IETF Logo Mail Archive

Re: HTTP Proxy-Status Parameter for Next-Hop Aliases

Tommy Pauly <tpauly@apple.com> Fri, 09 December 2022 17:32 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4975C13B4CF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 9 Dec 2022 09:32:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.049
X-Spam-Level:
X-Spam-Status: No, score=-5.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBuFqLYp7A31 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 9 Dec 2022 09:32:12 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47B40C15C95F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 9 Dec 2022 09:32:11 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1p3hCY-00DNSM-48 for ietf-http-wg-dist@listhub.w3.org; Fri, 09 Dec 2022 17:30:22 +0000
Resent-Date: Fri, 09 Dec 2022 17:30:22 +0000
Resent-Message-Id: <E1p3hCY-00DNSM-48@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tpauly@apple.com>) id 1p3hCW-00DNQy-R9 for ietf-http-wg@listhub.w3.org; Fri, 09 Dec 2022 17:30:20 +0000
Received: from rn-mailsvcp-ppex-lapp14.rno.apple.com ([17.179.253.33] helo=rn-mailsvcp-ppex-lapp14.apple.com) by mimas.w3.org with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <tpauly@apple.com>) id 1p3hCU-00AIbL-GQ for ietf-http-wg@w3.org; Fri, 09 Dec 2022 17:30:20 +0000
Received: from pps.filterd (rn-mailsvcp-ppex-lapp14.rno.apple.com [127.0.0.1]) by rn-mailsvcp-ppex-lapp14.rno.apple.com (8.16.1.2/8.16.1.2) with SMTP id 2B9HT7X8032764; Fri, 9 Dec 2022 09:30:05 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=JvkLjhpCKt6NXnqbvlErSszegPj/NlZCzLvWuu5bfwk=; b=IBTElkkmiDrBtTU2Z5DM+DXmMOXV+4rt/wDfP7PbRrH5D3wxrIddHsMPqtjG3K/WDXr2 XUVvDv0q1V2G5yRZd7JddeUSqrlD8kQTsRWaPRrtlEJ4A416fU4WVQjahxz1Iigq/LA4 0crmOSRNvHm1pb7P6X/hnTOl1E8MPLsPr8PzLXYAf1IJrg1ZWY2p5I9BJqc071HFII0B j1SzEnIe/z3Cf7TsJjtLiZcbf21tvvS7KGym+5lrVWPcWOjaIvGrsTJK9xOdxqojPquQ hVcvVWVysIak/7428BJiUDZNt2APXrkT2XKrO19GqlaqhnSw2nsG+0xvsm407Td1rGbf uQ==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by rn-mailsvcp-ppex-lapp14.rno.apple.com with ESMTP id 3m93fgrbnr-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 09 Dec 2022 09:30:05 -0800
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) with ESMTPS id <0RMM00U9WWM5UKH0@rn-mailsvcp-mta-lapp02.rno.apple.com>; Fri, 09 Dec 2022 09:30:05 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) id <0RMM01100W68BJ00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Fri, 09 Dec 2022 09:30:05 -0800 (PST)
X-Va-A:
X-Va-T-CD: cf81a03552d72e88b2c7c1a9075a2c16
X-Va-E-CD: 672e948c010c95c4450fa5f36ff9cc9f
X-Va-R-CD: d1f0ae016da512962e09a7c2eeacc4da
X-Va-CD: 0
X-Va-ID: be4ac5fc-cd63-4213-996c-2f066a904dec
X-V-A:
X-V-T-CD: cf81a03552d72e88b2c7c1a9075a2c16
X-V-E-CD: 672e948c010c95c4450fa5f36ff9cc9f
X-V-R-CD: d1f0ae016da512962e09a7c2eeacc4da
X-V-CD: 0
X-V-ID: 610ce63c-9450-4b30-970d-53d4759894f6
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.545,18.0.923 definitions=2022-12-09_10:2022-12-08,2022-12-09 signatures=0
Received: from smtpclient.apple ([17.11.54.6]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.20.20220923 64bit (built Sep 23 2022)) with ESMTPSA id <0RMM00VRHWM12400@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Fri, 09 Dec 2022 09:30:05 -0800 (PST)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <A520C156-AC3F-40AF-B360-F65CDBCE7B39@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_13931E5F-A1F6-40C7-A33A-CD3B5AA3A42F"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3731.300.101.1.2\))
Date: Fri, 09 Dec 2022 09:29:51 -0800
In-reply-to: <CAKC-DJj3OWTRjDjp_E9S1BMnRcKPh9oc04Ugh8Hxuty-64CUxQ@mail.gmail.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: Erik Nygren <erik+ietf@nygren.org>
References: <CAKC-DJj3OWTRjDjp_E9S1BMnRcKPh9oc04Ugh8Hxuty-64CUxQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.300.101.1.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.545,18.0.923 definitions=2022-12-09_10:2022-12-08,2022-12-09 signatures=0
Received-SPF: pass client-ip=17.179.253.33; envelope-from=tpauly@apple.com; helo=rn-mailsvcp-ppex-lapp14.apple.com
X-W3C-Hub-DKIM-Status: validation passed: (address=tpauly@apple.com domain=apple.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-11.4
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1p3hCU-00AIbL-GQ a1936fc80c6db55203ce6f4128aec41d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP Proxy-Status Parameter for Next-Hop Aliases
Archived-At: <https://www.w3.org/mid/A520C156-AC3F-40AF-B360-F65CDBCE7B39@apple.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40649
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Erik,

Thanks for the review! Comments below.

> On Dec 1, 2022, at 9:34 AM, Erik Nygren <erik+ietf@nygren.org> wrote:
> 
> I'd agree that HTTP makes more sense since this seems generally useful for proxies.
> 
> I'd be in-favor of the HTTP WG doing this.  I think it will be important 
> to loop in DNSOP and/or the new DNS Directorate in as well since there
> may be some important corner-cases from them to consider.
> 
> Some thoughts also opened at:
> https://github.com/tfpauly/privacy-proxy/issues/229
> https://github.com/tfpauly/privacy-proxy/issues/230
> 
> 1) Per draft-ietf-dnsop-svcb-https-11 section 3.2 clients MUST send the final TargetName to proxies:
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-11#section-3.2
> Proxies themselves shouldn't be doing SVCB/HTTPS RR lookups to get A/AAAA records.
> As such, draft-pauly-httpbis-alias-proxy-status only needs to look at CNAME chains.

Thanks, I’ve removed the SVCB reference with this PR: https://github.com/tfpauly/privacy-proxy/pull/231
> 
> 2) Is any special handling needed for exposing DNAMEs? Or are those not visible to resolver libraries.  I think the latter, but not sure.

I’ve looked into this, and I believe this shouldn’t expose DNAMEs, from my understanding. The resolver library seems like it would normally just see the address records, or a synthesized CNAME record. Let me know if I’ve missed something there.

> 
> These might also be worth considering, although we might decide they are too much complexity:
> 
> 3) One of the use-cases for draft-pauly-httpbis-alias-proxy-status may be for influencing connection coalescing behaviors. Since some clients use "is the IP address that the proxy is connecting to overlapping with the rrset(s) used by other connections" having the full IP address rrset lists for A and AAAA responses might be worthwhile.

While the connection-coalescing use case is interesting, I think it is more complex and requires a way to request getting full sets of DNS RRs back. The approach of proxy-status is to describe what was connected to, and I don’t think it makes sense to add that information here. I certainly think there’s room for new headers that would allow clients to request specific DNS records from a proxy during CONNECT, but that is a much larger and less clearly scoped direction.

> 4) We may want to allow listing all IP addresses tried before establishing the connection. (eg, a TCP proxy might implement happy eyeballs and/or fail-over between multiple IP addresses.) Knowing which others were tried but not used (when possible) might help for some of the abuse/use cases.
> 
Again, I think this one would be out of scope (especially since this one parameter is now just about aliases). It’s something to consider going forward, though.

Best,
Tommy

> Best, Erik
> 
> 
> 
> 
> 
> 
> > Hello HTTP,
> > 
> > Following up on this discussion, I presented this at Masque at IETF 115, and got the feedback that this would be fit more in HTTP, and also that it should just be a simpler proxy-status parameter to include only the alias name chain (generally, the CNAME chain).
> > 
> > I’ve revised the document, and it’s super short — just defining a “next-hop-aliases” parameter, which is a list of names.
> > 
> > https://www.ietf.org/archive/id/draft-pauly-httpbis-alias-proxy-status-00.html
> https://datatracker.ietf.org/doc/draft-pauly-httpbis-alias-proxy-status/
> > 
> > There was also discussion in the meeting about having more work on broader solutions to get rich and complex DNS information back from proxies, but I’d like to get this simple proxy-status parameter registered separately. I’d appreciate people’s reviews and thoughts.
> > 
> > Thanks,
> > Tommy
> >
> > On Oct 12, 2022, at 4:02 PM, Mark Nottingham <mnot@mnot.net <mailto:mnot@mnot.net?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>> wrote:
> > 
> > Speaking personally -- I don't have any strong feelings either way, as long as appropriate communication happens. If the use cases are for non-MASQUE proxying too (and it seems like they are), that might tilt it slightly towards HTTP.
> > 
> > Cheers,
> > 
> > 
> >> On 11 Oct 2022, at 2:46 am, Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>> wrote:
> >> 
> >> Hi HTTP,
> >> 
> >> I wanted to share this draft with this group, which I’ve initially started discussion on in MASQUE.
> >> 
> >> It’s a simple parameter addition to proxy-status, to let the proxy send back the IP and CNAME/alias chain it used to reach the next hop. This is useful for clients of CONNECT/CONNECT-UDP proxies that want to apply policies to specific IPs and CNAMEs (for tracker detection, cookie rules, etc).
> >> 
> >> In addition to any reviews and feedback on the technical content, we’d like to know if this is something that the HTTPbis WG would like to own, or if it is fine letting the work happen in MASQUE and get review from HTTP.
> >> 
> >> Best,
> >> Tommy
> >> 
> >>> Begin forwarded message:
> >>> 
> >>> From: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:tpauly=40apple.com@dmarc.ietf.org?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>>
> >>> Subject: [Masque] HTTP Proxy-Status Parameter for DNS Information
> >>> Date: October 4, 2022 at 12:29:33 PM PDT
> >>> To: masque@ietf.org <mailto:masque@ietf.org?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>
> >>> 
> >>> Hello MASQUErs,
> >>> 
> >>> I wanted to share this document with this group, since it is mainly applicable to MASQUE-style (CONNECT/CONNECT-UDP) proxies.
> >>> 
> >>> Right now, when a client connects to a TCP or UDP server via the proxy using a hostname in the request, it doesn’t perform its own DNS, and thus doesn’t learn about the IP address of the server it ultimately is connected to, or the CNAME / AliasMode chain that was used to get to the IP address of the server. That’s generally fine, but there are use cases where clients may want to know the IP address or CNAMEs to detect cases where trackers are performing CNAME cloaking, etc.
> >>> 
> >>> So, this is a very simple proposal to define a new, optional proxy-status parameter that can let MASQUE-style proxies tell clients about the IP address and CNAME chain from DNS.
> >>> 
> >>> https://www.ietf.org/archive/id/draft-pauly-masque-dns-proxy-status-00.html
> >>> 
> >>> This certainly does not solve all of the use cases where clients may want to know more DNS details (SVCB/HTTPS records for ECH, alpn support, etc), and I expect more work to be needed for those use cases. However, I believe this extra bit of information is something that is incrementally useful, easy to implement, and simple to define.
> >>> 
> >>> Thoughts and feedback welcome!
> >>> 
> >>> Thanks,
> >>> Tommy
> >>> 
> >>>> Begin forwarded message:
> >>>> 
> >>>> From: internet-drafts@ietf.org <mailto:internet-drafts@ietf.org?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>
> >>>> Subject: New Version Notification for draft-pauly-masque-dns-proxy-status-00.txt
> >>>> Date: October 4, 2022 at 11:01:29 AM PDT
> >>>> To: Tommy Pauly <tpauly@apple.com <mailto:tpauly@apple.com?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>>
> >>>> 
> >>>> 
> >>>> A new version of I-D, draft-pauly-masque-dns-proxy-status-00.txt
> >>>> has been successfully submitted by Tommy Pauly and posted to the
> >>>> IETF repository.
> >>>> 
> >>>> Name:		draft-pauly-masque-dns-proxy-status
> >>>> Revision:	00
> >>>> Title:		HTTP Proxy-Status Parameter for DNS Information
> >>>> Document date:	2022-10-04
> >>>> Group:		Individual Submission
> >>>> Pages:		5
> >>>> URL:            https://www.ietf.org/archive/id/draft-pauly-masque-dns-proxy-status-00.txt
> >>>> Status:         https://datatracker.ietf.org/doc/draft-pauly-masque-dns-proxy-status/
> >>>> Html:           https://www.ietf.org/archive/id/draft-pauly-masque-dns-proxy-status-00.html
> >>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-pauly-masque-dns-proxy-status
> >>>> 
> >>>> 
> >>>> Abstract:
> >>>>  This document defines an HTTP Proxy-Status Parameter that contains
> >>>>  the IP address and CNAME chain received over DNS that was used to
> >>>>  establish the connection to the next hop.
> >>>> 
> >>>> Discussion Venues
> >>>> 
> >>>>  This note is to be removed before publishing as an RFC.
> >>>> 
> >>>>  Source for this draft and an issue tracker can be found at
> >>>>  https://github.com/tfpauly/privacy-proxy.
> >>>> 
> >>>> 
> >>>> 
> >>>> 
> >>>> The IETF Secretariat
> >>>> 
> >>>> 
> >>> 
> >>> -- 
> >>> Masque mailing list
> >>> Masque@ietf.org <mailto:Masque@ietf.org?Subject=Re%3A%20HTTP%20Proxy-Status%20Parameter%20for%20Next-Hop%20Aliases&In-Reply-To=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E&References=%3CBC9076D0-8F74-4D2D-B933-81BE5D1ED52B%40apple.com%3E>
> >>> https://www.ietf.org/mailman/listinfo/masque
> >> 
> > 
> > --
> > Mark Nottingham   https://www.mnot.net/
> >

v2.23.0 | Report a Bug | By Email