IETF Logo Mail Archive

RE: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC

<mohamed.boucadair@orange.com> Fri, 24 February 2017 08:55 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 211BE129616; Fri, 24 Feb 2017 00:55:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pjmQFCMH3kzd; Fri, 24 Feb 2017 00:55:56 -0800 (PST)
Received: from relais-inet.orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1816129545; Fri, 24 Feb 2017 00:55:55 -0800 (PST)
Received: from opfedar07.francetelecom.fr (unknown [xx.xx.xx.9]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 32DE51C0335; Fri, 24 Feb 2017 09:55:54 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.58]) by opfedar07.francetelecom.fr (ESMTP service) with ESMTP id 1876CC0062; Fri, 24 Feb 2017 09:55:54 +0100 (CET)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM33.corporate.adroot.infra.ftgroup ([fe80::3881:fc15:b4b2:9017%19]) with mapi id 14.03.0319.002; Fri, 24 Feb 2017 09:55:53 +0100
From: mohamed.boucadair@orange.com
To: Ted Hardie <ted.ietf@gmail.com>
Subject: RE: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC
Thread-Topic: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC
Thread-Index: AQHSji4yv8+hFRXjgUOxh4v9Z5bKrKF30bNw
Date: Fri, 24 Feb 2017 08:55:53 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933009E183CF@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <148527996733.12573.15522530300481191993.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B933009DEB0B5@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CA+9kkMC8d9dRGA0mYm-ALbZOnnq6LTLE=56imUFqK9JZ0wC=pw@mail.gmail.com> <787AE7BB302AE849A7480A190F8B933009E16627@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <CA+9kkMBw-QbaDzDanWs6sH-z7rEteofCvp8-d-qSf9J31zJykA@mail.gmail.com>
In-Reply-To: <CA+9kkMBw-QbaDzDanWs6sH-z7rEteofCvp8-d-qSf9J31zJykA@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.5]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933009E183CFOPEXCLILMA3corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/0BXcqZRnbVPdJpcAV192PoYhDGE>
Cc: "draft-hardie-privsec-metadata-insertion@ietf.org" <draft-hardie-privsec-metadata-insertion@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 08:55:58 -0000

Hi Ted,

Please see inline.

Cheers,
Med

De : Ted Hardie [mailto:ted.ietf@gmail.com]
Envoyé : vendredi 24 février 2017 00:40
À : BOUCADAIR Mohamed IMT/OLN
Cc : ietf@ietf.org; draft-hardie-privsec-metadata-insertion@ietf.org
Objet : Re: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC

HI Mohamad,

Thanks for rechecking; some further comments in-line.

On Wed, Feb 22, 2017 at 11:21 PM, <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> wrote:
Hi Ted,

Thank you for the reply and for implementing these changes.

I checked the diff, but I’m afraid the -06 version has the same issues as the ones I reported in January 31.


I did respond to the particular comments and text proposals, so I assume this is the more general issue.  If I understand correctly, you would prefer this document to be structured as a revision to the threat model document or connected to a larger consideration of the issues.  I understand that, and it was considered, but I believe that this format is still the most effective for the narrow issue it addresses.
[Med] That was one of my concerns; not the only one. In Particular, I’m trying to understand how this document will be used in the future to better strengthen forthcoming specifications. Further, the experience I had when advancing some RFCs is that RFC7258 wording can be further enhanced to provide clear guidance. Also, considerations such as the following are missing from the document:
* that data may not be always available to the endhost
* a misbehaving node may be tempted to spoof the data to be injected. A remote device that will use that data to enforce policies will be broken.
* it was reported in the past that some browsers leak the MSISDN and other sensitive data.
From that flow some of your other concerns about audience, at least as I understand.  As written, this is narrow advice for a broad audience: basically, anyone who would consider the form of metadata insertion it describes.  You would, if I understand you, prefer a narrower description of the audience in a larger context.

[Med] The key point here is about the practicality of implementing the advice NOT changing the scope. For example, the document says that it is better that a host is injecting the data but the document does not question whether that supplied data can be trusted or not, or how the consent will be obtained from a user. For example, the document states that the information in a Forward-For header can be supplied by the host itself and then communicated to a remote consumer. This is indeed possible, but because of abusing hosts some servers implement whitelists to trust proxies; see https://meta.wikimedia.org/w/extensions/TrustedXFF/trusted-hosts.txt.

I’m reiterating that most of my comments are still unaddressed in -06.


I realize that the document did not change to address the audience or document integration you preferred; I think there we simply disagree on how to make this advice effective.  I'm sorry that first message apparently did not describe the disagreement effectively.
If I have misunderstood your comments, please accept my apologies. I would be happy of further clarification and suggested text to illustrate your preferences would be especially welcome.
[Med] Sure. Before that, can you please consider rechecking the detailed list of comments available at: https://www.ietf.org/mail-archive/web/ietf/current/msg101629.html. Thank you.

thanks,
Ted Hardie


Cheers,
Med

De : Ted Hardie [mailto:ted.ietf@gmail.co<mailto:ted.ietf@gmail.co>m]
Envoyé : mercredi 22 février 2017 23:09
À : BOUCADAIR Mohamed IMT/OLN
Cc : ietf@ietf.org<mailto:ietf@ietf.org>; draft-hardie-privsec-metadata-insertion@ietf.org<mailto:draft-hardie-privsec-metadata-insertion@ietf.org>
Objet : Re: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC

Hi Mohamed,
Thanks for your review.  I've uploaded a draft -06 with updates from your and other reviews.  Some notes in-line.

On Tue, Jan 31, 2017 at 1:49 AM, <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> wrote:
Dear Ted,

Please find below my general review of the document and also my detailed comments.

* Overall:
- I don't think the document is ready to be published as it is. It does not discuss the usability and implications of the advice. Further, it may be interpreted that a client/end system/user can always by itself populate data that is supplied by on-path nodes (in current deployments). That's assumption is not true for some protocols.
- The purpose of publishing this advice is not clear. For example, how this advice will be implemented in practice? What is its scope?
- I would personally prefer an updated version of RFC7258 with more strict language on the privacy-related considerations. This is more actionable with concrete effects in documents that will required to include a discussion on privacy related matters.

Detailed comments are provided below:

* The abstract says the following:

   The IAB has published [RFC7624] in response to several revelations of
   pervasive attack on Internet communications.  This document considers
   the implications of protocol designs which associate metadata with
   encrypted flows.  In particular, it asserts that designs which do so
   by explicit actions of the end system are preferable to designs in
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   which middleboxes insert them.

I suggest you explicit what is meant by "the end system".

I have updated this to clarify that this is the host/end system not the user.

If you mean the owner/user, then the text should say so. If you mean a client software instance, then bugs/inappropriate default values may lead to (privacy leak) surprises too. It was reported in the past that some browsers inject the MSISDN too.

* Introduction: "To ensure that the Internet can be trusted by users"

Rather « To minimize the risk of Internet-originated attacks targeted at users ».

I've adopted this language.

It's reasonable to claim the Internet can be trusted by users; see how the usage of social networks has become severely twisted for example

I've also considered your point that an updated version of RFC7258 might be a better outlet for advice like this. We did consider several approaches, including incorporating the text in an update to  RFC 3552 or as part of a document describing the full set of companion mitigations to the threats in RFC 7624 (draft-iab-privsec-confidentiality-mitigations would be one approach).  Those are all valid approaches, but it seemed that short, easily read documents tackling a single point might be easier to produce and consume.
Thanks again for your review,
Ted Hardie

v2.23.0 | Report a Bug | By Email