IETF Logo Mail Archive

Re: WGLC: draft-ietf-appsawg-http-forwarded-02.txt - section 5.2

Andreas Petersson <andreas@sbin.se> Fri, 04 May 2012 11:29 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C9AA21F8737 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 4 May 2012 04:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.166
X-Spam-Level:
X-Spam-Status: No, score=-9.166 tagged_above=-999 required=5 tests=[AWL=1.433, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jVFJTKLt5PkU for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 4 May 2012 04:29:26 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id BE9ED21F8731 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 4 May 2012 04:29:26 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1SQGfE-0000IY-1d for ietf-http-wg-dist@listhub.w3.org; Fri, 04 May 2012 11:27:08 +0000
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <andreas@sbin.se>) id 1SQGf3-0000Ge-RM for ietf-http-wg@listhub.w3.org; Fri, 04 May 2012 11:26:57 +0000
Received: from smtp.opera.com ([213.236.208.81]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <andreas@sbin.se>) id 1SQGev-0002jP-Bu for ietf-http-wg@w3.org; Fri, 04 May 2012 11:26:55 +0000
Received: from hetzer (oslo.jvpn.opera.com [213.236.208.46]) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q44BQLwY020624 for <ietf-http-wg@w3.org>; Fri, 4 May 2012 11:26:22 GMT
Date: Fri, 04 May 2012 13:26:20 +0200
From: Andreas Petersson <andreas@sbin.se>
To: ietf-http-wg@w3.org
Message-ID: <20120504132620.319d86ea@hetzer>
In-Reply-To: <96f8809d04c6ec5eb18118e983216f25@treenet.co.nz>
References: <4FA02AEA.1080407@isode.com> <0A15D230-F8D2-498F-894B-86A3C987C456@mnot.net> <96f8809d04c6ec5eb18118e983216f25@treenet.co.nz>
X-Mailer: Claws Mail 3.7.9 (GTK+ 2.24.6; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Received-SPF: none client-ip=213.236.208.81; envelope-from=andreas@sbin.se; helo=smtp.opera.com
X-W3C-Hub-Spam-Status: No, score=-4.2
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3
X-W3C-Scan-Sig: maggie.w3.org 1SQGev-0002jP-Bu 4dda8f57e8abd4f34475e510a919c35c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: WGLC: draft-ietf-appsawg-http-forwarded-02.txt - section 5.2
Archived-At: <http://www.w3.org/mid/20120504132620.319d86ea@hetzer>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/13517
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1SQGfE-0000IY-1d@frink.w3.org>
Resent-Date: Fri, 04 May 2012 11:27:08 +0000

On Wed, 02 May 2012 14:34:22 +1200
Amos Jeffries <squid3@treenet.co.nz> wrote:
> ** section 5.2
> 
> Now that it is mentioning the X-Forwarded-* class of headers and 
> describing security usage for Forwarded: the document needs a safe 
> mapping from X-Forwarded-For to Forwarded:. I have spent quite a while 
> attempting to iterate the cases and find a safe mapping method for Squid 
> to use mapping the fields of XFF to records in Forwarded:, but there is 
> always one case or other which fails badly.

Section 5.2 doesn't mention X-Forwarded-*.

I think it is a futile effort. In some situation it may be 
possible to find a good way. If you find a solution that works
for you, in your shop, it is of course fine to use it. 
But in general I believe it to be super hard to do it in a good
way -> "implementation specific".


> 
> IMO the mapping should be:
> "
> A recipient of X-Forwarded-For header MUST either, drop all 
> X-Forwarded-For: and Forwarded: headers in the request, or drop the 
> X-Forwarded-For header and place a single obfuscated identifier 
> field-value in the Forwarded: header prior to any other information 
> additions of its own. This must be done before interpreting either 
> header.

Dropping seems strange. I would assume it will be common to add
both headers to be backwards compatible.

> "
> 
> For example:
>   client 1.2.3.4:8765 sending
>     Forwarded: for=[::1]
>     X-Forwarded-For: ...
> 
> becomes:
>    Forwarded: for=[::1], _abc, for="1.2.3.4:8765"

That is not valid syntax.

> 
> 
> This retains the security properties of the XFF header environment 
> because:

I don't think you should use neither XFF nor Forwarded for security,
unless you trust the proxy that adds the header field and knows what
header field that proxy updates. That proxy should probably also drop
previous header fields, but that may also depend on how the values are
used etc.

>   1) Dropping is safe because both these are OPTIONAL headers.

Well, while it is strictly true it is probably undesired to lose that
information.

>   2) Using an obfuscated identifier and retaining the Forwarded: header 
> preserves what information is likely safe but places a blocking step at 
> the position of the un-trustable hop.
> 
> The other X-Forwarded-* headers need a similar security protection 
> fixup in the sections they map into.

To specify in the specification for "Forwarded" how to make a transition
from a header field that is not standardized at all seems both
irrelevant and makes the Forwarded-spec more complex than needed.

If something should be said at all it could be done in a separate
document with informal status.


Best regards,
 Andreas

v2.23.0 | Report a Bug | By Email