IETF Logo Mail Archive

Re: New Draft: draft-ohanlon-transport-info-header

"Piers O'Hanlon" <piers.ohanlon@bbc.co.uk> Thu, 05 December 2019 16:58 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6E2D12002F for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 5 Dec 2019 08:58:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.152
X-Spam-Level:
X-Spam-Status: No, score=-2.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, PDS_BTC_ID=0.499, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IWnR8UWZUcMp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 5 Dec 2019 08:58:51 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71A0C120091 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 5 Dec 2019 08:58:51 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1icuQC-0006sl-NP for ietf-http-wg-dist@listhub.w3.org; Thu, 05 Dec 2019 16:56:08 +0000
Resent-Date: Thu, 05 Dec 2019 16:56:08 +0000
Resent-Message-Id: <E1icuQC-0006sl-NP@frink.w3.org>
Received: from uranus.w3.org ([128.30.52.58]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <piers.ohanlon@bbc.co.uk>) id 1icuQ8-0006qe-LN for ietf-http-wg@listhub.w3.org; Thu, 05 Dec 2019 16:56:04 +0000
Received: from www-data by uranus.w3.org with local (Exim 4.92) (envelope-from <piers.ohanlon@bbc.co.uk>) id 1icuQ8-0006ni-Hr for ietf-http-wg@listhub.w3.org; Thu, 05 Dec 2019 16:56:04 +0000
Received: from titan.w3.org ([2603:400a:ffff:804:801e:34:0:4c]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <piers.ohanlon@bbc.co.uk>) id 1icq9g-0003b9-8r for ietf-http-wg@listhub.w3.org; Thu, 05 Dec 2019 12:22:48 +0000
Received: from mailout1.telhc.bbc.co.uk ([132.185.161.180]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <piers.ohanlon@bbc.co.uk>) id 1icq9e-000874-KL for ietf-http-wg@w3.org; Thu, 05 Dec 2019 12:22:48 +0000
Received: from BGB01XI1012.national.core.bbc.co.uk (bgb01xi1012.national.core.bbc.co.uk [10.161.14.16]) by mailout1.telhc.bbc.co.uk (8.15.2/8.15.2) with ESMTP id xB5CMhgm006732; Thu, 5 Dec 2019 12:22:43 GMT
Received: from BGB01XI1016.national.core.bbc.co.uk (10.161.14.79) by BGB01XI1012.national.core.bbc.co.uk (10.161.14.16) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 5 Dec 2019 12:22:43 +0000
Received: from BGB01XUD1009.national.core.bbc.co.uk ([10.161.14.7]) by BGB01XI1016.national.core.bbc.co.uk ([10.161.14.79]) with mapi id 14.03.0408.000; Thu, 5 Dec 2019 12:22:43 +0000
From: Piers O'Hanlon <piers.ohanlon@bbc.co.uk>
To: Patrick McManus <mcmanus@ducksong.com>
CC: Lucas Pardue <lucaspardue.24.7@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Thread-Topic: New Draft: draft-ohanlon-transport-info-header
Thread-Index: AQHVoSMuoLeOCPH9y0O/3xVovjDbQaeXJimAgACSr4CABBncAIAAM2KAgAAYdACAABEIgIABh3wAgAk1jwCABJ59gA==
Date: Thu, 05 Dec 2019 12:22:42 +0000
Message-ID: <643C0098-5C8A-4068-AB36-9FF587408261@bbc.co.uk>
References: <CAFWWCs4jSRbrK_-5mxM8w4YexYNKRuwGGJSK4iNrhr4en2Q=_w@mail.gmail.com> <CALGR9ob+EgQwC=VK80PPRWxABxi3AeLUpGXk=wzBK57H0OUzJw@mail.gmail.com> <CAFWWCs5u=qAjmhPek17YqN=AmVJgyCXEVkfP2RsQ5uM-DBZc0A@mail.gmail.com> <CAOdDvNrKSPwxNPDYW_0rqc78Zu4NJW9E49qGFt+nv7v3cUgTXg@mail.gmail.com> <CAFWWCs7XqVjOcNyt75P7enHXkAV3WzM8TDZLmUUaiDHFdT3QQQ@mail.gmail.com> <CAOdDvNo2dC77aQJif_351SR70J=judm+eKupm64=fSCY8212PA@mail.gmail.com> <FC0A337E-C794-446A-B587-36FA4F57820D@bbc.co.uk> <CAOdDvNoJyKia5KLHi-1dg7jX6ShJUPycnZwnazSFa4wf0qvLig@mail.gmail.com> <8D432349-23EA-4D6D-9C10-7AFF2B88418B@bbc.co.uk> <CAOdDvNp0GKs5NNs2LkJkiAyWMYbc2DOAKAAxXLMjeSDVLBMHqQ@mail.gmail.com>
In-Reply-To: <CAOdDvNp0GKs5NNs2LkJkiAyWMYbc2DOAKAAxXLMjeSDVLBMHqQ@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.19.161.211]
X-TM-AS-Product-Ver: SMEX-12.5.0.1300-8.2.1013-24054.007
X-TM-AS-Result: No-30.740500-8.000000-10
X-TMASE-MatchedRID: u6ojmU07PKw4HKI/yaqRmya1MaKuob8PHTzSJQBZgdFfAMuSbANx/fmv 83Rzid1pbVckZPXz24wi+mzzU0WgiNh8848Kmd8CdrpCZsJVIIUJt7y5PKd1X8OtrkhuZC9W37N DIE8N+wUM1uAoS31c84qD3pKpOaa1RpYY54qZBhASEYfcJF0pRZl/lu28zzkB0D1Db1ffDOAXQU 5a094togWN8DFMX6ahtDFt6k765ZHTrrk6HnoRbzDfgfM3Zc/RRrwOEu9BoTIC+1d6IZvk1sRrv jvFKTaxS6uf9rYVokEJ2ADO4Ptdc7vq0qBVtRnYdAg4yd14qAR7NIjco1DV8kYx760ONDcWnFqT WUo/GE1fl5gG+lhgMYrQmiPSel1ruGrSqZc7MeTDg+U1NSmcufT3/K+ej/Doc/T3GfQUvxkyoJR NWYUu4IvP7e/XRXTKCVh2qhrmB66GncEDL6PRx5RrnSy7UTtbEjUQ5RU6WJJ/sUNganJerfeDX+ 4OWCzvf81tsWTtEcHxMR+TAJHcSbNUVnqixiMOwrUhv0kAAvGZYYkt8na3t0SWNkzz9pRuHTDLp ytxpmljBW4rszFyQLbj3dapTQAiTfNurK6ZZFtGypC5CVFOH4EcpMn6x9cZQQ1XgvCe7sFF5DPw MYClwH59WvmNSlBqm0ky5DD25FY3KXWd30Ii3dIFVVzYGjNKWQy9YC5qGvz6APa9i04WGCq2rl3 dzGQ1A/3R8k/14e0=
X-TM-AS-User-Approved-Sender: Yes
X-TM-AS-User-Blocked-Sender: No
X-TMASE-Result: 10--30.740500-8.000000
X-TMASE-Version: SMEX-12.5.0.1300-8.2.1013-24054.007
Content-Type: text/plain; charset="utf-8"
Content-ID: <1E9B13A8AEA58C438B135A779A1E0B29@bbc.co.uk>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: c91d45b2-6e10-4209-9543-d9970fac71b7
Received-SPF: pass client-ip=132.185.161.180; envelope-from=piers.ohanlon@bbc.co.uk; helo=mailout1.telhc.bbc.co.uk
X-W3C-Hub-Spam-Status: No, score=-5.7
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, PDS_BTC_ID=0.499, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1icq9e-000874-KL f24ea434b55ab48c668820412f791d82
X-caa-id: 3c43d0bd40
X-Original-To: ietf-http-wg@w3.org
Subject: Re: New Draft: draft-ohanlon-transport-info-header
Archived-At: <https://www.w3.org/mid/643C0098-5C8A-4068-AB36-9FF587408261@bbc.co.uk>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37202
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

> On 2 Dec 2019, at 13:50, Patrick McManus <mcmanus@ducksong.com> wrote:
> 
> 
> 
> On Tue, Nov 26, 2019 at 12:12 PM Piers O'Hanlon <piers.ohanlon@bbc.co.uk> wrote:
> 
> Sure - I guess I didn’t put it very well - I was trying to say that the Transport-Info header would be only be transferred between that CDN edge and the client - it’s a hop-by-hop heade'''
> 
> h2 doesn't have hop to hop headers. it has per stream frames though.
>  
Yes I didn’t mention "hop-by-hop" headers in the draft as they aren’t in H2/3, but with many CDN deployments there are still multiple hops between the origin and the client.

> r - for the last last hop.
> 
> how does one know they are the last hop?
> 
The idea is that the header would be deployed by CDNs at the last server entity that peers, at a transport level, with the client. These edge servers facing the client are typically known/configurable by the CDN operators. The server that inserts the metrics starts the parameter list with an ID. In the draft we say that the header should only be inserted by an edge node, but we might need to add that existing Transport-Info headers may be removed, though there was some interest during the HTTPBIS session that it might be useful to retain info on other hops. The client would need to trust that the header was from the last hop - it could perform some sanity checks (e.g. compare with other measurements) to see if the information is useful before relying upon it.

> what have you have described the side channel isn’t clear to me?
> > 
> > 
> > obviously the HTTP protocol is aware of this sharing - indeed it initiates it! but the ramifications of it are generally opaque to the semantics of HTTP exchanges (roughly expressed by headers and messages). So perhaps what you want is better carried in the protocol (e.g. as a frame).. if you are proposing exposing it to content it needs to be scrutinized for the same reason that it is useful. This can be subtle - see CRIME and BREACH for example.
> > 
> Yes I had considered that frame based transport might be better but what is also required is to extract the transport/flow information for that stream - but if one could do that then it would potentially be ok to transport it in a header as the issue is that there is access to shared state.
> 
> there is a significant difference between information available to the protocol implementation and information in the semantic header layer which is available to javascript. The latter is held to a higher level of isolation due to the security model of javascript.
>  
Sure - It’s also down to client type so for a non-browser client then they may have access to the whole stack so they could potentially get the  tcp_info from the client socket and use the TCP metrics directly (that is apart from the server only metric such as snd_cwnd). So the utility of the transport-info header type metrics would be less in that situation, although there are apps with differing levels as of access to network state so frame level info could be useful. I guess RTT can be obtained using PING frames as mentioned in the H2 rfc7540#section-10.8 but the TCP measured (s)RTT would be better, and the server cwnd would be useful.

> Also for H2/3 since this is an issue about transport rate the fact padding is used on each connection
> 
> padding is not really a common thing at scale and there is some controversy over how helpful it is. 
> 
> means that there is always going to be some uncertainty introduced by padding in such attack. Such an attack where one flow to try to learn about another flow it would need to calculate it’s own portion of the flow so it could subtract it from the total flow rate provided by the header but’s going to be limited by not knowing about the padding.
> 
> 
> I think your best argument is going to be that this side channel isn't very meaningful for what you are reporting - but arguing that there isn't a side channel is not going to work out well long term. The attacker is always better motivated and more clever than your defense. Here's a fun one: https://www.usenix.org/node/217606 from ietf 106
Agreed - There are some impressive side channel attacks out there. I wasn't trying to say there is no side channel but just that similar information may be gleaned by other means (e.g. measuring the incoming traffic) that mean that this header shouldn't significantly add the threat model. There is also already shared state between sessions that share an origin (e.g. cookies, and other headers). We will add further details to the security considerations to address this. But I think we need to lay out which metrics we’ll support and probably keep it limited. We could possibly have a way for mechanism to extension but that would need further consideration. 

>  
> Another potential mitigation technique would be to add some noise to the measurements which would make it harder for collusion to occur with coordinated attacks. The choice of the level of noise could be a function of the number of flows the server knows are sharing the connection, or maybe just some randomness so that two simultaneous requests don’t obtain the same result - although in practice they’re not going to obtain the same result as the connection parameters are constantly changing, although such random noise could mitigate attempts to compare trends.
>

v2.23.0 | Report a Bug | By Email