Re: [core] New version of draft-amsuess-core-transport-indication
Christian Amsüss <christian@amsuess.com> Mon, 12 July 2021 08:17 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852203A1335 for <core@ietfa.amsl.com>; Mon, 12 Jul 2021 01:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ylmbJfzk2kil for <core@ietfa.amsl.com>; Mon, 12 Jul 2021 01:17:29 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C4583A133C for <core@ietf.org>; Mon, 12 Jul 2021 01:17:28 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (095129206250.cust.akis.net [95.129.206.250]) by prometheus.amsuess.com (Postfix) with ESMTPS id 4878840172; Mon, 12 Jul 2021 10:17:26 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 4C83DD0; Mon, 12 Jul 2021 10:17:25 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:f05c:b262:9dc3:8627]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 0D75126; Mon, 12 Jul 2021 10:17:25 +0200 (CEST)
Received: (nullmailer pid 2310734 invoked by uid 1000); Mon, 12 Jul 2021 08:17:24 -0000
Date: Mon, 12 Jul 2021 10:17:24 +0200
From: Christian Amsüss <christian@amsuess.com>
To: Carsten Bormann <cabo@tzi.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: core@ietf.org
Message-ID: <YOv6lKzxlKou7Ahq@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="GI8W9oeiX6v3C08K"
Content-Disposition: inline
In-Reply-To: <20329.1626040656@localhost> <A63F6CAE-2659-4491-B39A-977DD95CE364@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/RZH8pgyksEwtMYVE1MrPkj9opyg>
Subject: Re: [core] New version of draft-amsuess-core-transport-indication
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jul 2021 08:17:34 -0000
On Sun, Jul 11, 2021 at 10:23:43PM +0200, Carsten Bormann wrote: > How important is it for a node to know whether the proxy offered > actually is on-origin (not really a proxy)? On Sun, Jul 11, 2021 at 05:57:36PM -0400, Michael Richardson wrote: > I think that sometimes a thing that's really a forward proxy doesn't really > need/want to confuse clients with this concept. "clients need not make the distinction at all" between same-host and any other proxies. I've introduced the same-host proxy terminology to make it easier to grasp how little a server needs to do to become a proxy for itself. If that's confusing for the client side, it may need reevaluation in the way it is written. > I’m trying to think up how one would set up security (DTLS, OSCORE) to > that proxy. Somehow, 2.2 leaves me a bit hungry here (credentials may > need to be mutual). Mutual credentials are something I have not considered; it's easy for same-host proxies, but an actual proxy would need quite some setup for that. With OSCORE, all the security aspects should be simple and straightforward (except when a proxy wants an *additional* security context on its own, for which a document is upcoming AFAICT). With (D)TLS, a proxy is necessarily trusted, so on its server-side it needs either a way to have a good-for-the-upstream-server certificate (which it could probably obtain even at run time), or a very powerful certificate ("Trust The Proxy. The Proxy is Mother, the Proxy is Father"), which sounds like an aweful thing and maybe shouldn't be condoned at all. (Like, if you can get such a certificate, instead get an ACME account and pull an origin certificate on demand; this is *not* about same-host proxies any more anyway). Mutual (D)TLS authentication through a proxy is even hairier, as again the proxy would need an "I Am All The Clients" certifciate. But well, in a world with (D)TLS and proxies, if you want both then the proxy *does* become ~"by its very nature a man-in-the-middle" (7252 section 11.2 citing 2616 section 15.7). > Obviously, knowing that something “is a proxy” doesn’t mean the client > can suddenly assume it is less-constrained (e.g., with respect to > achievable response-rates and fan-in/fan-outs), power-affluent etc. Yes -- particularly when it is a suitable proxy only for a particular origin. > Maybe those semantics go beyond what we would want to indicate via > web-linking, but I think we should think more about how to make them > available for server/proxy selection. A lot of things could be said about a proxy ("I support FASOR and am close to your origin server, pick me for performance." -- "I have ample cache content, join the hive."); link target attributes can do a lot here, but I'd rather not specify anything here without a very good idea on how they would be used in practice. (For simple administrative information for human consumption, <program-and-version>;rel=impl-info;anchor="the-proxy" would do) Possibly (considering both the hard questions on different-host proxies regarding security, and the distinction question), it'd benefit the document to treat third party proxy services more as an afterthought. Then, the security parts could be made stricter ("Just because it's through a proxy doesn't mean you can compromise on security"). Third party proxies would stay easy where OSCORE/EDHOC is used, and (D)TLS deployments need to go all the way with whichever tools are available there. (In which I do have little experience, never having deployed with them). BR c -- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom
- [core] New version of draft-amsuess-core-transpor… Christian Amsüss
- Re: [core] New version of draft-amsuess-core-tran… Carsten Bormann
- Re: [core] New version of draft-amsuess-core-tran… Michael Richardson
- Re: [core] New version of draft-amsuess-core-tran… Christian Amsüss