IETF Logo Mail Archive

Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Kevin Ma J <kevin.j.ma@ericsson.com> Wed, 09 December 2015 21:38 UTC

Return-Path: <kevin.j.ma@ericsson.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0562D1B2E01 for <cdni@ietfa.amsl.com>; Wed, 9 Dec 2015 13:38:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yKpqQUpVSWlR for <cdni@ietfa.amsl.com>; Wed, 9 Dec 2015 13:38:40 -0800 (PST)
Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F1801B2DFD for <cdni@ietf.org>; Wed, 9 Dec 2015 13:38:40 -0800 (PST)
X-AuditID: c618062d-f79d16d000001b1c-aa-56689ee99617
Received: from EUSAAHC005.ericsson.se (Unknown_Domain [147.117.188.87]) by usplmg20.ericsson.net (Symantec Mail Security) with SMTP id 96.23.06940.9EE98665; Wed, 9 Dec 2015 22:36:41 +0100 (CET)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC005.ericsson.se ([147.117.188.87]) with mapi id 14.03.0248.002; Wed, 9 Dec 2015 16:38:38 -0500
From: Kevin Ma J <kevin.j.ma@ericsson.com>
To: "Peterson, Jon" <jon.peterson@neustar.biz>, "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>, Niven-Jenkins Ben <ben@niven-jenkins.co.uk>
Thread-Topic: [CDNi] Jon's commet on draft-ietf-cdni-redirection
Thread-Index: AQHRB0Snkq4vCB0pNUWs9BHaBcT/a55tfYGAgACFV4CAAIrmgIAAGj0AgABc0wCAANIKgIAAa4+AgAcwhICACDRggIAHlXwAgB5HeuCAHilkgP//v5FQgABfQ4D//7Ey8IAAB7nT
Date: Wed, 09 Dec 2015 21:38:38 +0000
Message-ID: <F84FB219-2F2A-4276-89CB-36DA36BC2B9B@ericsson.com>
References: <73F3A4F6-FC5D-4BC8-BEEC-82F27BA3641F@tno.nl> <102272CE-9EF0-4959-B9E2-8A2F10147BF7@cisco.com> <853CC284-D147-4A1F-8C47-213775F47768@cisco.com> <D24513A6.162A5C%jon.peterson@neustar.biz> <437C224B-1C0E-4705-8D52-98E139DDD75E@niven-jenkins.co.uk> <D246687E.164DFF%jon.peterson@neustar.biz> <CF0138DC-609E-4A1D-993A-5CC022450CE2@niven-jenkins.co.uk> <D2468554.16520D%jon.peterson@neustar.biz> <46A08C98-7B12-4F98-8826-8E9FE904B83C@niven-jenkins.co.uk> <D247D7A3.168019%jon.peterson@neustar.biz> <EAE2DE25-7D4B-4495-A360-9B2CEEE92B04@niven-jenkins.co.uk> <B76799A9-6DB0-4FD7-A422-43174B0D095F@niven-jenkins.co.uk> <6DF9C32E-A750-4CF6-A613-489225FC5042@cisco.com> <A419F67F880AB2468214E154CB8A556206BEBA0C@eusaamb103.ericsson.se> <D28DAF8A.1753CF%jon.peterson@neustar.biz> <A419F67F880AB2468214E154CB8A556206C0D76E@eusaamb103.ericsson.se> <D28DD340.1754C7%jon.peterson@neustar.biz>, <A419F67F880AB2468214E154CB8A556206C0D9C6@eusaamb103.ericsson.se>
In-Reply-To: <A419F67F880AB2468214E154CB8A556206C0D9C6@eusaamb103.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_F84FB2192F2A427689CB36DA36BC2B9Bericssoncom_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHIsWRmVeSWpSXmKPExsUyuXRPuO7LeRlhBs9O6lksODeBzeLp7D+s Fv8WnGayONNg6cDiMeX3RlaPJUt+MnnsaHjO7PHz+iTGAJYoLpuU1JzMstQifbsErow/v64z Frz5zlRx7cgDtgbGo8eYuhg5OSQETCRu9j9jh7DFJC7cW8/WxcjFISRwhFHi5eFJ7BDOMkaJ R3d+MYNUsQloSTz++hesW0RgKlDidz2IzSygLLGleS8jiC0sYC8x/9hcNogaB4lV31YwggwS EZjGKLH62wqwBIuAisTXQ/vBBvECNUw4cIAJYtttdompC7+ydDFycHAK+Ekc+l0IUsMIdN73 U2uYIJaJS9x6Mh/qBQGJJXvOM0PYohIvH/9jhahJlpg6ZSIzxHxBiZMzn7BMYBSZhaR9FpKy WUjKIOIGEu/PzWeGsLUlli18DWXrS2z8cpYRWXwBI/sqRo7S4oKc3HQjg02MwFg7JsGmu4Px /nTPQ4wCHIxKPLwfEtLDhFgTy4orcw8xSnAwK4nwhnZmhAnxpiRWVqUW5ccXleakFh9ilOZg URLnZWRgYBASSE8sSc1OTS1ILYLJMnFwSjUwWpxa8Uc8uMTA5+SrazqfomfvELCde+iEIRPD o9s+QQer7pv4FwUbzE9tTZqidcPrHEcp/2mnNkOhRzV+257/C5l7mKHawLJJPvnQ1kWOLx8f KC5fdL23iGNT41b/mfGt11s3P7GWONnt+zci9kBHzVrelnsCwe2bdnh1yXptCJFSbd6ypNlY iaU4I9FQi7moOBEAfVd0sLECAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/cdni/az8Pw8Dic_iFaJiJWTh8_Z5Gfd0>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 21:38:46 -0000

I guess, is the problem that the UA can't tell, or that the redirect fails?  Probably both?  The text I suggested below is more about the latter, though it could certainly be tweeked to also address the former?

Sent from my iPhone

On Dec 9, 2015, at 4:30 PM, Kevin Ma J <kevin.j.ma@ericsson.com<mailto:kevin.j.ma@ericsson.com>> wrote:

Hi Jon,

  Got it.  No ignoring in the UA (the "nonetheless" threw me off); and this RI only supports situations where there are no warnings and no need to ignore anything?.

"
  In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target. When HTTPS is used to connect to the uCDN, if the uCDN uses DNS redirection (in the absence of DNSSEC) to identify the RT to the User Agent, then the new target domain name may not match the domain in the URL dereferenced to reach the uCDN: without operational precautions, this can make a legitimate redirection look like a DNS-based attack to a User Agent and trigger false-negative security warnings. When DNS-based redirection with HTTPS is used, this specification assumes that the RT will be able to successfully complete a TLS handshake with the User Agent; the interface described in this document does not cover situations where the User Agent receiving a false-negative security warning would causes legitimate redirection to fail.

  Note: Operational mechanisms to distribute the required information and/or configuration, such as private keys, to surrogates and request routers in dCDNs are outside the scope of this document.  Further mechanisms to notify User Agents of trusted redirection is also outside the scope of this document.
"

thanx!

--  Kevin J. Ma

From: Peterson, Jon [mailto:jon.peterson@neustar.biz]
Sent: Wednesday, December 09, 2015 3:53 PM
To: Kevin Ma J; Francois Le Faucheur (flefauch); Niven-Jenkins Ben
Cc: cdni@ietf.org<mailto:cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection


No, we shouldn't ever say that a UA should ignore a security warning.

We are saying that this document assumes the UA will never have to ignore a warning because, in any network with a uCDN using HTTPS that does DNS-based redirection, the dCDN will have gotten the keys or whatever beforehand. The fact that if we didn't assume that, we'd incur these problems, is what I have been trying to get the text here to note. We've long had text that talks about the workaround without ever saying what it is working around. We shouldn't expect implementers to just know what they are expected work around, we need to tell them. That's what my text tried to do.

So I would remove that proposed addition saying it is okay to ignore security warnings (the UA will have no way of knowing their legitimacy, that is indeed the problem). The sentence you added to the very end about further mechanisms is fine, though.

Jon Peterson
Neustar, Inc.

From: Kevin Ma J <kevin.j.ma@ericsson.com<mailto:kevin.j.ma@ericsson.com>>
Date: Wednesday, December 9, 2015 at 12:37 PM
To: Jon Peterson <jon.peterson@neustar.biz<mailto:jon.peterson@neustar.biz>>, "Francois Le Faucheur (flefauch)" <flefauch@cisco.com<mailto:flefauch@cisco.com>>, Niven-Jenkins Ben <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>>
Cc: "cdni@ietf.org<mailto:cdni@ietf.org>" <cdni@ietf.org<mailto:cdni@ietf.org>>
Subject: RE: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Hi Jon,

  Thanks for the review and the updated text!  So, the concern that you are highlighting is that the UA, if it (falsely) detects a security warning, is going to need to be able to ignore the warning and keep going?  Is that correct?  If so, maybe we should make that even more explicit.  I'll admit I did not recognize that subtlety from the previous discussions.  I would also suggest that that we break up that last sentence, and if the operational mechanisms should include a mechanism for telling the UA to ignore the error, we should make that explicit, e.g.:

"
  In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target. When HTTPS is used to connect to the uCDN, if the uCDN uses DNS redirection (in the absence of DNSSEC) to identify the RT to the User Agent, then the new target domain name may not match the domain in the URL dereferenced to reach the uCDN: without operational precautions, this can make a legitimate redirection look like a DNS-based attack to a User Agent and trigger false-negative security warnings. When DNS-based redirection with HTTPS is used, this specification assumes that the RT will nonetheless be able to successfully complete a TLS handshake with the User Agent; the User Agent would need to be able to ignore false-negative security warnings generated by the legitimate redirection.

  Note: Operational mechanisms to distribute the required information and/or configuration, such as private keys, to surrogates and request routers in dCDNs are outside the scope of this document.  Further mechanisms to notify User Agents of trusted redirection notifications is also outside the scope of this document.
"

thanx!

--  Kevin J. Ma

From: Peterson, Jon [mailto:jon.peterson@neustar.biz]
Sent: Wednesday, December 09, 2015 2:03 PM
To: Kevin Ma J; Francois Le Faucheur (flefauch); Niven-Jenkins Ben
Cc: cdni@ietf.org<mailto:cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection


While all of this is fine text and sets the stage for what I argue needs to be said, it still doesn't acknowledge that when HTTPS is used, a legitimate DNS-based redirection will look like an attack to a UA unless we do these workarounds. Your second paragraph noted that "the Redirection Target needs to be able to successfully complete the TLS handshake" but it still does not say why you would even need to note that, which is what I've been asking for. I've tried to add a second sentence to it below, and I also modified the rest of the paragraph a bit.

In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target. When HTTPS is used to connect to the uCDN, if the uCDN uses DNS redirection (in the absence of DNSSEC) to identify the RT to the User Agent, then the new target domain name may not match the domain in the URL dereferenced to reach the uCDN: without operational precautions, this can make a legitimate redirection look like a DNS-based attack to a User Agent and trigger false-negative security warnings. When DNS-based redirection with HTTPS is used, this specification assumes that the RT will nonetheless be able to successfully complete a TLS handshake with the User Agent; operational mechanisms to distribute the required information and/or configuration, such as private keys, to surrogates and request routers in dCDNs are outside the scope of this document.

Jon Peterson
Neustar, Inc.

From: CDNi <cdni-bounces@ietf.org<mailto:cdni-bounces@ietf.org>> on behalf of Kevin Ma J <kevin.j.ma@ericsson.com<mailto:kevin.j.ma@ericsson.com>>
Date: Friday, November 20, 2015 at 11:31 AM
To: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com<mailto:flefauch@cisco.com>>, Niven-Jenkins Ben <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>>
Cc: "cdni@ietf.org<mailto:cdni@ietf.org>" <cdni@ietf.org<mailto:cdni@ietf.org>>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Hi All,

  I thought I'd propose the alternate text (below), and see if it meets everyone's needs?

thanx!

--  Kevin J. Ma

The Redirection Interface defined in this document is intended to support delegation of HTTP-based traffic, including TLS encrypted HTTPS traffic, via DNS or HTTP redirection.  The User Agent request to the uCDN may be made over HTTP, HTTPS, or DNS.  In the case of an HTTPS request from the User Agent, the TLS session provides authentication of the request router sending the response.  In this case, the user agent may be confident that the HTTP redirection over TLS is genuine. In the cases of HTTP (without TLS) or DNS redirection, there is no inherent authentication of the request router.  In these cases, forged responses could be inserted by an attacker to maliciously redirect the User Agent to an alternate Redirection Target.  In the case of DNS redirection, DNSSEC [ref] could be used to authenticate DNS responses, however, configuration of DNSSEC is outside the scope of this document.

In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target.  If the Redirection Target URL uses HTTPS, the Redirection Target needs to be able to successfully complete the TLS handshake and perform encryption of the TLS channel.  Mechanisms to distribute the required information and/or configuration, such as private keys, to surrogates and request routers in dCDNs are outside the scope of this document.


From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Francois Le Faucheur (flefauch)
Sent: Sunday, November 01, 2015 3:03 AM
To: Niven-Jenkins Ben
Cc: cdni@ietf.org<mailto:cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Hi Ben,

Minor editorial suggestions:

The redirection interface defined in this document enables a uCDN to return to a User Agent a DNS response on behalf of a dCDN. If DNSSEC is deployed, a User Agent can authenticate the DNS responses it receives, enabling it to distinguish between genuine (redirection) responses and malicious (redirection) responses . Without DNSSEC a User Agent is unable to detect a malicious DNS redirect.  HTTPS redirection provides an additional layer of authentication via TLS because in order for the TLS handshake to complete, the server to which the User Agent connects needs to authenticate itself to the User Agent.

Cheers

Francois


On 27 Oct 2015, at 22:14, Ben Niven-Jenkins <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>> wrote:

Hi Jon,

Would the following text address your comments, feel free to wordsmith it to your liking.

===
The redirection interface defined in this document enables a uCDN to return
a DNS response on behalf of a dCDN. If DNSSEC is deployed
User Agents can authenticate the DNS responses they receive, enabling them to distinguish between genuine responses (redirections) and malicious responses (redirections). Without DNSSEC a User Agent is unable to detect a malicious DNS redirect.  HTTPS redirection provides an additional layer of authentication via TLS because in order for the TLS handshake to complete, the server the User Agent connects to must authenticate itself to the User Agent.
===

Thanks
Ben








On 22 Oct 2015, at 08:56, Ben Niven-Jenkins <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>> wrote:

The Redirection Interface defined in this document might be used to redirect a request where the User Agent will subsequently attempt to establish a TLS session with the Redirection Target. In such a case, any surrogate or request router to which the User Agent is redirected needs to be able to successfully complete the TLS handshake and to perform encryption of the TLS channel.

The private key for the host in the RT is needed in order to successfully establish a TLS session. The most widespread mechanism currently used by (non-interconnected) CDNs is for the owner of the host in the RT sharing their private key with their CDN(s) of choice. In cases where the owner of the host is not willing to share their private key, other mechanisms that allow the owner to not share their private key are used, for example Keyless SSL [REF].

CDNI by definition implies that a Content Provider’s content will be delivered by CDNs other than the CDN with which the Content Provider has a direct business relationship. Therefore, while CDNI does not introduce any new technical requirements on dCDNs when establishing TLS sessions, Content Providers may be less willing to have their private key shared with dCDNs than they are with their chosen CDN(s) in a non-interconnected scenario.

Mechanisms to distribute the required information and/or configuration to surrogates and request routers in dCDNs to enable a dCDN to successfully complete TLS handshakes and to perform encryption of the TLS channel for a particular host, such as private keys or the URI/IP address of a key server, are outside the scope of this document.

[REF] https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/

_______________________________________________
CDNi mailing list
CDNi@ietf.org<mailto:CDNi@ietf.org>
https://www.ietf.org/mailman/listinfo/cdni

v2.23.0 | Report a Bug | By Email