Re: new version trusted-proxy20 draft

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 24 February 2014 09:02 UTC

Date: Mon, 24 Feb 2014 11:00:49 +0200
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Archived-At: <http://www.w3.org/mid/20140224090049.GA9816@LK-Perkele-VII>

On Fri, Feb 14, 2014 at 06:56:14PM +0000, Salvatore Loreto wrote:
> 
> URL:            http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-01.txt

Some comments:

1) As others have said, unnecessarily admitting to possible attackers
that connections aren't really protected is not a good idea.

2) The downgrade to HTTP/1.1 for proxy setup looks really odd, and
should be over TLS too.

3) Leaving manual configuration aside, there is certain merit to the
idea that the network is able to force a proxy. OTOH, the arising security
issues aren't trivial (understatement).

4) One idea would be h2p / h2pxy / h2proxy protocol, which would be
HTTP/2 with some extensions for proxy operation, like additional
response codes, proxy being able to respond for itself, browser being
able to send request to proxy, proxy relaying certificate info, etc...

5) Regarding use cases, a protocol conforming to the principle of
least privilege and accommodating all or even most of those (goes
up to "Tom's Rural broadband" right now) would likely be a hideously
complicated mess of crypto.

6) Because of the last, one is pretty much limited to no trust (CONNECT)
or full trust (GET/POST/PUT).


-Ilari