IETF Logo Mail Archive

Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

"Peterson, Jon" <jon.peterson@neustar.biz> Wed, 09 December 2015 19:03 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2CF1B2D36 for <cdni@ietfa.amsl.com>; Wed, 9 Dec 2015 11:03:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.265
X-Spam-Level:
X-Spam-Status: No, score=-102.265 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ctLfJmPam-ui for <cdni@ietfa.amsl.com>; Wed, 9 Dec 2015 11:03:08 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C4711AC3E7 for <cdni@ietf.org>; Wed, 9 Dec 2015 11:03:01 -0800 (PST)
Received: from pps.filterd (m0078664.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tB9J2s4J002981; Wed, 9 Dec 2015 14:02:56 -0500
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 1yp6xthy48-14 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 09 Dec 2015 14:02:56 -0500
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.186]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0158.001; Wed, 9 Dec 2015 14:02:44 -0500
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Kevin Ma J <kevin.j.ma@ericsson.com>, "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>, Niven-Jenkins Ben <ben@niven-jenkins.co.uk>
Thread-Topic: [CDNi] Jon's commet on draft-ietf-cdni-redirection
Thread-Index: AQHRB0Sd6BAt8jKfVkKtIgZAGUcIrZ5tCBuAgAD6vYCAABV5AIAAj6oA///nZQCAAUd4gP//9hmAgAel+oCACDRggIAHlXwAgB6cjICAHU4xgA==
Date: Wed, 09 Dec 2015 19:02:43 +0000
Message-ID: <D28DAF8A.1753CF%jon.peterson@neustar.biz>
References: <73F3A4F6-FC5D-4BC8-BEEC-82F27BA3641F@tno.nl> <102272CE-9EF0-4959-B9E2-8A2F10147BF7@cisco.com> <853CC284-D147-4A1F-8C47-213775F47768@cisco.com> <D24513A6.162A5C%jon.peterson@neustar.biz> <437C224B-1C0E-4705-8D52-98E139DDD75E@niven-jenkins.co.uk> <D246687E.164DFF%jon.peterson@neustar.biz> <CF0138DC-609E-4A1D-993A-5CC022450CE2@niven-jenkins.co.uk> <D2468554.16520D%jon.peterson@neustar.biz> <46A08C98-7B12-4F98-8826-8E9FE904B83C@niven-jenkins.co.uk> <D247D7A3.168019%jon.peterson@neustar.biz> <EAE2DE25-7D4B-4495-A360-9B2CEEE92B04@niven-jenkins.co.uk> <B76799A9-6DB0-4FD7-A422-43174B0D095F@niven-jenkins.co.uk> <6DF9C32E-A750-4CF6-A613-489225FC5042@cisco.com> <A419F67F880AB2468214E154CB8A556206BEBA0C@eusaamb103.ericsson.se>
In-Reply-To: <A419F67F880AB2468214E154CB8A556206BEBA0C@eusaamb103.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
x-originating-ip: [192.168.128.182]
Content-Type: multipart/alternative; boundary="_000_D28DAF8A1753CFjonpetersonneustarbiz_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-12-09_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310000 definitions=main-1512090313
Archived-At: <http://mailarchive.ietf.org/arch/msg/cdni/u2xYWAO2vWRqejQQN4K2qvkB0bQ>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 19:03:11 -0000

While all of this is fine text and sets the stage for what I argue needs to be said, it still doesn't acknowledge that when HTTPS is used, a legitimate DNS-based redirection will look like an attack to a UA unless we do these workarounds. Your second paragraph noted that "the Redirection Target needs to be able to successfully complete the TLS handshake" but it still does not say why you would even need to note that, which is what I've been asking for. I've tried to add a second sentence to it below, and I also modified the rest of the paragraph a bit.

In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target. When HTTPS is used to connect to the uCDN, if the uCDN uses DNS redirection (in the absence of DNSSEC) to identify the RT to the User Agent, then the new target domain name may not match the domain in the URL dereferenced to reach the uCDN: without operational precautions, this can make a legitimate redirection look like a DNS-based attack to a User Agent and trigger false-negative security warnings. When DNS-based redirection with HTTPS is used, this specification assumes that the RT will nonetheless be able to successfully complete a TLS handshake with the User Agent; operational mechanisms to distribute the required information and/or configuration, such as private keys, to surrogates and request routers in dCDNs are outside the scope of this document.

Jon Peterson
Neustar, Inc.

From: CDNi <cdni-bounces@ietf.org<mailto:cdni-bounces@ietf.org>> on behalf of Kevin Ma J <kevin.j.ma@ericsson.com<mailto:kevin.j.ma@ericsson.com>>
Date: Friday, November 20, 2015 at 11:31 AM
To: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com<mailto:flefauch@cisco.com>>, Niven-Jenkins Ben <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>>
Cc: "cdni@ietf.org<mailto:cdni@ietf.org>" <cdni@ietf.org<mailto:cdni@ietf.org>>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Hi All,

  I thought I'd propose the alternate text (below), and see if it meets everyone's needs?

thanx!

--  Kevin J. Ma

The Redirection Interface defined in this document is intended to support delegation of HTTP-based traffic, including TLS encrypted HTTPS traffic, via DNS or HTTP redirection.  The User Agent request to the uCDN may be made over HTTP, HTTPS, or DNS.  In the case of an HTTPS request from the User Agent, the TLS session provides authentication of the request router sending the response.  In this case, the user agent may be confident that the HTTP redirection over TLS is genuine. In the cases of HTTP (without TLS) or DNS redirection, there is no inherent authentication of the request router.  In these cases, forged responses could be inserted by an attacker to maliciously redirect the User Agent to an alternate Redirection Target.  In the case of DNS redirection, DNSSEC [ref] could be used to authenticate DNS responses, however, configuration of DNSSEC is outside the scope of this document.

In all three of the above cases, either HTTP or HTTPS could be used to connect to the Redirection Target.  If the Redirection Target URL uses HTTPS, the Redirection Target needs to be able to successfully complete the TLS handshake and perform encryption of the TLS channel.  Mechanisms to distribute the required information and/or configuration, such as private keys, to surrogates and request routers in dCDNs are outside the scope of this document.


From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Francois Le Faucheur (flefauch)
Sent: Sunday, November 01, 2015 3:03 AM
To: Niven-Jenkins Ben
Cc: cdni@ietf.org<mailto:cdni@ietf.org>
Subject: Re: [CDNi] Jon's commet on draft-ietf-cdni-redirection

Hi Ben,

Minor editorial suggestions:

The redirection interface defined in this document enables a uCDN to return to a User Agent a DNS response on behalf of a dCDN. If DNSSEC is deployed, a User Agent can authenticate the DNS responses it receives, enabling it to distinguish between genuine (redirection) responses and malicious (redirection) responses . Without DNSSEC a User Agent is unable to detect a malicious DNS redirect.  HTTPS redirection provides an additional layer of authentication via TLS because in order for the TLS handshake to complete, the server to which the User Agent connects needs to authenticate itself to the User Agent.

Cheers

Francois


On 27 Oct 2015, at 22:14, Ben Niven-Jenkins <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>> wrote:

Hi Jon,

Would the following text address your comments, feel free to wordsmith it to your liking.

===
The redirection interface defined in this document enables a uCDN to return
a DNS response on behalf of a dCDN. If DNSSEC is deployed
User Agents can authenticate the DNS responses they receive, enabling them to distinguish between genuine responses (redirections) and malicious responses (redirections). Without DNSSEC a User Agent is unable to detect a malicious DNS redirect.  HTTPS redirection provides an additional layer of authentication via TLS because in order for the TLS handshake to complete, the server the User Agent connects to must authenticate itself to the User Agent.
===

Thanks
Ben






On 22 Oct 2015, at 08:56, Ben Niven-Jenkins <ben@niven-jenkins.co.uk<mailto:ben@niven-jenkins.co.uk>> wrote:

The Redirection Interface defined in this document might be used to redirect a request where the User Agent will subsequently attempt to establish a TLS session with the Redirection Target. In such a case, any surrogate or request router to which the User Agent is redirected needs to be able to successfully complete the TLS handshake and to perform encryption of the TLS channel.

The private key for the host in the RT is needed in order to successfully establish a TLS session. The most widespread mechanism currently used by (non-interconnected) CDNs is for the owner of the host in the RT sharing their private key with their CDN(s) of choice. In cases where the owner of the host is not willing to share their private key, other mechanisms that allow the owner to not share their private key are used, for example Keyless SSL [REF].

CDNI by definition implies that a Content Provider’s content will be delivered by CDNs other than the CDN with which the Content Provider has a direct business relationship. Therefore, while CDNI does not introduce any new technical requirements on dCDNs when establishing TLS sessions, Content Providers may be less willing to have their private key shared with dCDNs than they are with their chosen CDN(s) in a non-interconnected scenario.

Mechanisms to distribute the required information and/or configuration to surrogates and request routers in dCDNs to enable a dCDN to successfully complete TLS handshakes and to perform encryption of the TLS channel for a particular host, such as private keys or the URI/IP address of a key server, are outside the scope of this document.

[REF] https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/

_______________________________________________
CDNi mailing list
CDNi@ietf.org<mailto:CDNi@ietf.org>
https://www.ietf.org/mailman/listinfo/cdni

v2.23.0 | Report a Bug | By Email