[secdir] secdir review of draft-ietf-httpbis-tunnel-protocol-04

Scott Kelly <scott@hyperthought.com> Fri, 05 June 2015 12:24 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1CF931B2D9C for <secdir@ietfa.amsl.com>; Fri, 5 Jun 2015 05:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2sF6v8BMLO41 for <secdir@ietfa.amsl.com>; Fri, 5 Jun 2015 05:24:26 -0700 (PDT)
Received: from smtp122.ord1c.emailsrvr.com (smtp122.ord1c.emailsrvr.com []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7867C1B2D0E for <secdir@ietf.org>; Fri, 5 Jun 2015 05:24:26 -0700 (PDT)
Received: from smtp24.relay.ord1c.emailsrvr.com (localhost.localdomain []) by smtp24.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id CEA5C80288; Fri, 5 Jun 2015 08:24:25 -0400 (EDT)
Received: by smtp24.relay.ord1c.emailsrvr.com (Authenticated sender: scott-AT-hyperthought.com) with ESMTPSA id 7335680196; Fri, 5 Jun 2015 08:24:25 -0400 (EDT)
X-Sender-Id: scott@hyperthought.com
Received: from [] (c-73-129-12-245.hsd1.md.comcast.net []) (using TLSv1 with cipher AES128-SHA) by (trex/5.4.2); Fri, 05 Jun 2015 12:24:25 GMT
From: Scott Kelly <scott@hyperthought.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Message-Id: <DA0CCE5D-D67A-4AD0-8DCB-87F0F397D342@hyperthought.com>
Date: Fri, 5 Jun 2015 05:24:25 -0700
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-httpbis-tunnel-protocol.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/4MLV6GNLsXKDw3w_WcFvqTcYVog>
Subject: [secdir] secdir review of draft-ietf-httpbis-tunnel-protocol-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2015 12:24:28 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Sorry that this review is a few days late, I hope it is still useful.

This document describes a method for using the HTTP ALPN header with the HTTP CONNECT method. HTTP CONNECT is used to ask a proxy to establish a tunnel through which other protocols (possibly HTTP, but not necessarily) can be forwarded. Once established, the client encapsulates the tunneled protocol in HTTP, sends this to the proxy, and the proxy de-encapsulates and forwards the traffic, which may or may not be encrypted. 

The ALPN header allows the client to tell the proxy which protocol(s) it intends to encapsulate. This ALPN header is not authenticated, and the draft makes no reference to client authentication and/or other protocol security mechanisms, so I assume this exchange is not secured in any way.

In the introduction, it says
   "When the CONNECT method is used to establish a tunnel, the ALPN
   header field can be used to identify the protocol that the client
   intends to use with that tunnel.  For a tunnel that is then secured
   using TLS [RFC5246], the header field carries the same application
   protocol label as will be carried within the TLS handshake.  If there
   are multiple possible application protocols, all of those application
   protocols are indicated.

   The ALPN header field carries an indication of client intent only.
   An ALPN identifier is used here only to identify the application
   protocol or suite of protocols that the client intends to use in the
   tunnel.  No negotiation takes place using this header field.  In TLS,
   the final choice of application protocol is made by the server from
   the set of choices presented by the client.  Other substrates could
   negotiate the application protocol differently.

   Proxies do not implement the tunneled protocol, though they might
   choose to make policy decisions based on the value of the header
   field.  For example, a proxy could use the application protocol to
   select appropriate traffic prioritization.”

The security considerations section notes that the client may falsify the ALPN header, but it also implies that this could be used as input to an authorization decision:

   The ALPN header field described in this document is an OPTIONAL
   header field.  Clients and HTTP proxies could choose to not support
   the header and therefore fail to provide it, or ignore it when
   present.  If the header is not available or ignored, a proxy cannot
   identify the purpose of the tunnel and use this as input to any
   authorization decision regarding the tunnel.  This is
   indistinguishable from the case where either client or proxy does not
   support the ALPN header field.

In the last of the previously quoted paragraphs, there was a similar implication regarding policy (traffic prioritization). These both raised red flags for me (especially the use of “authorization decision”).

This header is unauthenticated, and therefore not trustworthy. The client and/or a bad actor between the client/proxy can modify this. Further, unless the proxy actively compares the ALPN content to the TLS ClientHello message, those values may be different. For these reasons, the ALPN header in unreliable for use in traffic policy decisions, and for security-relevant definitions of “authorization”, should never be relied upon.

Things I think should change:

The draft never says what the proxy should do if the client makes one claim in the ALPN header, but then does something different (including using different ALPNs in encapsulated TLS negotiations). Seems like it should.

Also, the draft seems to suggest that it is okay to use the ALPN for policy/authorization decisions. This is unreliable from a security perspective. At minimum, I think the draft should explicitly call this out.