Re: Follow-up on draft-ietf-netconf-http-client-server

TL;DR;  Is client-auth to a web proxy mandatory?

Thanks,
Kent


> On Jul 21, 2020, at 12:40 PM, Kent Watsen <kent+ietf@watsen.net> wrote:
> 
> Thank you all for your earlier comments regarding draft-ietf-netconf-http-client-server <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server>.
> 
> The draft is now almost ready for WGLC (which will be CC-ed here as well), but there remains one item for which your guidance is needed (see bottom).
> 
> First, as a recap, one of the primarily takeaways from before was that proxies can be supported both at the TCP-level (i.e., via SOCKS) and at the HTTP-level (i.e. via a Web Proxy).
> 
> In order to support TCP-level proxies, the “tcp-client-grouping”, which is defined in another draft (draft-ietf-netconf-tcp-client-server <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server>), now defines optional configuration enabling any TCP-client to initiate a connection via a proxy.  FWIW, here is a direct link to the "tree diagram” <https://tools.ietf.org/html/draft-ietf-netconf-tcp-client-server-07#section-3.1.2.1>  illustrating this.
> 
> In order to support HTTP-level proxies, *this* draft was modified to introduce a new “proxy-connect” configuration stanza that, in effect, is the complete configuration for another HTTP-client connection.  Here’s a direct link to the “tree diagram” <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.1.2.2> and here is a fully-populated example <https://tools.ietf.org/html/draft-ietf-netconf-http-client-server-04#section-2.2> (see 2nd example).
> 
> Does everything appear to be in order so far?
> 
> Now, for the question, do Web Proxies require client-auth?  More specifically:
> when an HTTP client is connecting to a Web Proxy via HTTP, is HTTP-level auth (i.e. Basic) mandatory or optional?
> when an HTTP client is connecting to a Web Proxy via HTTPS, is TLS-level and/or HTTP-level auth mandatory or optional?
> 
> Thanks,
> Kent
>