Re: [Netconf] SSE and HTTP/2 in restcon-notif

Kent Watsen <kwatsen@juniper.net> Mon, 01 October 2018 18:01 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Andy Bierman <andy@yumaworks.com>, Qin Wu <bill.wu@huawei.com>
CC: Netconf <netconf@ietf.org>, "rrahman=40cisco.com@dmarc.ietf.org" <rrahman=40cisco.com@dmarc.ietf.org>
Date: Mon, 01 Oct 2018 18:00:59 +0000
Message-ID: <6E59E89D-B00C-4E8A-A3EA-970553C2F40E@juniper.net>
References: <B51DAF9C-4294-44BF-9138-7145E61F42AB@juniper.net> <20180927.224854.1626742691261140238.mbj@tail-f.com> <CABCOCHSrEiibcUp99ho60FJr37RDLho+H14oc4htELjSHZqKvg@mail.gmail.com> <B8F9A780D330094D99AF023C5877DABA9B055E63@nkgeml513-mbx.china.huawei.com> <CABCOCHRyuU712k+QHD0Ke5VF5bj7wSyHAcWxGyDsgT6NKA1ing@mail.gmail.com>
In-Reply-To: <CABCOCHRyuU712k+QHD0Ke5VF5bj7wSyHAcWxGyDsgT6NKA1ing@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/NchQeCUIh3s2kuNs_ABGrDfc510>


> It should also be clear in this draft that the "uri" leaf contents
> are implementation-specific and MAY be predictable by a client 
> application. Query parameters MAY be defined for use with the GET
> operation on this URI.

I recommend against this.  

Going back to my "how does the server ensure only said client 
accesses the resource?", I've been thinking that the simplest
thing would be for the server to generate a cryptographically
random URI.  This would defend against both brute-force and
side-channel attacks.  As the URI is always communicated over
TLS (both when sent to the client, and in all the client's
subsequent HTTP requests), the URI is never exposed.  SecDir
should be fine with this.  Thoughts?

FWIW, I'm distinguishing between the URI that should be 
receiver-specific, and the subscription/id that may be shared 
by multiple receivers.


Kent // contributor
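
Added example, not code from Kent's message or from the restconf-notif draft: a minimal server-side registry in Python showing the design the message proposes. One subscription id is shared by every receiver of a subscription, a separate unguessable URI is minted per receiver from the OS CSPRNG, and lookups hash the presented URI before matching so that a failed lookup reveals nothing about which bytes of a guess were right. The base URL `https://example.com/restconf/streams`, the class and method names, and the 32-byte (256-bit) token length are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Receiver:
    """One receiver of a subscription: the id is shared, the URI is not."""
    receiver_id: str
    subscription_id: int   # shared by all receivers of the same subscription
    uri: str               # receiver-specific, never reused, unguessable


class SubscriptionRegistry:
    """Mints and resolves per-receiver stream URIs (hypothetical class)."""

    def __init__(self, base: str = "https://example.com/restconf/streams",
                 token_bytes: int = 32) -> None:
        self.base = base
        self.token_bytes = token_bytes
        # Keyed by SHA-256 of the issued URI rather than the URI itself:
        # a lookup with a wrong URI compares digests, so the equality test
        # leaks nothing about how many bytes of the guess matched, and the
        # lookup stays O(1) instead of a linear scan with compare_digest().
        self._by_digest: Dict[bytes, Receiver] = {}

    @staticmethod
    def _digest(uri: str) -> bytes:
        return hashlib.sha256(uri.encode("utf-8")).digest()

    def entropy_bits(self) -> int:
        """Bits of randomness in each minted token (256 with the default)."""
        return self.token_bytes * 8

    def mint_uri(self, subscription_id: int, receiver_id: str) -> str:
        """Create a fresh receiver-specific URI for an existing subscription.

        secrets.token_urlsafe() draws from the OS CSPRNG, so the path
        segment is not predictable from earlier URIs, timestamps or the
        subscription id; two receivers of one subscription get distinct
        URIs that cannot be derived from each other.
        """
        token = secrets.token_urlsafe(self.token_bytes)
        uri = f"{self.base}/{token}"
        self._by_digest[self._digest(uri)] = Receiver(receiver_id,
                                                      subscription_id, uri)
        return uri

    def resolve(self, requested_uri: str) -> Optional[Receiver]:
        """Map a URI presented in a GET to its receiver, or None if unknown."""
        return self._by_digest.get(self._digest(requested_uri))

    def revoke(self, uri: str) -> bool:
        """Drop a URI once the receiver's subscription ends; True if it existed."""
        return self._by_digest.pop(self._digest(uri), None) is not None


if __name__ == "__main__":
    reg = SubscriptionRegistry()
    # Constructed scenario: two receivers attached to subscription 7.
    uri_a = reg.mint_uri(7, "receiver-a")
    uri_b = reg.mint_uri(7, "receiver-b")
    print("receiver-a URI:", uri_a)
    print("receiver-b URI:", uri_b)
    print("same subscription, different URIs:", uri_a != uri_b)
    print("guess resolves to:", reg.resolve(f"{reg.base}/not-a-real-token"))
```

The token is carried only inside TLS, as the message notes, so the remaining risk is a receiver that leaks its own URI; the registry therefore binds each URI to one receiver and lets the server revoke it independently of the shared subscription id, which other receivers keep using.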