IETF Logo Mail Archive

Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Ben Niven-Jenkins <ben@niven-jenkins.co.uk> Fri, 16 October 2015 07:49 UTC

Return-Path: <ben@niven-jenkins.co.uk>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 588521B302D for <cdni@ietfa.amsl.com>; Fri, 16 Oct 2015 00:49:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QkzRlvIzHqqs for <cdni@ietfa.amsl.com>; Fri, 16 Oct 2015 00:49:24 -0700 (PDT)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.144]) by ietfa.amsl.com (Postfix) with ESMTP id 2EBFF1B302C for <cdni@ietf.org>; Fri, 16 Oct 2015 00:49:23 -0700 (PDT)
Received: from aputeaux-554-1-37-65.w90-35.abo.wanadoo.fr ([90.35.60.65] helo=[192.168.1.131]) by smtp04.mailcore.me with esmtpa (Exim 4.80.1) (envelope-from <ben@niven-jenkins.co.uk>) id 1ZmzlR-000Ab7-OV; Fri, 16 Oct 2015 08:49:22 +0100
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
In-Reply-To: <D24513A6.162A5C%jon.peterson@neustar.biz>
Date: Fri, 16 Oct 2015 08:49:19 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <437C224B-1C0E-4705-8D52-98E139DDD75E@niven-jenkins.co.uk>
References: <73F3A4F6-FC5D-4BC8-BEEC-82F27BA3641F@tno.nl> <102272CE-9EF0-4959-B9E2-8A2F10147BF7@cisco.com> <853CC284-D147-4A1F-8C47-213775F47768@cisco.com> <D24513A6.162A5C%jon.peterson@neustar.biz>
To: "Peterson, Jon" <jon.peterson@neustar.biz>
X-Mailer: Apple Mail (2.2098)
X-Mailcore-Auth: 9600544
X-Mailcore-Domain: 172912
Archived-At: <http://mailarchive.ietf.org/arch/msg/cdni/Z9TMqiYEKnp90HcgNN4xFRyWDgM>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Oct 2015 07:49:26 -0000

Hi Jon,

> On 16 Oct 2015, at 00:52, Peterson, Jon <jon.peterson@neustar.biz> wrote:
> 
> 
> If I recall the substance of my comment was that the cdni-redirection
> mechanism works for HTTPS redirection a lot more securely than for DNS
> redirection, and that the particular problem with DNS redirection when
> using HTTPS (that you will end up seeing a surprising certificate on the
> other side of your TLS connection) should be noted since DNS redirection
> is in scope of cdni-redirection draft. I don't think the problem needs to
> be solved there, but it needs to be acknowledged. Because DNS responses
> are insecure (barring DNSSEC), then using DNS for redirection can
> introduce the problems discussed in draft-fieau-https-delivery-delegation.
> Dropping in a reference to that draft, or summarizing the problem, would
> suffice.

The challenge with writing a paragraph like that is that draft-fieau-https-delivery-delegation misunderstands how DNS works and the security issue it highlights doesn’t exist in practice.

From the slides for draft-fieau-https-delivery-delegation from the last IETF, Section 5 of draft-fieau-https-delivery-delegation states:

“””
   In this case, the DNS resolver,
   when it queries for the hostname associated with the uCDN URL, will
   be served a DNS response (such as CNAME) that will direct the client
   to the dCDN.  However, in an HTTPS environment, this will result in
   the client containing a domain other than the one originally
   specified by the URL inputted by the end user.  Consequently, this
   will almost certainly result in a security failure when the browser
   attempts to negotiate TLS with the web server it contacts, as the
   change in domain name will be indistinguishable from a malicious
   attacker.
“””

How DNS redirection works is that the User Agent does a resolution for foo.example and it gets a response for foo.example. The fact a CNAME is present & resolved by the DNS resolver is invisible to the User Agent (evidenced by the fact the URL bar in the browser doesn’t change domain name/hostname when DNS redirection is performed). Therefore as long as the IP address(es) in the DNS response presents the correct certificate for foo.example and has the correct credentials (e.g. Private key for foo.example) to complete the TLS handshake & encrypt/decrypt traffic on that TLS session the User Agent will not complain. This is how DNS-based HTTPS redirection is done in CDNs today where typically a CSP will provide their certificate & private key to the CDN so the CDN can terminate TLS sessions successfully on the CSP’s behalf. which means if HTTPS redirection is insecure for CDNI then HTTPS redirection used by CDNs in the wild today (without CDNI) is also insecure (which it isn’t).

IMO I think the real problem is a different thing that draft-slovetskiy-cdni-https-delegation-approaches hints at without stating explicitly. That is how far will a CSP trust delegating its credentials (e.g. Private key) given that the consequences of leakage of those credentials are very bad. There are possible solutions to avoid the CSP having to distribute their credentials (e.g. Keyless SSL) but from the perspective of the redirection draft they’re out of scope IMO.

HTH
Ben


> 
> I don't think the text below really captures that. If this is super
> confusing I can send text.
> 
> Jon Peterson
> Neustar, Inc.
> 
> On 10/15/15, 5:25 AM, "Francois Le Faucheur (flefauch)"
> <flefauch@cisco.com> wrote:
> 
>> Hi Jon,
>> 
>> We¹ll wait a couple more days to hear back from you on the point below,
>> and then move the document forward.
>> 
>> Thanks
>> 
>> Francois
>> 
>>> On 7 Oct 2015, at 14:04, Francois Le Faucheur (flefauch)
>>> <flefauch@cisco.com> wrote:
>>> 
>>> Jon,
>>> 
>>> Can you confirm this new rev addresses your comment appropriately?
>>> I believe the text that was added for that purpose is:
>>> ³
>>> 3.1.  Redirection of encrypted traffic
>>> 
>>>     The Redirection Interface defined in this document might be used to
>>> 
>>>     redirect a request where the User Agent will subsequently attempt
>>> to
>>> 
>>>     establish a TLS session with the Redirection Target.  In such a
>>> case,
>>> 
>>>     any surrogate or request router to which the User Agent is
>>> redirected
>>> 
>>>     needs to be able to successfully complete the TLS handshake and to
>>> 
>>>     perform encryption of the TLS channel.  Mechanisms to distribute
>>> the
>>> 
>>>     required information and/or configuration, such as private keys, to
>>> 
>>>     surrogates and request routers in dCDNs are outside the scope of
>>> this
>>> 
>>>     document.
>>> ³
>>> 
>> 
> 
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni

v2.23.0 | Report a Bug | By Email