IETF Logo Mail Archive

Re: New Version Notification for draft-thomson-http-replay-00.txt

Martin Thomson <martin.thomson@gmail.com> Wed, 26 July 2017 01:49 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BE31321A8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 25 Jul 2017 18:49:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.502
X-Spam-Level:
X-Spam-Status: No, score=-6.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LF7L-2I1JjFf for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 25 Jul 2017 18:49:09 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B0171321A6 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 25 Jul 2017 18:49:09 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1daBPR-0007oF-4Y for ietf-http-wg-dist@listhub.w3.org; Wed, 26 Jul 2017 01:46:45 +0000
Resent-Date: Wed, 26 Jul 2017 01:46:45 +0000
Resent-Message-Id: <E1daBPR-0007oF-4Y@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <martin.thomson@gmail.com>) id 1daBPI-0007nN-J0 for ietf-http-wg@listhub.w3.org; Wed, 26 Jul 2017 01:46:36 +0000
Received: from mail-io0-f174.google.com ([209.85.223.174]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <martin.thomson@gmail.com>) id 1daBPH-0006Hp-9z for ietf-http-wg@w3.org; Wed, 26 Jul 2017 01:46:36 +0000
Received: by mail-io0-f174.google.com with SMTP id j32so41914564iod.0 for <ietf-http-wg@w3.org>; Tue, 25 Jul 2017 18:46:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pWp2RbeSjf3dXjxHr3xLkvg1I7bhZv+BEvsjik81rZE=; b=ATxUgzrHIj7te4bR7gM0YZJS/2tJxT4IoZ+8DitVI/R/ROAAtf/jAQT0FDHSo2/RkF FPhGdlwkMO7pqg1V+Th+6v7Pf3JHRxIwLXwLFFuIjDnNwDKm+HitYJBL5M8Ou1XeU4xz Jzf07iIBftfYCSUoIFG+w9cWVGDyG+N/fy0mvp8pAl50JQdrw5xUW44uHTOPEbcx1bdl NDKizJBNqd5Y7FqzWVjfbkcUZqb6r4kDJrZiP/8e9G/CkjcsClk6Uh5ROoNpeBYSQ/Rg WELLXZmLqaZsHjJNi40VQMn5C10TppG5pfuSTvtLw/MGWOsIYz51S4EILTo7vm/xwW7F mS1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pWp2RbeSjf3dXjxHr3xLkvg1I7bhZv+BEvsjik81rZE=; b=a1FJaPRqyt21bPFjsPyWM+cPbc3gcYscj5dQARP/4SooSQuT/6sSLP2/Qz6gZw/Kt0 WX4CxI5slzZXm0ZFDAfPjq84tq3l2UJzAlf7skGLn7y8omlFL8LK/TKhwZFIQokCj77b pF56rixmDpuuCY21Xij/xg/nYZJCrAHDhVD/F25IXpV9SslhSGCe0N59N64PuuEkbAac cV82CJVAUtlYQNaCrI9xDhb3pN948L1br4HOpq+6hifEZFQDWRWcflEON32M+YAoSL2X EA6UEO2qSk1/H+pen5i+w/ITYiyaINACUAgApKBh1n8n0UMbX7CcICeysGMj9Op+ChK5 TTjA==
X-Gm-Message-State: AIVw111EBCCl+Nn2tgzc7k5ejUkof7yl/Fogn9lQqob0qjwYvfNPsn5c e9OZmIQyL8REoTNIx+kNoB3X3egESw==
X-Received: by 10.107.181.77 with SMTP id e74mr11180894iof.74.1501033574192; Tue, 25 Jul 2017 18:46:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.42 with HTTP; Tue, 25 Jul 2017 18:46:13 -0700 (PDT)
In-Reply-To: <aecbb68c-6fb1-52af-032d-fbd4997776b1@akamai.com>
References: <149811425736.30341.16596521802774811431.idtracker@ietfa.amsl.com> <CABkgnnX6CUnMYU8OzLuq+XmeQuocpGm+zntEkJ71xb_Mh670eQ@mail.gmail.com> <MWHPR21MB014129FFB934EB1275A0639387DB0@MWHPR21MB0141.namprd21.prod.outlook.com> <MWHPR15MB14559FC79A1208E87B7714DDB6A60@MWHPR15MB1455.namprd15.prod.outlook.com> <CANatvzxX9wQKqOQZ81O45psWAR7+eg+2cP9i3qQ3XoOxbf=BPg@mail.gmail.com> <MWHPR15MB145573BAA3E2821EDAE3B67BB6A60@MWHPR15MB1455.namprd15.prod.outlook.com> <20170721162620.w4pux4q7h3ebn3kt@LK-Perkele-VII> <MWHPR15MB1455B7B5826FD620A907E8C9B6A40@MWHPR15MB1455.namprd15.prod.outlook.com> <CANatvzxmeYd--vJn2V+frA2Niq4LRuo9ct=pMsAa689+a8_iOA@mail.gmail.com> <CABkgnnU8X+K-K4Dkwo271Wm1ZmbQtxzhM7bR7PuKXOvBiaUS-w@mail.gmail.com> <CANatvzzEJMsHM2_yk7ON3u0bDoqrEHcwDd0Y+tZW_BWz3wkzbA@mail.gmail.com> <CANatvzw64WwksUnyzMWyF9LoPvYMdZP-THUb9NnsoxHCbeku+Q@mail.gmail.com> <b3c87af0-2ec6-eedf-864a-30f04dd21d14@akamai.com> <CANatvzyByFbmcEdw=aZc3v_rRvX6Fyq4q2Wiov=O0FkNQAYpog@mail.gmail.com> <aecbb68c-6fb1-52af-032d-fbd4997776b1@akamai.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 26 Jul 2017 11:46:13 +1000
Message-ID: <CABkgnnV2OM=HsQ9QbsLuTwtvvrBn8KV6yfyXBBdLhtjukO3+-g@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="UTF-8"
Received-SPF: pass client-ip=209.85.223.174; envelope-from=martin.thomson@gmail.com; helo=mail-io0-f174.google.com
X-W3C-Hub-Spam-Status: No, score=-7.1
X-W3C-Hub-Spam-Report: AWL=1.187, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1daBPH-0006Hp-9z 7fbd398a31c607e627a763bb7cbcaf7b
X-Original-To: ietf-http-wg@w3.org
Subject: Re: New Version Notification for draft-thomson-http-replay-00.txt
Archived-At: <http://www.w3.org/mid/CABkgnnV2OM=HsQ9QbsLuTwtvvrBn8KV6yfyXBBdLhtjukO3+-g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/34164
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I'm inclined to side with Ben on this one.  The principles I've been
using to assess this design is mutual consent.  If the intermediary
retries a request without the knowledge of the client, that violates
that principle.  A retry will look like a completely new request when
it hits the origin and it therefore won't trigger any special defense
mechanisms.  The main reason to let the client do the retry is to
allow it to reassess the risks before retrying.

On 26 July 2017 at 02:06, Benjamin Kaduk <bkaduk@akamai.com> wrote:
> On 07/25/2017 10:30 AM, Kazuho Oku wrote:
>
> Hi Benjamin,
>
> Thank you for your response.
>
> 2017-07-25 21:27 GMT+09:00 Benjamin Kaduk <bkaduk@akamai.com>:
>
> This part I do not agree with, in particular the intermediary making the
> decision to re-send the request without the early-data header.  I believe
> that this decision must be left in the hands of the original client, and do
> not think the latency concern justifies deviating from that.
>
> Could you please clarify the reason that an intermediary should not be
> allowed to retry a request (that has once been rejected by 4NN) when
> receiving an 1-RTT confirmation from client, without setting the
> early-data header?
>
> To me, the behavior is identical to a server that postpones a request
> (that was received as 0-RTT data) until it sees a ClientFinished.
> Which is a behavior you state as permissible.
>
>
>
> In the general case, the request can be different when generated for the
> retry versus the initial request.  This is quite obvious for the token
> binding draft proposal in
> https://tools.ietf.org/html/draft-ietf-tokbind-tls13-0rtt-02 but I doubt
> that's the only possible case.  Granted, the token binding case is not
> especially applicable to the proxy case being discussed here since the proxy
> would need to be involved in handling token binding for that to work.  But I
> hope it helps to illustrate that the client should retain control over how
> the request is retried and that the proxy may not have all the information
> necessary to automatically retry.
>
> -Ben

v2.23.0 | Report a Bug | By Email