Re: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS)

Hi all,

I have been holding a DISCUSS on the document below, which selects only specific HTTP header fields to be part of its Web Attack Alarm event. You can see more of my concerns/uncertainty in the DISCUSS comment below, which affects Section 6.3.4 of .

As I havenít had any reaction from the working group, I understand HTTP experts here donít see any red flags with this specific use of headers, and I will be releasing the document in the next week or so.


From: iesg <> on behalf of Francesca Palombini via Datatracker <>
Date: Tuesday, 22 March 2022 at 16:33
To: The IESG <>
Cc: <>, <>, <>, <>, <>
Subject: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS)
Francesca Palombini has entered the following ballot position for
draft-ietf-i2nsf-nsf-monitoring-data-model-16: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to
for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Thank you for the work on this document.

Many thanks to Valery Smyslov for his review:, and to
the authors for addressing his comments.

Thank you for partially addressing my DISCUSS points with this new version. I
do think the question about the Web Attack Alarm was not completely addressed.
I am CC'ing the HTTPBIS wg to see if any of the experts there see any red flags



Section 6.3.4.

FP: It is not clear to me why these specific header fields (and these fields
only) are selected to be part of the information about Web Attack Alarm -
req-user-agent, cookies. I agree with Ben's DISCUSS point 1. (reported below)
and would even add to that that more motivation around which header fields are
included and why, would help. I'd also like to know if the HTTPBIS working
group has been involved in the discussion, and if not, if they could be to give
their expert opinion.


(1) I'm not sure I understand the motivation for recommending (in ß6.3.4) that
the HTTP Cookie header field be included in a notification about a Web
Attack Event.  In general, the cookie field can contain very sensitive
information, including credentials, and it is very risky to be sending the
cookies around outside of their primary protocol context.  Perhaps, if we
are fully confident that the NSF has correctly identified an attack, it
might be useful to send the cookies around, but I think there are still some
scenarios (e.g., a compromised end-user browser) where the cookies in an
attack request are still confidential information that should not be
disclosed.  Could we say more about why it is recommended to always include
the cookies or weaken the recommendation?

Received on Friday, 8 April 2022 13:33:31 UTC