Re: [secdir] Secdir review of draft-ietf-hybi-permessage-compression-22

Robert Sparks <rjsparks@nostrum.com> Mon, 06 July 2015 16:03 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A1501A90A6; Mon, 6 Jul 2015 09:03:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKUlx12hSpx3; Mon, 6 Jul 2015 09:03:12 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1591A1A89A8; Mon, 6 Jul 2015 09:03:12 -0700 (PDT)
Received: from unnumerable.local (pool-71-170-237-80.dllstx.fios.verizon.net [71.170.237.80]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id t66G32c2019216 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=OK); Mon, 6 Jul 2015 11:03:03 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host pool-71-170-237-80.dllstx.fios.verizon.net [71.170.237.80] claimed to be unnumerable.local
Message-ID: <559AA6B2.3@nostrum.com>
Date: Mon, 06 Jul 2015 11:02:58 -0500
From: Robert Sparks <rjsparks@nostrum.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Takeshi Yoshino <tyoshino@google.com>
References: <558B1E9C.8080505@nostrum.com> <CAH9hSJYdb95V48jvuGAg5ymjhaaAbcYcuv=+OiTFnJ+PRyRNuQ@mail.gmail.com>
In-Reply-To: <CAH9hSJYdb95V48jvuGAg5ymjhaaAbcYcuv=+OiTFnJ+PRyRNuQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070408070604080409070400"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/CMNAd0QiyCrvPMC5QG3KNq8Zx8M>
Cc: draft-ietf-hybi-permessage-compression.all@ietf.org, hybi@ietf.org, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-hybi-permessage-compression-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 16:03:19 -0000

(adding the hybi list)

It seems to me that this effectively adding an actor (the intermediary) 
, and defining (not as explicitly as I think it needs to be) protocol 
mechanics for that actor in ways that the base specification did not 
anticipate.

I'm not comfortable that the consequences of these new mechanics 
(specifically - that the intermediary can directly participate in the 
extension negotiations, and change the results) are well understood. The 
additions to the text you propose will certainly help point out that 
there might be some, and the message that the endpoint won't have 
insight into how its messages are handled beyond the intermediary needs 
to be prominent.

But I wonder if the mechanics of an intermediary _changing the protocol 
signalling_ is something the working group should explicitly work on 
writing down?

RjS

On 6/30/15 3:42 AM, Takeshi Yoshino wrote:
> Thank you for review, Robert.
>
> On Thu, Jun 25, 2015 at 6:18 AM, Robert Sparks <rjsparks@nostrum.com 
> <mailto:rjsparks@nostrum.com>> wrote:
>
>     I have reviewed this document as part of the security directorate's
>     ongoing effort to review all IETF documents being processed by the
>     IESG.  These comments were written primarily for the benefit of the
>     security area directors.  Document editors and WG chairs should treat
>     these comments just like any other last call comments.
>
>     Summary: Ready with issues
>
>     (fwiw, I also reviewed up through version -24).
>
>     Section 7 (Intermediaries) should be more explicit that it's talking about an intermediary doing compression on one side and not (or doing different compression) on the other.
>     (If that's not what it's trying to set up, please clarify).
>
> OK. So, I'd like to change the text as follows:
>
> When an intermediary proxies ... Per-message Compression of messages 
> received from one peer, and then forward the messages to the other 
> peer, if the intermediary ...
>
>     It's not clear from reading RFC6455 that the idea of intermediaries changing the contents of the websocket extension negotiation mechanism was considered - have I missed the text in that RFC that discusses that?
>     Are there other extensions that suggest similar behavior? It's not immediately clear that the protocol mechanics do the right thing when the different negotiations on each side of the proxy fail differently.
>
> It's not well discussed in RFC6455. Right. AFAIK, there's no such 
> extension defined, yet.
>
> I understand that this text (intermediary section in the I-D) works 
> just not to disallow change of compression but there's nothing in 
> RFC6455 that guarantees that such transformation doesn't cause any 
> issue with other infrastructure of the WebSocket protocol.
>
> I believe that unless any extension that interferes with the other 
> negotiated extensions (e.g. counting the number of negotiated 
> extensions, relying on PMCE, etc.), the core WebSocket protocol 
> (things defined in RFC6455) should work. If such an extension is 
> introduced, it would be just considered to be incompatible with PMCEs, 
> or that extension should describe how to coordinate with change on 
> PMCE in the intermediaries section of its RFC.
>
> I think this is more reasonable than prohibiting change on Per-message 
> Compression by intermediaries.
>
>     This also seems to put an endpoint in a position where it has no say on what an intermediary does with the traffic on the other side of it. Is that worth discussing in the document?
>
> Ah, right. Maybe some text like:
>
> "It's not guaranteed that the PMCE which an endpoint has negotiated in 
> the opening handshake is preserved in the whole path to the peer 
> endpoint."
>
>     It would be good to point to, or provide, a discussion of how the extension negotiation mechanism in WebSockets is meant to be protected.
>
>
> As a general discussion to cover other extensions (if they want. by 
> referring to this to-be-RFC) like the section defining terms to 
> complement RFC6455 [1]?
>
> [1] 
> https://tools.ietf.org/html/draft-ietf-hybi-permessage-compression-24#section-3