Re: Eric Rescorla's Discuss on draft-ietf-httpbis-cdn-loop-01: (with DISCUSS and COMMENT)

Hello EKR,

> On 21 Dec 2018, at 12:19 am, Eric Rescorla <> wrote:

> S 2.
>>     header if necessary).
>>     The token identifies the CDN as a whole.  Chosen token values SHOULD
>>     be unique enough that a collision with other CDNs is unlikely.
>>     Optionally, the token can have semicolon-separated key/value
>>     parameters, to accommodate additional information for the CDN's use.
> I don't know how to understand "unique enough" as a conformance
> requirement. I think you need to specify something specific here, like
> "globally unique" or some other scope. I don't insist that you provide
> a construction algorithm, though obviously that would be good.

There are relatively few CDNs, and they're pretty aware of each other. I'm not convinced a strict / algorithmic means of identifying them will add value; consider the name spaces of things like HTTP headers, and how little the registry is actually used, and how few collisions problems we actually encounter. Also, I wanted this field to be someone flexible so that a CDN could choose to use multiple tokens if it wanted to; e.g., some use a hierarchy, others use multiple "networks" with different configurations.

If this text is causing so much heartburn, I suggest we just remove the sentence (and probably remove "as a whole.").

> S 1.
>>     in a "loop" accidentally; because routing is achieved through a
>>     combination of DNS and forwarding rules, and site configurations are
>>     sometimes complex and managed by several parties.
>>     When this happens, it is difficult to debug.  Additionally, it
>>     sometimes isn't accidental; loops between multiple CDNs be used as an
> can be used

Already fixed.

> S 2.
>>     CDN-Loop = #cdn-id
>>     cdn-id   = token *( OWS ";" OWS parameter )
>>     Conforming Content Delivery Networks SHOULD add a value to this
>>     header field to all requests they generate or forward (creating the
>>     header if necessary).
> Can this header only go in a request?


> S 3.
>>     through configuration) and servers (including intermediaries) SHOULD
>>     NOT use it for other purposes.
>>  3.  Security Considerations
>>     The threat model that the CDN-Loop header field addresses is a
> As Alissa points out, this also potentially leaks the CDN you use,
> even if that would otherwise be hidden. For instance, suppose that a
> request goes A -> B -> C but B is hidden (doesn't add anything to the
> headers). If you know B's token, then you can tell if this is the case
> or not., by injecting it yourself and seeing if you get service. Seems
> like you should document this.

It leaks the CDN the origin configures to the origin -- what attack are you concerned about here?

Mark Nottingham

Received on Thursday, 20 December 2018 23:28:01 UTC