Re: Redirection to Other IP Addresses

Wesley Oliver <> Mon, 29 July 2019 19:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0A12A1200B8 for <>; Mon, 29 Jul 2019 12:26:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.651
X-Spam-Status: No, score=-0.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_VISITOURSITE=2, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, TRACKER_ID=0.1] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Undw0gzAq7Kn for <>; Mon, 29 Jul 2019 12:26:50 -0700 (PDT)
Received: from ( [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A145F1200A3 for <>; Mon, 29 Jul 2019 12:26:50 -0700 (PDT)
Received: from lists by with local (Exim 4.89) (envelope-from <>) id 1hsBGn-0001rU-17 for; Mon, 29 Jul 2019 19:25:17 +0000
Resent-Date: Mon, 29 Jul 2019 19:25:17 +0000
Resent-Message-Id: <>
Received: from ([2603:400a:ffff:804:801e:34:0:4f]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <>) id 1hsBGk-0001qa-E7 for; Mon, 29 Jul 2019 19:25:14 +0000
Received: from ([2607:f8b0:4864:20::429]) by with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <>) id 1hsBGh-0002cx-T2 for; Mon, 29 Jul 2019 19:25:14 +0000
Received: by with SMTP id r7so28525050pfl.3 for <>; Mon, 29 Jul 2019 12:24:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I5gq/25TOhXnjzuJN8NhEQeHG68QfzXYk3HLTZxEh1A=; b=VLWjyle6e79V5WslsS/mim/EAuABKTRt0+KABEFFdPmJK5Z6YGnKVS0w6+WDmAZImX 0y9PEw/r7b1129/1gUabnzi1SwIdSo6qrg0l5jRVKJi+kFmkChiJb33KXelbOqpRtG12 esIPqnXjIinheYhKIvFS6/o/N0ehKSDr4rHPoCSSecBMUvCsQndVq/44OcvYHVr3vErN DVFoeBewEQsnQfirFHE/DDg0Wzlt7x1eowLWf5KHvLn7zR1kHTpVE9IUPsr9Crti+e3H nKPDNPIrLn712+wGp6eAurLpVAV5d87R2CJa4V0F2yJ7AZjE3IZ0IQDiFKzO0T9bZ3w+ XKSA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I5gq/25TOhXnjzuJN8NhEQeHG68QfzXYk3HLTZxEh1A=; b=et7Vcvno/HVweiBqoqBLaoFU8alQn2+UIjKw2cQgkqS0lu2NyMsK8RDmys4sg/r5KK kZEHfX328OpB2hmGguAi4DM7YYHjDjNzR2uuEyl8P7ljEFinXyevJPuc+DM8BFwcinD9 tZhu1c20NRLabeWF1hrKjU4z0DTishgv+AUuht9RC0XjA1THgzg3aiYBVxSb2bXN9AJQ Ta7EK4csp+BtE7Ag0v98JxBqbjJaRCR5kciQNkeX2RunnZyl9jLfX2hFNcacXnF9aD8T 9c/v9VPQmJ/DFz13xPkABh82gVawSBHSHbaBnLtZlUOQ6vlsUJiwQQbeIhqfLqPBeplQ 4I8w==
X-Gm-Message-State: APjAAAW9qDTzv4qebNO8o0cvZXh2wcGPmfvU8TMefcJzK4TYPg5yM65X fn1h7B4CZeme/DUSya0zb14/WQuKB4VU/GfU6Lc=
X-Google-Smtp-Source: APXvYqzLtAuKIpgnm9r7yID1cXpAJnxFWhdVtoliM7Ct/Eu1oQrlm6sqcJ0SP3vWmyHRJjpM2QsrVdIxzvn8Br0y3Vc=
X-Received: by 2002:a17:90a:f498:: with SMTP id bx24mr115100213pjb.91.1564428290167; Mon, 29 Jul 2019 12:24:50 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Wesley Oliver <>
Date: Mon, 29 Jul 2019 21:24:29 +0200
Message-ID: <>
To: Bin Ni <>
Cc: Kyle Rose <>, Ben Schwartz <>, "Oliver, Wesley, Vodacom South Africa (External)" <>, Julian Reschke <>, Ryan Hamilton <>, "" <>
Content-Type: multipart/alternative; boundary="00000000000083186c058ed6d8b9"
Received-SPF: pass client-ip=2607:f8b0:4864:20::429;;
X-W3C-Hub-Spam-Status: No, score=-9.0
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, TRACKER_ID=0.1, T_REMOTE_IMAGE=0.01, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: 1hsBGh-0002cx-T2 1cc4a20c6836a85abd188d80f5fa7548
Subject: Re: Redirection to Other IP Addresses
Archived-At: <>
X-Mailing-List: <> archive/latest/36862
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>


What the guys tend to do as well is have specialized dns server entries
geographically, because everyone typically also gets there DNS server handed
to them from the dns server they are consuming. So at peering stations and
internal to ISP, potentially could have different ips, however,
requires a more co-ordinated approach and local buy-in, unless the consumed
DNS server can be configured and made to server different ips base on
knowledge of the geographical
location of the consuming dns server ip.

This is not a silver bullet of obvious reason aswell.

The other previous proposal I wanted to put forth with regards to redirect
was the following, maybe two could be combined.
Below the previous proposal if you didn't see it. It also looks to address
and provide alternative mechanism to avoid using cookies,
for session tracking.

Wesley Oliver <>
Thu, Jun 13, 9:26 AM

I would just like to highlight the following, which I think we could look
at addressing properly and generically across the board.

With regard to the new proposal stand as of march for authentication
session identification,
my understanding is that is drive from the webbrowser client and the server
just accept id provided. It is no longer driven from the server.

I would pref an approach where by it is drive from both client and server,
which means still ensure
that more difficult for hacking, can't just run tought all possible
permutation of client identification tokens and Bruteforce ones way into
end system.

As one of my previous emails to the group was for an approach from driven
from server-side to client-side, which is not that easy to hack and looking
up of session token, versus encryption and description payload, potentially
could be faster, given url and things have max lengths.

Therefore I would like to propose that we look at implemented generic
response forward headers,
which can be used for the server side to client-driven session management
and also for the very old school redirect problems, using the Location
header for security. With microservice was one's single world to handle all
the PCI credit cards and banking information for accounting purposes. It
because increasingly necessary to do handovers into those worlds, to ensure
a high level of security compliance is hand by a single team and all
auditing is in one place for critical information. Which allows design a
generic journey into such infrustature for anyone.

Below is an example of the problems that live everywhere, which we could
generically address with the propose of this simple json self-description
example benefit this line:

Payload of Repsonse...
Headers: ForwardRequestHeaders
CrossOrigin: Status.. (explicit) Allow/Deny
ClientGenerateAuthID:New March Specification(Allow Passing/Deny) (should be
explicit enable only)
CrossOrigin: Status.. (explicit) Allow/Deny
ClientGenerateAuthID:New March Specification (Allow Passing/Deny)(should be
explicit enable only)


The insatitial page/api auth redirect, that looks up the subscriptionId and
generates AuthToken,
Then according to the following containing controls will have to perform
the redirect mechanism in the following way.

I would recommend, to avoid being tripped up any browser, react something
not support or being bugged that
We should just support looking for the param in all places, url, query
string, headers, body, form-body submission.
This way we can use the best redirection mechanism possible, that the
client channel supports.

Remember that the url has a limited length, so placing jet tokens, which
can contain a lot more information in the url, can eventually hit the maxim
url length limit.

1. Hand over from different channels to PCI world:

*a. Breakout (Web Browser) (App)*
- Opens Url to instatial page.
- Performs the redirect using url with path, query params. (contents public
visible) url has limited length.
- (Url/Visible) Header:Location URL, can’t specify forward headers, all
must be in the url
- (Url/Visible) HTML meta refresh tag, all in the url
- (Url/Visible) javascript window.location, all must be in the url.
- (Form-Body/Hidden) render a html webpage and then client side generate a
form that is automatically submitted.
- Else render an html webpage and generate a form that is automatically

- Proxy the request, by acting as pass sought middle man ( but this is not
secure, as opens the door, middle proxy reading the encrypted contents and
fact proxy needs show correct certificate details and spread security now
across many layers, complicating management and much higher risk, not
contained within a single squad, multiple squad have then share security
Therefore, this is not a method that we like to do.

**If the landing page was to redirect again, then the URL/Visible, could be
concealed, because after landing page converted to session state cookie.

*b. WebView( App)*
- Performs the redirect with any one of the methods in a above breakout
- (Url+Headers/Hidden)Request from instatitital page/api auth redirect,
which returns the auth information in the Repsonse,
which we then add the information as headers to the web view url open
request, which react supports, to open the page.
** Benefits there are no flashing pages in the redirect  using instatital
pages as for breakout in a above, looks seamless.

*C. ClientBrowser (Online)*
- One of the methods above in a.
- Even if in a frame, the same problems persist.
- The only other approach is to use background request and javascript to
re-write the contents of a html page element place holder, this is a web
app client service side typically type workflow/mechanism approach. ( more

So I would recommend that if you written a generic landing page that be
able to pulled the specified params from both url path+query string, form
body and headers.

I basically have suggested this for authentication purposes, however, might
as well expanded to to be more generic.
In which can Header:location, can specific request headers under a Repsonse
header called.

CrossOrigin: Status.. (explicit) Allow/Deny
ClientGenerateAuthID:New March Specification
CrossOrigin: Status.. (explicit) Allow/Deny
ClientGenerateAuthID:New March Specification

Kind Regards,

Wesley Oliver

Kind Regards,

Wesley Oliver

On Mon, Jul 29, 2019 at 9:06 PM Bin Ni <> wrote:

> Yes, what we want is a way to force a "deterministic behavior from the
> client", just like all the 30X redirections today.
> Let me give a few more cases in which this can be helpful:
> 1. A client in North America is returned a server IP in Europe by the DNS.
> The server then wants to direct the client to another server in North
> America for better performance.
> 2. The content of a website is hashed to multiple servers based on URL.
> These multiple servers may not even be in the same datacenter. The DNS does
> not have this information and may return any IP to any query of the
> website's hostname.  Each server will calculate the hash for each request
> and redirect client to the correct server that has the content. This is
> quite common for CDN.
> Usually this kind of redirection is applied to large objects, where the
> overhead of one more round trip is negligible.
> Bin
> On Mon, Jul 29, 2019 at 7:48 AM Kyle Rose <> wrote:
>> On Mon, Jul 29, 2019 at 9:46 AM Ben Schwartz <> wrote:
>>> On Mon, Jul 29, 2019 at 3:40 AM Oliver, Wesley, Vodacom South Africa
>>> (External) <> wrote:
>>>> Hi,
>>>> I would like to suggest, that this not be a specific response code,
>>>> like a
>>>> 312 or 302. That it just be a response header, that gets checked by
>>>> Inteligent clients, would then always check for the new address and
>>>> port on which to contact the server,
>>> You're in luck: this is precisely the Alt-Svc header (RFC 7838).  You
>>> can use this today!
>>> Not all clients currently implement full support for this header, but
>>> hopefully that will improve over time.
>> I think the issue OP is raising is that they want some deterministic
>> behavior from the client, dictated by the server. Alt-Svc doesn't do this:
>> it's advisory. As a result, it can be used as an optimization, but some
>> kind of load balancer for the original service is still required for
>> clients that do not react to Alt-Svc (should that population be large
>> enough), or when the target Alt-Svc is down. As long as that's within OP's
>> constraints, I agree Alt-Svc is precisely the right solution.
> --
> Bin Ni
> VP of Engineering
> [image: Quantil]
> Connecting users with's that simple.
> Office: +1-888-847-9851 <(888)%20847-9851>
> [image: Tweeter] <>  [image: Google Plus]
> <>  [image: Linked In]
> <>
> The information contained in this email may be confidential and/or legally
> privileged. It has been sent for the sole use of the intended recipient(s).
> If the reader of this message is not an intended recipient, you are hereby
> notified that any unauthorized review, use, disclosure, dissemination,
> distribution, or copying of this communication, or any of its contents, is
> strictly prohibited. If you have received this communication in error,
> please reply to the sender and destroy all copies of the message. To
> contact us directly, send to QUANTIL, INC. at 1919 S Bascom Ave #600,
> Campbell, CA 95008
> <,+Campbell,+CA+95008&entry=gmail&source=g>,
> or visit our website at <>

Skype: wezley_oliver
MSN messenger: