Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document

"Brandenburg, R. (Ray) van" <ray.vanbrandenburg@tno.nl> Thu, 15 May 2014 07:22 UTC

From: "Brandenburg, R. (Ray) van" <ray.vanbrandenburg@tno.nl>
To: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>, "iuniana.oprescu@orange.com" <iuniana.oprescu@orange.com>
Thread-Topic: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document
Date: Thu, 15 May 2014 07:21:46 +0000
Message-ID: <FCC100FC8D6B034CB88CD8173B2DA15820053C41@EXC-MBX03.tsn.tno.nl>
References: <CE2B6E63-3F1F-40D2-8880-B9DD0798A855@cisco.com> <BDC9627D-FE53-4A6B-95AD-4D678F72F74E@cisco.com> <D0F7064D-D074-4098-AF9D-61E4BDFE3ABB@cisco.com> <0DB89F92-A961-4EF9-B94C-2787B0E4BDAA@cisco.com> <28257_1399889438_53709E1E_28257_9427_13_8F0D2F5E4AAB7249BC7339A3E944DEDD2284B99CB5@PMEXCB1D.intranet-paris.francetelecom.fr> <0F9E0105-612C-4360-930A-1DCB8E03C97E@cisco.com>
In-Reply-To: <0F9E0105-612C-4360-930A-1DCB8E03C97E@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cdni/B9kTajZOnFFjua3k9AmMtDZmjJE
Cc: "draft-leung-cdni-uri-signing@tools.ietf.org" <draft-leung-cdni-uri-signing@tools.ietf.org>, "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document

Hi Iuniana, Francois,


From: Francois Le Faucheur (flefauch) [mailto:flefauch@cisco.com]
Sent: Monday 12 May 2014 15:11
To: iuniana.oprescu@orange.com
Cc: Francois Le Faucheur (flefauch); cdni@ietf.org; draft-leung-cdni-uri-signing@tools.ietf.org
Subject: Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document


On 12 May 2014, at 12:10, <iuniana.oprescu@orange.com> wrote:


Hello IETF-ers,

As previously stated, the current version of the draft is a good starting point.

After a quick chat with one of my colleagues, there are a few aspects that we'd like to mention:


1. It seems that all CSPs share the same format of the URI signing, which might be a disadvantage as they often seem to have various specific methods. I know we are trying to achieve interoperability, but maybe it would be worth adding another parameter to give more flexibility in the choice of signing method (other than VER that doesn't seem well suited for this purpose).

If DNS redirection is used, then the dCDNs will see the initial signature applied by the CSP. So the URI signature spec defined by CDNI has to be used by the CSP themselves. I agree that every CSP has their own way to do that today. But to me it means we don't have much chance of including in our spec the necessary flavors to avoid change at the CSP. Given that situation, I think our best bet to maximise interoperability is to define one simple mandatory approach to implement and that all CDNs would support.

If HTTP redirection is used, then the uCDN would perform URI resigning. So each CSP can use its own URI signing algorithm (as long as they agree with the uCDN) and then the CDNI URI signing scheme is applied when redirecting to dCDN.

Agree that in the DNS case CSP might have to adjust. At the same time, I see this fact having a benefit to CSP as well, even outside the context of CDNI. Since there is currently no standardized method for conducting URI Signing, (small) CSPs currently have the problem of having to maintain different (CDN-mandated) URI Signing mechanism for each CDN they work with. Having a well standardized method that is supported among CDNs might benefit such CSPs.


2. For the objects presented in Section 5.4, I am not sure of my understanding of the set of dCDNs sharing a symmetric key with the uCDN. Can that be a security issue where a dCDN can spoof another dCDN that's using the same key?

If DNS redirection is used, then all dCDNs need to understand the original signature. If the signature uses symmetric keys, then all dCDNs need to use that same shared key. This is a property of that deployment scenario (ie DNS/symmetric). But yes the security implications need to be discussed.

That's an interesting attack vector that I didn't consider before. I agree we need to discuss this in the draft.

If HTTP redirection is used, then the expected mode of operation will be that the uCDN performs re-signing after URI rewrite, in which case a different symmetric key can be used for each dCDN.

3. There seems to be a need to include the scenario in which there are several users on a home LAN that are behind a box that does NAT. It would be good to have a way to differentiate each individual request coming from the devices on the same network.

Of course it would be great if we could differentiate between users behind a NAT. At the same time, I currently don't see a way to do that in a standardized manner within the IETF. I'm aware of various proprietary mechanisms for doing this, but they all rely (partly) on client-side behavior, which is out-of-scope here. Do you see any possibilities that I am missing? The best option I see is to work together with other SDOs, notably MPEG (DASH), to fix this.

To be picky, maybe the example used in the draft could use an IP address that is in line with RFC 6761 instead of the classic private 10.0.0.1.

Agreed,

Yes. Will fix this.

Thanks,

Ray

Thanks for the review and comments.

Francois



-- iuniana


From: CDNi [mailto:cdni-bounces@ietf.org] On behalf of Francois Le Faucheur (flefauch)
Sent: Wednesday 7 May 2014 15:53
To: cdni@ietf.org; draft-leung-cdni-uri-signing@tools.ietf.org
Subject: Re: [CDNi] Adoption of draft-leung-cdni-uri-signing as a WG document

All,

I incorrectly thought the poll deadline was May 5th, but it was set to May 12th in my poll message below. So just to make sure we are not preventing anyone from posting their feedback, let's hold off on the announcement below until May 12th. We'll re-evaluate the decision then based on additional feedback.

Cheers

Francois

PS: I guess going on holidays can make one lose the notion of time ...

On 7 May 2014, at 15:42, Francois Le Faucheur (flefauch) <flefauch@cisco.com> wrote:



Folks,
In addition to the support expressed in London, we've heard as a result of the list poll:
* statements of strong support (Kevin, Matt, Scott, Daryl)
* a statement of conditional support (Ben)
* no objection/concern.
So we (WG Chairs) confirm adoption of draft-leung-cdni-uri-signing as a WG document, conditioned to resolution of Ben's comments.

To draft authors,
Please continue the discussion (on the WG mailer) with Ben to converge on how to best address his comments, and then post a new version of the draft as draft-ietf-cdni-uri-signing-00.

Cheers

Francois

On 25 Apr 2014, at 16:51, Francois Le Faucheur (flefauch) <flefauch@cisco.com> wrote:



Folks,

Just to be clear, this is a follow up from Daryl's earlier message of 25 April (http://www.ietf.org/mail-archive/web/cdni/current/msg01837.html), which issued a similar request. We did not receive much feedback so would like to give another opportunity for more feedback.

Francois

Begin forwarded message:



From: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
Subject: [CDNi] Poll for adoption of draft-leung-cdni-uri-signing-05 as a WG document
Date: 25 April 2014 16:30:08 CEST
To: cdni@ietf.org

Folks,

During the London meeting:
* authors confirmed that they believe the latest version of draft-leung-cdni-uri-signing resolved the issue related to draft-ietf-appsawg-uri-get-off-my-lawn-04.txt.
* WG chairs agreed to take to the list the question of adopting draft-leung-cdni-uri-signing-05 as a WG document to ensure it gets sufficient review.

This message is to encourage review of draft-leung-cdni-uri-signing-05 (http://tools.ietf.org/id/draft-leung-cdni-uri-signing-05.txt) and solicit feedback on adopting it as a WG document to address the corresponding milestone on our charter.
Please do so by end of 12 May (ie within the next 2 weeks).

Francois & Daryl, CDNI WG Chairs



For convenience, quote from IETF-89 CDNI WG meeting minutes:
"
Daryl (as chair): This is a deliverable on our charter, but not many people have read the draft yet, so will take question for WG adoption to the list to give people time to read it.
"


For convenience, relevant excerpt from the CDNI WG charter (http://tools.ietf.org/wg/cdni/charters):
"
The working group will focus on the following items:
<...>
 - A specification for "CDNI URI Signing". This document will specify a
   mechanism that allows interconnected CDNs to support access control
   by signing content URIs. This may involve extensions to the CDNI
   interfaces (e.g. CDNI Metadata interface, CDNI Logging interface).

<...>

Goals and Milestones:
<...>
 Sep 2014 - Submit specification of URI Signing for CDNI to IESG as Proposed Standard
"
_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://www.ietf.org/mailman/listinfo/cdni



_________________________________________________________________________________________________________________________


This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.





This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. TNO accepts no liability for the content of this e-mail, for the manner in which you use it and for damage of any kind resulting from the risks inherent to the electronic transmission of messages.
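As an added example, not code from this thread or from draft-leung-cdni-uri-signing: a small Python model of the two key arrangements Iuniana, Francois and Ray discuss under point 2 above. The query parameter names (kid, expires, sig), hostnames and keys are constructed for the example and are not the draft's wire format. It shows why one symmetric key shared by every dCDN (the DNS redirection case) leaves a verifying dCDN unable to tell a URI minted by a peer from one minted by the CSP, and how re-signing at the uCDN on HTTP redirection, with a per-dCDN key and the host covered by the signature, removes that property.

```python
"""Model of the two key arrangements discussed in the thread: one symmetric key shared by
all dCDNs (DNS redirection) versus a per-dCDN key applied by the uCDN when it re-signs on
HTTP redirection. Constructed example; the query parameter names (kid, expires, sig),
hostnames and keys are made up and are not the draft's wire format."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIG_PARAM = "sig"                                 # hypothetical signature parameter
SIGNING_PARAMS = ("kid", "expires", SIG_PARAM)    # parameters the signer owns


def _unsigned_form(uri: str) -> str:
    """The string that is signed: scheme, host, path and query, minus the signature itself."""
    p = urlsplit(uri)
    q = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != SIG_PARAM]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), ""))


def sign_uri(uri: str, key: bytes, key_id: str, expires: int) -> str:
    """Append key id and expiry, then an HMAC-SHA256 over the whole URI including the host."""
    p = urlsplit(uri)
    q = parse_qsl(p.query, keep_blank_values=True) + [("kid", key_id), ("expires", str(expires))]
    unsigned = urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), ""))
    mac = hmac.new(key, unsigned.encode(), hashlib.sha256).hexdigest()
    return unsigned + "&" + urlencode({SIG_PARAM: mac})


def verify_uri(uri: str, keyring: dict, now: int) -> bool:
    """Look the key up by kid, reject unknown keys and expired URIs, compare in constant time."""
    params = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))
    key = keyring.get(params.get("kid"))
    if key is None or SIG_PARAM not in params:
        return False
    try:
        if int(params["expires"]) < now:
            return False
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, _unsigned_form(uri).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, params[SIG_PARAM])


def resign_for_dcdn(uri, csp_keyring, dcdn_host, dcdn_key, dcdn_kid, now):
    """uCDN step on HTTP redirection: accept only a valid CSP signature, rewrite the host to
    the chosen dCDN, strip the CSP's signing parameters and sign again with that dCDN's own
    key. Returns None when the incoming signature does not verify."""
    if not verify_uri(uri, csp_keyring, now):
        return None
    p = urlsplit(uri)
    pairs = parse_qsl(p.query, keep_blank_values=True)
    expires = int(dict(pairs)["expires"])          # keep the CSP's expiry on the new URI
    q = [(k, v) for k, v in pairs if k not in SIGNING_PARAMS]
    bare = urlunsplit((p.scheme, dcdn_host, p.path, urlencode(q), ""))
    return sign_uri(bare, dcdn_key, dcdn_kid, expires)


def shared_key_scenario(now=1_000_000) -> dict:
    """DNS redirection: dCDN-A and dCDN-B hold the same key, so a URI naming dCDN-B's host
    verifies at B whichever key holder signed it; B cannot tell who minted it."""
    shared = b"constructed-shared-key"
    uri = sign_uri("http://dcdn-b.example/video/1.mp4", shared, "csp", now + 60)
    return {"accepted_by_a": verify_uri(uri, {"csp": shared}, now),
            "accepted_by_b": verify_uri(uri, {"csp": shared}, now)}


def per_dcdn_key_scenario(now=1_000_000) -> dict:
    """HTTP redirection: the uCDN re-signs with dCDN-A's key; the result verifies at A only,
    fails at B (different key), fails if the host is swapped, and fails once expired."""
    csp_key, key_a, key_b = b"constructed-csp-key", b"constructed-key-a", b"constructed-key-b"
    csp_uri = sign_uri("http://ucdn.example/video/1.mp4?q=hd", csp_key, "csp", now + 60)
    to_a = resign_for_dcdn(csp_uri, {"csp": csp_key}, "dcdn-a.example", key_a, "ucdn-a", now)
    swapped = to_a.replace("dcdn-a.example", "dcdn-b.example")
    return {"resigned": to_a is not None,
            "accepted_by_a": verify_uri(to_a, {"ucdn-a": key_a}, now),
            "accepted_by_b": verify_uri(to_a, {"ucdn-b": key_b}, now),
            "host_swap_rejected": not verify_uri(swapped, {"ucdn-a": key_a}, now),
            "expired_rejected": not verify_uri(to_a, {"ucdn-a": key_a}, now + 120)}


if __name__ == "__main__":
    print(shared_key_scenario())
    print(per_dcdn_key_scenario())
```

The host is part of the signed string on purpose: with per-dCDN keys that is what stops a URI issued for one dCDN from being accepted by another after a hostname rewrite. In the shared-key case the same check passes everywhere, because every dCDN would compute the identical MAC.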