- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 2 Dec 2018 15:51:03 +0100
- To: ietf@ietf.org
- Cc: draft-ietf-httpbis-cdn-loop@ietf.org, httpbis-chairs@ietf.org, ietf-http-wg@w3.org, alexey.melnikov@isode.com
Hi there,

here's my feedback, mainly editorial:

> 1. Introduction
> ...
> This specification defines the CDN-Loop request header field for HTTP
> to enable secure interoperability of forwarding CDNs. Having a
> header that is guaranteed not to be modified by other CDNs that are
> used by a shared customer helps give each CDN additional confidence
> that any purpose (debugging, data gathering, enforcement) that they
> use this header for is free from tampering due to how that customer
> configured the other CDNs.

Please use "header field" consistently.

> 1.1. Relationship to Via
>
> HTTP defines the Via header field in [RFC7230], Section 5.7.1 for

s/[RFC7230], Section 5.7.1/Section 5.7.1 of [RFC7230]/

> "tracking message forwards, avoiding request loops, and identifying
> the protocol capabilities of senders along the request/response
> chain."
>
> In theory, Via could be used to identify these loops. However, in
> practice it is not used in this fashion, because some HTTP servers
> use Via for other purposes - in particular, some implementations
> disable some HTTP/1.1 features when the Via header is present.

It would be nice if this came with pointers to related bug reports so the reader could have a glance.

> 2. The CDN-Loop Request Header Field
>
> CDN-Loop: FooCDN, barcdn; host="foo123.bar.cdn"
> CDN-Loop: baz-cdn; abc="123"; def="456", anotherCDN
>
> Note that the token syntax does not allow whitespace, DQUOTE or any
> of the characters "(),/:;<=>?@[]{}". See [RFC7230], Section 3.2.6.

s/. See [RFC7230], Section 3.2.6./([RFC7230], Section 3.2.6)./

> Likewise, note the rules for when parameter values need to be quoted
> in [RFC7231], Section 3.1.1.

s/[RFC7231], Section 3.1.1/Section 3.1.1 of [RFC7231]/

> 5.2. Informative References
>
> [loop-attack]
> Chen, J., Jiang, J., Zheng, X., Duan, H., Liang, J., Li,
> K., Wan, T., and V. Paxson, "Forwarding-Loop Attacks in
> Content Delivery Networks", ISBN 1-891562-41-X,
> DOI 10.14722/ndss.2016.23442, February 2016,
> <http://www.icir.org/vern/papers/cdn-loops.NDSS16.pdf>.

The thing being cited is not the same thing as ISBN 1-891562-41-X (which appears to be the publication in which the paper appears). I believe it would be best to drop the ISBN number.

Best regards, Julian
Received on Sunday, 2 December 2018 14:51:37 UTC
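
The header syntax quoted in the review above (token-valued CDN identifiers, parameters that must be quoted when they are not tokens) can be checked mechanically before a CDN decides whether a request has already passed through it. The following Python is an added example, not part of the original message or of the draft. The function names are hypothetical, and it assumes only the token form of a CDN identifier, as in the draft's two sample lines, and exact string comparison of identifiers.

```python
import re

# Token per RFC 7230 Section 3.2.6: no whitespace, DQUOTE or "(),/:;<=>?@[]{}".
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# A parameter value is either a bare token or a quoted-string.
PARAM = rf"\s*;\s*({TOKEN})=({TOKEN}|{QUOTED})"
PARAM_RE = re.compile(PARAM)
# Assumption: the CDN identifier is a plain token (no host:port form).
CDN_INFO = re.compile(rf"\s*({TOKEN})((?:{PARAM})*)\s*(?:,|$)")


def parse_cdn_loop(value):
    """Return [(cdn_id, {param: value}), ...]; raise ValueError if malformed."""
    entries, pos = [], 0
    while pos < len(value):
        m = CDN_INFO.match(value, pos)
        if not m:
            raise ValueError(f"malformed CDN-Loop at offset {pos}: {value[pos:]!r}")
        params = {}
        for name, raw in PARAM_RE.findall(m.group(2)):
            if raw.startswith('"'):
                # Strip the quotes and undo quoted-pair escapes.
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            params[name] = raw
        entries.append((m.group(1), params))
        pos = m.end()
    return entries


def seen_before(field_lines, own_id):
    """True if own_id already appears in any CDN-Loop field line of a request."""
    return any(cdn_id == own_id
               for line in field_lines
               for cdn_id, _ in parse_cdn_loop(line))


# The two sample field lines quoted from the draft.
SAMPLE = [
    'FooCDN, barcdn; host="foo123.bar.cdn"',
    'baz-cdn; abc="123"; def="456", anotherCDN',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_cdn_loop(line))
    print("loop for barcdn:", seen_before(SAMPLE, "barcdn"))
```

A malformed field line raises rather than being skipped, so the caller has to decide explicitly how to treat a request whose loop history cannot be parsed.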