Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)
Jensen Zhang <jingxuan.n.zhang@gmail.com> Wed, 16 February 2022 13:35 UTC
From: Jensen Zhang <jingxuan.n.zhang@gmail.com>
Date: Wed, 16 Feb 2022 21:34:49 +0800
Message-ID: <CAAbpuyrWh5C0oSE7MUetTk8Jn0zuCQi5b581hYNGPFM3Odqhzg@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, alto-chairs <alto-chairs@ietf.org>, IETF ALTO <alto@ietf.org>, draft-ietf-alto-cdni-request-routing-alto@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/Y6aCsQFzNoilMdBnYPuKBOawmlA>
Hi Roman,

A new version that echoes the replies already provided in this thread is available:

URL: https://www.ietf.org/archive/id/draft-ietf-alto-cdni-request-routing-alto-21.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-alto-cdni-request-routing-alto-21
Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-alto-cdni-request-routing-alto-21.txt

Please let us know if they address your concerns.

Best regards,
Jensen

On Tue, Jan 18, 2022 at 10:00 PM Jensen Zhang <jingxuan.n.zhang@gmail.com> wrote:

> Hi Roman,
>
> Many thanks for your comments. See our answers inline. Please let us know if they address your concerns.
>
> On Thu, Jan 6, 2022 at 5:31 AM Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>
>> Roman Danyliw has entered the following ballot position for draft-ietf-alto-cdni-request-routing-alto-18: No Objection
>>
>> When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)
>>
>> Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks to Klaas Wierenga for the SECDIR review.
>>
>> Thanks for addressing my DISCUSS point.
>>
>> ** Section 8.
>>    For authenticity and integrity of ALTO information, an attacker may disguise itself as an ALTO server for a dCDN, and provide false capabilities and footprints to a uCDN using the CDNI Advertisement service.
>>
>> -- I don’t follow the intent of the first clause. Why is an _attacker_ concerned with the authenticity and integrity of the ALTO information?
>
> This bullet describes the same risk scenario as the one in Sec 15.1 of RFC7285.
>
>> -- What role can TLS, an associated server certificate (for the dCDN) and configured knowledge of this certificate at the uCDN mitigate some of this risk? Shouldn’t the uCDNs only be communicating with a collection of known dCDNs with which it has some out-of-band negotiated arrangement?
>
> Yes, the uCDNs should only communicate with known dCDNs. But an attacker can start a man-in-the-middle attack.
> About how to configure TLS, does the second last bullet of this section make it clear?
>
>> ** Section 8.
>>    For availability of ALTO services, an attacker may conduct service degradation attacks using services defined in this document to disable ALTO services of a network.
>>
>> Again, operating under the assumption that the dCDN (ALTO Server) would only be working with a known (prearranged) set of uCDNs and they would have authenticated somehow (per the DISCUSS), couldn’t repeated requests be rate limited and after attribution, filtered to minimize impact?
>
> Yes, considering the limited number of authenticated uCDNs, this security issue may not be that risky.
> This bullet just aligns with Sec 15.5 of RFC7285. Do you strongly think we should remove this one?
>
> Thanks,
> Jensen
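The two mitigations raised in the exchange above, a uCDN that only talks to pre-arranged dCDNs over TLS and checks the dCDN server certificate it was configured with out of band, and per-uCDN rate limiting at the dCDN ALTO server, sketched as an added Python example that is not from the draft or from anyone in this thread; the hostnames, certificate bytes, fingerprints and rate parameters are constructed placeholders.

```python
import hashlib
import hmac
import ssl
from collections import defaultdict

# Constructed uCDN configuration (placeholders, not real dCDNs): the only dCDN ALTO
# servers this uCDN will talk to, each pinned to the SHA-256 fingerprint of the
# DER-encoded certificate exchanged out of band (real DER bytes would be hashed here).
KNOWN_DCDNS = {
    "alto.dcdn-a.example": hashlib.sha256(b"constructed DER cert of dCDN A").hexdigest(),
    "alto.dcdn-b.example": hashlib.sha256(b"constructed DER cert of dCDN B").hexdigest(),
}


def ucdn_tls_context() -> ssl.SSLContext:
    """uCDN client context: server certificate required, hostname verified, TLS >= 1.2.
    Use as ctx.wrap_socket(sock, server_hostname=dcdn_host)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # the default, stated explicitly
    ctx.check_hostname = True
    return ctx


def dcdn_peer_accepted(hostname: str, peer_cert_der: bytes) -> bool:
    """Post-handshake check on ssock.getpeercert(binary_form=True): the dCDN must be
    pre-configured and present exactly the pinned certificate, so a server holding a
    different (even CA-issued) certificate for that name is rejected."""
    expected = KNOWN_DCDNS.get(hostname)
    if expected is None:
        return False  # unknown dCDN: no out-of-band arrangement, no ALTO exchange
    actual = hashlib.sha256(peer_cert_der).hexdigest()
    return hmac.compare_digest(actual, expected)


class PerUcdnRateLimiter:
    """dCDN-side token bucket keyed by authenticated uCDN identity, so one uCDN
    issuing requests too fast is throttled without affecting the others."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self._tokens = defaultdict(lambda: float(burst))
        self._last = {}

    def allow(self, ucdn_id: str, now: float) -> bool:
        elapsed = now - self._last.get(ucdn_id, now)  # refill for time since last call
        self._last[ucdn_id] = now
        self._tokens[ucdn_id] = min(self.burst, self._tokens[ucdn_id] + elapsed * self.rate)
        if self._tokens[ucdn_id] >= 1.0:
            self._tokens[ucdn_id] -= 1.0
            return True
        return False
```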