IETF Logo Mail Archive

Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)

Jensen Zhang <jingxuan.n.zhang@gmail.com> Wed, 16 February 2022 13:35 UTC

Return-Path: <jingxuan.n.zhang@gmail.com>
X-Original-To: alto@ietfa.amsl.com
Delivered-To: alto@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B840D3A080B; Wed, 16 Feb 2022 05:35:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OBOFGxeFkhg; Wed, 16 Feb 2022 05:35:06 -0800 (PST)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4389D3A090F; Wed, 16 Feb 2022 05:35:06 -0800 (PST)
Received: by mail-wm1-x335.google.com with SMTP id j9-20020a05600c190900b0037bff8a24ebso3748479wmq.4; Wed, 16 Feb 2022 05:35:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aAkq1dBl0eJFYIRRSWd97RSwBu8Pp8Q+GTknL93UkRw=; b=aN0GTOA2cFGKX/CuQKrDnSrraN5NfDDTry/okmdL3AwJPBFrFs6DerJMdGIh/RN0pY QchaMrq75AQPYaTL4l15WcPBpX/rXayAO1cS8oRpH+urEDy1mxVZ6uw2i6WEb2g+eX57 gUdZKqHtpaDaD2MMhQWQcEiFT+/vqvWPxGqw00LV8tgWJeFa1Hp4Uo9w7IDQ7Z8STaOf ptWkk6Lyj+MNotEW1Xh8oeoHm3hgBiNInpyroc6BsTUHz1pFTfA2nTJT5f6dGzjtPMzI l6Ap1LdYhy6NIRE76tplQSeHrwcWbK1mmD4gdzkIdFHQf78hAyBuZfLz6PVwOYC/h97p yRLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aAkq1dBl0eJFYIRRSWd97RSwBu8Pp8Q+GTknL93UkRw=; b=1w0G8A+Wjh42nA68nJCSgGrPuTkaieqD/YxrQbXYCJvQR63xAT3btk82yhJGUAzVU6 PuTi6Tq40kN78eWfqinoxfWY0xgrV0HZfJwWpo/6sRaxdqpZPubcN+w0a0Eh9vgjrp9b iEOjAEVZTUuU2QNoqcPvrNzw4fbXJTO3nMCHinUza0MdX7RyiNGL8+bMfwnU4oS6WfVM SMbzlu7tBGgYbKY+6DOdPSVQFX7bWqEXvIE66KYrRb4KiH84Ao2Nx1SgXmWg5tiXVHke ins3xtxZp7H19Ig84dQQmKPIBponZQXz5HeH/l0WxGKMFMsXRC0KUpynFc57T/6JwKO6 7w1g==
X-Gm-Message-State: AOAM533IOhljeJkCj0Lp5XAhPKT7JujjtwKOGRzb5DdU0WHqy8mYDRVq 1oSRpcMIgVJMffjcq5nZVKVqbCq0zHTdS89BM8meaIXhZbQ=
X-Google-Smtp-Source: ABdhPJxTiPiRzjyIdHabZGvAqwdtNtx64hj9L3yNcAh83z+6wFMs2d7YsDwFRoewdh9akvKtZOT59doJeDQjtcm8IGw=
X-Received: by 2002:a1c:4c0b:0:b0:37c:505:d460 with SMTP id z11-20020a1c4c0b000000b0037c0505d460mr1736108wmf.101.1645018500573; Wed, 16 Feb 2022 05:35:00 -0800 (PST)
MIME-Version: 1.0
References: <164141825045.20057.16926707907161737534@ietfa.amsl.com> <CAAbpuyq_Tiq+mxohu6L5YwGUsBh51f52fHtqj_00mdgZkY4aag@mail.gmail.com>
In-Reply-To: <CAAbpuyq_Tiq+mxohu6L5YwGUsBh51f52fHtqj_00mdgZkY4aag@mail.gmail.com>
From: Jensen Zhang <jingxuan.n.zhang@gmail.com>
Date: Wed, 16 Feb 2022 21:34:49 +0800
Message-ID: <CAAbpuyrWh5C0oSE7MUetTk8Jn0zuCQi5b581hYNGPFM3Odqhzg@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, alto-chairs <alto-chairs@ietf.org>, IETF ALTO <alto@ietf.org>, draft-ietf-alto-cdni-request-routing-alto@ietf.org
Content-Type: multipart/alternative; boundary="000000000000602d4a05d822b741"
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/Y6aCsQFzNoilMdBnYPuKBOawmlA>
Subject: Re: [alto] Roman Danyliw's No Objection on draft-ietf-alto-cdni-request-routing-alto-18: (with COMMENT)
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2022 13:35:10 -0000

Hi Roman,

A new version that echoes the replies already provided in this thread is
available:

URL:
https://www.ietf.org/archive/id/draft-ietf-alto-cdni-request-routing-alto-21.txt
Status:
https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-alto-cdni-request-routing-alto-21
Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-alto-cdni-request-routing-alto-21.txt

Please let us know if they address your concerns.

Best regards,
Jensen


On Tue, Jan 18, 2022 at 10:00 PM Jensen Zhang <jingxuan.n.zhang@gmail.com>
wrote:

> Hi Roman,
>
> Many thanks for your comments. See our answers inline. Please let us know
> if they address your concerns.
>
>
> On Thu, Jan 6, 2022 at 5:31 AM Roman Danyliw via Datatracker <
> noreply@ietf.org> wrote:
>
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-alto-cdni-request-routing-alto-18: No Objection
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/
>>
>>
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> Thanks to Klaas Wierenga for the SECDIR review.
>>
>> Thanks for addressing my DISCUSS point
>>
>> ** Section 8.
>>      For authenticity and integrity of ALTO information, an attacker
>>       may disguise itself as an ALTO server for a dCDN, and provide
>>       false capabilities and footprints to a uCDN using the CDNI
>>       Advertisement service.
>>
>> -- I don’t follow the intent of the first clause.  Why is an _attacker_
>> concerned with the authenticity and integrity of the ALTO information?
>>
>
> This bullet describes the same risk scenario as the one in Sec 15.1 of
> RFC7285.
>
>
>>
>> -- What role can TLS, an associated server certificate (for the dCDN) and
>> configured knowledge of this certificate at the uCDN mitigate some of this
>> risk?  Shouldn’t the uCDNs only be communicating with a collection of
>> known
>> dCDNs with which it has some out-of-band negotiated arrangement?
>>
>
> Yes, the uCDNs should only communicate with known dCDNs. But an attacker
> can start a man-in-the-middle attack.
> About how to configure TLS, does the second last bullet of this section
> make it clear?
>
>
>>
>> ** Section 8.
>>       For availability of ALTO services, an attacker may conduct service
>>       degradation attacks using services defined in this document to
>>       disable ALTO services of a network.
>>
>> Again, operating under the assumption that the dCDN (ALTO Server) would
>> only be
>> working with a known (prearranged) set of uCDNs and they would have
>> authenticated somehow (per the DISCUSS), couldn’t repeated requested be
>> rate
>> limited and after attribution, filtered to minimize impact?
>>
>
> Yes, considering the limited number of authenticated uCDNs, this security
> issue may not be that risky.
> This bullet just aligns with Sec 15.5 of RFC7285. Do you strongly think we
> should remove this one?
>
> Thanks,
> Jensen
>
>
>>
>>
>>
>> _______________________________________________
>> alto mailing list
>> alto@ietf.org
>> https://www.ietf.org/mailman/listinfo/alto
>>
>

v2.23.0 | Report a Bug | By Email