Re: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS)

Francesca Palombini <francesca.palombini@ericsson.com> Fri, 08 April 2022 13:36 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE6D63A1BF2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 8 Apr 2022 06:36:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.76
X-Spam-Level:
X-Spam-Status: No, score=-7.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aD88EyTsGa4l for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 8 Apr 2022 06:36:25 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A13CB3A1BF0 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 8 Apr 2022 06:36:21 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ncok2-00024F-MJ for ietf-http-wg-dist@listhub.w3.org; Fri, 08 Apr 2022 13:33:34 +0000
Resent-Date: Fri, 08 Apr 2022 13:33:34 +0000
Resent-Message-Id: <E1ncok2-00024F-MJ@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <francesca.palombini@ericsson.com>) id 1ncojz-00022v-Cn for ietf-http-wg@listhub.w3.org; Fri, 08 Apr 2022 13:33:31 +0000
Received: from mail-db8eur05on2044.outbound.protection.outlook.com ([40.107.20.44] helo=EUR05-DB8-obe.outbound.protection.outlook.com) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <francesca.palombini@ericsson.com>) id 1ncojx-0006gC-LF for ietf-http-wg@w3.org; Fri, 08 Apr 2022 13:33:31 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n46IR5gc0ojImW1PcVsG5YGskXY54msuuqt5yDJYdSYw6nSC1qPcYSgGH/lYmsKFmSDO9sBFMUpaVEzncRI+FvAf+PA9Ak9vdMkx5jBbqxTqKEj9LYUFEz7cWq8+/HIp7alMckMKTHpKZRNNEC+OKfHxxciJ5/ebJbz62iP1r7AGdjtpAu9dq1Z6mu6P/in51zWHHI9PEYPWHV3SPUMBQ0KIkQoIxDiFT7Rz1iqotbSq5qqt2jjJwoobAh3RC8T9W74gh1ei9mgDyBD4WVpe5p09UVHCyyJA9l+duXCCujw24gxkq9TIZA6+8g1NpCYZeG7O38fdXuF/4RHNxuNLOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=vJIfrCa+C/1CHhHglB0GksKDoNx1F9pcKeLz1qQTn14=; b=ULj7TknLzoCN6hzbL7xDs+NuzaVG3IGZ0pw1I9jUw/efdHAMD0uKbQ1hX6QuUlY4+nFUXa4tVXx3quVklYsmodxpUPgiSckBEdayV4sVQzV86J5gSGSE6X9AeWzcrb8ZU33RCYo2uogn2wruGzaDgSMLkfopzCmHNbZebKWRy7C9GKFQ9zumekPFqJkGhxAw4yyOXqGgfqmKa6FhmGT71Ag1k/w8iiRrhws7z8fjL5r705gmO0uUEetvAIUGgTsyore4K/sBj7krIRtAwFHlHtDMHln0BbVgiNGIFesasxRuxsjn8IkgUL5+AbwDsmqrPya11IJZDPKBqYHqhH+jVQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vJIfrCa+C/1CHhHglB0GksKDoNx1F9pcKeLz1qQTn14=; b=kE/O+M1/CxGigAG9dWreCaryzgVSfEDq0gHQg7sa5SsMye6Ct6yLwaFEKYWJHPl8+lU/jTFGmdPkej51g8GKwqrMamTe5v6H5x3XKfgClDJWBylhPwNZgz6aL5giDm2dgLkMw7gk07ew/2g0m0pdgbiFWYgL/LeCci19RF82M0Y=
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com (2603:10a6:7:96::33) by PR3PR07MB6668.eurprd07.prod.outlook.com (2603:10a6:102:67::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5144.19; Fri, 8 Apr 2022 13:33:16 +0000
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::5c96:9284:fd99:5332]) by HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::5c96:9284:fd99:5332%3]) with mapi id 15.20.5144.019; Fri, 8 Apr 2022 13:33:16 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
CC: "draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org" <draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org>
Thread-Topic: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS)
Thread-Index: AQHYPgIjxx68AtenWEqoYPB9JKubu6zmHC6C
Date: Fri, 8 Apr 2022 13:33:16 +0000
Message-ID: <HE1PR07MB42175BE689C78F3E567B384798E99@HE1PR07MB4217.eurprd07.prod.outlook.com>
References: <164796312007.30472.14029146901477564823@ietfa.amsl.com>
In-Reply-To: <164796312007.30472.14029146901477564823@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5aa88809-2d24-477e-62be-08da196456bb
x-ms-traffictypediagnostic: PR3PR07MB6668:EE_
x-microsoft-antispam-prvs: <PR3PR07MB66688000ED100CF073C057F498E99@PR3PR07MB6668.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0dbjxudurTWYzPH6gNL2Hly4evlpoFIY73BdSSzTWlq/vVvnpjhKSo+kHvQQMXQhAZ0m5mPQ5a48Dtp7IROGnDlCmMohv6aJZRUTnpxbReki+yQTUNtJl2+ku9p28Xc266FJeWX87EqI8rsdsZTVGq/qHa8csToIwTCkVODwx3RqPKHcdwweymyWIgcYuXqKP9WziQfZbyZzs6Y3MUfutch8PwK8w+6FkGpUJiW9M+mF0aKlQKkW16lzZQmuFBwpsSIg2jCXzam+kiyZxxVhrTUg38ZZkbq6hSjCAdFq0SnaHxax6RyYpIt6gNysAoOrZ99WEZk5RgRDHJ5klTvEncjW24uSTAXaSaq07WiTRkXJIWwCdeZSBJMxLBsF3Epe/iKzjToqZ+fcfje09oNobavna3hnPdAuk2jihM6gJjFPMblPX801MPn2nVGjRkVv65eMnSbg12/ejq4+qBztcXIoFhKOJs55+xzvwpH8TLFbuqS8ygfBdCUofdR5Ea/zUBtm2vVFIIGVFigxFoxs7UpPOFOTrZ9fBS4QzZ+yzOzj4uO58PmefrLA/iYk5alje+Q99CvXi2awS27d0sHF3Hmy2dvbUTu6C8Wjk6QURgolOgaiHycTEioumFhIzKofwREnv7u2v/TEgv9E20vzBZf3jG1biKCxzbYIz0eVbku1q6fH9dcC8j97tIpC1lfQ0zGB7vNA9oFdGWHqrb2qa0Y+R5xnPldQpHE7gQbIGs0KzhFeL2iz7v81s2PERHDSbzQ8bT+mOGbPo3+Gd7/oFYL+g584wnCOBan0Jw3sxWM1hZmse3QuVnG8fFf4ZNeFeInHribOQvJXFEYX1ng+19kv06+cWi+Z3HyRMVZ6i8R354nj6E4XOVwkL8tIOLif
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:HE1PR07MB4217.eurprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230001)(4636009)(366004)(82960400001)(44832011)(91956017)(52536014)(8676002)(7696005)(966005)(4326008)(66946007)(166002)(186003)(33656002)(2906002)(5660300002)(122000001)(8936002)(76116006)(9686003)(66556008)(53546011)(55016003)(6506007)(71200400001)(316002)(83380400001)(66574015)(6916009)(508600001)(38100700002)(38070700005)(66476007)(86362001)(66446008)(64756008);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: =?Windows-1252?Q?Xb9brfCoeN6IXGXsLISdo5+YdUV9KCU6M+1tN6chyWRgd7Nj02HXtPML?= =?Windows-1252?Q?AzaOLRnJz6iBWJfMxtLryg231KQtV+3B5zvs84ze3QxxtOIPX3GFxKME?= =?Windows-1252?Q?+lvNnYV9Apb+3aGmd4P6q14vBh94OsKXJW7bDygo5BHLUNKvkiWTucOB?= =?Windows-1252?Q?uImZPqgG6Ij6/nDRARcyuTHrQH9P+n70pdHDMyygwOxO23GlXTjqQfL7?= =?Windows-1252?Q?EYhASCncGlXkhEWmnUCUhekkgMsUI8V4bC8oY7Cq1JofmgpmF99+fskt?= =?Windows-1252?Q?O1Sl3lZUVrmQukL5Lfc5OWQvU/zlCm882IAGnLekKu/HpM/WMswKUfHF?= =?Windows-1252?Q?6G/II26cJ65G9F0LeesErqIws5B0WYI9Vd2JRY5z85oY2qsG5sCRpIQG?= =?Windows-1252?Q?Tvu1laFplFet7yzguEIceWYVqSStisFE/VSnJ+KWydcJt4MXE9lXcquN?= =?Windows-1252?Q?ACqqFFmPP8X/JzARYyJ5YIg8NLllcizoqAO6q+Im1fClefz3I8rPK/hx?= =?Windows-1252?Q?dk70AZ+voEhL0hJD0LLmFYDP7evJxiEVewobinQrzKpk136A7yGjhdYo?= =?Windows-1252?Q?wROH9XhP3sfCCaLFktoBUTlP5jQsq2K0c89xY1Rq5drQ1jYcBNYNgOfy?= =?Windows-1252?Q?FUg8eOEGX/EIQNbyT4lS19xvg/ECRTMk6ImGsyImULnoEXi8wIfsgrH1?= =?Windows-1252?Q?J/LRA6RHu1lxwnB8EQ0ky7RDec9aVuD5i1gMxqjZotW10nEH2Ul0KFKn?= =?Windows-1252?Q?YYKLlBzIeWk7QkcXyfksvrNtbX9o6fwkZuqJ6eYgWXgVRN7zAWz/USuz?= =?Windows-1252?Q?I/ZoF8qGE1te2K5FakHdx7d0nYm1K9IwkuBcsXD5Rt3YqIjT4qd+OXNA?= =?Windows-1252?Q?1+38rSuLufeHbsZo147s1lu/ma4LgPEFGTUUskljW6opPdaeJS3jLkWL?= =?Windows-1252?Q?zYV+/uBFNOKqAPdFDpgN1PC+JqRS5k+8wD9Pv/EA5/426ZA6qAnzbtdE?= =?Windows-1252?Q?iKc66q+gSy+utjRN8JbqfAqrnWwFmYukZflN/ptmLzrb4pdLeYEMSm/A?= =?Windows-1252?Q?UXZ9pkfnEIVNTswvac0GNntDXEOd2iIa9PqQ4egPZJlEvk7e7XmHQnEt?= =?Windows-1252?Q?xHURynEHrrC2J7lTTe/o+HhYcG0cZRMIpWj5Tu5iHIhaaZFamUovIS4E?= =?Windows-1252?Q?wdzzdjY6Wn9B6w1V58DJ5zX94oh9FmURTsuNqMfaeG90ml4cO58ZbJQC?= =?Windows-1252?Q?zzipe5oOW2H1eTiPDbX37a/ujYW6ZVvbxtofXSwHuRawMEu0Y2rFpXSL?= =?Windows-1252?Q?BBmvbWwnB0SlH6f3UOFHpgzjN7hj7sXDlwNLvDQGFH0/tR/d51cvvTXq?= =?Windows-1252?Q?vKjG9zVSPmMy9bHSpKWo1wdxS3N40dC43Wo9xYZ3JQj/QLnAbZzAYdK7?= =?Windows-1252?Q?MZPL39h4iS1/gZhSTm4UYnysJ1WcxjJuaXT8dfvPQNNYyhb3ynE88QwN?= =?Windows-1252?Q?WWDL+cTY/n0dulYgZnkcTqQVdszFT+n8wzzTKcBn8xm0z6+Y+dvcR0on?= =?Windows-1252?Q?yqMkY2v5tUNtJVLU1z5q/KJNVz1z1UnBYGfnRadTlpn0Hkc2i7Zqo1tj?= =?Windows-1252?Q?c56MsFRXAUhe/SrFysnj0R+Wcol/Djgog37jAr1oqkS/pXMA13p3n8I6?= =?Windows-1252?Q?BNsXiT3srrTeHgpaC15Od9JzD0kmoo4wfQ23NFs761KqBvT2NFXFXxl/?= =?Windows-1252?Q?ts3/qWGztKj890aueQTsCTsHZZUOXLqO9N2Lhk8E8OMl/UdfmawNbEnD?= =?Windows-1252?Q?s2Bq/br7zt6dGUDrTsd1FaAaA5bvEMcUNMYi8xIPDI9n/hwOspIlIO2n?= =?Windows-1252?Q?amFM3HxsqlsUENHF2xkAHhhmDHWT84MhhqX+SQrZznyNkPde4K+pCEra?= =?Windows-1252?Q?hh53wtOI?=
x-ms-exchange-antispam-messagedata-1: pv0YL/9W3IwHzmiofP8FADKJEPYP5l/p1kQ2B+os02TnvdCY63IqTPyEDkXHH6R89F5xGtl62Pr5Aw==
Content-Type: multipart/alternative; boundary="_000_HE1PR07MB42175BE689C78F3E567B384798E99HE1PR07MB4217eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB4217.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5aa88809-2d24-477e-62be-08da196456bb
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Apr 2022 13:33:16.5923 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: quVCBvdGN3A/g214/YySwDzHCAfltp/VTuCFreKS3uvvlccEf/F8IHGIOYNED1rXMZ6vTA5mQa6wmKuzLHxiNgQ2nK6SMJjUXg8RUTqn0Y618BSVtllKw2NWVohPc2mB
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3PR07MB6668
Received-SPF: pass client-ip=40.107.20.44; envelope-from=francesca.palombini@ericsson.com; helo=EUR05-DB8-obe.outbound.protection.outlook.com
X-W3C-Hub-DKIM-Status: validation passed: (address=francesca.palombini@ericsson.com domain=ericsson.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1ncojx-0006gC-LF d402de9aa36503a7822c45295276b07e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS)
Archived-At: <https://www.w3.org/mid/HE1PR07MB42175BE689C78F3E567B384798E99@HE1PR07MB4217.eurprd07.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/39979
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi all,

I have been holding a DISCUSS on the document below, which selects only specific HTTP header fields to be part of its Web Attack Alarm event. You can see more of my concerns/uncertainty in the DISCUSS comment below, which affects Section 6.3.4 of https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-monitoring-data-model-16 .

As I haven’t had any reaction from the working group, I understand HTTP experts here don’t see any red flags with this specific use of headers, and I will be releasing the document in the next week or so.

Francesca

From: iesg <iesg-bounces@ietf.org> on behalf of Francesca Palombini via Datatracker <noreply@ietf.org>
Date: Tuesday, 22 March 2022 at 16:33
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org <draft-ietf-i2nsf-nsf-monitoring-data-model@ietf.org>rg>, i2nsf@ietf.org <i2nsf@ietf.org>rg>, dunbar.ll@gmail.com <dunbar.ll@gmail.com>om>, i2nsf-chairs@ietf.org <i2nsf-chairs@ietf.org>rg>, ietf-http-wg@w3.org <ietf-http-wg@w3.org>
Subject: Francesca Palombini's Discuss on draft-ietf-i2nsf-nsf-monitoring-data-model-16: (with DISCUSS)
Francesca Palombini has entered the following ballot position for
draft-ietf-i2nsf-nsf-monitoring-data-model-16: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-nsf-monitoring-data-model/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Thank you for the work on this document.

Many thanks to Valery Smyslov for his review:
https://mailarchive.ietf.org/arch/msg/art/2XuRUuQaI8ZrVSyuWQn1SHi5dEY/, and to
the authors for addressing his comments.

Thank you for partially addressing my DISCUSS points with this new version. I
do think the question about the Web Attack Alarm was not completely addressed.
I am CC'ing the HTTPBIS wg to see if any of the experts there see any red flags
here.

Francesca

-----

Section 6.3.4.

FP: It is not clear to me why these specific header fields (and these fields
only) are selected to be part of the information about Web Attack Alarm -
req-user-agent, cookies. I agree with Ben's DISCUSS point 1. (reported below)
and would even add to that that more motivation around which header fields are
included and why, would help. I'd also like to know if the HTTPBIS working
group has been involved in the discussion, and if not, if they could be to give
their expert opinion.

Ben's DISCUSS:

(1) I'm not sure I understand the motivation for recommending (in §6.3.4) that
the HTTP Cookie header field be included in a notification about a Web
Attack Event.  In general, the cookie field can contain very sensitive
information, including credentials, and it is very risky to be sending the
cookies around outside of their primary protocol context.  Perhaps, if we
are fully confident that the NSF has correctly identified an attack, it
might be useful to send the cookies around, but I think there are still some
scenarios (e.g., a compromised end-user browser) where the cookies in an
attack request are still confidential information that should not be
disclosed.  Could we say more about why it is recommended to always include
the cookies or weaken the recommendation?