Re: Stephen Farrell's Discuss on draft-ietf-httpbis-tunnel-protocol-04: (with DISCUSS and COMMENT)
Amos Jeffries <squid3@treenet.co.nz> Wed, 10 June 2015 00:21 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F53C1A8FD7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 17:21:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvv46c-q2meL for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 9 Jun 2015 17:21:13 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D0A61A900B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 9 Jun 2015 17:21:13 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Z2Ti7-0002Yt-Pf for ietf-http-wg-dist@listhub.w3.org; Wed, 10 Jun 2015 00:17:39 +0000
Resent-Date: Wed, 10 Jun 2015 00:17:39 +0000
Resent-Message-Id: <E1Z2Ti7-0002Yt-Pf@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <squid3@treenet.co.nz>) id 1Z2Thz-0002Xi-Vr for ietf-http-wg@listhub.w3.org; Wed, 10 Jun 2015 00:17:32 +0000
Received: from 121-99-228-82.static.orcon.net.nz ([121.99.228.82] helo=treenet.co.nz) by maggie.w3.org with esmtp (Exim 4.80) (envelope-from <squid3@treenet.co.nz>) id 1Z2Thw-0005Nx-Un for ietf-http-wg@w3.org; Wed, 10 Jun 2015 00:17:30 +0000
Received: from [192.168.20.251] (121-99-25-156.bng1.nct.orcon.net.nz [121.99.25.156]) by treenet.co.nz (Postfix) with ESMTP id 5037AE6E62 for <ietf-http-wg@w3.org>; Wed, 10 Jun 2015 12:16:56 +1200 (NZST)
Message-ID: <557781F4.6070304@treenet.co.nz>
Date: Wed, 10 Jun 2015 12:16:52 +1200
From: Amos Jeffries <squid3@treenet.co.nz>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: ietf-http-wg@w3.org
References: <20150608130135.22475.59784.idtracker@ietfa.amsl.com> <0D9D95B0-54F0-47BF-9CC8-11BF4E8D763A@mnot.net> <CABkgnnXbVyVS5-suX9xFO4jmEQqSnO5C+Qu8FMac+hLwZef3uQ@mail.gmail.com>
In-Reply-To: <CABkgnnXbVyVS5-suX9xFO4jmEQqSnO5C+Qu8FMac+hLwZef3uQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=121.99.228.82; envelope-from=squid3@treenet.co.nz; helo=treenet.co.nz
X-W3C-Hub-Spam-Status: No, score=-5.4
X-W3C-Hub-Spam-Report: AWL=-1.469, BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, TVD_RCVD_IP=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1Z2Thw-0005Nx-Un e0b4f06f69b0af284a700fcc301664eb
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Stephen Farrell's Discuss on draft-ietf-httpbis-tunnel-protocol-04: (with DISCUSS and COMMENT)
Archived-At: <http://www.w3.org/mid/557781F4.6070304@treenet.co.nz>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29743
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 10/06/2015 9:09 a.m., Martin Thomson wrote: > Finally getting^Wmaking some time for this. > > On 8 June 2015 at 18:15, Mark Nottingham <mnot@mnot.net> wrote: >>> Care must be taken when such identifiers may leak personally >>> identifiable information, or when such leakage may lead to >>> profiling or to leaking of sensitive information. If any of >>> these apply to this new protocol identifier, the identifier >>> SHOULD NOT be used in TLS configurations where it would be >>> visible in the clear, and documents specifying such protocol >>> identifiers SHOULD recommend against such unsafe use. >>> >>> That last sentence seems to imply that you ought replicate such >>> guidance here. >> >> Seems reasonable to me. > > Likewise. https://github.com/httpwg/http-extensions/commit/6c7b987 > >>> - I can see situations where I might want to not tell the proxy >>> what protocol I'll be using inside TLS and when TLS1.3 hides >>> ALPM from the proxy (I hope:-) then could there be value >>> registering a "I'm not telling" ALPN value so that a UA >>> wouldn't have to lie to the proxy? >> >> Or the UA could omit the header, or the UA could send the header with no value. > > I think those are better options. Do you think we need to say that > with the other agreed changes already in place? > >>> - I think you ought say what you expect a proxy to do if the >>> ALPN header field and the ALPN TLS extension value do not match >>> and I think that ought say that a CONNECT recipient in such >>> cases SHOULD NOT drop the connection solely on that basis. If >>> they have some policy about it fine, but they shouldn't barf >>> just because there's a different order or spelling or just a >>> different value. >> >> Seems reasonable to me. > > I'll roll that into the point below. > >>> - Replicating values at multiple protocol layers produces a >>> common failure mode where code only uses one copy to do access >>> control or authorization or where two nodes in sequence use >>> different copies, with unexpected behaviour resulting. I think >>> you should call that out in the security considerations section >>> as it keeps happening. >> >> Again, seems reasonable. >> >> I wonder if it would be helpful to explicitly motivate it — i.e., say this header is there to make the information available at the HTTP layer during CONNECT, so that the server can refuse the connection gracefully if they like (e.g., with a 403); without it, the server would have to sniff ALPN in the tunnel and then close the connection rudely. > > I think that we're going to need some review on this change. > > https://github.com/httpwg/http-extensions/commit/a62c60a > Recall the long discussion for March WGLC on this documents -02. That discussions made it clear that: a) this header value was *not* intended to describe the full protocol stack - only an undefined number (1..N) protocol(s) at the top of it. b) TLS was mandatory - except when it wasn't used. (WTF!) c) some values describe whole stacks, some only the leaf protocol. Consider the (multiple) cases of ALPN "http/1.1" - TLS or not?. Which we went over exhaustively earlier. When a proxy MUST inspect the packets in order to understand what the header contains it becomes a waste of bytes. We just go with sniffing. Its way simpler. I stepped out of the discussions on this document when that point became clear. If the header *did* describe the whole protocol stack, it would be wonderful and I'm back in again trying to add support to Squid. Otherwise its just a waste of time for me. Amos
- Stephen Farrell's Discuss on draft-ietf-httpbis-t… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Stephen Farrell
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Martin Thomson
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Amos Jeffries
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Adrien de Croy
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Mark Nottingham
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Barry Leiba
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Martin Thomson
- Re: Stephen Farrell's Discuss on draft-ietf-httpb… Spencer Dawkins at IETF