IETF Logo Mail Archive

Re: [CDNi] Ben Campbell's Discuss on draft-ietf-cdni-logging-25: (with DISCUSS and COMMENT)

Francois Le Faucheur <flefauch@gmail.com> Wed, 01 June 2016 15:50 UTC

Return-Path: <flefauch@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 913D812B026; Wed, 1 Jun 2016 08:50:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jWzF1iD4BTCg; Wed, 1 Jun 2016 08:50:25 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B50412D508; Wed, 1 Jun 2016 08:50:25 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id a136so189289141wme.0; Wed, 01 Jun 2016 08:50:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3bN9OpvJ0Q98C8AF2expflFi+GgMBEAuFwuKlZyzeHk=; b=a5xuMVoUILLatPIC9o6VGHXcLS2GrCDiZ+24cyAFmTtAD7CFaw45iNSbNGKlvH/du8 NSPpV0OB9LhcxDrVeHTRl18S9Ay+mZjGuObMar2bYrDBgSN+MK/l1tGBVY5jRQxMzaWK M+uETs4+9kMtIn07mBOa0ASJu0oizNlpTizunPkwgZL2to0znt7wi+cIQ6lW3joUEV/i M9lS/5D6U6h8Jdvo4Zxj56mlJEbSyFyAuwY1NnhNFBEBY1e2LNKpvQSsTb3veYd0rz81 kgIUHtSRbW8pdE924FUFNJP1bN3HUXDOfA9I/ZA3Y5jCmFP+EDlWl5PPcMRlV7NqCmY6 xiaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3bN9OpvJ0Q98C8AF2expflFi+GgMBEAuFwuKlZyzeHk=; b=TU3DRyIg0TwBvITA2dbuCxEggNDhCkkLerRmyoLI3YGONsF+sAlPA1b91ZT7CZbc8M Iwt4eKX2/7zcduRJy4ZxqDL+j08poAIfIEFjWUt3qbQNkp7SQyDBGzvSb17MQHjk3tFY 0bjF56vpP19BRY5RWvHaJWJ8Ugxcof+KqKwRkjq/HkV7omWSg2r62s+OwDOXaPPqztBL zfxnaxPTqWaXv+74Voc15qEP6+kGJF77Z2a3ZIM1zIaduiTE8w4453pTtK9xMalHNWvM YMyrsIVwCmyOcV8O4yTD8qlOH+go9qVcAG5+S8a3a6fQp0Stc5G31W72yA3rAiM/r48x G2zA==
X-Gm-Message-State: ALyK8tLqrMmr9KOCEXIUoCAlIlfhuro27IyPEH/kpZluBmMnO7I7NEyblNoo1RVh+8cW6w==
X-Received: by 10.28.96.10 with SMTP id u10mr23806900wmb.93.1464796223623; Wed, 01 Jun 2016 08:50:23 -0700 (PDT)
Received: from [192.168.1.21] (125.216.113.78.rev.sfr.net. [78.113.216.125]) by smtp.gmail.com with ESMTPSA id y76sm35689575wmd.3.2016.06.01.08.50.21 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 01 Jun 2016 08:50:22 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Francois Le Faucheur <flefauch@gmail.com>
In-Reply-To: <20160518223257.14733.37895.idtracker@ietfa.amsl.com>
Date: Wed, 01 Jun 2016 17:50:20 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C19521D9-03B0-4FFE-96DB-118EF5FA46D4@gmail.com>
References: <20160518223257.14733.37895.idtracker@ietfa.amsl.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cdni/yY3tnzCrEpzxNhZUBY6f30bcLKk>
Cc: draft-ietf-cdni-logging@ietf.org, cdni-chairs@ietf.org, The IESG <iesg@ietf.org>, cdni@ietf.org
Subject: Re: [CDNi] Ben Campbell's Discuss on draft-ietf-cdni-logging-25: (with DISCUSS and COMMENT)
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2016 15:50:27 -0000

Ben and all,

Thanks for the review and comments. Please see proposed resolution below:

> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> While the security and privacy bits are much improved from earlier
> versions, I think I have found some holes. I assume these are not
> intentional, and it's entirely possible I have misread some things. But I
> would like to make sure they are considered prior to progressing.
> 
> - 3.4.1, c-groupid: The privacy-related guidance about c-groupids
> indentifying individual clients (in the several bullet list entries with
> "-" bullets) seems contingent on the MAY in the parent (with the "+"
> bullet.) The parent says that you MAY structure the field so that parts
> identify the aggregate and one part aggregates the individual, with the
> sub-bullets following an "In this case..." clause. I assume the guidance
> is intended to apply even when an implementation doesn't structure
> c-groupid that way (or at all.) 

Yes. I tweaked the text to make that clearer i.e.

s/In that case/In the case where the aggregate is chosen so that it contains a single client/


> 
> - 7.1: This section seems to effectively say that various protections are
> required when they are required. But it doesn't give advice on when they
> may be required. (For example, when c-groupid can be mapped to individual
> client addresses.)

I am tired of discussing the word smithing around use of TLS. So I aligned the text to cdni-control-triggers which effectively makes protection required all the time (i.e. MUST use TLS, unless some other protection is used). This has passed IESG approval in the context of cdni-control-triggers, so it should be equally acceptable to all for cdni-logging, and it will ensure consistency across CDNI I-Ds.
So it now reads:

“
TLS MUST be used by the server-side and the client-side of the CDNI
   Logging feed, as well as the server-side and the client-side of the
   CDNI Logging File pull mechanism, including authentication of the
   remote end, unless alternate methods are used for ensuring the
   security of the information exchanged over the LI interface (such as
   setting up an IPsec tunnel between the two CDNs or using a physically
   secured internal network between two CDNs that are owned by the same
   corporate entity).
"

> 
> - 7.3: "Making detailed CDNI logging
>   information known to the uCDN does not represent a particular privacy
>   concern because the uCDN is already exposed at request redirection
>   time to most of the information that shows up as CDNI logging
>   information (e.g., enduser IP@, URL, HTTP headers - at least when
>   HTTP redirection is used between uCDN and dCDN)."
> 
> I agree this is mostly true for HTTP redirection. But as you mention, the
> assertion seems to fall down for DNS redirection, where the uCDN may have
> considerably less information. I think some different guidance for that
> case may be needed.

I will come back to this one once I have digested the associated thread.

> 
> -- "Transporting
>   detailed CDNI logging information over the HTTP based CDNI Logging
>   Interface does not represent a particular privacy concern because it
>   is protected by usual IETF privacy-protection mechanism (e.g.,TLS)."
> 
> I don't find normative text that says privacy-sensitive information MUST
> be protected. Just that information that needs to be protected MUST be
> protected. The reader is left to infer that privacy-sensitive information
> is covered by that. (See previous comment about 7.1). Without something
> explicit there, I think it highly likely that some people will
> rationalize that their deployments don't need protection for one reason
> or another.

With the new text, the information MUST always be protected. So the question goes away.


> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> - 3.3, 2nd to last paragraph: What does it mean to reject a logging file?
> Does it mean to simply ignore it, or does it imply some notice back the
> source of the file that there's a problem? (I tend to think of "reject"
> as implying the latter in a protocol, in contrast to words like "drop" or
> "ignore”.)

The CDNI Logging File Pull protocol is a simple HTTP transfer of the CDNI Logging File from dCDN to uCDN, so there is not backwards channel that can be used for the uCDN to notify the dCDN that a CDNI Logging File (that was successfully transmitted via HTTP) is actually not a valid CDNI Logging File. 
So, the text has been updated to say “ignore” instead of reject.

I also replaced “reject” by “Ignore” in 3.4:
"the implementation MUST ignore those HTTP Request Logging Records"


> 
> - 3.4.1, 3rd "-" bullet: "The algorithmic mapping and variation over time
> MAY allow
>               the uCDN ... to reconstruct the actual client IPv4 or IPv6
> address"
> 
> Is that intended to be a 2119 MAY or a statement of fact? If the former,
> it seems to directly contradict the NOT RECOMMENDED in the next "-"
> bullet..

It is a statement of fact (and an improper use of the 2119 “MAY”).
Text has been updated so it reads:
"The algorithmic mapping and variation over time can, in some cases, allow the uCDN ... to reconstruct the actual client IPv4 or IPv6 address”.

v2.23.0 | Report a Bug | By Email