Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

frederic.fieau@orange.com Mon, 25 October 2021 19:49 UTC

From: frederic.fieau@orange.com
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>, Guillaume Bichot <Guillaume.Bichot@broadpeak.tv>
CC: "cdni@ietf.org" <cdni@ietf.org>, "Mishra, Sanjay" <sanjay.mishra@verizon.com>, STEPHAN Emile INNOV/NET <emile.stephan@orange.com>
Date: Mon, 25 Oct 2021 19:49:11 +0000
Message-ID: <26825_1635191352_61770A38_26825_229_1_1a3f531b62194b3984f154533bb340b8@orange.com>
References: <163128247469.29545.4130663958106371218@ietfa.amsl.com> <25254_1631714866_6141FE32_25254_374_1_69cdff00f76242829955814120b8df2c@orange.com> <15856_1633534772_615DC334_15856_295_1_7ad625d38c3a4f61b777dc69309c5a92@orange.com> <PR3PR10MB42399AB1918170D6031ECD75E1B59@PR3PR10MB4239.EURPRD10.PROD.OUTLOOK.COM> <CAMrHYE2WrmwgUEZhN-xkfbNDZ_dG1wanc2wVpn_k0X6SWHMGaw@mail.gmail.com>
In-Reply-To: <CAMrHYE2WrmwgUEZhN-xkfbNDZ_dG1wanc2wVpn_k0X6SWHMGaw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/jHCRToGMqZRrhmB-gjEinYw3Kew>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Hi Guillaume, Kevin,

Thanks for your review and the proposed changes.
I tried to take into account your remarks as much as I could in a new version I just submitted.


Kevin,
The questions you asked regarding security and privacy are very relevant but would maybe need to be discussed all together. In the meantime, I added them in the last version.

Regards,
Frederic


From: Kevin Ma [mailto:kevin.j.ma.ietf@gmail.com]
Sent: Monday 25 October 2021 06:06
To: Guillaume Bichot <Guillaume.Bichot@broadpeak.tv>
Cc: FIEAU Frédéric INNOV/NET <frederic.fieau@orange.com>; cdni@ietf.org
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Hi Guillaume,

  I agree with both of your comments: there is no need for section 5, and the FCI payload type needs to be registered.

Hi Frederic,

  In addition to Guillaume's comments, I'm not sure I see a need for section 7.  The periodicity property could be defined as an integer in the generic metadata object definition.  Does it need a simple data type redefinition?

  For the security considerations, is there anything in the metadata itself that needs to be discussed?  This is passing around metadata for managing creds and configuring a security feature.  Are there concerns about using this incorrectly or limitations on how this can safely be used?  The privacy section is also missing.  Are there any concerns with sharing the information that is in the metadata?  Is the metadata safe to redistribute, or is it something that is only valid between adjacent CDNs?

  Wrt Section 10, Comments and Questions, to whom is the question directed?  Is this a FAQ?  If so, it might be better stated as an affirmative assertion up front in the introduction?

  The introduction talks about a registry for delegation methods, but there is no registry created in the IANA considerations?  Is the registry going to contain the valid values for the FCI advertisement, e.g., AcmeStarDelegationDelegationMethod?  If so, that could be made clearer in section 4.  I would ask, however, if we need the FCI.SupportedDelegationMethods capability at all?   The AcmeStarDelegationDelegationMethod is going to have a corresponding MI.AcmeStarDelegationMethod metadata object, and the FCI already has an FCI.Metadata capability that advertises metadata payload types.  So if a dCDN advertises MI.AcmeStarDelegationMethod in FCI.Metadata, it would be the same as advertising AcmeStarDelegationDelegationMethod in FCI.SupportedDelegationMethods; we don't really need the latter?

  Note: section 8.1 talks about the MI payload but the encoding link points to the FCI payload definition.

thanx!

--  Kevin J. Ma


On Mon, Oct 11, 2021 at 10:16 AM Guillaume Bichot <Guillaume.Bichot@broadpeak.tv> wrote:
Frederic,
there is a small mistake in your draft and maybe missing registration tasks.

Section 5.1 Extension to HostMetadata object and section 5.2 Extension to PathMetadata object

Strictly speaking, you do not extend the HostMetadata or the PathMetadata object. Instead, you propose to create a new Generic Metadata object. Therefore, you do not need 5.1 or even 5.2 either. Both MI.HostMetadata and MI.PathMetadata objects have a property (metadata) that refers to a list (an array) of generic metadata objects (MI.GenericMetadata).

So instead you should just remove these subsections. I think they bring confusion as there is nothing specific regarding 5.1 versus 5.2. As any other MI generic metadata object, the AcmeStarDelegationMethod configuration object can be attached to a host name or to host name + a path pattern.

In your 5.1 example, you indicate "hostmetadata" as a property of the MI.HostMetadata object, which does not exist indeed. The correct name is "metadata".

Your new object should be described like this:

Following the example above, the MI.HostMetadata can be modeled
for ACMEStarDelegationMethod as:

    {
      "metadata": [
        {
          "generic-metadata-type": "MI.AcmeStarDelegationMethod",
          "generic-metadata-value": {
            "star-proxy": "10.2.2.2",
            "acme-server": "10.2.3.3",
            "credentials-location-uri": "http://www.ucdn.com/credentials",
            "periodicity": 36000,
            "CSR-template": Json/Text of the CSR template (see 4.2)
          }
        }
      ]
    }

Section 8
I think you must also register a new FCI payload type as well as a new CDNI Supported Delegation Methods.

Guillaume

Guillaume Bichot
Principal Engineer, Head of Exploration
broadpeak
m: +33 685 597 666    p: +33 222 740 350
guillaume.bichot@broadpeak.tv

Broadpeak, S.A.S. | Registered offices at 15 rue Claude Chappe, Zone des Champs Blancs, 35510 Cesson-Sévigné, France | Rennes Trade Register: 524 473 063
This e-mail and its attachments contain confidential information from Broadpeak S.A.S and/or its affiliates (Broadpeak), which is intended only for the person to whom it is addressed. If you are not the intended recipient of this email,
please notify immediately the sender by phone or email and delete it. Any use of the information contained herein in any way, including, but not limited to, total or partial disclosure, reproduction, or dissemination, by persons other than the intended recipient(s) is prohibited, unless expressly authorized by Broadpeak. Broadpeak, S.A.S. and its affiliates respect privacy laws, and is committed to the protection of personal data. Emails and/or attachments thereof exchanged between us may include your personal data which may be processed by Broadpeak and/or its affiliates according to applicable privacy laws & regulations. In compliance with Regulation (EU) 2016/679 (GDPR) and applicable implementation in local legislations, you can exercise at any time your rights of access, rectification or erasure of your personal data, as well as your rights to restriction, portability or object to the processing.
For such purpose, or to know more about how Broadpeak processes your personal data, you may contact Broadpeak by mail (Headquarters address listed here) or by email (privacy@broadpeak.tv).
Local authority: Commission Nationale Informatique et Libertés (CNIL): 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 or www.cnil.fr
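The two points raised in this thread (Guillaume: the generic metadata must sit under the "metadata" property of MI.HostMetadata, not under a non-existent "hostmetadata"; Kevin: a dCDN that lists MI.AcmeStarDelegationMethod in its FCI.Metadata capability has already said it supports the method) are easy to get wrong when a uCDN acts on metadata it did not validate. The following Python is an added example written for this page; it is not code from the draft, from the IETF, or from any participant. It assumes the object layout of Guillaume's corrected example above and the RFC 8008 FCI.Metadata capability layout (capability-type / capability-value with a "metadata" array of payload type names). The sample HostMetadata and FCI documents, the CSR-template placeholder string, and the validation rules themselves (required properties, positive integer periodicity, absolute credentials URI) are this example's own constructions, not requirements taken from the draft.

```python
import json
from urllib.parse import urlparse

# Generic metadata type name used in the thread's corrected example.
ACME_STAR_TYPE = "MI.AcmeStarDelegationMethod"

# Constructed sample: a uCDN HostMetadata object laid out as Guillaume suggests,
# i.e. the generic metadata sits under the "metadata" property. The CSR-template
# value is a placeholder string, not a real template.
HOST_METADATA_OK = json.loads("""
{
  "metadata": [
    {
      "generic-metadata-type": "MI.AcmeStarDelegationMethod",
      "generic-metadata-value": {
        "star-proxy": "10.2.2.2",
        "acme-server": "10.2.3.3",
        "credentials-location-uri": "http://www.ucdn.com/credentials",
        "periodicity": 36000,
        "CSR-template": "<constructed placeholder for the CSR template>"
      }
    }
  ]
}
""")

# Constructed sample reproducing the mistake in the draft's 5.1 example: the array
# is under "hostmetadata", a property that MI.HostMetadata does not define.
HOST_METADATA_WRONG_KEY = {"hostmetadata": HOST_METADATA_OK["metadata"]}

# Constructed sample dCDN advertisement using the RFC 8008 FCI.Metadata capability,
# which lists the metadata payload types the dCDN understands.
FCI_ADVERTISEMENT = {
    "capabilities": [
        {
            "capability-type": "FCI.Metadata",
            "capability-value": {"metadata": ["MI.AcmeStarDelegationMethod"]},
        }
    ]
}


def find_generic_metadata(host_metadata, gmd_type):
    """Return the generic-metadata-value of the first entry of gmd_type, or None.

    Only the "metadata" property is consulted, so an object that puts the array
    under another name (such as "hostmetadata") yields no generic metadata at all.
    """
    for entry in host_metadata.get("metadata", []):
        if entry.get("generic-metadata-type") == gmd_type:
            return entry.get("generic-metadata-value")
    return None


def validate_acme_star_delegation(value):
    """Return the problems found in an MI.AcmeStarDelegationMethod value (empty = ok).

    Checks are this example's own: the five properties of the sample object are
    present, periodicity is a positive integer (as Kevin suggests), and the
    credentials URI is absolute.
    """
    if value is None:
        return ["no %s generic metadata found" % ACME_STAR_TYPE]
    problems = []
    for key in ("star-proxy", "acme-server", "credentials-location-uri",
                "periodicity", "CSR-template"):
        if key not in value:
            problems.append("missing property: " + key)
    period = value.get("periodicity")
    if period is not None and (isinstance(period, bool)
                               or not isinstance(period, int) or period <= 0):
        problems.append("periodicity must be a positive integer")
    uri = value.get("credentials-location-uri")
    if uri is not None:
        parsed = urlparse(str(uri))
        if not (parsed.scheme and parsed.netloc):
            problems.append("credentials-location-uri must be an absolute URI")
    return problems


def dcdn_advertises_metadata(fci_advertisement, gmd_type):
    """True if the dCDN lists gmd_type in an FCI.Metadata capability.

    This is the check Kevin's mail relies on: advertising the MI payload type in
    FCI.Metadata already tells the uCDN that the delegation method is supported.
    """
    for cap in fci_advertisement.get("capabilities", []):
        if cap.get("capability-type") != "FCI.Metadata":
            continue
        if gmd_type in cap.get("capability-value", {}).get("metadata", []):
            return True
    return False


def check_delegation(host_metadata, fci_advertisement):
    """Run both checks; an empty list means the uCDN may push this metadata."""
    problems = []
    if not dcdn_advertises_metadata(fci_advertisement, ACME_STAR_TYPE):
        problems.append("dCDN does not advertise %s in FCI.Metadata" % ACME_STAR_TYPE)
    problems.extend(validate_acme_star_delegation(
        find_generic_metadata(host_metadata, ACME_STAR_TYPE)))
    return problems


if __name__ == "__main__":
    print(check_delegation(HOST_METADATA_OK, FCI_ADVERTISEMENT))         # []
    print(check_delegation(HOST_METADATA_WRONG_KEY, FCI_ADVERTISEMENT))  # wrong property name
```

Running the block prints an empty list for the corrected object and a single "no MI.AcmeStarDelegationMethod generic metadata found" entry for the "hostmetadata" variant, which is exactly the failure mode Guillaume describes: the misnamed property makes the object silently carry no delegation configuration. The FCI check is deliberately a plain membership test on the FCI.Metadata array, since that is all a uCDN would need if the separate FCI.SupportedDelegationMethods capability Kevin questions were dropped.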



-----Original Message-----
From: CDNi <cdni-bounces@ietf.org> On Behalf Of frederic.fieau@orange.com
Sent: Wednesday, October 6, 2021 5:40 PM
To: FIEAU Frédéric INNOV/NET <frederic.fieau@orange.com>; cdni@ietf.org
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Hi all,

A quick recap of the main changes:
- Removed sections related to the "Delegated Credentials" delegation method
- Added FCI metadata to sync CDNs on the delegation methods that are supported
- Added a HostMatch pattern to trigger a delegation method


Regards,
Frederic

-----Original Message-----
From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of frederic.fieau@orange.com
Sent: Wednesday 15 September 2021 16:08
To: cdni@ietf.org
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Hi all,

I posted a new version of the draft-ietf-cdni-interfaces-https-delegation.
This last version only includes support for the ACME-STAR method for now and adds FCI metadata for delegation methods negotiation between CDNs.

Please feel free to review and comment.

Regards,
Frederic



-----Original Message-----
From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
Sent: Friday 10 September 2021 16:01
To: i-d-announce@ietf.org
Cc: cdni@ietf.org
Subject: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Content Delivery Networks Interconnection WG of the IETF.

        Title           : CDNI extensions for HTTPS delegation
        Authors         : Frederic Fieau
                          Emile Stephan
                          Sanjay Mishra
        Filename        : draft-ietf-cdni-interfaces-https-delegation-06.txt
        Pages           : 10
        Date            : 2021-09-10

Abstract:
   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues.  This document proposes extensions in
   CDNI Control and Metadata interfaces to setup HTTPS delegation from
   an Upstream CDN (uCDN) to a Downstream CDN (dCDN).


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-cdni-interfaces-https-delegation/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-cdni-interfaces-https-delegation-06.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-interfaces-https-delegation-06


Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://www.ietf.org/mailman/listinfo/cdni

_________________________________________________________________________________________________________________________


This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
