Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

Brian Campbell <bcampbell@pingidentity.com> Tue, 29 October 2019 21:56 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 322931200F7 for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 14:56:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R7JVon-rMiIv for <oauth@ietfa.amsl.com>; Tue, 29 Oct 2019 14:55:57 -0700 (PDT)
Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B39212001E for <oauth@ietf.org>; Tue, 29 Oct 2019 14:55:56 -0700 (PDT)
Received: by mail-lf1-x144.google.com with SMTP id v8so11687101lfa.12 for <oauth@ietf.org>; Tue, 29 Oct 2019 14:55:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jOAokZg54zwslNVdHm5rkaiQCL0ysMnNeg/iy4IZQOM=; b=YyOIrYtXKsOdiOiSaTPhBg1vTTV+qzAGvsWRwORrJPzHxpsQmh0gE66KNR4dB7YHY6 dehcsHPFSQ1RTZjTJQhjcMS0adcBXmkkq6nSlPHIbzO5KFNSDiSyc2/Nvb9HgxiQL3Zh MhKOLgEKDPP9dT+3qmDquQXmvjLbZggCIjaqU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jOAokZg54zwslNVdHm5rkaiQCL0ysMnNeg/iy4IZQOM=; b=IgDm4FNYiBmgCY4YaswdawyfxD4QLx612Ep0OMy2Ks7EF07pTZiRvBMhleY/LhUCPT bjsBMaZc3eDLHJTuSauGm1GRXkVUM5VRDwcgaO9ifFbAGBGiNkH1gyTtSH2m1Nk/VEKV JOTR/alllNdqJj5jkZgYSKcnSmoqJGW3f5tmtBzhZuBws8UnVqZIW6EiCLDJTOKWhbqq M+pvx7QX/zod2wTy1iI6rJ7BdJV4DgHXPBbbhegsJu+dG0i+hEAN5jle7UcwAGvi8z9H eEnBdg/4cYihXnsHrBEv51yNYH7+uf2fhqL04kDjeUJjkmMxhhUqybX411eIlJruxxMA zXVg==
X-Gm-Message-State: APjAAAWtmZYtzsPrBlR71xZuPVmnlSgyuCVLPmfDjCaecHnJV2uhQoCh 01Z7ystFBrqOsBvREc29D/gN1yosbx514qt5O3EgPbjuc5Hqmp7wTAiSCtSgXhoInns4Qrk5XeL g9WhpV2xp6n9Z5w==
X-Google-Smtp-Source: APXvYqzgTRDfNunDvnY7b22zVdRKs4tWYWcGopSVjuwQ2OyWUIGPtQx7duA3n/oRbgsvKReMTwyXcWW0xptCbe9ZhE0=
X-Received: by 2002:a19:c6d6:: with SMTP id w205mr3533484lff.17.1572386154663; Tue, 29 Oct 2019 14:55:54 -0700 (PDT)
MIME-Version: 1.0
References: <85D42AA1-FF57-4383-BACB-57C5AA32CFAC@lodderstedt.net> <CAEKOcs2gkM3Henz5nS04_EuBQXWWbJU5K02ErP0rnVZXmjxXJQ@mail.gmail.com> <20191021020546.GZ43312@kduck.mit.edu> <CA+k3eCS7pf3wXBkpbXE0AXKUGogo0YcHd8oWfiBfkPB5axGQQw@mail.gmail.com> <8A8B8892-9D16-4210-BC13-47B5D7859976@mit.edu> <20191024170326.GO69013@kduck.mit.edu> <CAGL6epJZtTXKSGFj0BfhF3kd_Z-z2xzOWXOPEKXc5m18Z4L1uA@mail.gmail.com> <CA+k3eCS8VuCfy4XeqYmLuuLK=rLvHsonSZj4i9O11U-mcua9Pg@mail.gmail.com> <CAGL6epKTV5hXqm2-qgUyG-iA90eLu49GjOKeyLcfsn2naTSV5w@mail.gmail.com> <CA+k3eCQ87n4m--nBc+PX7qE727fqA6vM=meEJZxwfnbpJ2dOsw@mail.gmail.com> <CAGL6epJQbVDrAKB+zNAPuaG0+uLxF3HijEE6=vgYaeXxB_2PXQ@mail.gmail.com> <CA+k3eCQbku0V6z2wCM084FW342dY6=_H7mEv6U3sHCDgefkxXA@mail.gmail.com> <E03CD445-39E8-4262-97BE-E0EE11231A63@forgerock.com> <2B2ACEE8-7B48-4E2D-94DA-AF3DA86DE809@mit.edu>
In-Reply-To: <2B2ACEE8-7B48-4E2D-94DA-AF3DA86DE809@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 29 Oct 2019 15:55:27 -0600
Message-ID: <CA+k3eCRmmZJQjk-WGmpYZeyTvQR0SttRUZeh7FDT-=ikzOUwAA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Neil Madden <neil.madden@forgerock.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000032ed28059613aed2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NfEdycwmWmqsdHyTOoZNUIFC8gc>
Subject: Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 21:56:00 -0000

+1 to pretty much everything Justin said there.

With some facilitating assistance from Ben it looks like there's now an
agenda slot for this in the upcoming secdispatch meeting in Singapore. I'll
attempt to articulate the situation and see if there's interest in finding
a home for the perspective work. Folks that'll be in Singapore and
interested in the topic would be encouraged to attend to the secdispatch
meeting during the Afternoon Session III 1710-1840 on Tuesday.


On Tue, Oct 29, 2019 at 1:13 PM Justin Richer <jricher@mit.edu>; wrote:

> I would argue that making this standard would actually increase the
> likelihood of developers getting this right, as now instead of following
> some copy-pasted recipe for NGINX or Apache that they found on the web,
> they could turn on a standard setting that would take care of both
> stripping out incoming headers and injecting the appropriate values. And
> all of that can be covered in the security considerations with a bunch of
> normative text on top to make sure inbound headers are stripped. What
> you’re describing below is clever, but ultimately it’s just a small bit of
> obscurity more than anything real.
>
> The way things are today, you’ve got to not only pick a header and figure
> out its format, but also do the injection protection step yourself. Since
> all of these are disconnected, there are a lot more places that it could
> fall over. Even a typo where you throw out incoming “CLIENT_CERT” but
> inject “CLIENT_CERTS” or something like that would be disastrous.
>
> All in all, I am in favor of this being defined in one standard way, in
> addition to secure communication between proxies and backends being
> standardized — but this latter bit really seems like a separate problem.
>
>  — Justin
>
> On Oct 28, 2019, at 12:32 PM, Neil Madden <neil.madden@forgerock.com>;
> wrote:
>
> While there are some benefits to standardizing headers for this kind of
> communication, there are some significant downsides - particularly when
> using headers to communicate critical security information like certs. It
> is *very* easy to misconfigure a reverse proxy to not strip Forwarded (or
> whatever) headers from incoming requests, allowing a client to simply
> supply a certificate as a header without authenticating the TLS connection
> with the corresponding private key. One good practice to prevent this is to
> pick a random and unguessable header name (configurable per installation)
> to be used for communicating the certificate, rather than using something
> fixed and standard. That way even if you misconfigure the proxy an attacker
> still has to try and guess the correct header name.
>
> I suppose the same thing could be accomplished by having an extension for
> including a shared secret (or HMAC tag) in the header to authenticate it.
>
> -- Neil
>
> On 28 Oct 2019, at 15:32, Brian Campbell <
> bcampbell=40pingidentity.com@dmarc.ietf.org>; wrote:
>
> I don't think there's anything beyond defining something to carry the
> client certificate information (including the format and encoding). And it
> could well be a new RFC7239 parameter. Or it might just be a new HTTP
> header on its own.
>
> On Mon, Oct 28, 2019 at 9:05 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>;
> wrote:
>
>> Thanks Brian,
>>
>> I guess my question is: given RFC7239 and the fact that it is
>> straightforward to secure the channel between the terminating reverse proxy
>> and the backend service in a cluster, is there anything, from a standard
>> perspective, that we need to do beyond defining a new parameter to carry
>> the client certificate information?
>> You seem suggest that the answer is yes. If so, can you please elaborate
>> on why is that?
>>
>> Regards,
>>  Rifaat
>>
>>
>>
>> On Mon, Oct 28, 2019 at 8:42 AM Brian Campbell <
>> bcampbell@pingidentity.com>; wrote:
>>
>>>
>>>
>>> On Sat, Oct 26, 2019 at 3:55 PM Rifaat Shekh-Yusef <
>>> rifaat.ietf@gmail.com>; wrote:
>>>
>>>>
>>>> On Fri, Oct 25, 2019 at 3:47 PM Brian Campbell <
>>>> bcampbell@pingidentity.com>; wrote:
>>>>
>>>>>
>>>>> I did look at RFC7239 when doing that and it could have been made to
>>>>> work but felt the fit wasn't quite right and would have been more
>>>>> cumbersome to use than not.
>>>>>
>>>>>
>>>> Can you elaborate on this?
>>>> These days, with the zero trust model in mind, there are orchestration
>>>> tools, e.g. Istio, that easily allows you to establish an MTLS channel
>>>> between the reverse proxy/load balancer/API GW and the backend servers.
>>>> Why is that not sufficient?
>>>> Which part is cumbersome?
>>>>
>>>
>>> What I meant was only that in the course of writing
>>> https://tools.ietf.org/html/draft-ietf-tokbind-ttrp-09, which aims to
>>> define HTTP header fields that enable a TLS terminating reverse proxy to
>>> convey information to a backend server about the validated Token Binding
>>> Message received from a client, it seemed more straightforward and
>>> sufficient for the use-case to use new HTTP headers to carry the
>>> information rather than to use new fields in the Forwarded header framework
>>> from RFC7239.
>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>
>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._