[secdir] secdir review of draft-ietf-httpbis-h2-websockets

Carl Wallace <carl@redhoundsoftware.com> Tue, 29 May 2018 17:32 UTC

Date: Tue, 29 May 2018 13:32:25 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: draft-ietf-httpbis-h2-websockets.all@ietf.org
CC: secdir@ietf.org, iesg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-Nn0a6CYWizwOryi9ZWm2Oor2BE>

I have reviewed this document as part of the security directorate’s
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments
just like any other last call comments.

This document defines a mechanism for running the WebSocket Protocol (RFC
6455) over a single stream of an HTTP/2 connection. The mechanism takes
the form of a new SETTINGS parameter and a new pseudo-header. The document
is well-written and I see no issues with it other than some friction with
this statement in section 8.1.2.1 of RFC7540:

	"Endpoints MUST NOT generate pseudo-header fields other than those
defined in this document."

The draft-ietf-httpbis-h2-websockets defines a new pseudo-header field in
section 4. Section 3 addresses extending HTTP/2 via a reference to section
5.5 of RFC7540, but there was nothing in that section to relax the
prohibition on using pseudo-header fields not defined by 7540. Is a mod to
7540 necessary to enable support for the mechanism in
draft-ietf-httpbis-h2-websockets?


One minor nit, section 3 states "a sender MUST NOT send a
SETTINGS_ENABLE_CONNECT_PROTOCOL parameter with the value of 0 after
previously sending a value of 1". This reads as though one could never
turn off web socket support once enabled.
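
The section 3 rule quoted in the nit above, written as a receiver-side check over SETTINGS frame payloads. This is an added example, not part of the original message or of the draft. Assumptions: the identifier 0x8 and the 0-or-1 value range are taken from the published RFC 8441; the class and function names are hypothetical and the payloads are constructed.

```python
import struct

# Identifier assigned to SETTINGS_ENABLE_CONNECT_PROTOCOL in RFC 8441
# (assumption: taken from the published RFC, not from this message).
SETTINGS_ENABLE_CONNECT_PROTOCOL = 0x8


def parse_settings(payload: bytes):
    """Split a SETTINGS payload into (identifier, value) pairs.

    Each entry is a 16-bit identifier and a 32-bit value (RFC 7540, 6.5.1).
    """
    if len(payload) % 6 != 0:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return [struct.unpack_from("!HI", payload, off)
            for off in range(0, len(payload), 6)]


class ConnectProtocolMonitor:
    """Tracks one peer's SETTINGS_ENABLE_CONNECT_PROTOCOL across frames."""

    def __init__(self):
        self.enabled = False  # True once the peer has sent the value 1

    def observe(self, payload: bytes):
        """Return the violations found in one SETTINGS payload."""
        violations = []
        for ident, value in parse_settings(payload):  # entries apply in order
            if ident != SETTINGS_ENABLE_CONNECT_PROTOCOL:
                continue
            if value not in (0, 1):  # range per RFC 8441 section 3
                violations.append(f"invalid value {value}")
            elif value == 1:
                self.enabled = True
            elif self.enabled:  # value 0 after an earlier 1
                violations.append("0 sent after 1")
        return violations


def check_sequence(payloads):
    """Run a sequence of SETTINGS payloads through a fresh monitor."""
    mon = ConnectProtocolMonitor()
    return [mon.observe(p) for p in payloads]


# Constructed sample payloads (not captured traffic).
ENABLE = struct.pack("!HI", SETTINGS_ENABLE_CONNECT_PROTOCOL, 1)
DISABLE = struct.pack("!HI", SETTINGS_ENABLE_CONNECT_PROTOCOL, 0)
OTHER = struct.pack("!HI", 0x3, 100)  # SETTINGS_MAX_CONCURRENT_STREAMS
```

A peer that sends 0 first and 1 later passes the check; only the 1-then-0 order is flagged, including when both entries arrive in the same frame.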