IETF Logo Mail Archive

Re: [Ohai] Call for adoption: draft-rdb-ohai-feedback-to-proxy

tirumal reddy <kondtir@gmail.com> Wed, 16 August 2023 13:29 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EEBFC1516F2 for <ohai@ietfa.amsl.com>; Wed, 16 Aug 2023 06:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t_V_WXyhYV4g for <ohai@ietfa.amsl.com>; Wed, 16 Aug 2023 06:29:53 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00BE6C1516E9 for <ohai@ietf.org>; Wed, 16 Aug 2023 06:29:52 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-4fe8f602e23so2409880e87.1 for <ohai@ietf.org>; Wed, 16 Aug 2023 06:29:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692192590; x=1692797390; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AypDsRIlJy9fvbYwU3/SpxeimAIc2620FyN0qEqtLpk=; b=FYi5GMAW7eoOzBiZ7hswoO7PTbJXY7WHbwmZK++m6Rt3SCQKMAjSv/UrgaOUSPNlO+ vzf5pUlwCjmngmFS4EUep7Cwi16VKpSIgm/gbW+MT2/HCEJTnJSxb2oGUy/UiTsoPlTe Pg8jUsgB24YNOx1wLR+SiHtcxhFfC+crr0AUORkQziYWKYZdoKK0nCPD1Au6jBo4B167 znK+Rf2tKhzlzObt3jnxYiHK2ybhnU5NmuDZlCoa2eeytgkOs1na/gqbXE9RO9eyf7Wl htolxITAUWvG5TRG+lsKOovf4SWRXv85qRuLY8nypXrzPSrTkzz2LMwFlZTcq4jovUqV XeQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692192590; x=1692797390; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AypDsRIlJy9fvbYwU3/SpxeimAIc2620FyN0qEqtLpk=; b=X1oR+9CLemBpV5Q1cPhoW6rhcVV3NAKYaxgGacfBlKJCN1kF00JtzhpEJ63XwJ7Ygy xvRT+TpBb6vb8bNc4MYPZyoOHMBP9oXFAKUFzvbK+Ew9EC0gTdNgCoRMMBqSaAWiuNkX lN7CUWb3kyfAznjBuPQlZ9WAKbtE/otYFeHcDS4I+YLv326iGPTWuBF4yB19tAmLov4p vM5vz+ZdI0Gk/8ri920pIxvDA6/RX/d0ZzR3wVrxbxBSpa0FFU0qxJZUl960tAQ6HqII Ui2vfyPh+iXvjL6LIo9+BVqSR0HK93on4PMQcQHNUnDVVGTtRMUkH1cVn1Fz8jNJwGi/ nQdw==
X-Gm-Message-State: AOJu0Yz19feZnKbY4mhnxImMbxP9sZSlC5v754d5xloV4b4xt57nGl5R 3zZ96hqPIFX0s0gE1wpgv0l2djP1Cr8VWLV2ZCH77YJ7DF8=
X-Google-Smtp-Source: AGHT+IERMVupdPmmG6r8OeOvieTzOlGoYrk7pomcmn56bYCkOnpI2vZLgGU5p0GHXXbLIyzdJGGQeoO4Rm3DHvoEHO4=
X-Received: by 2002:a2e:bc14:0:b0:2b7:34c0:a03a with SMTP id b20-20020a2ebc14000000b002b734c0a03amr1853689ljf.3.1692192589920; Wed, 16 Aug 2023 06:29:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAG3f7Mh1F6t9=1Dw+PRpTfsan0F=OtoVi=FsuewVAZ326vDL_Q@mail.gmail.com> <320231FB-D508-4DE4-B89B-BC1F5FFF6321@apple.com> <48A47702-1805-4D46-BD1F-0D95A9ECE84F@kuehlewind.net> <73638b7f-e4c0-4113-a6c2-5a244c4071a5@app.fastmail.com>
In-Reply-To: <73638b7f-e4c0-4113-a6c2-5a244c4071a5@app.fastmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Wed, 16 Aug 2023 18:59:38 +0530
Message-ID: <CAFpG3gcGPQozxtv4+AR1zSMKa_5cbWVMFTFWgKsw6fDVY_FQ_g@mail.gmail.com>
To: Christopher Wood <caw@heapingbits.net>
Cc: ohai@ietf.org
Content-Type: multipart/alternative; boundary="00000000000036bfcd06030a4adf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/R31p-i8VLtdXCLXovTpeUHGYqBc>
Subject: Re: [Ohai] Call for adoption: draft-rdb-ohai-feedback-to-proxy
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2023 13:29:56 -0000

On Tue, 15 Aug 2023 at 20:42, Christopher Wood <caw@heapingbits.net> wrote:

> On Tue, Aug 15, 2023, at 10:55 AM, Mirja Kuehlewind wrote:
> > Hi all,
> >
> > Sorry for my slightly delayed reply but I finally found time to fully
> > review the draft. I agree that the problem is an interesting problem to
> > solve but I’m less sure about the proposed approach. More generally I
> > wonder if this signal is needed at all (or if some static config/out of
> > band signalling is enough). Effectively the draft adds an option to
> > signal the relay that the target is under attack. However, if the
> > attack source is part of the relay traffic, wouldn’t the relay be able
> > to detect the attack on its own? Maybe there are other cases for
> > rate-limiting but the attack scenario isn’t fully clear to me. Also
> > adding this information to one “random” http response, seem more like a
> > hack than a clear design.
> >
> > I’m supportive of further work in this space but I’m not sure if
> > adopting the proposed solution is the right way forward.
>
> For what it's worth, I tried to turn my comments into something
> constructive by turning them into a more complete proposal, located here:
>
>
> https://chris-wood.github.io/draft-wood-remote-rate-limiting/draft-wood-remote-rate-limiting.html
>
> The salient points of this approach are:
>
> 1. Rate limit rules happen out-of-band, or outside of the proxy protocol,
> rather than in-band. This makes it generally applicable to OHTTP, MASQUE,
> etc.
> 2. Rate limit rules are only allowed from authenticated targets. (This
> particular proposal leans on ACME based on DV as a way of targets being
> provisioned with authentication credentials, but this is mainly a
> convenience and implementation detail.)
> 3. Rate limit rules are restricted in how they can be expressed so that
> the mechanism can't be misused or abused to harm client privacy. As such,
> this proposal has limitations that are naturally complemented by
> privacy-preserving authentication mechanisms such as Privacy Pass.


> I'm sure there are a lot of odd or imperfect things in the draft, but in
> writing this down I felt a lot more comfortable with the privacy and
> security story given the constraints in place. Bike sheds aside, I'm
> curious to know what people think about the high level aspects of this
> alternative approach -- especially those in favor of solving this problem.
>

The above approach can be done using DOTS, it has DOTS data channel for
this purpose which uses RESTCONF and defines filtering rules with
rate-limit action

-Tiru


>
> Best,
> Chris
>
> --
> Ohai mailing list
> Ohai@ietf.org
> https://www.ietf.org/mailman/listinfo/ohai
>

v2.23.0 | Report a Bug | By Email