick mentioned, Via is abused in ways that can be fairly
> invasive.  Aside from the obvious question of how this time it will be
> different, which might be addressed with more text

Based on the discussion so far, I think a FAQ might help, yes.

> , are there some missing privacy considerations?

Such as? It's only a request header. I suppose the CDN could put sensitive information in the payload if it wanted to, but that's no different from any other header field that allows extensibility, or unregistered fields. Did you have something else in mind?

Cheers,



> On Mon, Jul 2, 2018 at 5:04 PM Mark Nottingham <mnot@mnot.net> wrote:
>> 
>> (Co-author hat on)
>> 
>> For interest / discussion. This is a proposal for a minimal mechanism to avoid loop attacks and misconfigurations against CDNs. Feedback appreciated.
>> 
>> Cheers,
>> 
>> 
>> Begin forwarded message:
>> 
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-cdn-loop-prevention-00.txt
>> Date: 27 June 2018 at 2:12:46 pm AEST
>> To: "Stephen Ludin" <sludin@akamai.com>, "Mark Nottingham" <mnot@fastly.com>, "Nick Sullivan" <nick@cloudflare.com>
>> 
>> 
>> A new version of I-D, draft-cdn-loop-prevention-00.txt
>> has been successfully submitted by Mark Nottingham and posted to the
>> IETF repository.
>> 
>> Name: draft-cdn-loop-prevention
>> Revision: 00
>> Title: CDN Loop Prevention
>> Document date: 2018-06-27
>> Group: Individual Submission
>> Pages: 5
>> URL: https://www.ietf.org/internet-drafts/draft-cdn-loop-prevention-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-cdn-loop-prevention/
>> Htmlized: https://tools.ietf.org/html/draft-cdn-loop-prevention-00
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-cdn-loop-prevention
>> 
>> 
>> Abstract:
>>  This specification defines the CDN-Loop request header field for
>>  HTTP.
>> 
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 3 July 2018 02:35:07 UTC