IETF Logo Mail Archive

Re: [Http-grease] Brief review of Greasing HTTP (draft-nottingham-http-grease-00)

Mark Nottingham <mnot@mnot.net> Tue, 08 September 2020 06:01 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: http-grease@ietfa.amsl.com
Delivered-To: http-grease@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D98D3A00D2 for <http-grease@ietfa.amsl.com>; Mon, 7 Sep 2020 23:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=L67Lgvom; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=jsqk7Xfj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7yk5PnVubnk for <http-grease@ietfa.amsl.com>; Mon, 7 Sep 2020 23:01:37 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FFDF3A12D2 for <http-grease@ietf.org>; Mon, 7 Sep 2020 23:01:37 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id B91625C00AB; Tue, 8 Sep 2020 02:01:36 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Tue, 08 Sep 2020 02:01:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm3; bh=6 /P1c9wwpKfiF9UfoUpSwORxWzhQ8hCQMozrP2ztw7Y=; b=L67LgvomEqedk/Fyt UZjTWcrX1bGAamOlqzsQl1AisIq0md3kDJG7KU3SmDUvI2ngASpxanr9gRlbIKEG 197e2OjEl75iTUn6NdYuX7BPdRSTKReiqvkenyA5Chm2oFbsUJ8Qs//QE8OlYDip POrPqvLV24fKU1c/EcpxcishYHFT/l/76dsaV05gmTkjoUHYSU3J95fwf+ysNHyB TdYMsGYEBHTsVt76XHF9AcChSJGInoN2rAAkOvJSNqb7T0SAOuYxGCvq9CVaBqdK paPrrKqVkxMDnPuln4tFesx3jdi/KXMbykV7vO/WIPlVFr6oZxWlrPDWU/BsnHHQ OD6jQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=6/P1c9wwpKfiF9UfoUpSwORxWzhQ8hCQMozrP2ztw 7Y=; b=jsqk7XfjESKrq3NtvaqQuDlqEB3NiJ6znPPZJZ6w15fZfJ2hjnmrnn9Om bi7v8c+VG+7dr2/5YyPIlCEagi5QNeuhPoMp4Gskhr8JJ8kUnLKm4dl2uWVBZ7xi UIbSHRFIgufI2HEZB2Oc1sVhNHR0knQed1BhyS0EfP0roimECEYgfzpS9kS9EGC1 Jy3ToplTBM/Z+MyozV+xVJu5H4MwoDosZVUDsME7efVNeW2nrqp7g9aYrIQBL5Qh OZLsYIgovbeCjR6my5ztzxqbv36OYfUkknSSIhKMnDJufTjOKjFZtPEVppQFZEK3 hLZiq4ut9Kx23eHVbc9dURgbB0ZJA==
X-ME-Sender: <xms:Px5XX3e9pMQp0C2N2kqpoo8YiIPEoQgJAAMJ44Sf913LcfD9XD_vJA> <xme:Px5XX9OxB-BCsikRJN2dYf3fW9pbWHr89mDS_-xBnsW8WJ65KINKA_VpqPhoSaRr2 TyG-poUjJMTUINjbA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedrudehuddguddttdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enogfuuhhsphgvtghtffhomhgrihhnucdlgeelmdenucfjughrpegtggfuhfgjfffgkfhf vffosehtqhhmtdhhtddvnecuhfhrohhmpeforghrkhcupfhothhtihhnghhhrghmuceomh hnohhtsehmnhhothdrnhgvtheqnecuggftrfgrthhtvghrnhepheekveegfefhiedvffel veffudeuteeugeevffektdduffdutdejffduveehtdefnecuffhomhgrihhnpehgihhthh husgdrihhopdhhthhtphhrvghquhgvshhthhgvrgguvghrshgsvghinhhgshgvnhhtrggt rhhoshhsthhhvgifihhrvgdrohhnvgdpihgvthhfrdhorhhgpdhmnhhothdrnhgvthenuc fkphepudduledrudejrdduheekrddvhedunecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomhepmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:Px5XXwih7izpn_T5Z72CHbpotPpoZJz_5ZI01RG36NjYMXTD6W6O8A> <xmx:Px5XX48siy5czHS-qEW2jCHm1t4fGNNEL3sAlAbbudn7uok2O4SBeg> <xmx:Px5XXzs3Yi3Szr8UsFosd6YscoGyVy6RCRFY6zd4cVxf1WXIomHlvQ> <xmx:QB5XX87QSDeHDZ8MfTwcPzARdl1B1Ot_4vxvQXazxldP9dU1HhClZg>
Received: from [192.168.7.30] (119-17-158-251.77119e.mel.static.aussiebb.net [119.17.158.251]) by mail.messagingengine.com (Postfix) with ESMTPA id 422A6328005E; Tue, 8 Sep 2020 02:01:34 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20200811141323.GA13680@leander>
Date: Tue, 08 Sep 2020 16:01:31 +1000
Cc: http-grease@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2AEB9E8A-3FCF-466C-B302-A23524F39860@mnot.net>
References: <20200811141323.GA13680@leander>
To: Christian Folini <christian.folini@netnea.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-grease/JzjUUvhvYJ85CHSsNz8-SHdiork>
Subject: Re: [Http-grease] Brief review of Greasing HTTP (draft-nottingham-http-grease-00)
X-BeenThere: http-grease@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion about ensuring flexibility in HTTP extensions \(\"grease'\)" <http-grease.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-grease>, <mailto:http-grease-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-grease/>
List-Post: <mailto:http-grease@ietf.org>
List-Help: <mailto:http-grease-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-grease>, <mailto:http-grease-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 06:01:40 -0000

Hey Christian (et al),

Thanks for the review; I want to incorporate your (excellent) feedback, but before that, I think the draft probably needs a bigger rewrite, because I've been thinking about it and talking to people about it in the background.

One of the big takeaways from those discussions was that it's unlikely implementations will be able to coordinate greasing in a meaningful way, because of how different their shipping schedules and distribution models can be. Having said that, most of the folks I talked to seemed to recognise the necessity of doing something here, and were willing (even eager) to help out. Because of various constraints, however, it's likely that any greasing we'll see will be mostly in nightly and beta releases for the immediate future.

So, I suspect the draft currently over-states the value of coordinated action between the clients; while it's valuable for a client to not be the only one 'sticking their neck out', there doesn't need to be such a high degree of choreography between them (so we can probably drop the process bits).

What I think we need is:

1. Data

More understanding of what and how extension points are starting to 'rust' -- e.g., what characters or strings cause requests to be rejected?

The obvious way to do this is spidering live sites, but that's a pretty involved project, with less-than-certain results (especially if WAFs etc. are selective about the request URLs they apply filters to).

Another way to be more effective with the resources we have would be to add some rigour to how implementations collect bug reports. E.g., if browsers had a tag / label in their bug queues for ossification, it should be simple to combine them into a single data feed.

2. Air cover for greasing

Implementations that start greasing need something that they can point to to explain what they're doing, why they're doing it, and to help give them some moral authority (ideally). A HTTP WG document is the logical thing here, I think.

3. Lightweight coordination

So that implementations can tell folks what they're greasing, both so that greasers can align efforts where it makes sense, and greasees (?) get a heads-up.

This mailing list should be able to serve that function.


Does that make sense to everyone, and is anything missing? I'm willing to rewrite the draft along the 'air cover' theme, and if implementations tag their ossification bugs, I'd be willing to try to write tools to take advantage of that.

Cheers,



> On 12 Aug 2020, at 12:13 am, Christian Folini <christian.folini@netnea.com> wrote:
> 
> Hi there,
> 
> The Summer holidays kept me from reviewing this draft document earlier, but
> here we go.
> 
> Link and version: https://mnot.github.io/I-D/http-grease/ v00, July 7, 2020.
> 
> 
> I'm taking the perspective of a co-lead of the OWASP ModSecurity Core Rule Set
> project (CRS), a popular WAF rule set used by quite a few vendors for their
> offerings.
> 
> Intro:
> 
> The high-flying explanation of what "greasing" actually means, could be a bit
> more explicit. Maybe even a section "What is greasing?"  It would help with
> the readability (-> and consequently adoption) of the document.
> 
> I read the doc several times and I got it the 2nd time I read it. But it was
> all a bit puzzling at first sight.
> 
> 
> What to Grease?
> 
> The doc explains how HTTP response headers are greased daily by the various
> server implementations themselves.
> 
> The argumentation is a bit thin in this regard, since there is an equally
> large number of custom HTTP request headers being sent across the wire. One
> would need to explain why the situation with these request headers is
> different from the situation with the response headers.
> 
> 
> 
> How to Grease?
> 
> There is this passage "an implementation determined to control input values
> can anticipate grease values and allow them, ...". I think it is very
> important to see and anticipate this.
> 
> This is especially true when you read it together with the non-idempotency
> restriction in the chapter about the greasing process. It's very attractive
> to focus on idempotent methods with the restrictive rules and to ignore
> everything else.
> 
> CRS does not do this, but I reckon several vendors have such rules in place in
> order to reduce false positives already. The grease process described makes
> such a behavior even more attractive. Fighting this from the start will be
> important.
> 
> 
> Security considerations
> 
> I like this section a lot. These considerations are real and even naming them
> adds to the quality of the document.
> 
> 
> Appendix A. Bootstrapping the HTTP Grease Process
> 
> "Broadly speaking, HTTP servers accept these extensions, unless they have a
> Web Application Firewall (WAF) installed."
> 
> This depends on the rule set.
> 
> Proposed better wording: 
> "Broadly speaking, HTTP servers accept these extensions, unless they have a
> Web Application Firewall (WAF) installed, which denies them."
> 
> "WAF vendors" 
> 
> The CRS project does not necessarily see itself as a "vendor".  I reckon we 
> see ourselves as WAF developers. A more inclusive wording would help to
> address everybody.
> 
> "Therefore, a successful greasing strategy needs to include
> most or all major clients, and their actions need to be
> coordinated."
> 
> This makes a lot of sense, but if you look at it in a practical way, then it
> means that a coordinated greasing effort affects users of different clients in
> a similar way. That could mean that users from client A migrate to B and users
> of client B migrate to A.  This gives the clients an incentive to minimize the
> impact of the greasing effort.  The process described above allows the clients
> to make several decisions.  They could be tempted to minimize the greasing for
> minimal impact on their users.  That would undermine the effectiveness of the
> greasing process.
> 
> "As a a result, when greasing begins, it will be necessary to have long lead
> times between announcement and sending.  Likewise, initial grease values are
> more likely to succeed (building confidence and engagement) if they are static
> and simple."
> 
> This is very good.  It may be worthwhile to do a new CRS (point-)release
> between announcement and sending.  This would give deployers an incentive to
> update quickly, which would be beneficial for our project and maybe others
> too.
> 
> 
> 
> All in all I like the document, its brevity and the direction it is taking.
> I find it a wee bit odd that it describes a process and then also its
> first exercise. But I reckon that's no big deal.
> 
> Best regards,
> 
> Christian Folini
> 
> 
> -- 
> Simplicity is prerequisite for reliability.
> -- Edsger W. Dijkstra
> 
> -- 
> Http-grease mailing list
> Http-grease@ietf.org
> https://www.ietf.org/mailman/listinfo/http-grease

--
Mark Nottingham   https://www.mnot.net/

v2.23.0 | Report a Bug | By Email