IETF Logo Mail Archive

Re: comparing eproxy proposals

Peter Lepeska <bizzbyster@gmail.com> Sun, 19 January 2014 02:37 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 388141AD8E2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 18 Jan 2014 18:37:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.94
X-Spam-Level:
X-Spam-Status: No, score=-6.94 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_38=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScKGISRGsVkP for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 18 Jan 2014 18:37:46 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 9BCE41AD8DB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 18 Jan 2014 18:37:46 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1W4iDl-0006kN-3t for ietf-http-wg-dist@listhub.w3.org; Sun, 19 Jan 2014 02:34:45 +0000
Resent-Date: Sun, 19 Jan 2014 02:34:45 +0000
Resent-Message-Id: <E1W4iDl-0006kN-3t@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <bizzbyster@gmail.com>) id 1W4iDc-0006jV-FX for ietf-http-wg@listhub.w3.org; Sun, 19 Jan 2014 02:34:36 +0000
Received: from mail-vb0-f44.google.com ([209.85.212.44]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <bizzbyster@gmail.com>) id 1W4iDb-0001jW-2B for ietf-http-wg@w3.org; Sun, 19 Jan 2014 02:34:36 +0000
Received: by mail-vb0-f44.google.com with SMTP id f12so1166979vbg.3 for <ietf-http-wg@w3.org>; Sat, 18 Jan 2014 18:34:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=9FkI8WZZp2Iax8T3Tl7qretfCiTabPfG++eZ9Dtdk3U=; b=Qj6mP64p4pPfYJ52KBC13yjBG4aWh7YRkpRWkmzDHoUEb2NqWpDLr1CViA45lweO+I mB3uaziJYZwYFpF0rtjpnU8VRRAuusGXzi/3ORm+ADS7LJb/fdPkE1K9st2m8rx6UvH2 xFl0gl7eimdl2ZZM3xMZgFNg2mEDeGWunwv1sHLPKyPkkpcx59b9yQ5/RffpTdbubR2o 7QGLHSBIPw5+bCFadEZ0T2Hv1RBjO9T62oBxGOjLIAHrSd9L2DCBZh26X7TzQUBGUZWE mUSA1uSLgmh2qsCgKaCAisqEG0w9CnayOTzRw1HOYjici0LO9cOPsqL7tgrd+5ayxfn0 kAwQ==
MIME-Version: 1.0
X-Received: by 10.221.34.211 with SMTP id st19mr5824368vcb.5.1390098848741; Sat, 18 Jan 2014 18:34:08 -0800 (PST)
Received: by 10.58.155.232 with HTTP; Sat, 18 Jan 2014 18:34:08 -0800 (PST)
In-Reply-To: <CAP+FsNcj_pVgcvw53K0-9yD3s6t25MY_HtbKxwA1n4xeg-Vdfg@mail.gmail.com>
References: <CANmPAYFm=Vm-L=smSU8XVN6N4fjWWYr=Y0u+Bkg4ryWopZvUbA@mail.gmail.com> <CAP+FsNcj_pVgcvw53K0-9yD3s6t25MY_HtbKxwA1n4xeg-Vdfg@mail.gmail.com>
Date: Sun, 19 Jan 2014 03:34:08 +0100
Message-ID: <CANmPAYHuPsiLUVxOOByRdk1Wr+SqUa=jtsgotRYK6CvVC=qFmg@mail.gmail.com>
From: Peter Lepeska <bizzbyster@gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=209.85.212.44; envelope-from=bizzbyster@gmail.com; helo=mail-vb0-f44.google.com
X-W3C-Hub-Spam-Status: No, score=-3.4
X-W3C-Hub-Spam-Report: AWL=-2.634, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1W4iDb-0001jW-2B f93ad4b85d4b1f4a3e86f6a00bba3ead
X-Original-To: ietf-http-wg@w3.org
Subject: Re: comparing eproxy proposals
Archived-At: <http://www.w3.org/mid/CANmPAYHuPsiLUVxOOByRdk1Wr+SqUa=jtsgotRYK6CvVC=qFmg@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/21902
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Roberto,

Sorry if I misrepresented your proposal. I was trying to bring clarity
and it sounds like I may have over-simplified proposals. Re-reading
your draft, it looks like #3 "shared decryption key material" is
described. #4 is only described in section 4.2 of Salvatore's draft.
And in general your doc touches on multiple different ways to do a
trusted proxy, covering some aspects of each of my 3-5 above,
including proposing a null cipher in an end-to-end tunnel. I can
repost without reference to prior drafts so as to avoid my own
misunderstandings of what was intended in them.

"I'm happy to go into individual points if you like, but I don't
really think it matters, All solutions in the space end up being
roughly the same thing with different bikeshed colors :)"

I agree with you only to the extent that the issue of how to establish
trust dwarfs these other considerations. But I think if we come up
with a protocol that allows each node (client, proxy, server) to
express its interest and requirements at runtime on a per object
basis, and to enable a dynamic negotiation, we might find the problem
of trust shrinks a little bit.

Thanks,

Peter

On Sat, Jan 18, 2014 at 11:28 PM, Roberto Peon <grmocg@gmail.com> wrote:
>
>
>
> On Sat, Jan 18, 2014 at 8:54 AM, Peter Lepeska <bizzbyster@gmail.com> wrote:
>>
>> As an exercise, I’ve attempted to define the 5 eproxy schemes that
>> have been proposed up until now. And then compared these schemes to
>> the eproxy GOALS section described here:
>> http://tools.ietf.org/html/draft-vidya-httpbis-explicit-proxy-ps-00.
>>
>> Here are the five proposed HTTP2S eproxy schemes:
>>
>> 1. MITM -- This is the current way TLS is proxied that involves the
>> proxy generating certs to impersonate the content server.
>>
>> 2. Proxy Server TLS Extension -- Described here:
>> http://tools.ietf.org/html/draft-mcgrew-tls-proxy-server-01. Using a
>> proposed extension to TLS, the proxy forwards the server cert to the
>> client so that it can authenticate the content server. I think of this
>> as MITM without impersonation, but I hope that doesn’t misrepresent
>> the proposal.
>>
>> 3. Shared decryption key material -- This idea is described in both
>> http://tools.ietf.org/html/draft-rpeon-httpbis-exproxy-00 and
>>
>> http://tools.ietf.org/html/draft-loreto-httpbis-trusted-proxy20-00#section-4.1.
>> The core concept, in my understanding, is that the proxy is able to
>> see the end-to-end TLS traffic in plaintext b/c the UA exports the
>> session key and uploads it to the proxy.
>>
>> 4. Client forwards plaintext requests to secure proxy -- This idea is
>> also described in both the rpeon exproxy draft and the loreto trusted
>> proxy draft (links above). The concept is that two standard
>> point-to-point (P-t-P) TLS sessions are established between client and
>> proxy and proxy and server and then the browser simply forwards its
>> HTTP2 requests to the proxy over that secure link.
>>
>> 5. Any Node Refusal -- This is the proposal I posted to the mailing
>> list earlier and have re-posted here --
>>
>> https://github.com/bizzbyster/AnyNodeRefusal/wiki/HTTP2S-Eproxy-with-Any-Node-Refusal
>> -- that leverages James’ intra-connection TLS negotiation to establish
>> an unencrypted end-to-end TLS session across two point-to-point
>> encrypted sessions. As the name implies, any node can refuse, data
>> integrity is guaranteed, and the proxy cannot operate in stealth mode.
>>
>> Now to see which goals are met by each proposal...
>>
>> 6.2.  Goals
>>
>>    These are the goals of a solution aimed at making proxying explicit
>>
>>    in HTTP.
>>
>>    o  In the presence of a proxy, users' communications SHOULD at least
>>
>>       use a channel that is point-to-point encrypted.
>>
>> All meet this.
>>
>>    o  Users MUST be able to opt-out of communicating sensitive
>>
>>       information over a channel which is not end-to-end private.
>>
>> All but MITM meet this.
>>
>>    o  Content-providers MAY serve certain content only in an end-to-end
>>
>>       confidential fashion.
>>
>> Only Any Node Refusal meets this.
>>
>>    o  Interception proxies MUST be precluded from intercepting secure
>>
>>       communications between the user and the content-provider.
>>
>> I don’t really understand this one. Isn’t this a question of how you
>> establish trust? That is not defined in any of these schemes.
>
>
> This is saying something very obvious, and thus potentially confusing :)
> Essentially, if you+endpoint believe it should be confidential, then it
> should be confidential.
>
>>
>>
>>    o  User-agents and servers MUST know when a transforming proxy is
>>
>>       interposed in the communications channel.
>>
>> Only Any Node Refusal meets this.
>>
>>
>>    o  User-agents MUST be able to detect when content requested with an
>>
>>       https scheme has been modified by any intermediate entity.
>>
>> Only Any Node Refusal meets this.
>>
>>    o  Entities other than the server or user-agent SHOULD still be able
>>
>>       to provide caching services.
>>
>> I think all meet this except #3 above, Shared Decryption Key Material.
>> I can’t see how that scheme can provide caching services.
>>
>>
>>    o  User agents MUST be able to verify that the content is in fact
>>
>>       served by the content provider.
>>
>> Only Any Node Refusal and Shared Decryption Key Material meet this.
>>
>>    o  A set of signaling semantics should exist which allows the
>>
>>       content-provider and the user to have the appropriate level of
>>
>>       security or privacy signaled per resource.
>>
>> Only Any Node Refusal meets this.
>>
>>    o  Ideally, HTTP URI semantics SHOULD NOT change, but if it does, it
>>
>>       must remain backwards-compatible.
>>
>> All meet this, I believe.
>>
>>    o  Configuration and deployment of proxies should be as easy as
>>
>>       currently used solutions.
>>
>> I think this really depends on how trust is established, which isn’t
>> covered by these proposals.
>>
>>    o  Introduction of explicit proxying MUST NOT require a flag day
>>
>>       upgrade - in other words, it should work with existing client and
>>
>>       content provider implementations during the transition.
>>
>> I don’t think any require this.
>>
>> Conclusion: I think the eproxy spec has to address three difficult
>> things: 1) discovery of proxies, 2) establishing trust, and 3) the
>> runtime requirements of UAs, proxies, and servers as defined by the
>> GOALS section above. All three are really hard problems but I think
>> ANR is a step towards solving #3.
>>
>
> I'm fairly certain that all of these goals are met with the eproxy draft I
> submitted way back when, except for proxy discovery, and trust
> establishment, which I didn't go into since the mechanisms for that were
> likely separate from the mechanisms of the proxying itself.
> I'm happy to go into individual points if you like, but I don't really think
> it matters, All solutions in the space end up being roughly the same thing
> with different bikeshed colors :)
> -=R
>
>>
>> Thanks,
>>
>> Peter
>>
>

v2.23.0 | Report a Bug | By Email