Re: ID draft-petersson-forwarded-for-02.txt

On Fri, 18 Nov 2011 19:12:52 +1300
Amos Jeffries <squid3@treenet.co.nz> wrote:
> Firstly, why the case for "unknown", "hidden" and obscured tokens.  
> Essentially "hidden" overlaps with obscured, except the cases where it 
> overlaps with "unknown". Would you agree with making it "_hidden", and 
> mentioned as an example case in 6.4 ?

Agree, we can mention "_hidden" as an example of an obfuscated token.


> The other thing, is that by name it appears superficially to be an 
> upgrade of X-Forwarded-For from Squid. Giving it a lot of consideration 
> as such I have come down to the conclusion that the cases where they are 
> in great danger of corrupting each other are many and the ways they can 
> be used together are few.
> 
> I propose mandating that the X-Forwarded-For header MUST NOT be sent by 
> any software sending the Forwarded-For header. Probably under security 
> considerations since XFF is used in security checks very often.  It seems 
> fairly safe to hash the XFF header and insert an obscured _hash token 
> into Forwarded-For marking a point where the data chain became broken. 
> Then erasing the received XFF header.
> 
> As far as I can tell all other possible avenues of importing the XFF 
> relay trail into Forwarded-For lead to header corruption one way or 
> another as the request hops between chains of new and old software (new 
> being the Forwarded-For aware proxies). If anyone has other ideas for a 
> safe algorithm I'd welcome the input.
> 
> AYJ
> 

Both X-Forwarded-For and Forwarded will likely be emitted when you have
no idea about the log capabilities at the receiving end.
Forcing the X-Forwarded-For to be removed will make the upgrade path
harder. 
You should probably be allowed to prepend (after a comparison with
Forwarded) the X-Forwarded-For entries to the Forwarded, though.
You should not trust either X-Forwarded-For or
Forwarded for security checks unless you have a certain level of
control for the whole chain. If you have that control you should also
know what headers are being sent.


 /Andreas Petersson

Received on Tuesday, 22 November 2011 14:36:04 UTC
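
Added example, not part of the original message or of the draft: a receiver that uses X-Forwarded-For for a security decision only as far as the chain is under its own control, as the reply above advises. The trusted proxy network and all addresses are constructed for illustration; a non-address token such as "unknown" or "_hidden" is treated as the point where the chain stops being verifiable.

```python
import ipaddress

# Assumption for this example: the proxies we operate live in this network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr belongs to a proxy network we control."""
    return any(addr in net for net in trusted)


def client_address(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the closest address that our own proxies vouch for.

    peer       -- source address of the TCP connection (known first-hand)
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    current = ipaddress.ip_address(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Walk from the nearest hop outwards. An entry is believed only when the
    # hop that appended it (the current address) is one of our proxies.
    for hop in reversed(hops):
        if not is_trusted(current, trusted):
            break  # everything further left was supplied by an outsider
        try:
            current = ipaddress.ip_address(hop)
        except ValueError:
            # "unknown", "_hidden" or another obfuscated token: the chain is
            # broken here, so keep the last address we could verify.
            break
    return str(current)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For value)
    samples = [
        ("10.0.0.5", "203.0.113.9, 198.51.100.7, 10.0.0.8"),
        ("198.51.100.7", "203.0.113.9"),
        ("10.0.0.5", "203.0.113.9, _hidden"),
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", client_address(peer, xff))
```

In the first sample the leftmost entry is ignored because it was reported by 198.51.100.7, which is outside the controlled chain and could have written anything there.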