Re: [CDNi] Éric Vyncke's Discuss on draft-ietf-cdni-uri-signing-22: (with DISCUSS)
Andrew Ryan <andrew@andrewnryan.com> Mon, 15 November 2021 14:04 UTC
Return-Path: <anr1@anr1.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B89B3A0C60 for <cdni@ietfa.amsl.com>; Mon, 15 Nov 2021 06:04:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=andrewnryan.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMJYrOxQVrNt for <cdni@ietfa.amsl.com>; Mon, 15 Nov 2021 06:04:52 -0800 (PST)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B7F53A0C63 for <cdni@ietf.org>; Mon, 15 Nov 2021 06:04:52 -0800 (PST)
Received: by mail-qt1-x836.google.com with SMTP id t11so15617686qtw.3 for <cdni@ietf.org>; Mon, 15 Nov 2021 06:04:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=andrewnryan.com; s=google; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=F1IQpyWN9dcuQNn4v1B+KSBwPo7spv5jSfNsWAn1UiI=; b=zKd0VcJuXmWn04YPBYPpk8V//HnJpD1MChOp0TMCvqcdQs3co2tqjPB1cxGCMo4wy2 kqBm0MNa1VLphDTcHFOtqi7ihcdLLq6cGkLzWCSXRGR72XvBuXDPcwonW9MdiZwppm+R Wr0yejBnr4pqJLREHQuAPeufusbAL7g0daEGI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=F1IQpyWN9dcuQNn4v1B+KSBwPo7spv5jSfNsWAn1UiI=; b=cMsTF7lVElieb0sbSxV6arD36jG8GYQoPpXjCDLnGZBze7nVnUVIoYP5mYS0jwQsFC xuFt1YshB8qwr3NwZVRNjwQA9+WJ+a7K3rQXFZIuJ5zeB9mDRKpwTaPWVKOc7YV3ijj1 wKmE0tsS9GJP/yE9ZXo72r2Lyn7onrqxekJkJE7vVXna89P00RYauLrt5vhmFKG+xU4o BTCfPD8XsPZhHGDJtkwO9vpFbQeH1B+6sF38E5AnzLPYf19vMRgCrXxH3j4F16NKZfAe px+hP8VnCvR/4Dr7UfpZdZ92JQaJh41PaToKP0u3etCnNvgDpfojaNR9WjqV9E/NvBre f06g==
X-Gm-Message-State: AOAM533OCOw2OWRPk3TmRAJRUTHoKunFNhqelzuTaWm2KQHomzVT9R5G nFyYdPz8LZ2z+yTnyILSXl5d5LxJai8d9A==
X-Google-Smtp-Source: ABdhPJw+cR04XP7wkR8/FFqU91sut5mWk2joiEOin1xhb/D+34r7z2422Gmxb1g2gYaNh8/n3+I0pA==
X-Received: by 2002:a05:622a:4c:: with SMTP id y12mr40082711qtw.21.1636985089330; Mon, 15 Nov 2021 06:04:49 -0800 (PST)
Received: from [192.168.1.179] (cpe-72-231-224-210.buffalo.res.rr.com. [72.231.224.210]) by smtp.gmail.com with ESMTPSA id t18sm5995008qtw.64.2021.11.15.06.04.48 for <cdni@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 15 Nov 2021 06:04:48 -0800 (PST)
Message-ID: <33095d81-f26b-07c6-df8e-5563c72b0dcd@andrewnryan.com>
Date: Mon, 15 Nov 2021 09:04:47 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.3.0
Content-Language: en-US
To: cdni@ietf.org
References: <163698097601.25884.10279368995590596035@ietfa.amsl.com>
From: Andrew Ryan <andrew@andrewnryan.com>
In-Reply-To: <163698097601.25884.10279368995590596035@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/NCmIB4cZD9KEXxF9JkfDGURrN8g>
Subject: Re: [CDNi] Éric Vyncke's Discuss on draft-ietf-cdni-uri-signing-22: (with DISCUSS)
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Nov 2021 14:04:58 -0000
Éric, Please find some of my thoughts inline about this. > -- Section 2.1.10 -- > About "Client IP (cdniip) claim", I really wonder whether this could be used in > real life as some IPv4 Carrier-Grade NAT (CGN) have a large pool of "public" > IPv4 addresses that could select different public IPv4 addresses if badly > designed. I have encountered customers in the CDN space who have requested and used client IP in their URL hashing. Use cases ranged from internal development environments to HLS video streaming. There are many reasons where client IP breaks down, but in some cases, it is also something clients have uses cases for. If the largest reason for removing support for the client IP is because there are caveats in it's usage, it seems that allowing it and noting the caveats is the more flexible approach and may help with adoption of the spec, particularly for folks who are using it in their URL hashing workflow today. > How will it work with dual-stack UAs where some connections could be > over IPv4 and some over IPv6 ? Now to mention a dual-home (Wi-Fi & mobile data) > UA ? Or what if the dCDN is between the UA and the CGN (assuming that the uCDN > or CSP are upstream of the CGN) ? Your examples here are some of the caveats to using client IP. The signing entity needs to be fully aware that client IP may not remain constant over the course of a client session or it may see an IP address when creating the hash that differs completely from the IP the client ultimately winds up hitting an endpoint with. These are situations that we can highlight to help the entity creating the hashes to make informed decisions about using client IP. > > Also, "If the received signed JWT contains a Client IP claim" uses singular > rather than "one or several" In some models I have seen the ability to use subnet masks or cidr ranges to allow a block of IPs, once again though it is up to the entity creating the hashes to decide which elements they want to include. One model may work well for one entity and not for another. Thank you very much Andrew Ryan On 11/15/2021 7:56 AM, Éric Vyncke via Datatracker wrote: > Éric Vyncke has entered the following ballot position for > draft-ietf-cdni-uri-signing-22: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thank you for the work put into this document. > > Thank you for fixing all my previous COMMENTs in the -22 revision. > > I am afraid that I need to keep my DISCUSS about the cdniip even with the > addition of a paragraph at the end of section 2.1.10... This paragraph > ressembles to an application statement but it it really light. Why did the > authors select not to use RFC 8174 normative language “NOT RECOMMENDED” ? > > The section 7 (security considerations) is still very light on the IP address > sharing. > > -éric > > == DISCUSS == > > -- Section 2.1.10 -- > About "Client IP (cdniip) claim", I really wonder whether this could be used in > real life as some IPv4 Carrier-Grade NAT (CGN) have a large pool of "public" > IPv4 addresses that could select different public IPv4 addresses if badly > designed. How will it work with dual-stack UAs where some connections could be > over IPv4 and some over IPv6 ? Now to mention a dual-home (Wi-Fi & mobile data) > UA ? Or what if the dCDN is between the UA and the CGN (assuming that the uCDN > or CSP are upstream of the CGN) ? > > Also, "If the received signed JWT contains a Client IP claim" uses singular > rather than "one or several" > > I also noted that Section 7 (security considerations) puts some restrictions on > the usefulness of cdniip. > > I would welcome some applicability statements on the use of cdniip. > > > > > > _______________________________________________ > CDNi mailing list > CDNi@ietf.org > https://www.ietf.org/mailman/listinfo/cdni
- [CDNi] Éric Vyncke's Discuss on draft-ietf-cdni-u… Éric Vyncke via Datatracker
- Re: [CDNi] Éric Vyncke's Discuss on draft-ietf-cd… Andrew Ryan