IETF Logo Mail Archive

Re: Introducing a Session header...

Phillip Hallam-Baker <hallam@gmail.com> Fri, 20 July 2012 20:00 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE41811E80E0 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 20 Jul 2012 13:00:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.027
X-Spam-Level:
X-Spam-Status: No, score=-9.027 tagged_above=-999 required=5 tests=[AWL=1.572, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVkZOk9G2h7g for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 20 Jul 2012 13:00:46 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 881BC11E80DC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 20 Jul 2012 13:00:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1SsJN3-0007ZD-RP for ietf-http-wg-dist@listhub.w3.org; Fri, 20 Jul 2012 20:00:17 +0000
Resent-Date: Fri, 20 Jul 2012 20:00:17 +0000
Resent-Message-Id: <E1SsJN3-0007ZD-RP@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <hallam@gmail.com>) id 1SsJMs-0006i8-HO for ietf-http-wg@listhub.w3.org; Fri, 20 Jul 2012 20:00:06 +0000
Received: from mail-vc0-f171.google.com ([209.85.220.171]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <hallam@gmail.com>) id 1SsJMr-00046d-1Z for ietf-http-wg@w3.org; Fri, 20 Jul 2012 20:00:06 +0000
Received: by vcdd16 with SMTP id d16so3138588vcd.2 for <ietf-http-wg@w3.org>; Fri, 20 Jul 2012 12:59:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=UCb+yAi8ZTEWYNVJePgvhKsEDedAF7dpFSQmr8VeV78=; b=a44YiIW4ILVfHzzD0+6JbjvHUsYo0sM/y5W9TqOyIwurSoSze9S/GAB/l24Vjk7JwP D1coq46V1SpcTsIEU/hnx6HMZZ+YGZ0iyrGcCBy98ZbP4u8OpTAwuerjmBBh+rVb7dRu xSjGWTpzoJTHW6qsU5Z2wXrnpwxShzphzqN8c4mQcJH2oK7rHEQYqXprU3Je5ABDtSqP zX4z4QVLK6Vbm1KqVIeCz0ZuylBzD9ceXLKFqdlGrhvWOt4zD6Wms8pk3jLQhaHLWLyJ 5lKMbe7MA5YqTSKSFpWe3YQSQjkU76sZ+KdFVwCBkWZP+kjo09n9ajRRTUCQ7GZafINY nhxA==
MIME-Version: 1.0
Received: by 10.52.240.178 with SMTP id wb18mr4832729vdc.100.1342814378945; Fri, 20 Jul 2012 12:59:38 -0700 (PDT)
Received: by 10.58.116.233 with HTTP; Fri, 20 Jul 2012 12:59:38 -0700 (PDT)
In-Reply-To: <20120720193838.GD26154@1wt.eu>
References: <CAP+FsNcWPw6j68Y9g9HfAWxZu-83W4p1cX0OTd4Fngky=PdvgA@mail.gmail.com> <23396.1342803363@critter.freebsd.dk> <CAP+FsNeTBU8+-h85Bp1smqXsNBdYiL74y2HqVeE3qUiSmS8iuA@mail.gmail.com> <CABP7RbfSHZ494pmFSYFyX_g7M3YQyuG0GM4RZ2NJJ22nVMTvig@mail.gmail.com> <20120720193838.GD26154@1wt.eu>
Date: Fri, 20 Jul 2012 15:59:38 -0400
Message-ID: <CAMm+Lwg-kKbBFkd+JSfZkW-tFaZvM2==HH6dwj+ESZU4B1eNfQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: James M Snell <jasnell@gmail.com>, Roberto Peon <grmocg@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, HTTP Working Group <ietf-http-wg@w3.org>, Philippe Mougin <pmougin@acm.org>
Content-Type: text/plain; charset="ISO-8859-1"
Received-SPF: pass client-ip=209.85.220.171; envelope-from=hallam@gmail.com; helo=mail-vc0-f171.google.com
X-W3C-Hub-Spam-Status: No, score=-2.7
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1SsJMr-00046d-1Z 8b951f3fbc26868449d427b260a212e7
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Introducing a Session header...
Archived-At: <http://www.w3.org/mid/CAMm+Lwg-kKbBFkd+JSfZkW-tFaZvM2==HH6dwj+ESZU4B1eNfQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/14679
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Perhaps what we could do is to define a TLS extension that could carry
a session ID (possibly even a session authenticator) enclair. This
would:

1) Decrease disincentives to use TLS (i.e. difficulties using it with
load balancers)

2) Provide an incentive to upgrade to support the new session ID scheme.


Given that TLS is regularly supported through a front end box type
approach, it would of course be necessary to still carry the session
id as a HTTP header in addition.


On Fri, Jul 20, 2012 at 3:38 PM, Willy Tarreau <w@1wt.eu> wrote:
> On Fri, Jul 20, 2012 at 11:18:43AM -0700, James M Snell wrote:
>> Indeed, not to mention the fact that terms like "session" are painfully
>> overloaded. Collecting the list of requirements is a good next step, I
>> think, but we need to be clear on the language used to avoid further
>> confusion.
>>
>> Today, the term "Session" can refer to:
>>
>> 1. The TCP / TLS Connection
>> 2. The concept of routing "Stickiness"
>> 3. Application-level state that persists across multiple http requests, and
>> multiple TCP connections.
>>
>> Cookies, quite unfortunately, have been abused in a variety of ways to
>> implement #2 and #3, generally because there is no protocol-level mechanism
>> provided to support those cases, developers have largely just hacked it in.
>
> Exactly.
>
>> So if we're talking about specific requirements, I would argue that we:
>>
>> A. We need a protocol-level concept of a "Routing Token" to address #2. The
>> use of this mechanism is strictly to provide intermediaries with a method
>> of establishing a generally-persistent routing path for all requests
>> originating from the same client. This token is NOT intended to be used to
>> identify or access shared application state. In fact, it is questionable as
>> to whether this routing token should be visible to the application layer at
>> all. The token could, theoretically, be transmitted entirely in the clear
>> without risk of inappropriate disclosure of sensitive information.
>
> Indeed, and that's what's being done with cookies nowadays, except it
> requires that LBs decipher TLS only to get this cookie ! That's why there
> have been some thoughts about reusing the IPv6 flow label for this [1] [2].
>
>> The one
>> caveat, however, is that there must be a mechanism to protect the integrity
>> of the token. For instance, a form a DoS attack could be carried out by
>> intercepting and changing the routing token, breaking the stickiness of the
>> route or redirecting traffic to an unintended destination.
>
> This example is often given but we regularly need to show that it does not
> really exist in practice. Even if you made it unpredictable or whatever,
> it's trivial for a client to always stick to the same token once obtained.
> Cookies already suffer from this and this is not what is exploited for DDoS
> attacks, what is targetted is weaknesses in the parsers (eg: slowloris),
> and huge amounts of more or less valid requests to try to overwhelm the
> first point (hence the LB). Attackers have no business wasting their time
> enumerating server identifiers to try the domino effect on them, the domino
> effect happens by itself if they're overloaded anyway.
>
>> B. While we need a more reliable Application-level mechanism to deal with
>> #3 (essentially an evolved form of the Cookie mechanism) it does not need
>> to be defined at the protocol level. This is something that can be done
>> orthogonally to any work being done within the protocol. That's not to say
>> we cannot make use of potential new capabilities of HTTP/2.0 to deliver
>> that "more reliable mechanism", just that we do not need to completely
>> define the mechanism within HTTP/2.0.
>
> I tend to agree with a grain of salt. There are some places where you
> find content delivery servers behind the LB and a small farm of login
> servers. The LB then relies on the presence (or even freshness) of the
> application session cookie to decide what farm to send the request to.
> It's not critical because anyway such an architecture needs provisions
> for letting the content server redirect to the login farm when it does
> not know the session. That said, we're possibly at the frontier between
> what is pure routing at low cost and what is L7 processing which will
> always exist anyway with its associated costs.
>
>> Reasonable?
>
> Seems reasonable to me at least.
>
> Willy
>
> [1] http://tools.ietf.org/html/draft-carpenter-flow-label-balancing-01
> [2] http://tools.ietf.org/html/draft-tarreau-extend-flow-label-balancing-00
>
>



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email