Re: Alt-Svc: alternatives assigned by alternatives

Mark Nottingham <mnot@mnot.net> Tue, 19 August 2014 23:47 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAOdDvNpoukYVVJrx9gEvcotZVKwOfH+5304vH3k2guCEehqBFw@mail.gmail.com>
Date: Wed, 20 Aug 2014 09:43:49 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <9B3B559D-E1BC-41E6-83C1-CB6ACC583BD5@mnot.net>
References: <31EDC8DE-12EC-4923-A022-5A04037B044F@mnot.net> <CAOdDvNpoukYVVJrx9gEvcotZVKwOfH+5304vH3k2guCEehqBFw@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
Subject: Re: Alt-Svc: alternatives assigned by alternatives
Archived-At: <http://www.w3.org/mid/9B3B559D-E1BC-41E6-83C1-CB6ACC583BD5@mnot.net>

OK. The one thing that gave me pause was that if I alt-svc to another domain even briefly, I'm giving it "ownership" of that client, potentially in perpetuity.

OTOH, if it's on a different host, they'll also need to have a valid cert for my origin, and that has its own set of checks and balances.

Cheers,

On 19 Aug 2014, at 11:37 pm, Patrick McManus <mcmanus@ducksong.com> wrote:

> 
> On Tue, Aug 19, 2014 at 3:39 AM, Mark Nottingham <mnot@mnot.net> wrote:
> Thinking a bit more about Alt-Svc, I'd like to see more clarity around when and how it's OK to cache (and later use) an alternative service you discover.
> 
> 1) You get an alt-svc (frame or header) from an origin
> 2) You get an alt-svc (frame or header) from an alternative service
> [..]
> If not, I think we need to limit #2 in some fashion. What I'd propose is that when you learn about an alternative from an origin, its freshness lifetime cannot exceed the original provided by the origin. That is, in the scenario above, other.example.net would only be valid for the original 60s period, regardless of what it tried to update; it could redirect traffic to another alternative during that 60s window, but not beyond it.
> 
> I don't think we need this. Both hosts are the same origin (I enjoyed the term original origin), just hosted at different locations - alt-svc is a novel way for directing and choosing the next-protocol to use when talking to one of those. They're just CNAMEs with an alpn token, right? And if they are both trusted then there isn't a logical difference in who can update the ttl. It's even plausible that the set of hosts that make up the origin are all configured exactly the same - i.e. unaware of which is the original origin.
> 
> I think the strongest argument in favor of scoping who can update an alt-svc is that a MITM attacker can attack you once and then capture your traffic in perpetuity without having to perform another attack against the original origin by updating the value.
> 
> But the proposed mitigation doesn't solve that - it just means the original attack needs to insert a ma=1year header to set a max-age so large that the effect is the same.
> 
> So I favor allowing any host authoritative for a transaction to also update the corresponding alt-svc value.
> 
> -P

--
Mark Nottingham   https://www.mnot.net/
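The two caching policies argued over above, replayed as an added example (not code from the thread or from any HTTP implementation): a minimal per-origin Alt-Svc cache that either caps an alternative's updates to the origin's own 60s window (Mark's proposal) or lets any authoritative host update the entry (Patrick's position), then checks both against a first-hop header carrying ma=1year. Hostnames and the clock are constructed; the header grammar is reduced to a single alternative with an optional ma parameter.

```python
import re
# One alternative, e.g. h2="other.example.net:443"; ma=60 (assumed: single value, only the ma parameter)
ALT_SVC_RE = re.compile(r'^\s*([\w-]+)="([^"]+)"(?:\s*;\s*ma=(\d+))?\s*$')

def parse_alt_svc(value, default_ma=86400):
    """Return (alpn, alt-authority, max-age seconds); 24h default when ma is absent."""
    m = ALT_SVC_RE.match(value)
    if not m:
        raise ValueError(f"unsupported Alt-Svc value: {value!r}")
    alpn, host, ma = m.groups()
    return alpn, host, int(ma) if ma is not None else default_ma

class AltSvcCache:
    """Per-origin cache of one alternative. cap_to_origin=True applies Mark's rule: an alternative may re-point traffic but never beyond the origin's window."""
    def __init__(self, cap_to_origin):
        self.cap_to_origin = cap_to_origin
        self.entries = {}  # origin -> {"alpn", "host", "expires", "window"}
    def learn(self, origin, sender, value, now):
        alpn, host, ma = parse_alt_svc(value)
        cur = self.entries.get(origin)
        expires = now + ma
        if sender == origin:
            window = expires  # the origin itself defines the outer window
        else:
            # only the currently cached, still-fresh alternative may update the entry
            if cur is None or sender != cur["host"] or now >= cur["expires"]:
                return None
            window = cur["window"]
            if self.cap_to_origin:
                expires = min(expires, window)
        self.entries[origin] = {"alpn": alpn, "host": host, "expires": expires, "window": window}
        return self.entries[origin]
    def lookup(self, origin, now):
        cur = self.entries.get(origin)
        return cur if cur is not None and now < cur["expires"] else None

def scenario(cap_to_origin):
    """Replay the thread: returns (alternative_survives_past_60s, first_hop_ma_1year_survives)."""
    origin = "www.example.com"  # constructed hostnames throughout
    c = AltSvcCache(cap_to_origin)
    c.learn(origin, origin, 'h2="other.example.net:443"; ma=60', now=0)  # 1) origin grants 60s
    c.learn(origin, "other.example.net:443", 'h2="other.example.net:443"; ma=31536000', now=30)  # 2) alternative tries a year
    survives = c.lookup(origin, now=120) is not None
    # Patrick's objection: a single injected header with ma=1year sidesteps the cap entirely
    c2 = AltSvcCache(cap_to_origin)
    c2.learn(origin, origin, 'h2="injected.example.net:443"; ma=31536000', now=0)
    first_hop = c2.lookup(origin, now=10_000_000) is not None
    return survives, first_hop
```

Under the cap the alternative cannot outlive the 60s window, but both policies keep a first-hop ma=1year entry for a year, which is why the thread falls back on the alternative having to present a valid certificate for the origin as the real limit.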