IETF Logo Mail Archive

Re: [Ohai] Artart last call review of draft-ietf-ohai-svcb-config-05

Tommy Pauly <tpauly@apple.com> Thu, 21 September 2023 23:59 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: ohai@ietfa.amsl.com
Delivered-To: ohai@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4732AC15257A for <ohai@ietfa.amsl.com>; Thu, 21 Sep 2023 16:59:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ollwdhZlnlAP for <ohai@ietfa.amsl.com>; Thu, 21 Sep 2023 16:59:43 -0700 (PDT)
Received: from rn-mailsvcp-mx-lapp02.apple.com (rn-mailsvcp-mx-lapp02.apple.com [17.179.253.23]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8E5CC151700 for <ohai@ietf.org>; Thu, 21 Sep 2023 16:59:43 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by rn-mailsvcp-mx-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S1D00W661B4YU40@rn-mailsvcp-mx-lapp02.rno.apple.com> for ohai@ietf.org; Thu, 21 Sep 2023 16:59:29 -0700 (PDT)
X-Proofpoint-ORIG-GUID: xurHlOqFmg7xgEjJm80srPgxtg8SubHx
X-Proofpoint-GUID: xurHlOqFmg7xgEjJm80srPgxtg8SubHx
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-09-21_20:2023-09-20, 2023-09-21 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 mlxscore=0 suspectscore=0 adultscore=0 mlxlogscore=999 malwarescore=0 spamscore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2309180000 definitions=main-2309210208
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=x3wdDMTVRkAip5C5dhcUCivdOxFulVDuM68/XlJEJ/Q=; b=DKkROSPuFPz6OfRYkroenVArvSvnc34pQPQKPByKxggh00nLQcECbk/K/t1GvGLwvMqU LG92eRPw7LZH8euhIv/m6QI4UfHi0aI3UIDvspfykgt3Iaj4BE5V9hoTD/5aPJbBHs1k b0zqJGTse2ZM2VdN2gFYlx24C7ZzxHJPWz2cmotg+btIY3KxPylwjhYh2UkaS67L9rHI Zx13nMJgCG7NKzGrlIueSIluV3n+2SyMmsW6Nt7PzkyZj/eoOUjNTOQ5/az5ph5dpLRU xXDXdsl1T3HxcaNaii5B/d+rq+9mLk+RpW6UhANodKrZFLX043UOVnKldVGZ1FV3T8Sx 8w==
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPS id <0S1D00ZAI1B3YI20@rn-mailsvcp-mta-lapp03.rno.apple.com>; Thu, 21 Sep 2023 16:59:27 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) id <0S1D00S0017Q8900@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Thu, 21 Sep 2023 16:59:27 -0700 (PDT)
X-Va-A:
X-Va-T-CD: a21793ab544743296fa6d6cb69f9bf66
X-Va-E-CD: d222768c09d7b4df51aab30ff3b30f2c
X-Va-R-CD: d3f9ca6aa994618bab49607b341ff1f9
X-Va-ID: 50c5ba3a-7f16-456d-8c72-bbd4aada6dd1
X-Va-CD: 0
X-V-A:
X-V-T-CD: a21793ab544743296fa6d6cb69f9bf66
X-V-E-CD: d222768c09d7b4df51aab30ff3b30f2c
X-V-R-CD: d3f9ca6aa994618bab49607b341ff1f9
X-V-ID: ef476624-15b6-407a-b4a0-2646d5fc8e7e
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.619, 18.0.980 definitions=2023-09-21_20:2023-09-20, 2023-09-21 signatures=0
Received: from smtpclient.apple ([17.230.169.116]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.23.20230328 64bit (built Mar 28 2023)) with ESMTPSA id <0S1D001Q21B3KW00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Thu, 21 Sep 2023 16:59:27 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <EE28EABE-6FE5-4446-99BF-D6AF608DEB53@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_A468F8F7-FFB1-4589-AC4C-77879E24A79F"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
Date: Thu, 21 Sep 2023 16:59:17 -0700
In-reply-to: <169264497299.52726.653116106307175768@ietfa.amsl.com>
Cc: art@ietf.org, draft-ietf-ohai-svcb-config.all@ietf.org, last-call@ietf.org, ohai@ietf.org
To: Christian Amsüss <christian@amsuess.com>
References: <169264497299.52726.653116106307175768@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3774.100.2.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/sKikAn5byEB2WzW8SVZxTCjwGSQ>
Subject: Re: [Ohai] Artart last call review of draft-ietf-ohai-svcb-config-05
X-BeenThere: ohai@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Oblivious HTTP Application Intermediation <ohai.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ohai>, <mailto:ohai-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ohai/>
List-Post: <mailto:ohai@ietf.org>
List-Help: <mailto:ohai-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ohai>, <mailto:ohai-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Sep 2023 23:59:46 -0000

Hi Christian,

Thanks very much for the thoughtful review! Apologies for the late response.

I’ve opened the following PR: https://github.com/ietf-wg-ohai/draft-ohai-svcb-config/pull/54

In addition to addressing the editorial remarks, I’ve adjusted the text around key configuration fetching to move the considerations for direct vs proxied up front. I do think it makes sense to highlight this earlier, since most implementations will want to proxy and/or use consistency checks. I don’t think it’s necessary, or even the right approach, to define an extension to the Oblivious Relay behavior to take on the role of proxy here. While it may serve as the entity that can fetch these configurations, the client could also have some other proxy that serves the same purpose. Additionally, it may not be necessary to proxy the fetch at all if the client is not concerned with communicating to the gateway — but only concerned about linking its particular request content to its identity; in such cases, a consistency check alone is sufficient.

Best,
Tommy

> On Aug 21, 2023, at 12:09 PM, Christian Amsüss via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Christian Amsüss
> Review result: Ready with Nits
> 
> Summary
> =======
> 
> This document fixes a gap between OHTTP servers and clients that was previously
> only addressed by out-of-band configuration. Apart from one security note
> (that's more on the how-do-we-get-it-implemented-well side and not on the
> there-is-a-flaw side), I think this is in very good shape.
> 
> Typical ART Area Issues
> =======================
> 
> * The document does not provide individual extension points, but that is OK:
>  Both OHTTP's evolution mechanism (media types) and SVCB records' mechansisms
>  (adding new protocol names such as h2/h3) are availble.
> 
> Security
> ========
> 
> * Key configuration fetching: This introduces a direct HTTP request from the
>  client to the Gateway, which with my limited overview of OHTTP is a new leg,
>  and reveals to the gateway an IP address from which it will be accessed (even
>  though the rules in section 5 on of not telling the relay where
>  .well-known/ohttp-gateway redirected will make sure that request can't be
>  correlated with the later OHTTP requests trivially). It does hint at using a
>  proxy (with later remarks in sec-cons pointing to a possible solution), but I
>  think it'd make sense to explore that option more thoroughly.
> 
>  It's hard for this document to mandate that those requests be proxied through
>  the relay (which doesn't generally do HTTP style proxying, and could be
>  limited to allow-listed requests such as GET /.well-known/ohttp-gateway
>  accepting application/http-keys), but unless that has been gone through in
>  previous discussions (in which case I'd appreciate a pointer), I think it'd
>  make sense to make that a default operation, falling back to direct GETs only
>  if the relay happens to not support that operation.
> 
>  If this is just done to avoid a normative reference to the comparatively
>  young CONSISTENCY document, maybe it'd be worth the wait. I haven't gone
>  through that complete document, it seems to offer several approaches. It may
>  not be possible to pick one that's good for all purposes, but if any of them
>  need collaboration from the relay, it'd be helpful if implementers took good
>  note that more is expected and needed of relays now.
> 
> Editorial remarks
> =================
> 
> * "an Oblivious Gateway Resource (gateway), which gates access to the target.":
>  I'd read that as limiting who may access the target, which to my
>  understanding is not the case. Maybe "which offers Oblivious HTTP accesst to
>  the target"?
> 
> * 'he "ohttp" SvcParamKey (Section 8) is used': I think that the forward
>  reference into IANA considerations is more confusing than helpful. This key
>  is defined here, IANA considerations just contain instructions to make it
>  happen in the registries. A reference back up (from table 8.1, s/This
>  document/This document (Section 4)/) would make more sense.
> 
> 
> 
> -- 
> Ohai mailing list
> Ohai@ietf.org
> https://www.ietf.org/mailman/listinfo/ohai

v2.23.0 | Report a Bug | By Email