Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document

"Francois Le Faucheur (flefauch)" <flefauch@cisco.com> Mon, 12 May 2014 13:11 UTC

From: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
To: "iuniana.oprescu@orange.com" <iuniana.oprescu@orange.com>
Thread-Topic: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document
Date: Mon, 12 May 2014 13:11:20 +0000
Message-ID: <0F9E0105-612C-4360-930A-1DCB8E03C97E@cisco.com>
References: <CE2B6E63-3F1F-40D2-8880-B9DD0798A855@cisco.com> <BDC9627D-FE53-4A6B-95AD-4D678F72F74E@cisco.com> <D0F7064D-D074-4098-AF9D-61E4BDFE3ABB@cisco.com> <0DB89F92-A961-4EF9-B94C-2787B0E4BDAA@cisco.com> <28257_1399889438_53709E1E_28257_9427_13_8F0D2F5E4AAB7249BC7339A3E944DEDD2284B99CB5@PMEXCB1D.intranet-paris.francetelecom.fr>
In-Reply-To: <28257_1399889438_53709E1E_28257_9427_13_8F0D2F5E4AAB7249BC7339A3E944DEDD2284B99CB5@PMEXCB1D.intranet-paris.francetelecom.fr>
Archived-At: http://mailarchive.ietf.org/arch/msg/cdni/7L2mPyor4oCvbg7d8pMxygXCxKQ
Cc: "draft-leung-cdni-uri-signing@tools.ietf.org" <draft-leung-cdni-uri-signing@tools.ietf.org>, "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document

On 12 May 2014, at 12:10, <iuniana.oprescu@orange.com> wrote:

Hello IETF-ers,

As previously stated, the current version of the draft is a good starting point.

After a quick chat with one of my colleagues, there are a few aspects that we’d like to mention:


1. It seems that all CSPs share the same format of the URI signing, which might be a disadvantage as they often seem to have various specific methods. I know we are trying to achieve interoperability, but maybe it would be worth adding another parameter to give more flexibility in the choice of signing method (other than VER that doesn’t seem well suited for this purpose).

If DNS redirection is used, then the dCDNs will see the initial signature applied by the CSP. So the URI signature spec defined by CDNI has to be used by the CSP themselves. I agree that every CSP has their own way to do that today. But to me it means we don't have much chance of including in our spec the necessary flavors to avoid change at the CSP. Given that situation, I think our best bet to maximise interoperability is to define one simple mandatory-to-implement approach that all CDNs would support.

If HTTP redirection is used, then the uCDN would perform URI resigning. So each CSP can use its own URI signing algorithm (as long as they agree with the uCDN) and then the CDNI URI signing scheme is applied when redirecting to dCDN.



2. For the objects presented in Section 5.4, I am not sure of my understanding of the set of dCDNs sharing a symmetric key with the uCDN. Can that be a security issue where a dCDN can spoof another dCDN that’s using the same key?

If DNS redirection is used, then all dCDNs need to understand the original signature. If the signature uses symmetric keys, then all dCDNs need to use that same shared key. This is a property of that deployment scenario (i.e. DNS/symmetric). But yes the security implications need to be discussed.

If HTTP redirection is used, then the expected mode of operation will be that the uCDN performs re-signing after URI rewrite, in which case a different symmetric key can be used for each dCDN.

3. There seems to be a need to include the scenario in which there are several users on a home LAN that are behind a box that does NAT. It would be good to have a way to differentiate each individual request coming from the devices on the same network.

To be picky, maybe the example used in the draft could use an IP address that is in line with RFC 6761 instead of the classic private 10.0.0.1.

Agreed,

Thanks for the review and comments.

Francois


-- iuniana
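To make item 2 of the exchange above concrete, here is an added example of mine; it is not code from either participant, from the CDNI working group, or from draft-leung-cdni-uri-signing. It models a toy URI-signing scheme (HMAC-SHA256 over the whole URI, carried in query parameters I have named SIG, EXP and KID; those names, the keyring layout, the hostnames and the keys are all my assumptions for the example, not the draft's definitions) and then runs the two deployment scenarios Francois describes: with DNS redirection every dCDN verifies the CSP's own signature and therefore holds the same key, so one dCDN can mint a URI another dCDN accepts; with HTTP redirection the uCDN verifies the CSP's signature, rewrites the host and re-signs with a key specific to the chosen dCDN, so a forgery made with another dCDN's key is rejected.

```python
"""Toy CDNI-style URI signing: shared-key (DNS redirection) versus per-dCDN
re-signing (HTTP redirection).  Parameter names SIG/EXP/KID, hostnames and
keys are constructed for this example, not taken from the draft."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIG, EXP, KID = "SIG", "EXP", "KID"   # assumed query parameter names


def _canonical(parts, query):
    """Rebuild the URI with the given (SIG-free) query.  This exact string is
    what gets MACed, so signer and verifier must agree on it byte for byte."""
    return urlunsplit(parts._replace(query=urlencode(query)))


def sign_uri(url, key, key_id, expires_at):
    """Append EXP and KID, then an HMAC-SHA256 over scheme, host, path and
    query.  Any SIG already present is discarded before signing."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != SIG]
    query += [(EXP, str(expires_at)), (KID, key_id)]
    unsigned = _canonical(parts, query)
    mac = hmac.new(key, unsigned.encode(), hashlib.sha256).hexdigest()
    return unsigned + "&" + urlencode({SIG: mac})


def verify_uri(url, keyring, now):
    """keyring maps key id -> secret known to *this* verifier.  Reject unknown
    key ids, expired URIs and bad MACs; compare MACs in constant time."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(query)
    if not all(p in params for p in (SIG, EXP, KID)):
        return False
    if params[KID] not in keyring or now >= int(params[EXP]):
        return False
    unsigned = _canonical(parts, [(k, v) for k, v in query if k != SIG])
    expected = hmac.new(keyring[params[KID]], unsigned.encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), params[SIG].encode())


def resign_for_dcdn(url, ucdn_keyring, dcdn_host, dcdn_kid, now):
    """uCDN side of HTTP redirection: verify the CSP's signature, rewrite the
    host to the selected dCDN, keep the original expiry, sign with the key
    shared with that dCDN only."""
    if not verify_uri(url, ucdn_keyring, now):
        raise ValueError("refusing to re-sign a URI that does not verify")
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    expires_at = int(dict(query)[EXP])
    content_query = [(k, v) for k, v in query if k not in (SIG, EXP, KID)]
    rewritten = urlunsplit(parts._replace(netloc=dcdn_host,
                                          query=urlencode(content_query)))
    return sign_uri(rewritten, ucdn_keyring[dcdn_kid], dcdn_kid, expires_at)


NOW = 1_400_000_000                                      # constructed fixed clock
CONTENT = "http://cdn.example/video.mp4?bitrate=high"    # constructed sample URI


def dns_redirection_shared_key(now=NOW):
    """DNS redirection: every dCDN verifies the CSP's own signature, so every
    dCDN holds the same key.  dCDN B, holding that key, mints a URI that dCDN A
    accepts: nothing in the signature says which key holder produced it."""
    shared = b"csp-key-shared-by-all-dcdns"
    keyring_a = {"csp": shared}
    forged_by_b = sign_uri(CONTENT, shared, "csp", now + 600)
    return verify_uri(forged_by_b, keyring_a, now)       # True: forgery accepted


def http_redirection_resigned(now=NOW):
    """HTTP redirection: the CSP signs for the uCDN; the uCDN re-signs with a key
    shared only with the selected dCDN.  dCDN B's key is not in dCDN A's
    keyring, so B's forgery fails while the uCDN's re-signed URI passes."""
    csp_to_ucdn, ucdn_to_a, ucdn_to_b = b"csp-ucdn", b"ucdn-a", b"ucdn-b"
    ucdn_keyring = {"csp": csp_to_ucdn, "dcdn-a": ucdn_to_a, "dcdn-b": ucdn_to_b}
    keyring_a = {"dcdn-a": ucdn_to_a}
    from_csp = sign_uri(CONTENT, csp_to_ucdn, "csp", now + 600)
    legit = resign_for_dcdn(from_csp, ucdn_keyring, "dcdn-a.example", "dcdn-a", now)
    forged_by_b = sign_uri("http://dcdn-a.example/video.mp4?bitrate=high",
                           ucdn_to_b, "dcdn-b", now + 600)
    return verify_uri(legit, keyring_a, now), verify_uri(forged_by_b, keyring_a, now)


if __name__ == "__main__":
    print("shared key : dCDN A accepts dCDN B's forgery ->", dns_redirection_shared_key())
    print("re-signed  : dCDN A accepts (legit, forgery) ->", http_redirection_resigned())
```

The point the shared-key run makes is that a symmetric key identifies a set of holders, not an individual one: KID names the key, so a verifier cannot distinguish the CSP from any dCDN that was handed the same secret, and revoking one dCDN means re-keying all of them. Per-dCDN re-signing keeps the blast radius of a leaked key to one dCDN at the cost of the uCDN sitting in the request path. The example deliberately leaves out the client-IP binding that item 3 is about, since several devices behind one NAT present the same source address to whichever CDN verifies the URI.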


From: CDNi [mailto:cdni-bounces@ietf.org] On behalf of Francois Le Faucheur (flefauch)
Sent: Wednesday 7 May 2014 15:53
To: cdni@ietf.org; draft-leung-cdni-uri-signing@tools.ietf.org
Subject: Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document

All,

I incorrectly thought the poll deadline was May 5th, but it was set to May 12th in my poll message below. So just to make sure we are not preventing anyone from posting their feedback, let’s hold off on the announcement below until May 12th. We’ll re-evaluate the decision then based on additional feedback.

Cheers

Francois

PS: I guess going on holidays can make one lose the notion of time ...

On 7 May 2014, at 15:42, Francois Le Faucheur (flefauch) <flefauch@cisco.com> wrote:


Folks,
In addition to the support expressed in London, we’ve heard as a result of the list poll:
* statements of strong support (Kevin, Matt, Scott, Daryl)
* a statement of conditional support (Ben)
* no objection/concern.
So we (WG Chairs) confirm adoption of draft-leung-cdni-uri-signing as a WG document, conditioned to resolution of Ben’s comments.

To draft authors,
Please continue the discussion (on the WG mailer) with Ben to converge on how to best address his comments, and then post a new version of the draft as draft-ietf-cdni-uri-signing-00.

Cheers

Francois

On 25 Apr 2014, at 16:51, Francois Le Faucheur (flefauch) <flefauch@cisco.com> wrote:


Folks,

Just to be clear, this is a follow up from Daryl’s earlier message of 25 April (http://www.ietf.org/mail-archive/web/cdni/current/msg01837.html), which issued a similar request. We did not receive much feedback so would like to give another opportunity for more feedback.

Francois

Begin forwarded message:


From: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
Subject: [CDNi] Poll for adoption of draft-leung-cdni-uri-signing-05 as a WG document
Date: 25 April 2014 16:30:08 CEST
To: "cdni@ietf.org" <cdni@ietf.org>

Folks,

During the London meeting:
* authors confirmed that they believe the latest version of draft-leung-cdni-uri-signing resolved the issue related to draft-ietf-appsawg-uri-get-off-my-lawn-04.txt.
* WG chairs agreed to take to the list the question of adopting draft-leung-cdni-uri-signing-05 as a WG document to ensure it gets sufficient review.

This message is to encourage review of draft-leung-cdni-uri-signing-05 (http://tools.ietf.org/id/draft-leung-cdni-uri-signing-05.txt) and solicit feedback on adopting it as a WG document to address the corresponding milestone on our charter.
Please do so by end of 12 May (ie within the next 2 weeks).

Francois & Daryl, CDNI WG Chairs



For convenience, quote from IETF-89 CDNI WG meeting minutes:
"
Daryl (as chair): This is a deliverable on our charter, but not many people have read the draft yet, so will take question for WG adoption to the list to give people time to read it.
"


For convenience, relevant excerpt from the CDNI WG charter (http://tools.ietf.org/wg/cdni/charters):
"
The working group will focus on the following items:
<…>
 - A specification for "CDNI URI Signing". This document will specify a
   mechanism that allows interconnected CDNs to support access control
   by signing content URIs. This may involve extensions to the CDNI
   interfaces (e.g. CDNI Metadata interface, CDNI Logging interface).

<…>

Goals and Milestones:
<…>
 Sep 2014 - Submit specification of URI Signing for CDNI to IESG as Proposed Standard
"
_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://www.ietf.org/mailman/listinfo/cdni



_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.