Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 49E0D1277D2
 for <quic-issues@ietfa.amsl.com>; Sun, 30 Dec 2018 22:32:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.065
X-Spam-Level: 
X-Spam-Status: No, score=-8.065 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.065, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001,
 MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
 header.d=github.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 1pjwkwDRvi7G for <quic-issues@ietfa.amsl.com>;
 Sun, 30 Dec 2018 22:32:48 -0800 (PST)
Received: from out-15.smtp.github.com (out-15.smtp.github.com [192.30.254.198])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id B38DB1276D0
 for <quic-issues@ietf.org>; Sun, 30 Dec 2018 22:32:48 -0800 (PST)
Date: Sun, 30 Dec 2018 22:32:48 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
 s=pf2014; t=1546237968;
 bh=eqvJc543ozigt4Lkm9D8x0QZrYowVPPXb7FWOMHRh/I=;
 h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
 List-Archive:List-Post:List-Unsubscribe:From;
 b=wveKRIv2YAfqXMsaZozH15/V573I1h13aI6/kOVncX5kKFZqFIApg2UjZ18+d5K8S
 rxUwqrNpo6FQ+UYvPr44DenR38E0MwNmca2tHgCe8LvTfJl5/1+dsIUBbnKVlDJnvf
 K89Z47GEkU4186BptH6YlhyIIbOlP8hDW18OL1k8=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts
 <reply+0166e4ab6cab891472e01cb399798c8da74d8fa790c6b6f892cf0000000118417a1092a169ce178a34b7@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2279/450612881@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2279@github.com>
References: <quicwg/base-drafts/issues/2279@github.com>
Subject: Re: [quicwg/base-drafts] address-based access control (#2279)
Mime-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--==_mimepart_5c29b8102901c_4e333fbef2ed45b81048155";
 charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/j1ghYZji91nov4-P57GLlepLNOw>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG
 <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>,
 <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>,
 <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Dec 2018 06:32:50 -0000


----==_mimepart_5c29b8102901c_4e333fbef2ed45b81048155
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

Marking editorial because I don't see a concrete change as a result of this, more likely just advice, but this could flip.

One of the greatest pieces of baggage in HTTP is source-address-based ACLs.  I understand their value in DoS mitigation, but this issue implies something greater than that.  I hope that you don't mean as a substitute for authentication, but more part of a more comprehensive "your IP address is bad and you should feel bad, so here's a 4xx/5xx".

If we are talking about reputation for DoS mitigation, and a connection on a "good" address moves to a "bad" address, I would probably recommend against a change in treatment in all but extreme cases.

If you are using IP address as a proxy for physical location - which is a bad idea in general, but might be justifiable in terms of defense-in-depth strategies for high-value resources under conditions you control.  If your client moved outside that area, then you will need to consult your local policy.  Some policies could say "don't accept the packets", which is the most robust response, but it makes the HTTP status code somewhat irrelevant.  Clients in those contexts will want to be locked to the one network interface somehow.

The question is whether we might want to help the client avoid accidental address changes with an explicit signal.  I'm going to suggest that the answer is "no".

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2279#issuecomment-450612881
----==_mimepart_5c29b8102901c_4e333fbef2ed45b81048155
Content-Type: text/html;
 charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p>Marking editorial because I don't see a concrete change as a result of=
 this, more likely just advice, but this could flip.</p>
<p>One of the greatest pieces of baggage in HTTP is source-address-based =
ACLs.  I understand their value in DoS mitigation, but this issue implies=
 something greater than that.  I hope that you don't mean as a substitute=
 for authentication, but more part of a more comprehensive "your IP addre=
ss is bad and you should feel bad, so here's a 4xx/5xx".</p>
<p>If we are talking about reputation for DoS mitigation, and a connectio=
n on a "good" address moves to a "bad" address, I would probably recommen=
d against a change in treatment in all but extreme cases.</p>
<p>If you are using IP address as a proxy for physical location - which i=
s a bad idea in general, but might be justifiable in terms of defense-in-=
depth strategies for high-value resources under conditions you control.  =
If your client moved outside that area, then you will need to consult you=
r local policy.  Some policies could say "don't accept the packets", whic=
h is the most robust response, but it makes the HTTP status code somewhat=
 irrelevant.  Clients in those contexts will want to be locked to the one=
 network interface somehow.</p>
<p>The question is whether we might want to help the client avoid acciden=
tal address changes with an explicit signal.  I'm going to suggest that t=
he answer is "no".</p>

<p style=3D"font-size:small;-webkit-text-size-adjust:none;color:#666;">&m=
dash;<br />You are receiving this because you are subscribed to this thre=
ad.<br />Reply to this email directly, <a href=3D"https://github.com/quic=
wg/base-drafts/issues/2279#issuecomment-450612881">view it on GitHub</a>,=
 or <a href=3D"https://github.com/notifications/unsubscribe-auth/AWbkqyeK=
qrYAfS7JAVDck8In3Z2jJjErks5u-a-QgaJpZM4ZlOJ-">mute the thread</a>.<img sr=
c=3D"https://github.com/notifications/beacon/AWbkqzqx7drp-0wyrkDGtHPx0-_D=
GLtuks5u-a-QgaJpZM4ZlOJ-.gif" height=3D"1" width=3D"1" alt=3D"" /></p>
<script type=3D"application/json" data-scope=3D"inboxmarkup">{"api_versio=
n":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name"=
:"GitHub"},"entity":{"external_key":"github/quicwg/base-drafts","title":"=
quicwg/base-drafts","subtitle":"GitHub repository","main_image_url":"http=
s://github.githubassets.com/images/email/message_cards/header.png","avata=
r_image_url":"https://github.githubassets.com/images/email/message_cards/=
avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/q=
uicwg/base-drafts"}},"updates":{"snippets":[{"icon":"PERSON","message":"@=
martinthomson in #2279: Marking editorial because I don't see a concrete =
change as a result of this, more likely just advice, but this could flip.=
\r\n\r\nOne of the greatest pieces of baggage in HTTP is source-address-b=
ased ACLs.  I understand their value in DoS mitigation, but this issue im=
plies something greater than that.  I hope that you don't mean as a subst=
itute for authentication, but more part of a more comprehensive \"your IP=
 address is bad and you should feel bad, so here's a 4xx/5xx\".\r\n\r\nIf=
 we are talking about reputation for DoS mitigation, and a connection on =
a \"good\" address moves to a \"bad\" address, I would probably recommend=
 against a change in treatment in all but extreme cases.\r\n\r\nIf you ar=
e using IP address as a proxy for physical location - which is a bad idea=
 in general, but might be justifiable in terms of defense-in-depth strate=
gies for high-value resources under conditions you control.  If your clie=
nt moved outside that area, then you will need to consult your local poli=
cy.  Some policies could say \"don't accept the packets\", which is the m=
ost robust response, but it makes the HTTP status code somewhat irrelevan=
t.  Clients in those contexts will want to be locked to the one network i=
nterface somehow.\r\n\r\nThe question is whether we might want to help th=
e client avoid accidental address changes with an explicit signal.  I'm g=
oing to suggest that the answer is \"no\"."}],"action":{"name":"View Issu=
e","url":"https://github.com/quicwg/base-drafts/issues/2279#issuecomment-=
450612881"}}}</script>
<script type=3D"application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/quicwg/base-drafts/issues/2279#issuecomment=
-450612881",
"url": "https://github.com/quicwg/base-drafts/issues/2279#issuecomment-45=
0612881",
"name": "View Issue"
},
"description": "View this Issue on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>=

----==_mimepart_5c29b8102901c_4e333fbef2ed45b81048155--