IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

John Bradley <ve7jtb@ve7jtb.com> Tue, 07 February 2017 22:56 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C52212948D for <unbearable@ietfa.amsl.com>; Tue, 7 Feb 2017 14:56:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jc9Y4-DpcZ0U for <unbearable@ietfa.amsl.com>; Tue, 7 Feb 2017 14:56:12 -0800 (PST)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D51C312947E for <unbearable@ietf.org>; Tue, 7 Feb 2017 14:56:11 -0800 (PST)
Received: by mail-qt0-x236.google.com with SMTP id k15so149860202qtg.3 for <unbearable@ietf.org>; Tue, 07 Feb 2017 14:56:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=cxZGZ9fwwh8p9OqpkUxr3nNenr70KMPcLrFiKFgho8Q=; b=fQCYhKgs6SJFkA9Tf+G/jF2yyPlqudjIGaK2Sww9OcOCtNFxbQGF8Zjsq8SWFKqhOF VcvCswq8sHx/8Xgq2nuY/IseFLVoRRtqe8Y2CKENgyfyyu8J3ljJWoQDo9Tmq+5rKPOM r53/dfgMRHYmyEJdGn1TKACjFofEyPjTXIy2rjyO/navai8uB9kqyVk8wVO0/OPHUivc BuQNm532FvEPRqGyfJvgQmtuDQX0FKpz8vYqXrHdibKlkBWARAnXT4YntJq7RHPDh/zV ajWpoW7UZ4q7hnwKIDO8qWKuXG1ZgWn8OFVQIA8SgoBZJrFGar6WtSDgIlPBHOY4Z3P9 WQAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=cxZGZ9fwwh8p9OqpkUxr3nNenr70KMPcLrFiKFgho8Q=; b=LijmM9o23wBM8VmjcNKOdmOF8Xu+Hq5AzhL3EOGNc4asVU8Q+jljkQ0fUqw1gzt9Gp Q/2wgIGWP2kJhYWbD328ohzSJo61nfaUObWvJA94J9uW3iYxp3WzbBRUC4C+kvCND6GS fp716BehiYb/9r4Z0rawoCB2ImCB+F5iiP69FjXMRyZXtD0gEbQo+Gics9xgFb5e5+76 3D3WpVk9S8Kpt2tCJxwqCVACM7pnLzrGfP771+QVATR4kvoEEOUn1f4PgXwtDZzUEAO1 GiybaNtpa5l7vcHk6HEy/F95UG7xcw6l3+KehkZF+Nd5pDzSLqldN5o3NM9wjP9kUOrW q6Gg==
X-Gm-Message-State: AMke39mlGPdxRwBruwJLUyuKTUlvWKTbw0VfM2+LAP1OYvTSRnAyKDUWk585UBmtrBOjGBBr
X-Received: by 10.200.44.243 with SMTP id 48mr15964872qtx.262.1486508170831; Tue, 07 Feb 2017 14:56:10 -0800 (PST)
Received: from [192.168.86.150] ([191.115.72.210]) by smtp.gmail.com with ESMTPSA id h40sm4604965qtb.6.2017.02.07.14.56.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Feb 2017 14:56:10 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <C97FF7A1-5EAB-4117-A9D2-65C9A9993A8F@ve7jtb.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_C617AC19-606D-4CAB-9C91-ACBF4B8B9A0B"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 07 Feb 2017 19:56:03 -0300
In-Reply-To: <CY1PR0301MB084254BDDD2E72104D20BE9A8C430@CY1PR0301MB0842.namprd03.prod.outlook.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
References: <e56976df-c7e7-6dde-8f27-9aeb152f66ab@KingsMountain.com> <CY1PR0301MB084254BDDD2E72104D20BE9A8C430@CY1PR0301MB0842.namprd03.prod.outlook.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/4y7mdKN2-zcer3NXoRGoOTLBT3M>
Cc: IETF TokBind WG <unbearable@ietf.org>, =JeffH Hodges <Jeff.Hodges@KingsMountain.com>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2017 22:56:14 -0000

Are connection headers normally used in the reverse proxy use case?   Generally the user agent wouldn't know that it was talking to a proxy.

I thought that they were more for the forward proxy use case where the browser is configured to talk to a specific proxy or is transparently intercepted (man/enterprise in the middle) 

I could hypothetically see a enterprise proxy creating token binding Id’s for the connections to servers and mapping those to token binding ID from the browser. 

I think the NGNX token binding module (https://github.com/google/ngx_token_binding <https://github.com/google/ngx_token_binding>) is doing that sort of transparent mapping on the server side for session cookies. 

We probably don't want the same behaviour for both forward and reverse proxies.

John B.


> On Feb 7, 2017, at 7:38 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> 
> When we discussed this early on, there was a strong distaste for connection headers in the HTTP community, so we've defined TB headers as per-request.
> " clients MUST include the Sec-Token-
>   Binding header field in their HTTP requests."
> We could also explicitly prohibit listing TB headers in the Connection header, if folks would like to see this clarification. 
> There are many reasons to keep TB headers per-request; it's not just about the proxies and terminators.
> 
> Cheers,
> 
> Andrei
> 
> -----Original Message-----
> From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of =JeffH
> Sent: Tuesday, February 7, 2017 2:15 PM
> To: IETF TokBind WG <unbearable@ietf.org>
> Subject: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
> 
> the below is kind of long (read it anyway :)  The summary is we need to make a conscious decision regarding the Connection HTTP request header field and whether we provide guidance regarding it and the Sec-Token-Binding header (and what guidance if so), or not. This seems to have ramifications for the nascent draft-campbell-tokbind-tls-term draft, unless I'm misunderstanding things.
> 
> =JeffH
> 
> In working through the list of "Considerations for New Header Fields" at the end of rfc7231 section 8.3.1 [1], there are these two items..
> 
>    o  Whether it is appropriate to list the field-name in the Connection
>       header field (i.e., if the header field is to be hop-by-hop; see
>       Section 6.1 of [RFC7230]).
> 
>    o  Under what conditions intermediaries are allowed to insert,
>       delete, or modify the field's value.
> 
> Given the specifics in [RFC7230] Section 6.1 [2]..
> 
>   6.1.  Connection
> 
>    The "Connection" header field allows the sender to indicate desired
>    control options for the current connection.  In order to avoid
>    confusing downstream recipients, a proxy or gateway MUST remove or
>    replace any received connection options before forwarding the
>    message.
> 
>    When a header field aside from Connection is used to supply control
>    information for or about the current connection, the sender MUST list
>    the corresponding field-name within the Connection header field.  A
>    proxy or gateway MUST parse a received Connection header field before
>    a message is forwarded and, for each connection-option in this field,
>    remove any header field(s) from the message with the same name as the
>    connection-option, and then remove the Connection header field itself
>    (or replace it with the intermediary's own connection options for the
>    forwarded message).
> 
>    Hence, the Connection header field provides a declarative way of
>    distinguishing header fields that are only intended for the immediate
>    recipient ("hop-by-hop") from those fields that are intended for all
>    recipients on the chain ("end-to-end"), enabling the message to be
>    self-descriptive and allowing future connection-specific extensions
>    to be deployed without fear that they will be blindly forwarded by
>    older intermediaries.
> 
> ..it offhand seems that one would want to list "Sec-Token-Binding" in the Connection header field because Sec-Token-Binding is ostensibly about the connection and is hop-by-hop because TLS is hop-by-hop.
> 
> However, given our current thinking wrt TB and TLS Terminating Reverse Proxies [3], where we are contemplating one approach where such "TTRPs" 
> pass-through the Sec-Token-Binding header field and add a corresponding Token-Binding-Context header, one would not want to list Sec-Token-Binding in the Connection header (because a TTRP would then strip it off). However there are implementation and security considerations with this.
> 
> As one proposal, we could say in HTTPSTB something along the lines of..
> 
>   [...]
>   Clients SHOULD NOT list the Sec-Token-Binding header field as
>   a connection option in the Connection header field (Section 6.1
>   of [RFC7230]) in order to generally enable Sec-Token-Binding
>   header field pass-through by intermediaries, e.g., by TLS
>   terminating reverse proxies (TTRP). Intermediaries MUST NOT
>   modify the Sec-Token-Binding header field's value. See also the
>   security considerations section.
>   [...]
>   Security Considerations
>   [...]
>   Not listing Sec-Token-Binding in the Connection header: this
>   enables TTRPs to transparently convey the Sec-Token-Binding header
>   field, containing a Token Binding Message, to the next tier ("backend
>   servers"), e.g., where security tokens containing Token Binding IDs
>   may be minted and validated. The communication between a TTRP and
>   backend servers needs to be secured against eavesdropping and
>   modification by unintended parties. The Token Binding Message itself
>   may be validated by the TTRP or by a backend server. Though, in the
>   latter case, the data necessary to perform such validation (i.e., the
>   EKM, etc.) needs to be conveyed to the entity performing it. Such
>   conveyance is out of scope for this specification.
> 
>   Listing Sec-Token-Binding in the Connection header: if done, this
>   may help in ensuring that Token Binding IDs are not inadvertently
>   revealed to unintended parties, though may cause difficulties with
>   web sites employing TTRPs.
>   [...]
> 
> Or, we could just say "clients SHOULD list the Sec-Token-Binding header field as a connection option in the Connection header field", but that will create problems for TTRPs [3].
> 
> Or, we can just not mention the Connection header and see if anyone raises questions about it during further WG and IETF-wide review.
> 
> thoughts?
> 
> [1] <https://tools.ietf.org/html/rfc7231#section-8.3.1>
> 
> [2] <https://tools.ietf.org/html/rfc7230#section-6.1>
> 
> [3] <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term>
> 
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable

v2.30.2 | Report a Bug | By Email | System Status