Eric Rescorla's Discuss on draft-ietf-httpbis-cdn-loop-01: (with DISCUSS and COMMENT)

Eric Rescorla has entered the following ballot position for
draft-ietf-httpbis-cdn-loop-01: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-cdn-loop/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D12072


This seems like it can be easily fixed, but I do think it needs to be
fixed.

DETAIL
S 2.
>      header if necessary).
>   
>      The token identifies the CDN as a whole.  Chosen token values SHOULD
>      be unique enough that a collision with other CDNs is unlikely.
>      Optionally, the token can have semicolon-separated key/value
>      parameters, to accommodate additional information for the CDN's use.

I don't know how to understand "unique enough" as a conformance
requirement. I think you need to specify something specific here, like
"globally unique" or some other scope. I don't insist that you provide
a construction algorithm, though obviously that would be good.


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

S 1.
>      in a "loop" accidentally; because routing is achieved through a
>      combination of DNS and forwarding rules, and site configurations are
>      sometimes complex and managed by several parties.
>   
>      When this happens, it is difficult to debug.  Additionally, it
>      sometimes isn't accidental; loops between multiple CDNs be used as an

can be used


S 2.
>      CDN-Loop = #cdn-id
>      cdn-id   = token *( OWS ";" OWS parameter )
>   
>      Conforming Content Delivery Networks SHOULD add a value to this
>      header field to all requests they generate or forward (creating the
>      header if necessary).

Can this header only go in a request?


S 3.
>      through configuration) and servers (including intermediaries) SHOULD
>      NOT use it for other purposes.
>   
>   3.  Security Considerations
>   
>      The threat model that the CDN-Loop header field addresses is a

As Alissa points out, this also potentially leaks the CDN you use,
even if that would otherwise be hidden. For instance, suppose that a
request goes A -> B -> C but B is hidden (doesn't add anything to the
headers). If you know B's token, then you can tell if this is the case
or not, by injecting it yourself and seeing if you get service. Seems
like you should document this.

Received on Thursday, 20 December 2018 13:20:10 UTC
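
An added example, not part of the original message or of the draft: a parser for the `CDN-Loop` grammar quoted under S 2, with a count of how often a given token already appears in a request. The `parameter` rule is assumed to be RFC 7231's `token "=" ( token / quoted-string )`, exact-match token comparison is an assumption, and the sample tokens are constructed.

```python
import re

# token is the RFC 7230 tchar set. "parameter" is not defined in the quoted
# draft text, so token "=" ( token / quoted-string ) is assumed here.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = rf";[ \t]*({TOKEN})=({TOKEN}|{QUOTED})"
PARAM_RE = re.compile(PARAM)
# cdn-id = token *( OWS ";" OWS parameter ), followed by "," or end of line
CDN_ID = re.compile(rf"({TOKEN})((?:[ \t]*{PARAM})*)[ \t]*(?=,|$)")
LIST_SEP = re.compile(r"[ \t,]*")  # OWS, commas and empty list elements


def parse_cdn_loop(field_lines):
    """Return [(token, {param: raw_value})] for every cdn-id, in hop order."""
    hops = []
    for line in field_lines:  # the field may arrive as several field lines
        pos = 0
        while True:
            pos = LIST_SEP.match(line, pos).end()
            if pos == len(line):
                break
            m = CDN_ID.match(line, pos)
            if m is None:
                raise ValueError(f"malformed cdn-id at offset {pos} in {line!r}")
            # Quoted parameter values are kept raw, including their quotes.
            hops.append((m.group(1), dict(PARAM_RE.findall(m.group(2)))))
            pos = m.end()
    return hops


def times_seen(field_lines, own_token):
    """Count cdn-ids whose token equals own_token (exact match assumed)."""
    return sum(1 for token, _ in parse_cdn_loop(field_lines) if token == own_token)


# Constructed sample: commas and semicolons inside a quoted-string must not
# split the list, which a plain str.split(",") would get wrong.
SAMPLE = ['edge.example ; pop="fra1, rack;7" ;v=2, , cdn', "other-cdn.example"]

if __name__ == "__main__":
    for token, params in parse_cdn_loop(SAMPLE):
        print(token, params)
    print("cdn seen:", times_seen(SAMPLE, "cdn"))
```

A count above zero cannot by itself distinguish a real loop from a token collision with another CDN or from a value the client supplied, which is what the DISCUSS and the S 3 comment are about.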