Re: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC

Ted Hardie <> Mon, 06 March 2017 17:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D0DC0129634; Mon, 6 Mar 2017 09:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e5tGcs3whLKK; Mon, 6 Mar 2017 09:15:00 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c0f::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 75D44129626; Mon, 6 Mar 2017 09:15:00 -0800 (PST)
Received: by with SMTP id 19so46721300oti.0; Mon, 06 Mar 2017 09:15:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=n56/94pezOe7CfyX0rG4OuSx+0TOxuza6MdZhMPm4Mw=; b=XoahB4jC25vKgJG67PJJePx9Av6yQXKfDGNsAUiJ/VNm5oS1joEwBMX9X+rye82orV fqSkjo7/avjGF/LqLiaY1+7FZhxZ/CuwsriZ8HFlol4EoW2mPuYqdSROppwdxfZY0RzB PjjseHYHvFwX41GPt+QhFOaRgt466dX/HS3JiMTw6OxHeohZc3XkQiLPJDwSXlDjNboo SWUxYZZDaXleDLCeb0XHix56BPl71+TrZoaKU3AVoksSbppV02mvqAW/GyiyJs4f9j5d kDMPU9TJmSTYgxr8H7CfKFFx18q1fuprZFow6aPVDcehuWoTrU0RYZv5DiILVmS6Cw+K DXgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=n56/94pezOe7CfyX0rG4OuSx+0TOxuza6MdZhMPm4Mw=; b=Tzr6+s4qsPnTQ9CKC+V2EZ5D5Bh0HK9wSD/+E6z8UzIwL/NmtRLLKYvePx9l8aPJ57 xNcYvW1mAZYsZGS34xDnD8kJpXX3/HgReOT2mvxow+TtWJLaOM6QFi6Pg/dkEKiNzHAX AUO/POvv7ZGG2wDOAeCdFzYfcFDoziF4GtN5Fw7/Kl7D68F6ZNBNJFeMvemVmsB1OSDT NSiTZ0023VOw2tEHSKtjgzQG31c/bQgstXfQQFz349ugl6ZYMDuj9iQAp2uT/85VnNx1 /0rKqbeFqXq/PrTvxbX3bFwRqpbMABUknpoW4DYEIqncE+YC3Khs5FjH3ycbhnvpxAwP CqxQ==
X-Gm-Message-State: AMke39k94tfeQzuZcEDu6MvYmIP9OHq4+y8LC/9OGwidAfpc7G+0nDCRxCd1LRjaaHQl/pSK5DdwZ0t2ksLS7g==
X-Received: by with SMTP id f58mr9350332otc.18.1488820499492; Mon, 06 Mar 2017 09:14:59 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 6 Mar 2017 09:14:29 -0800 (PST)
In-Reply-To: <68cef6ce-f517-4b36-ae91-cc82c6fa4465@OPEXCLILM42.corporate.adroot.infra.ftgroup>
References: <> <787AE7BB302AE849A7480A190F8B933009DEB0B5@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <> <787AE7BB302AE849A7480A190F8B933009E16627@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <> <787AE7BB302AE849A7480A190F8B933009E183CF@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <> <787AE7BB302AE849A7480A190F8B933009E1B2E6@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <> <787AE7BB302AE849A7480A190F8B933009E1BDA0@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <> <68cef6ce-f517-4b36-ae91-cc82c6fa4465@OPEXCLILM42.corporate.adroot.infra.ftgroup>
From: Ted Hardie <>
Date: Mon, 06 Mar 2017 09:14:29 -0800
Message-ID: <>
Subject: Re: Last Call: <draft-hardie-privsec-metadata-insertion-05.txt> (Design considerations for Metadata Insertion) to Informational RFC
To: "" <>
Content-Type: multipart/alternative; boundary="001a113e2d2801b740054a1309d7"
Archived-At: <>
Cc: "" <>, "" <>
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 Mar 2017 17:15:03 -0000

Hi Mohamed,

Replies in-line.

On Mon, Mar 6, 2017 at 1:48 AM, <> wrote:

> ·         A Forward-For header inserted by a proxy does not restore any
> data; it does only reveal data that is already present in the packet issued
> by the client itself.
> That's what restore means here.
> [Med] Then, this needs to be defined in the document. I naively assumed
> that “restored” is used to mean any piece of information that the client
> does not want to insert in a packet, but an on-path device decides to
> inject it despite there is no consent from the client.
What you are describing is more about “maintaining” or “preserving”
> information not restoring it.
The common uses of restore in English all focus on putting something back
that has been lost, so I believe restore is better than "maintain" or
"preserve", which imply something is being carried forward as-is, rather
than being put back after loss.

>   If the information is present as metadata in the packet sent to the
> proxy but would be absent as metadata under normal operation of the proxy,
> adding it back in somewhere else restores the metadata.
> [Med] “normal operation of proxy” is not a standard. A “normal operation
> of proxy” would be to maintain the information sent by the client when
> relaying it to the server. I’m sure you know for instance that SIP B2BUAs
> can do whatever they want!

You're right that the normal operation of a proxy is not a standard, and I
should have said "the normal operation of the protocols used by a proxy".
If the action of the proxy is to start a new TCP connection to an origin
server, for example, the normal operation of TCP is to use the initiator's
IP address.  The loses the IP address of the querying host is implied by
that normal operation(in other words, it elides metadata about any client
that caused this new TCP connection to be createD).

> So origin IP address starts out in the IP header of the original packet
> but gets pushed from that slot when the proxy constructs the onward IP
> packet to the server.  For it to reach the server, it has to be placed
> somewhere else in the onward packet, restoring the lost metadata.
> [Med] The client agreed to send packets with its source IP address (which
> mean consent). Why the proxy would need to an extra channel to get consent
> for relaying the source IP address to a server?

Because the client agreed to send packets to the proxy by putting it in the
destination, and did not agree to general disclosure; you can't infer
onward consent.

> Had it been present in the packet as header value in the HTTP exchange, it
> would not have been stripped by normal operation.  There proxy operation
> forwarding it on would be simply preserving it.
> [Med] This is another question: whether the same or distinct channel can
> be used to communicate the SAME data that was present in the initial packet
> issued by a host.

That depends on the nature of the channel.  Obviously, if you set the
origin clients IP address as the source address, you're going to get a
different result from that spoofing than putting it in a client subnet EDNS
option or forwarded-for header.

·         An address sharing device, under for example DS-Lite (RFC6333),
> that inserts the source IPv6 prefix in the TCP HOST_ID option (RFC7974) is
> not RESTORING any data. The content of that TCP option is already visible
> in the packet sent by the host.
> I agree with the IESG analysis of RFC7974.  It does restore information by
> taking information which normal operation would have elided and restores it.
> [Med] The  implication of what you are saying here is that proxies are
> good because they hide the source IP addresses of host!
Aggregating proxies can have a positive privacy impact, yes.  An observer
seeing traffic from an aggregating proxy to
knows only that some user behind that proxy is looking for information on
sensitive-topic.  To know which user, the observer must have either
suborned the proxy or have a way of observing traffic between hosts and the
proxy.  Both are more expensive and at higher risk of discovery than a
simple tap near

> If the data is taken from a portion of the packet that would not normally
> be forwarded to an upstream host and added to a portion that is forwarded
> to an upstream host, then the device adding the data back in should know it
> is a restoration.
> [Med] That definition is not trivial as mentioned above. I would use
> “preserve” or “maintain” rather than “restore”.
> Please see above.  "Restore" is closer, in my opinion, than either
preserve or maintain.

> If the endpoint sends the data, data will be consistently available in
> that header.  The data changes, of course.
> [Med] I’m not sure to follow you here. What is meant by “consistent
> availability” then? Do you mean the same channel/procedure to communicate
> the information? Or “consistent data”?

I mean that if you define a protocol such that a well-formed message from
the client has the data the server needs, it will be consistently
available.  If you rely on intermediate network devices to add the data, it
may not be available if there is not cooperating network device on path
(e.g. if the DNS resolver does not support the relevant EDNS0 option).

> [Med] Resources may not be restricted to CPU or disk but may be granting
> access to the service (e.g., download a file when a quota per source
> address is enforced). It can be whatever the servers consider to be
> critical for them; it is up to the taste of the service design to
> characterize it. The NEW wording proposed above is technically correct.
> Please reconsider adding it to the draft.
> I did consider it, but I continue to believe that it moves the needle too
> far into simple server preference.  I retained the original PSAP language
> in -07 as a result.
> [Med] emergency is only an example ; other services may exist that impose
> the same trust model.

I think there is a qualitative difference between situations in which the
resources at risk are human lives and those where they are host resources.
That's why the carve out was limited in the GEOPRIV case.

> I also added a note about your extensive review.  While you and I clearly
> have some differences of view, the document has gotten better from your
> engagement with it, and I appreciate your efforts.
> [Med] I reviewed the -07. Although it is better compared to -05, I still
> don’t think it is ready to be published as it is. Thank you for your effort.
And thank you for yours,



> regards,
> Ted