IETF Logo Mail Archive

Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

"Peterson, Jon" <jon.peterson@neustar.biz> Thu, 10 December 2015 00:09 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 476651A1BD4 for <cdni@ietfa.amsl.com>; Wed, 9 Dec 2015 16:09:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.266
X-Spam-Level:
X-Spam-Status: No, score=-102.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D5_2lt1SD9-3 for <cdni@ietfa.amsl.com>; Wed, 9 Dec 2015 16:09:08 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82DA81A1BD1 for <cdni@ietf.org>; Wed, 9 Dec 2015 16:09:08 -0800 (PST)
Received: from pps.filterd (m0078666.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tBA0447n004884; Wed, 9 Dec 2015 19:09:04 -0500
Received: from stntexhc12.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 1yp6xttkhb-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 09 Dec 2015 19:09:04 -0500
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.186]) by stntexhc12.cis.neustar.com ([::1]) with mapi id 14.03.0158.001; Wed, 9 Dec 2015 19:09:03 -0500
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Kevin Ma J <kevin.j.ma@ericsson.com>, "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>, Niven-Jenkins Ben <ben@niven-jenkins.co.uk>
Thread-Topic: [CDNi] Jon's commet on draft-ietf-cdni-redirection
Thread-Index: AQHRB0Sd6BAt8jKfVkKtIgZAGUcIrZ5tCBuAgAD6vYCAABV5AIAAj6oA///nZQCAAUd4gP//9hmAgAel+oCACDRggIAHlXwAgB6cjICAHU4xgIAAoKYA//9+LwAAEgY7gAAAVWMA//9/zQCAAJ71AP//hSOA
Date: Thu, 10 Dec 2015 00:09:03 +0000
Message-ID: <D28DFCD6.1754F5%jon.peterson@neustar.biz>
References: <73F3A4F6-FC5D-4BC8-BEEC-82F27BA3641F@tno.nl> <102272CE-9EF0-4959-B9E2-8A2F10147BF7@cisco.com> <853CC284-D147-4A1F-8C47-213775F47768@cisco.com> <D24513A6.162A5C%jon.peterson@neustar.biz> <437C224B-1C0E-4705-8D52-98E139DDD75E@niven-jenkins.co.uk> <D246687E.164DFF%jon.peterson@neustar.biz> <CF0138DC-609E-4A1D-993A-5CC022450CE2@niven-jenkins.co.uk> <D2468554.16520D%jon.peterson@neustar.biz> <46A08C98-7B12-4F98-8826-8E9FE904B83C@niven-jenkins.co.uk> <D247D7A3.168019%jon.peterson@neustar.biz> <EAE2DE25-7D4B-4495-A360-9B2CEEE92B04@niven-jenkins.co.uk> <B76799A9-6DB0-4FD7-A422-43174B0D095F@niven-jenkins.co.uk> <6DF9C32E-A750-4CF6-A613-489225FC5042@cisco.com> <A419F67F880AB2468214E154CB8A556206BEBA0C@eusaamb103.ericsson.se> <D28DAF8A.1753CF%jon.peterson@neustar.biz> <A419F67F880AB2468214E154CB8A556206C0D76E@eusaamb103.ericsson.se> <D28DD340.1754C7%jon.peterson@neustar.biz> <A419F67F880AB2468214E154CB8A556206C0D9C6@eusaamb103.ericsson.se> <F84FB219-2F2A-4276-89CB-36DA36BC2B9B@ericsson.com> <D28DE286.1754D9%jon.peterson@neustar.biz> <A419F67F880AB2468214E154CB8A556206C0DD8A@eusaamb103.ericsson.se>
In-Reply-To: <A419F67F880AB2468214E154CB8A556206C0DD8A@eusaamb103.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
x-originating-ip: [192.168.128.182]
Content-Type: multipart/alternative; boundary="_000_D28DFCD61754F5jonpetersonneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-12-10_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1512090407
Archived-At: <http://mailarchive.ietf.org/arch/msg/cdni/jYP7R0vrdsqNAv5J62QV5lXhqMg>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 00:09:10 -0000

No, we really cannot say in our specification text that we assume the UA will (or even should) continue despite the presence of security warnings - my email was just being snarky by pointing out that users in fact tend to do that, but that is a bad thing, and it is our job as spec authors to prevent them from being in that position. I think we're shifting the focus here too much to the warnings themselves and not to the problem that is causing the warnings. The problem causing the warnings is that in this HTTPS case, the DNS redirect insecurely directs you to another domain, and that HTTPS should fail when that happens, if the domain does not hold the keying material that the UA expects.

The proper, long-term way to actually fix this is either to use DNSSEC, or to give up DNS redirection entirely and just use HTTPS. In that case the UA securely learns that it should negotiate TLS with the RT's domain instead of the original domain. But we're not going to tell people they have to do that.

The immediate solution (i.e. workaround) is "operational mechanisms" that we assume here, but do not detail - that is, the uCDN giving away its private key to all relevant devices in all dCDNs that could conceivably be RTs. All of your partners/competitors can now impersonate you: enjoy! That is why this is just a workaround.

The mid-term way to address this is the problem space that draft-fieau is trying (I think, anyway) to shape.

Are we home yet? Here's some proposed edits:

  In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target. When HTTPS is used to connect to the uCDN, if the uCDN uses DNS redirection to identify the RT to the User Agent, then the new target domain name may not match the domain in the URL dereferenced to reach the uCDN: without operational precautions, and in the absence of DNSSEC, this can make a legitimate redirection look like a DNS-based attack to a User Agent and trigger false-negative security warnings. When DNS-based redirection with HTTPS is used, this specification assumes that any RT can complete the necessary TLS handshake with the User Agent. Any operational mechanisms this requires, e.g., private key distribution to surrogates and request routers in dCDNs, are outside the scope of this document. Further mechanisms to notify User Agents of trusted redirection are also outside the scope of this document.

Jon Peterson
Neustar, Inc.

v2.23.0 | Report a Bug | By Email