Re: [CDNi] Erik Kline's Discuss on draft-ietf-cdni-uri-signing-21: (with DISCUSS)
Phil Sorber <sorber@apache.org> Thu, 25 February 2021 06:11 UTC
Return-Path: <sorber@apache.org>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE6A33A13C6 for <cdni@ietfa.amsl.com>; Wed, 24 Feb 2021 22:11:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.897
X-Spam-Level:
X-Spam-Status: No, score=-9.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AjJ95VV7rcLP for <cdni@ietfa.amsl.com>; Wed, 24 Feb 2021 22:11:47 -0800 (PST)
Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org [95.216.194.37]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0B3B3A13C5 for <cdni@ietf.org>; Wed, 24 Feb 2021 22:11:46 -0800 (PST)
Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-he-de.apache.org (ASF Mail Server at mxout1-he-de.apache.org) with SMTP id 52AAE647D4 for <cdni@ietf.org>; Thu, 25 Feb 2021 06:06:34 +0000 (UTC)
Received: (qmail 51711 invoked by uid 99); 25 Feb 2021 06:06:33 -0000
Received: from ec2-52-204-25-47.compute-1.amazonaws.com (HELO mailrelay1-ec2-va.apache.org) (52.204.25.47) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 25 Feb 2021 06:06:33 +0000
Received: from mail-ot1-f52.google.com (mail-ot1-f52.google.com [209.85.210.52]) by mailrelay1-ec2-va.apache.org (ASF Mail Server at mailrelay1-ec2-va.apache.org) with ESMTPSA id B1F4C3E878; Thu, 25 Feb 2021 06:06:33 +0000 (UTC)
Received: by mail-ot1-f52.google.com with SMTP id s3so4665473otg.5; Wed, 24 Feb 2021 22:06:33 -0800 (PST)
X-Gm-Message-State: AOAM533lG11AO/ZJzv0gMAo/14oErZqAIQHm+SfExzkiYjI/UBemhT6x aDST9ObUTYSbBvbcZ0ldiCYkcaC/+APpCN10D2w=
X-Google-Smtp-Source: ABdhPJwrgHlfGzorILB4RuFaFvjFSxTJM7/kG0Ssqea2u4pcpgQ826cVpsK9N1C8CrgzhVKFqK3Jz57AfUlj7E+NpQ8=
X-Received: by 2002:a9d:b90:: with SMTP id 16mr1047302oth.304.1614233193348; Wed, 24 Feb 2021 22:06:33 -0800 (PST)
MIME-Version: 1.0
References: <161421761865.9253.4878110004580140276@ietfa.amsl.com>
In-Reply-To: <161421761865.9253.4878110004580140276@ietfa.amsl.com>
From: Phil Sorber <sorber@apache.org>
Date: Wed, 24 Feb 2021 23:06:22 -0700
X-Gmail-Original-Message-ID: <CABF6JR3DnMkCP9OUG0bOb63VcKNXMCKtQ_uxYHL+k+ztjQZeNg@mail.gmail.com>
Message-ID: <CABF6JR3DnMkCP9OUG0bOb63VcKNXMCKtQ_uxYHL+k+ztjQZeNg@mail.gmail.com>
To: Erik Kline <ek.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-cdni-uri-signing@ietf.org, cdni-chairs@ietf.org, "<cdni@ietf.org>" <cdni@ietf.org>, Kevin Ma J <kevin.j.ma@ericsson.com>
Content-Type: multipart/alternative; boundary="00000000000013060d05bc22f462"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/EKoudSIJIWY5Y5G4bJEf-ddzJgM>
Subject: Re: [CDNi] Erik Kline's Discuss on draft-ietf-cdni-uri-signing-21: (with DISCUSS)
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2021 06:11:49 -0000
Thank you for this thorough review. I have added my responses below. On Wed, Feb 24, 2021 at 6:47 PM Erik Kline via Datatracker <noreply@ietf.org> wrote: > Erik Kline has entered the following ballot position for > draft-ietf-cdni-uri-signing-21: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Apologies for piling on, but I want to second Eric Vyncke's Discuss. The > use of Client IP addresses is more problematic than one might suspect from > a reading of this document. > > RFC 8305 Happy Eyeballs means for a dualstack client and a dualstack CSP or > CDN there are no guarantees that the address family will be the same. > > Furthermore, a client using RFC 8981 (4941bis) IPv6 temporary addresses > might > change source address (even with every request) so an exact match would > not be > recommended. > > To make matters even more complicated, a mobile client might make the CSP > request on Wi-Fi, walk out of range, and complete a subsequent CDN request > via its mobile provider network (or vice versa). So, even using a fairly > short CIDR length for truncation may not work since the origin network can > be > completely different between requests. > > The latter behaviour can also be trigger by connection migration > transports, > like MPTCP and (soon) QUIC. > Yes, there are definitely caveats to using the Client IP for validation. This is really just something that some CSPs want now, but hopefully they will use something like this in a limited fashion. Perhaps there can be value in using this with signed token renewal where the Client IP is only validated on the first round trip. When combined with jti and a short JWT lifetime, you can be reasonably assured that the chain would only be able to continue for the correct user. If the IP had already changed by that point, the client visible failure would be at the very beginning instead of interrupting some long playing media. > > I think one solution might include relaxing all the MUSTs in section > 2.1.10. > Instead, perhaps some text that clarifies the presence of reliability > issues > with Client IPs and recommends that CDNs be develop a more sophisticated > policy (or avoid using this altogether and prefer to use other claims). > Including the Client IP for logging purposes might be helpful, but being > too > strict about verifying it can lead to client-visible failures. > I think additional guidance could be useful, but I don't think we can relax the validation. Content owners really want to know how it will be validated if they are including it in the first place. And as this is duplication of a legacy feature, it really makes sense to have it behave as similarly as possible. Principle of least surprise. > > Alternatively, UAs need to be augmented to know that when a cdniip is part > of the claim that it must try to keep the source IP address the same for > subsequent requests, recognizing, as section 7 does, that NAT can make this > impossible. I'm not sure this is a workable option, though. > We wanted to make this essentially invisible to the UA by leveraging existing behavior. I suspect that if we could relax that requirement, we'd go a completely different route than anything discussed in this document.
- [CDNi] Erik Kline's Discuss on draft-ietf-cdni-ur… Erik Kline via Datatracker
- Re: [CDNi] Erik Kline's Discuss on draft-ietf-cdn… Phil Sorber
- Re: [CDNi] Erik Kline's Discuss on draft-ietf-cdn… Erik Kline