IETF Logo Mail Archive

Re: [Ohai] Call for adoption: draft-rdb-ohai-feedback-to-proxy

Christopher Wood <caw@heapingbits.net> Thu, 17 August 2023 12:23 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A454EC14CE2B for <ohai@ietfa.amsl.com>; Thu, 17 Aug 2023 05:23:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.808
X-Spam-Level:
X-Spam-Status: No, score=-2.808 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b="MT5EHbk1"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="bCb8q5Ip"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OhC2CSMLWPjq for <ohai@ietfa.amsl.com>; Thu, 17 Aug 2023 05:23:33 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44371C14E515 for <ohai@ietf.org>; Thu, 17 Aug 2023 05:23:33 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 747EA32005C1; Thu, 17 Aug 2023 08:23:32 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Thu, 17 Aug 2023 08:23:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to; s=fm1; t=1692275011; x=1692361411; bh=EicWF9DQ5tneglGOyo2Bz3YgC riRkk37FGQ3MEpIWQg=; b=MT5EHbk1EtxS7al14fAvSxfaxSFmjB/78RVWKsloc kcyNNZPBQsJnUfMobp8AYl47N+Z9DOqmG578+kwWeH1+HElkhMQCXy2EObjNgKI1 TGh3ul9Rw7fUI6PVcljB3FhSO/GECv4EPobyumrDj/cKcZIk1ZgB7v/avy3LdXqV rkJqZhmF4lX1LoHzVCPYEEe/pGIQihhTC2oKDIAVPptCnrTzvoK3yUIMFwCIYgqZ aEbu2c2yVXY3DUeo/WNDn1quBB6cjFf+gp1715pZ7tKyRUmql1hxiOwW7L6WGPz2 Ct4nz4TtEhuyxHJibz2jvxSOBx/xOyOVdU9aiofDcqMvw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:sender:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t= 1692275011; x=1692361411; bh=EicWF9DQ5tneglGOyo2Bz3YgCriRkk37FGQ 3MEpIWQg=; b=bCb8q5IpjfLozGA/AWr/C/bF17JK06wzGo7wFmR6WSw2HGwFfsr QJea2Zq95lIl2BkPMv+WLKOkZyY0IAs77EMI0S6wO3uU9NJLZ2NtRXJHstejM2nU GDaT3v3xXhHFB3I9WPeBsQAT5dFBfAi1jiiXP0GILCOuPbZbnewZWc+QKNe2WyTl jDR00BQHxKytCzO5p/eNy+525Qa0rZAJbxbU+roq4z4bqUVPY1IWqpi62IJBAOtF g0aoEww6VO1yn/N/krLpLRPpiKqOiCaZ6YIO3KCRS16qLEVjs0ndokQ4zq+KYYbE YLk0hEQQqrzvu8cd/mBqLlmVuhWRxQl3kgg==
X-ME-Sender: <xms:QxHeZJLqdc5dQeN1v5UdbZwMxw9yUJmj6yoQSy4AUMht45li0Te9CA> <xme:QxHeZFIogvvxzOZIxCVjkWqw1CKCWO_Lqrdu27LOQKDP402Y9cgTCc9ZGdION741V stj6BxNY8y-UIvkaKg>
X-ME-Received: <xmr:QxHeZBsvnUV54PpSBqWQfm3xmUVnWb0_W8c6I1GpbYZurzSvprjFKGSDsKVJiICBqcDvAGkHU6ECanGwXMELuMjU0dmRzbZJRU61inch2_LW5tbR>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedviedrudduuddgheduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgoufhushhpvggtthffohhmrghinhculdegledmne cujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdejnecuhfhrohhmpeevhhhr ihhsthhophhhvghrucghohhougcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucggtffrrghtthgvrhhnpeegleehffdtvdefuedttedugeejledvffelgfdukeeilefg uefhvdehieevueejfeenucffohhmrghinhephhhtthhprhgvshhpohhnshgvshgvvghmmh horhgvlhhikhgvrghhrggtkhhthhgrnhgrtghlvggrrhguvghsihhgnhdrihhmpdhgihht hhhusgdrihhonecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrh homheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:QxHeZKa8BvhhMXk5W0xMjNFggYPDatqQ5ZEb0TmJAmHtnGxVLGYEDg> <xmx:QxHeZAY7p8FFIZ_742t4_sCtW20syq85sygEVKzxScjWfVGk1s_wLQ> <xmx:QxHeZOAhqtHFJyG6j6LXwJnc1QgSGV4lNJyuUrcuV6kwBa9MGWMb5g> <xmx:QxHeZJD0uFUX42TJXvBT3_HhR-r8uUkUUksl6a7CAp6a2tI-LM-DAg>
Feedback-ID: i2f494406:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Thu, 17 Aug 2023 08:23:31 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <CAFpG3gcGPQozxtv4+AR1zSMKa_5cbWVMFTFWgKsw6fDVY_FQ_g@mail.gmail.com>
Date: Thu, 17 Aug 2023 08:23:30 -0400
Cc: ohai@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8C03A6A2-4B30-49D6-8985-034E97D676DD@heapingbits.net>
References: <CAG3f7Mh1F6t9=1Dw+PRpTfsan0F=OtoVi=FsuewVAZ326vDL_Q@mail.gmail.com> <320231FB-D508-4DE4-B89B-BC1F5FFF6321@apple.com> <48A47702-1805-4D46-BD1F-0D95A9ECE84F@kuehlewind.net> <73638b7f-e4c0-4113-a6c2-5a244c4071a5@app.fastmail.com> <CAFpG3gcGPQozxtv4+AR1zSMKa_5cbWVMFTFWgKsw6fDVY_FQ_g@mail.gmail.com>
To: tirumal reddy <kondtir@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/4uqVWQ-6kJkKeTj4a3B4nRq--So>
Subject: Re: [Ohai] Call for adoption: draft-rdb-ohai-feedback-to-proxy
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2023 12:23:37 -0000

> On Aug 16, 2023, at 9:29 AM, tirumal reddy <kondtir@gmail.com> wrote:
> 
> On Tue, 15 Aug 2023 at 20:42, Christopher Wood <caw@heapingbits.net> wrote:
> On Tue, Aug 15, 2023, at 10:55 AM, Mirja Kuehlewind wrote:
> > Hi all,
> >
> > Sorry for my slightly delayed reply but I finally found time to fully 
> > review the draft. I agree that the problem is an interesting problem to 
> > solve but I’m less sure about the proposed approach. More generally I 
> > wonder if this signal is needed at all (or if some static config/out of 
> > band signalling is enough). Effectively the draft adds an option to 
> > signal the relay that the target is under attack. However, if the 
> > attack source is part of the relay traffic, wouldn’t the relay be able 
> > to detect the attack on its own? Maybe there are other cases for 
> > rate-limiting but the attack scenario isn’t fully clear to me. Also 
> > adding this information to one “random” http response, seem more like a 
> > hack than a clear design. 
> >
> > I’m supportive of further work in this space but I’m not sure if 
> > adopting the proposed solution is the right way forward.
> 
> For what it's worth, I tried to turn my comments into something constructive by turning them into a more complete proposal, located here:
> 
>    https://chris-wood.github.io/draft-wood-remote-rate-limiting/draft-wood-remote-rate-limiting.html
> 
> The salient points of this approach are:
> 
> 1. Rate limit rules happen out-of-band, or outside of the proxy protocol, rather than in-band. This makes it generally applicable to OHTTP, MASQUE, etc.
> 2. Rate limit rules are only allowed from authenticated targets. (This particular proposal leans on ACME based on DV as a way of targets being provisioned with authentication credentials, but this is mainly a convenience and implementation detail.)
> 3. Rate limit rules are restricted in how they can be expressed so that the mechanism can't be misused or abused to harm client privacy. As such, this proposal has limitations that are naturally complemented by privacy-preserving authentication mechanisms such as Privacy Pass. 
> 
> I'm sure there are a lot of odd or imperfect things in the draft, but in writing this down I felt a lot more comfortable with the privacy and security story given the constraints in place. Bike sheds aside, I'm curious to know what people think about the high level aspects of this alternative approach -- especially those in favor of solving this problem.
> 
> The above approach can be done using DOTS, it has DOTS data channel for this purpose which uses RESTCONF and defines filtering rules with rate-limit action 

I’ll leave it to the DOTS experts to determine if that can be extended for this purpose. However, I would like to surface my view of the threat model and essential requirements for this to be done safely (if it’s going to be done at all). Copying directly from the draft above:

# Threat Model

The remote rate limiting (RRL) protocol is based on the following threat model.
Clients are either honest or malicious. Honest clients do not engage in abusive
behavior, whereas malicious clients are carry out whatever behavior they wish,
including abusive behavior. Targets can also be honest or malicious. An honest
target will faithfully use the protocol to protect itself against abuse, whereas
a malicious target will try to use the protocol to carry out the following goals.

1. Learn information about clients. The attacker aims to use the rate limiting
   protocol to learn information about the clients behind a proxy. This information
   might include, for example, the total number of clients behind a proxy, or any
   other information that might be useful in partitioning client anonymity sets.
1. Disproportionately and negatively impact honest clients. The attacker aims to
   misuse the rate limiting protocol to single out honest clients and cause service
   disruption for them.

Malicious clients can engage in abusive behavior with the intent of disrupting service
for honest targets, or for negatively impacting the proxy service for other honest
clients.

The proxy is assumed to be honest, since a malicious proxy could easily violate
client privacy by revealing the client's IP address to targets.

# Overview

Given the threat model in {{threat-model}}, the remote rate limiting (RRL) protocol
is based on the following assumptions:

1. The definition of abuse varies widely and depends on the target service.
   In other words, targets are authoritative for what is considered abusive traffic
   that negatively affects the target.
1. Rate limiting rules can only be expressed in terms of behavior that can be validated
   by both proxy and taget. Importantly, this means that targets can only express rules
   in terms of information that both parties know. In other words, targets cannot express
   rules in terms of information they do not know. As an example, it is not possible to
   express rules in terms of the number of requests per client if the target does not know
   how many clients are behind a particular proxy, nor if the proxy does not know the number
   of requests that a particular client is sending because the client's connection to the
   target is encrypted.
1. Proxies cannot trust targets which cannot authenticate themselves, as this can
   spoofed by attackers (malicious targets). Moreover, authenticating a target does
   not necessarily mean the target is honest; an authenticated target can still engage
   in malicious behavior. As such, the rate limiting protocol cannot leak information
   to the the privacy proxy that it does not already know. In particular, the protocol
   cannot depend on application data that is encrypted and unknown to the proxy.
   This ensures that the protocol cannot be misused by targets in an attempt to
   deanonymize clients.
1. IP addresses are not suitable for authentication and authorization decisions. In
   particular, this means that proxies cannot use target IP addresses to determine
   whether or not a particular target message is authenticated.

Best,
Chris

v2.23.0 | Report a Bug | By Email