- From: Francesca Palombini <francesca.palombini@ericsson.com>
- Date: Fri, 8 Apr 2022 13:33:16 +0000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- CC: "draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org" <draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org>
- Message-ID: <HE1PR07MB42175BE689C78F3E567B384798E99@HE1PR07MB4217.eurprd07.prod.outlook.com>
Hi all, I have been holding a DISCUSS on the document below, which selects only specific HTTP header fields to be part of its Web Attack Alarm event. You can see more of my concerns/uncertainty in the DISCUSS comment below, which affects Section 6.3.4 of https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-monitoring-data-model-16 . As I haven’t had any reaction from the working group, I understand HTTP experts here don’t see any red flags with this specific use of headers, and I will be releasing the document in the next week or so. Francesca From: iesg <iesg-bounces@ietf.org> on behalf of Francesca Palombini via Datatracker <noreply@ietf.org> Date: Tuesday, 22 March 2022 at 16:33 To: The IESG <iesg@ietf.org> Cc: draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org <draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org>, i2nsf@ietf.org <i2nsf@ietf.org>, dunbar.ll@gmail.com <dunbar.ll@gmail.com>, i2nsf-chairs@ietf.org <i2nsf-chairs@ietf.org>, ietf-http-wg@w3.org <ietf-http-wg@w3.org> Subject: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS) Francesca Palombini has entered the following ballot position for draft-ietf-i2nsf-nsf-monitoring-data-model-16: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-i2nsf-nsf-monitoring-data-model/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thank you for the work on this document. Many thanks to Valery Smyslov for his review: https://mailarchive.ietf.org/arch/msg/art/2XuRUuQaI8ZrVSyuWQn1SHi5dEY/, and to the authors for addressing his comments. Thank you for partially addressing my DISCUSS points with this new version. I do think the question about the Web Attack Alarm was not completely addressed. I am CC'ing the HTTPBIS wg to see if any of the experts there see any red flags here. Francesca ----- Section 6.3.4. FP: It is not clear to me why these specific header fields (and these fields only) are selected to be part of the information about Web Attack Alarm - req-user-agent, cookies. I agree with Ben's DISCUSS point 1. (reported below) and would even add to that that more motivation around which header fields are included and why, would help. I'd also like to know if the HTTPBIS working group has been involved in the discussion, and if not, if they could be to give their expert opinion. Ben's DISCUSS: (1) I'm not sure I understand the motivation for recommending (in §6.3.4) that the HTTP Cookie header field be included in a notification about a Web Attack Event. In general, the cookie field can contain very sensitive information, including credentials, and it is very risky to be sending the cookies around outside of their primary protocol context. Perhaps, if we are fully confident that the NSF has correctly identified an attack, it might be useful to send the cookies around, but I think there are still some scenarios (e.g., a compromised end-user browser) where the cookies in an attack request are still confidential information that should not be disclosed. Could we say more about why it is recommended to always include the cookies or weaken the recommendation?
Received on Friday, 8 April 2022 13:33:31 UTC