[Anima] chain of redirections for Cloud Registrar
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 13 June 2021 02:22 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E9A33A2B3E for <anima@ietfa.amsl.com>; Sat, 12 Jun 2021 19:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NkIN94sv1NLo for <anima@ietfa.amsl.com>; Sat, 12 Jun 2021 19:22:31 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0A4F3A2B3F for <anima@ietf.org>; Sat, 12 Jun 2021 19:22:31 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 625C138B16; Sat, 12 Jun 2021 22:23:29 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id G7JAezbozF-g; Sat, 12 Jun 2021 22:23:29 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id DDA2F38B14; Sat, 12 Jun 2021 22:23:28 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1DFF478B; Sat, 12 Jun 2021 22:22:28 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org, max pritikin <pritikin@cisco.com>
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 12 Jun 2021 22:22:28 -0400
Message-ID: <6572.1623550948@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/2iPkp8i_oqrEHFAUX9VbbbFls6M>
Subject: [Anima] chain of redirections for Cloud Registrar
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2021 02:22:36 -0000
Owen, Rifaat, and WG,
In writing the Security Considerations section of draft-ietf-anima-brski-cloud,
I realized that there is a case we have been thinking about, but that we
didn't clearly write down.
We support two methods of redirect: 307 redirect and voucher based redirect.
The first method allows a Pledge to find a BRSKI capable Registrar at which
it starts the normal voucher-request/voucher process.
The second method allows the Cloud Registrar to process a voucher request
and then redirect the Pledge to an EST-only capable Registration Authority.
The questions are two:
1) do we allow multiple layers of 307 redirect? This can be pretty powerful
as it allows a manufacturer to just know which regional distributor they
resold to, and the distributor knows which VAR, etc.
If so, I guess we need to establish some limit to how many redirects we allow.
BRSKI says some things at section 5.6 about limiting redirects to one.
My opinion is that this restriction should not apply.
I think that the section 5.6 which says:
In order to avoid infinite redirect loops, which a malicious registrar
might do in order to keep the pledge from discovering the correct
registrar, the pledge MUST NOT follow more than one redirection (3xx
code) to another web origin. EST supports redirection but requires user
input; this change allows the pledge to follow a single redirection
without a user interaction.
"another web origin" --- I guess I don't know what this means.
Does it mean redirecting from https://one.example/foo to https://two.example/bar,
or does it refer to https://one.example/foo to https://one.example/bar etc.
In non-cloud enrollment, the join proxy forces the pledge to a particular
destination, so the "one.example" can't meaningfully change to
"two.example" (although both could be on the same TLS port.
{actually, it occurs to me that we don't say what the pledge should put
into the Host: header, and this issue hasn't come up for me, because I
seldom get to test via a real join proxy. The corollory is that actually
Registrars can not use HTTP Host: virtual hosting, *or* SNI Virtual Hosting,
because they must accept all values of Host:}
2) do we allow for one or more 307 redirect, followed by a voucher based
est-domain redirect to an EST server?
It seems like a good idea to me.
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] chain of redirections for Cloud Registrar Michael Richardson
- Re: [Anima] chain of redirections for Cloud Regis… Michael Richardson
- Re: [Anima] chain of redirections for Cloud Regis… Carsten Bormann
- [Anima] BRSKI redirect Q (was: Re: chain of redir… Toerless Eckert
- Re: [Anima] chain of redirections for Cloud Regis… Toerless Eckert
- Re: [Anima] BRSKI redirect Q (was: Re: chain of r… Michael Richardson
- Re: [Anima] chain of redirections for Cloud Regis… Michael Richardson