- From: Francesca Palombini via Datatracker <noreply@ietf.org>
- Date: Tue, 22 Mar 2022 08:32:00 -0700
- To: "The IESG" <iesg@ietf.org>
- Cc: draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org, i2nsf-chairs@ietf.org, i2nsf@ietf.org, dunbar.ll@gmail.com, dunbar.ll@gmail.com, ietf-http-wg@w3.org
Francesca Palombini has entered the following ballot position for draft-ietf-i2nsf-nsf-monitoring-data-model-16: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-i2nsf-nsf-monitoring-data-model/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thank you for the work on this document. Many thanks to Valery Smyslov for his review: https://mailarchive.ietf.org/arch/msg/art/2XuRUuQaI8ZrVSyuWQn1SHi5dEY/, and to the authors for addressing his comments. Thank you for partially addressing my DISCUSS points with this new version. I do think the question about the Web Attack Alarm was not completely addressed. I am CC'ing the HTTPBIS wg to see if any of the experts there see any red flags here. Francesca ----- Section 6.3.4. FP: It is not clear to me why these specific header fields (and these fields only) are selected to be part of the information about Web Attack Alarm - req-user-agent, cookies. I agree with Ben's DISCUSS point 1. (reported below) and would even add to that that more motivation around which header fields are included and why, would help. I'd also like to know if the HTTPBIS working group has been involved in the discussion, and if not, if they could be to give their expert opinion. Ben's DISCUSS: (1) I'm not sure I understand the motivation for recommending (in ยง6.3.4) that the HTTP Cookie header field be included in a notification about a Web Attack Event. In general, the cookie field can contain very sensitive information, including credentials, and it is very risky to be sending the cookies around outside of their primary protocol context. Perhaps, if we are fully confident that the NSF has correctly identified an attack, it might be useful to send the cookies around, but I think there are still some scenarios (e.g., a compromised end-user browser) where the cookies in an attack request are still confidential information that should not be disclosed. Could we say more about why it is recommended to always include the cookies or weaken the recommendation?
Received on Tuesday, 22 March 2022 15:32:29 UTC