Re: [core] New version of draft-amsuess-core-transport-indication

Christian Amsüss <christian@amsuess.com> Mon, 12 July 2021 08:17 UTC

Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852203A1335 for <core@ietfa.amsl.com>; Mon, 12 Jul 2021 01:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ylmbJfzk2kil for <core@ietfa.amsl.com>; Mon, 12 Jul 2021 01:17:29 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C4583A133C for <core@ietf.org>; Mon, 12 Jul 2021 01:17:28 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by prometheus.amsuess.com (Postfix) with ESMTPS id 4878840172; Mon, 12 Jul 2021 10:17:26 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 4C83DD0; Mon, 12 Jul 2021 10:17:25 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:f05c:b262:9dc3:8627]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 0D75126; Mon, 12 Jul 2021 10:17:25 +0200 (CEST)
Received: (nullmailer pid 2310734 invoked by uid 1000); Mon, 12 Jul 2021 08:17:24 -0000
Date: Mon, 12 Jul 2021 10:17:24 +0200
From: Christian =?iso-8859-1?Q?Ams=FCss?= <christian@amsuess.com>
To: Carsten Bormann <cabo@tzi.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: core@ietf.org
Message-ID: <YOv6lKzxlKou7Ahq@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="GI8W9oeiX6v3C08K"
Content-Disposition: inline
In-Reply-To: <20329.1626040656@localhost> <A63F6CAE-2659-4491-B39A-977DD95CE364@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/RZH8pgyksEwtMYVE1MrPkj9opyg>
Subject: Re: [core] New version of draft-amsuess-core-transport-indication
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 08:17:34 -0000

On Sun, Jul 11, 2021 at 10:23:43PM +0200, Carsten Bormann wrote:
> How important is it for a node to know whether the proxy offered
> actually is on-origin (not really a proxy)?

On Sun, Jul 11, 2021 at 05:57:36PM -0400, Michael Richardson wrote:
> I think that sometimes a thing that's really a forward proxy doesn't really
> need/want to confuse clients with this concept.

"clients need not make the distinction at all" between same-host and any
other proxies. I've introduced the same-host proxy terminology to make
it easier to grasp how little a server needs to do to become a proxy for
itself.

If that's confusing for the client side, it may need reevaluation in the
way it is written.

> I’m trying to think up how one would set up security (DTLS, OSCORE) to
> that proxy. Somehow, 2.2 leaves me a bit hungry here (credentials may
> need to be mutual).

Mutual credentials are something I have not considered; it's easy for
same-host proxies, but an actual proxy would need quite some setup for
that.

With OSCORE, all the security aspects should be simple and
straightforward (except when a proxy wants an *additional* security
context on its own, for which a document is upcoming AFAICT).

With (D)TLS, a proxy is necessarily trusted, so on its server-side it
needs either a way to have a good-for-the-upstream-server certificate
(which it could probably obtain even at run time), or a very powerful
certificate ("Trust The Proxy. The Proxy is Mother, the Proxy is
Father"), which sounds like an aweful thing and maybe shouldn't be
condoned at all. (Like, if you can get such a certificate, instead get
an ACME account and pull an origin certificate on demand; this is *not*
about same-host proxies any more anyway).

Mutual (D)TLS authentication through a proxy is even hairier, as again
the proxy would need an "I Am All The Clients" certifciate.

But well, in a world with (D)TLS and proxies, if you want both then the
proxy *does* become ~"by its very nature a man-in-the-middle" (7252 section
11.2 citing 2616 section 15.7).

> Obviously, knowing that something “is a proxy” doesn’t mean the client
> can suddenly assume it is less-constrained (e.g., with respect to
> achievable response-rates and fan-in/fan-outs), power-affluent etc.  

Yes -- particularly when it is a suitable proxy only for a particular
origin.

> Maybe those semantics go beyond what we would want to indicate via
> web-linking, but I think we should think more about how to make them
> available for server/proxy  selection.

A lot of things could be said about a proxy ("I support FASOR and am
close to your origin server, pick me for performance." -- "I have ample
cache content, join the hive."); link target attributes can do a lot
here, but I'd rather not specify anything here without a very good idea
on how they would be used in practice.

(For simple administrative information for human consumption,
<program-and-version>;rel=impl-info;anchor="the-proxy" would do)


Possibly (considering both the hard questions on different-host proxies
regarding security, and the distinction question), it'd benefit the
document to treat third party proxy services more as an afterthought.
Then, the security parts could be made stricter ("Just because it's
through a proxy doesn't mean you can compromise on security"). Third
party proxies would stay easy where OSCORE/EDHOC is used, and (D)TLS
deployments need to go all the way with whichever tools are available
there. (In which I do have little experience, never having deployed with
them).

BR
c

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom