IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 13 February 2017 05:00 UTC

Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 341F712940B for <unbearable@ietfa.amsl.com>; Sun, 12 Feb 2017 21:00:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.787
X-Spam-Level:
X-Spam-Status: No, score=-3.787 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.887, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ZAmSML6pckq for <unbearable@ietfa.amsl.com>; Sun, 12 Feb 2017 21:00:57 -0800 (PST)
Received: from gproxy3-pub.mail.unifiedlayer.com (gproxy3-pub.mail.unifiedlayer.com [69.89.30.42]) by ietfa.amsl.com (Postfix) with SMTP id 513691204D9 for <unbearable@ietf.org>; Sun, 12 Feb 2017 21:00:57 -0800 (PST)
Received: (qmail 23926 invoked by uid 0); 13 Feb 2017 05:00:51 -0000
Received: from unknown (HELO CMOut01) (10.0.90.82) by gproxy3.mail.unifiedlayer.com with SMTP; 13 Feb 2017 05:00:51 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by CMOut01 with id k50l1u0292UhLwi0150oaW; Sun, 12 Feb 2017 22:00:49 -0700
X-Authority-Analysis: v=2.1 cv=U+QBU4bu c=1 sm=1 tr=0 a=9W6Fsu4pMcyimqnCr1W0/w==:117 a=9W6Fsu4pMcyimqnCr1W0/w==:17 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=IkcTkHD0fZMA:10 a=n2v9WMKugxEA:10 a=ieNpE_y6AAAA:8 a=48vgC7mUAAAA:8 a=mQbAr3Z20UDnIPEh3PQA:9 a=QEXdDO2ut3YA:10 a=n7YKFLV3fQAA:10 a=J-Kc1YM4xMEA:10 a=lOZzU2MLX5qQKtuoMSD9:22 a=w1C3t2QeGrPiZgrLijVG:22
Received: from c-73-202-80-238.hsd1.ca.comcast.net ([73.202.80.238]:61468 helo=[192.168.11.53]) by box514.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1cd8kn-0003z2-KI for unbearable@ietf.org; Sun, 12 Feb 2017 22:00:45 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF TokBind WG <unbearable@ietf.org>
Message-ID: <65a184a8-b00e-ddca-f1a5-2c9d274e9f8a@KingsMountain.com>
Date: Sun, 12 Feb 2017 21:00:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box514.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - KingsMountain.com
X-BWhitelist: no
X-Source-IP: 73.202.80.238
X-Exim-ID: 1cd8kn-0003z2-KI
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: c-73-202-80-238.hsd1.ca.comcast.net ([192.168.11.53]) [73.202.80.238]:61468
X-Source-Auth: jeff.hodges+kingsmountain.com
X-Email-Count: 1
X-Source-Cap: a2luZ3Ntb3U7a2luZ3Ntb3U7Ym94NTE0LmJsdWVob3N0LmNvbQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/4BeWeTSeWu1T6ng-lmwG6_o4quQ>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2017 05:00:59 -0000

Andrei wrote:
 > Amos had said:
 >> The Connection header is not particularly about proxies. It is
 >> simply about distinguishing hop-by-hop things from end-to-end so
 >> any naive/old HTTP recipient can keep the relevant data secure in a
 >>  fail-closed way.
 >
 > ...and TB can be handled hop-by-hop or passed on for subsequent
 > validation; both are valid use-cases.
 >
 > It would be a concern if the backend servers were to assume that any
 >  TB header (and the contained TB message) floating around is always
 > valid. Instead what the specs currently say is that if you receive a
 > TB message, you've got to validate it before accepting a bound
 > token. If validation fails, the bound token is rejected.
 >
 > It seems therefore that stripping TB headers does not "fail closed",
 >  but simply eliminates the possibility that the contained TB message
 > may get verified further down the line.

Actually, unless I'm mis-interpreting TBPROTO (aka -tokbind-protocol),
it presently does not allow an application-layer proxy/gateway (that
terminates the client-side TLS connection) to simply pass a TBMSG on to
the next hop because (a) present spec language in TBPROTO S 4.2
precludes processing TBMSG if TB was not negotiated on the connection 
[1], and (b) S 5 precludes honoring bound tokens rec'd on a connection 
where their embedded TBIDs do not match the TBID established for the
connection they were received over [2].

Apropos to (a), we are presently thinking that HTTP/TLS Terminating
Reverse Proxies (TTRPs) likely will not negotiate TB on their
towards-origin-server connections (aka backend connections) [3], and so
if they simply forward along the Sec-Token-Binding (STB) header
containing the TBMSG, the receiver is (presently) obliged to reject any
"contained bindings".

In the (b) case, since TBPROTO aspires to be app protocol neutral, there
may be some app layer gateway that does want the gateway to negotiate TB
on the backend connections, and then the present spec language impedes
processing of tokens that have been gathered on prior hops. Plus in the
case where TB is not nego'd on the backend connection, the receiving
backend server is obliged to not honor the bound tokens because their
TBIDs do not match a null TBID of the non-TB'd connection they were
received over.

 > It is true that a proxy could forward Sec-Token-Binding's contents as
 > a custom header, possibly specified in another document. This is a
 > valid design; I'm just not convinced that this should be the only
 > possible design.

Also, if an STB header is forwarded along "automatically" (eg, because
it was not listed in the Connection header), it must be accompanied by 
the EKM et al necessary to validate it, so it seems a forwarding entity 
needs to be "TB-aware" to some degree in order to include said material 
(eg, via the proposed Token-Binding-Context (TBC) header [4]), and if it 
is so "aware", it ostensibly can then also forward along the STB 
regardless of whether the STB is listed in the received Connection 
header (due to the exception Amos cited earlier in RFC7230 S 6.1).

So unless I'm mistaken, we have identified some things we ought to alter 
in TBPROTO in order to facilitate TTRPs. HTTPSTB may also need some 
associated language. This seems to be regardless of what we say about 
STB being conveyed in the Connection header. See diagram at [5]. Other 
scenarios (and a legend etc) also diagrammed at..

http://kingsmountain.com/doc/draft-ietf-tokbind-figures-STB-TTRPs.txt

=JeffH


[1] in "4.2 Server Processing Rules":
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-11#section-4.2

CURRENT:
    If the use of the Token Binding protocol was not negotiated, but the
    client sends the Token Binding message, the server MUST reject any
    contained bindings.


[2] in "5. Bound Security Token Creation and Validation":
https://tools.ietf.org/html/draft-ietf-tokbind-protocol-11#section-5

CURRENT:
                                                 If the token is bound
    and a Token Binding has not been established for the client
    connection, the server MUST discard the token.  If the Token Binding
    ID for the token does not match the Token Binding ID established for
    the client connection, the server MUST discard the token.



[3] <https://www.ietf.org/mail-archive/web/unbearable/current/msg01191.html>

[4] https://tools.ietf.org/html/draft-campbell-tokbind-tls-term

[5] Scenario 3: TB-aware TTRP, TB-wielding origin server.
[[ISSUES]]

Note: this scenario generalizes to more than one TB-aware TTRP in the
path.


TB-wielding                 TB-aware                      TB-wielding
client                      TTRP                        Origin Server
[TB nego,                   [TB-nego,                      [!TB-nego,
  mints STB]                  !process STB,		  process STB
                              !process Toks]		   using TBC,
							process Toks]
GET / HTTP/1.1
Host:...
STB:AIkAAg...72REUA
{Connection:STB}
-------------------------------->
         [TB-nego]
                            [pass-thru STB due to
                             exception clause in
                             RFC7230 S 6.1 (or
			    automatically if no
                             Connection hdr), add TBC,
                             optionally use Connection
			    header.]

                            GET / HTTP/1.1
                            Host:...
                            STB:AIkAAg..72REUA
                            TBC:AQAClt..7fFs4i
                            {Connection:STB,TBC}
                            ---------------------------------->
                                       [!TB-nego]

                                                  WANT:     using TBC,
                                                      origin server is
                                                        able to verify
                                                      TBMSG in STB and
                                                           to bind sec
                                                        tokens to TBID
                                                      from client-TTRP
                                                           connection.
						
                                                 BUT:        No TB on
                                                     connection to OS.
                                                    Also, present spec
                                                 language in [3] S 4.2
                                                  precludes processing
                                                STB, and S 5 precludes
                                                 honoring bound tokens
                                              rec'd on this connection
                                                                   !!!
                                        THUS:
                                                       HTTP/1.1 200 OK
                                            Set-cookie:foo=31d4..aad42
                                                       [cookie !bound]
                                   <----------------------------------

                    HTTP/1.1 200 OK
        Set-cookie:foo=31d4..aad42
                    [cookie !bound]
    <------------------------------



###+++###+++###+++###+++###+++###+++###+++###+++###+++###+++###+++###

v2.30.2 | Report a Bug | By Email | System Status