IETF Logo Mail Archive

Re: new draft trusted-proxy20-00

Salvatore Loreto <salvatore.loreto@ericsson.com> Tue, 11 February 2014 12:51 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF2DE1A00EE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 11 Feb 2014 04:51:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.45
X-Spam-Level:
X-Spam-Status: No, score=-7.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V8H4NDtDh-1K for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 11 Feb 2014 04:51:52 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id B05E41A0008 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 11 Feb 2014 04:51:52 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1WDCnc-0007ZR-B5 for ietf-http-wg-dist@listhub.w3.org; Tue, 11 Feb 2014 12:50:52 +0000
Resent-Date: Tue, 11 Feb 2014 12:50:52 +0000
Resent-Message-Id: <E1WDCnc-0007ZR-B5@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <salvatore.loreto@ericsson.com>) id 1WDCnT-0007XW-8l for ietf-http-wg@listhub.w3.org; Tue, 11 Feb 2014 12:50:43 +0000
Received: from sessmg20.ericsson.net ([193.180.251.50] helo=sessmg20.mgmt.ericsson.se) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <salvatore.loreto@ericsson.com>) id 1WDCnM-0001Ho-OH for ietf-http-wg@w3.org; Tue, 11 Feb 2014 12:50:43 +0000
X-AuditID: c1b4fb32-b7f4c8e0000012f5-90-52fa1c86a97b
Received: from ESESSHC023.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg20.mgmt.ericsson.se (Symantec Mail Security) with SMTP id 68.F2.04853.68C1AF25; Tue, 11 Feb 2014 13:50:14 +0100 (CET)
Received: from ESESSMB109.ericsson.se ([169.254.9.236]) by ESESSHC023.ericsson.se ([153.88.183.87]) with mapi id 14.02.0387.000; Tue, 11 Feb 2014 13:50:13 +0100
From: Salvatore Loreto <salvatore.loreto@ericsson.com>
To: Adrien de Croy <adrien@qbik.com>
CC: Peter Lepeska <bizzbyster@gmail.com>, Yoav Nir <synp71@live.com>, HTTP Working Group <ietf-http-wg@w3.org>, Robert Skog <robert.skog@ericsson.com>, Hans Spaak <hans.spaak@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>
Thread-Topic: new draft trusted-proxy20-00
Thread-Index: AQHPDfpPS9MaNnQqpU+9bZcfoFcMKZqCskYAgANg5YCAADNMgIAp3G+A
Date: Tue, 11 Feb 2014 12:50:13 +0000
Message-ID: <7E90D9F1-CBD4-4006-B503-94E37104E2A8@ericsson.com>
References: <eme32fa5b9-bfa9-45e5-a17f-65c266de05af@bodybag>
In-Reply-To: <eme32fa5b9-bfa9-45e5-a17f-65c266de05af@bodybag>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.149]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <ED0CF61282290D4188010225EA9CA582@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupikeLIzCtJLcpLzFFi42KZGfG3RrdN5leQwa+bahYN68+zW0xYfJ/J 4nDLLCaLVytvsjqweOycdZfdo+NWA6tH48vDjB5H5+1nDWCJ4rJJSc3JLEst0rdL4Mq48fwi U8Frk4rNDd+YGhj/anYxcnJICJhIzN9zgAXCFpO4cG89WxcjF4eQwAlGieXvtjBBOEsYJSa+ /MwMUsUmYCbx/OEWMFtEQEXi3o+PbCA2s8AHRoneHTogtrCApkTT926gZg6gGi2Jm1etIMrd JA4d2gi2jEVAVaJlaQ9YK6+AvcT81W+ZQGwhARuJ1937wGxOAVuJTSvvgtmMQMd9P7WGCWKV uMStJ/OZII4WkFiy5zwzhC0q8fLxP1YIW0li7eHtLBD1OhILdn+COtNaYumHT4wQtrbEsoWv mSFuEJQ4OfMJywRG8VlIVsxC0j4LSfssJO2zkLQvYGRdxShZnFpcnJtuZKCXm55bopdalJlc XJyfp1ecuokRGJ8Ht/w22sF4co/9IUZpDhYlcd7rrDVBQgLpiSWp2ampBalF8UWlOanFhxiZ ODilGhg53Dfq9lh9y2+pf9mzMTiFTffz/u2vHOy6Sk7Wl8fnbk95eXTNNc+muG2cWlbLX299 +PzFJWeb2evS9IX+x58Iu+Zdfsmk4YxTA3NVTULhseOLbujx8Un/qri2zkDpDkvftn6HRP0q x/mnLflSuXluebWESB/dNXepyi6fhw/3qck2H4l+f1yJpTgj0VCLuag4EQDL3MponQIAAA==
Received-SPF: pass client-ip=193.180.251.50; envelope-from=salvatore.loreto@ericsson.com; helo=sessmg20.mgmt.ericsson.se
X-W3C-Hub-Spam-Status: No, score=-3.1
X-W3C-Hub-Spam-Report: AWL=-3.117, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1WDCnM-0001Ho-OH 18f4b0146cec8611284b9880aedaa528
X-Original-To: ietf-http-wg@w3.org
Subject: Re: new draft trusted-proxy20-00
Archived-At: <http://www.w3.org/mid/7E90D9F1-CBD4-4006-B503-94E37104E2A8@ericsson.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/22178
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Jan 15, 2014, at 11:34 PM, Adrien de Croy <adrien@qbik.com> wrote:

> 
> What I would expect in this mechanism, is that you wouldn't get the Client Hello blocked unless the proxy was asserting that it must be used.

exactly what we are trying to achieve in the modified proposal we are working on for the new version of the draft

/Salvatore

> 
> Otherwise you'd need 2 different types of response - 1 "you must use me", or 2 "you can try again and I won't block it next time honest"
> 
> In case 1, the user gets to choose between
> 
> 1. I will trust the proxy; or
> 2. I will not use the internet
> 
> which is a perfectly reasonable choice IMO.  Just like the EULA page on many a software installer.
> 
> Cheers
> 
> Adrien
> 
> ------ Original Message ------
> From: "Peter Lepeska" <bizzbyster@gmail.com>
> To: "Yoav Nir" <synp71@live.com>
> Cc: "Salvatore Loreto" <salvatore.loreto@ericsson.com>; "HTTP Working Group" <ietf-http-wg@w3.org>; "Robert Skog" <robert.skog@ericsson.com>; "Hans Spaak" <hans.spaak@ericsson.com>; "John Mattsson" <john.mattsson@ericsson.com>
> Sent: 16/01/2014 07:31:03
> Subject: Re: new draft trusted-proxy20-00
> 
>> More questions:
>> 
>> "The proxy intercept and does not forward the ClientHello message,
>>   instead it returns a signed error message ("Here be proxies")
>>   containing a certificate identifying the proxy. "
>> 
>> What happens if the client decides that it does not trust the proxy?
>> Does it send a new ClientHello that the proxy forwards? How does the
>> proxy distinguish between the first ClientHello that it does not
>> forward and the second ClientHello that it does forward?
>> 
>> Or, on the other hand, is trusting the proxy required to use the
>> network in the use case for this new mechanism?
>> 
>> Thanks,
>> 
>> Peter
>> 
>> 
>> 
>> But taking a step back, it seems like you are proposing a way for a
>> proxy to advertise its presence for HTTPS connections. D
>> 
>> On Mon, Jan 13, 2014 at 9:55 AM, Yoav Nir <synp71@live.com> wrote:
>>> Hi, Salvatore
>>> 
>>> Thanks for writing this. A few comments:
>>> 
>>> Section 3.1 has the HTTP proxy indicate its presence by intercepting the
>>> ClientHello and returning an error. There are some issue here:
>>> 
>>>  * An explicit proxy does not have to be on the data path, and in fact
>>>    it usually isn't. While MitM proxies have to intercept, clients open
>>>    connections to explicit proxies, so they're likely to reside in a
>>>    data-center (sometimes even in the cloud). Blocking HTTP(S) falls to
>>>    a network firewall. In other words, a MitM proxy usually needs to be
>>>    co-located with the firewall, but not so for an explicit proxy.
>>>  * I don't get how the firewall is supposed to redirect the client to
>>>    the proxy. The third paragraph says "The error could for e.g. be
>>>    sent using the TLS Alert protocol, but this requires registration of
>>>    a new error type." I didn't understand whether this is what you are
>>>    recommending (at least for this solution) or whether there are other
>>>    options. It should be noted that in order for the firewall to be
>>>    able to send TLS alerts, it has to MitM at least TCP, as the browser
>>>    thinks it is opening a connection with the server. If we were
>>>    specifying the Internet from scratch, we could define an ICMP
>>>    message that can be sent to the browser in response to the TCP-SYN
>>>    packet. I'm not sure how well that would work, and whether the
>>>    operating systems that we're using even have APIs to tell the
>>>    application what the content of the ICMP was, so I guess we're stuck
>>>    with firewalls impersonating servers at the TCP layer.
>>> 
>>> Section 4.1 describes tunneling by using the HTTP CONNECT method, but then
>>> the connection between the UA and the proxy is described at an HTTPS2
>>> connection, and the proxy seems to have access to the request frames.
>>> Specifically, a decryption key is passed in an HTTP2 frame. To add to the
>>> confusion, the title of this section is "Tunneling". The CONNECT method does
>>> go with the term "Tunneling", but then the TLS session is between the UA and
>>> the server, while the proxy only sees TLS records and cannot read any of the
>>> HTTP2 frames, which may share a TLS record, or span several TLS records.
>>> With tunneling, the proxy does little more than moving packets back and
>>> forth.
>>> 
>>> The alternative to tunneling, that is sort-of described in section 4.2 is
>>> the use of a GET method. In this case the client really opens an HTTPS(2)
>>> connection to the proxy, and then sends a GET method for resource
>>> "https://server.example.com/resource.html". The server has a totally
>>> separate TLS connection with the server and tunnels the requests back and
>>> forth. If the proxy can reply to a request from its own cache, it may do so.
>>> If it is configured to inspect the content to filter out inappropriate
>>> content, it can do that as well. *This* is a trusted proxy. A proxy with
>>> tunneling does not need to be trusted any more than the Internet does.
>>> 
>>> Lastly, section 4.2 says that the UA "tunnels" all requests towards the same
>>> web server in a single connection. In fact, the UA can tunnel all of its
>>> requests towards all servers in the world through this connection.
>>> Similarly, the proxy could unify the traffic for several UAs into a single
>>> connection with the server. This would work for normal servers, but do we
>>> know that no servers make any assumptions about requests based on TCP
>>> connection? I know they shouldn't - that's what HTTP cookies are for - but
>>> it's possible that some do.
>>> 
>>> Yoav
>>> 
>>> 
>>> 
>>> On 10/1/14 1:51 PM, Salvatore Loreto wrote:
>>>> 
>>>> Hi there,
>>>> 
>>>> we have submitted a new draft with the aim to continue the discussion on
>>>> explicit and trusted proxy as intermediary of HTTP2S traffic:
>>>> 
>>>> http://www.ietf.org/internet-drafts/draft-loreto-httpbis-trusted-proxy20-00.txt
>>>> 
>>>> 
>>>> The document proposes a method for an user agent to automatically
>>>> discover (using the TLS Alert) and configure a proxy via a secure HTTP2.0
>>>> session.
>>>> 
>>>> Moreover the document also draft two alternative mechanisms that allow
>>>> the presence of HTTP2.0 secure proxies for TLS protected traffic when an
>>>> user-agent
>>>> is requesting an http resource.
>>>> 
>>>> br
>>>> Salvatore
>>> 
>>> 
>>> 
>> 
>

v2.23.0 | Report a Bug | By Email