Re: Genart last call review of draft-ietf-httpbis-cdn-loop-01 from Mark Nottingham on 2018-12-17 (ietf-http-wg@w3.org from October to December 2018)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 18 Dec 2018 10:53:44 +1100
To: Joel Halpern <jmh@joelhalpern.com>
Cc: gen-art@ietf.org, draft-ietf-httpbis-cdn-loop.all@ietf.org, ietf@ietf.org, ietf-http-wg@w3.org
Message-Id: <BEF06AF3-42E3-4795-B3DE-3FDC3AD947A2@mnot.net>

Hi Joel,

Thanks for the review.

> On 4 Dec 2018, at 5:45 am, Joel Halpern <jmh@joelhalpern.com> wrote:
...
>    This depends upon CDNs which have not been upgraded not stripping this
>    header.  While I can believe that is a reasonable assumption, it seems that
>    a paragraph explaining that it is the case, and if possible what experience
>    leads us to think it is the case, would be helpful.

I've added:

"""
Note that if a CDN that does not implement this specification allows customers to remove or modify the CDN-Loop header field, that CDN could become an attack vector against other CDNs, even if they do implement it.
"""

>    This document says that it is to protect against attackers causing loops. 
>    If the attacker is an external customer, the advice in the security
>    considerations section makes sense.  The other apparent attack would be an
>    attacker in the network who strips the information each time it comes past.
>     I believe the reason this is only an apparent attack is that such an
>    attacker could almost as easily simply generate additional messages instead
>    of producing a loop.  If I have inferred this correctly, it seems useful to
>    state it.

CDN back-end connections are increasingly protected by HTTPS. Also, most back-end connections are over transit that's unlikely to meddle in these ways (unless a state actor is involved).

Even so, the spec already says:

"""
The threat model that the CDN-Loop header field addresses is a customer who is attempting to attack
a service provider by configuring a forwarding loop by accident or malice.
"""

.... which seems to address your concern. I'm wary of enumerating the attacks which this header doesn't prevent, since it's a necessarily open list. Inserting requirements like "back-end connections SHOULD be over HTTPS" are more appropriate for a general spec defining what a CDN is (and we're not there yet; this spec is a baby step towards that :).

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 17 December 2018 23:54:13 UTC