IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

John Bradley <ve7jtb@ve7jtb.com> Wed, 08 February 2017 14:44 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD431129B6B for <unbearable@ietfa.amsl.com>; Wed, 8 Feb 2017 06:44:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x9ylxnUExTdl for <unbearable@ietfa.amsl.com>; Wed, 8 Feb 2017 06:44:07 -0800 (PST)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE726129B7A for <unbearable@ietf.org>; Wed, 8 Feb 2017 06:44:06 -0800 (PST)
Received: by mail-qt0-x22d.google.com with SMTP id x49so166669546qtc.2 for <unbearable@ietf.org>; Wed, 08 Feb 2017 06:44:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=C9L9mAKMbq+yNualnhmNLPgSio8o+j3CuyZ+HwqlZmI=; b=dtgN+G/lkHmXsWPxfAWl83osW8Y8zFFLQT4BoUd+S9Fyqbhul2HDe+eormLRz+6QpD puD8RA7lACu+kCSkkJjOKfjXakd/IZQ+S4WaXC2aontByaujymtGL2oFza5IWnW/JHuo iU+WZmLCcmLEaErxLLmoKYXxTudSK6+rYaSSm6VSQpWyZ+8NZtT/3yUFqjCzrQFfNfzP YnZghrSlYWJ65ELt69H1pmeAKxNwJHBIZGRmP6FRKxo1fTw72KiFvTQMO3wis7Hkvjlj yad/oGl5vLTq99/MkFyhycCP+9FpA6YQW8fGY9iHdDqporcGoqWb+16ilr4HHFK8EFIh 4wHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=C9L9mAKMbq+yNualnhmNLPgSio8o+j3CuyZ+HwqlZmI=; b=REQruOq6/efe6Os1xK4wg43YjxbAwIga3vqaW9aJqY6Gl0LesjISNoBMIeym9f/gcG unv8HokTZsfuP5ykSszLGaCYGOzW2DmW6M912wCzXQ5Q4Bm7LQzZUMvjE8JChup+y8lP nrCFtzEFYj7TLRnY361A2de3ZWrTzP7Ok0/tEYsRkGXMgd74OwK9I7bKyN76Qq7jFww+ cZTJupYzjZjYDZhbqe5EkZJ3DscQesvwyXrF0H0YNxhtU6tkvaj4XqFUGRrc8EaJdgF8 RuPTYwxjE5dDeDzdS+bDM2w6Te4MjI+ffyY/YIh2Bc8h+SMW3rswsDY8quTgAkzJp0hC jcZw==
X-Gm-Message-State: AMke39nWEr1Z9Ns6Alhcw2dqcd8X8HNFbRJh/N//F9emF9E3yfJEUHVsPBPaEooJ3Fh6RJXR
X-Received: by 10.237.61.20 with SMTP id g20mr21775245qtf.272.1486565045494; Wed, 08 Feb 2017 06:44:05 -0800 (PST)
Received: from [192.168.8.100] ([181.201.86.53]) by smtp.gmail.com with ESMTPSA id d52sm6361175qtc.2.2017.02.08.06.44.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Feb 2017 06:44:04 -0800 (PST)
From: John Bradley <ve7jtb@ve7jtb.com>
Message-Id: <43DD0CF0-4043-448D-BE38-FAFFDE779B57@ve7jtb.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_4744FFE4-2DC7-4809-8682-E0DE72E43CF8"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 08 Feb 2017 11:44:00 -0300
In-Reply-To: <CADHfa2A-kpD_swEzMue33eeKj=Xd6_au2KL=XD+AmYq=m6hrdw@mail.gmail.com>
To: Dirk Balfanz <balfanz@google.com>
References: <e56976df-c7e7-6dde-8f27-9aeb152f66ab@KingsMountain.com> <CY1PR0301MB084254BDDD2E72104D20BE9A8C430@CY1PR0301MB0842.namprd03.prod.outlook.com> <C97FF7A1-5EAB-4117-A9D2-65C9A9993A8F@ve7jtb.com> <CADHfa2A-kpD_swEzMue33eeKj=Xd6_au2KL=XD+AmYq=m6hrdw@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/g01JrNj4axlfgWYEoL9z7EsO3Co>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, IETF TokBind WG <unbearable@ietf.org>, =JeffH Hodges <Jeff.Hodges@kingsmountain.com>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 14:44:10 -0000

I suspect the only place we really run into a conflict is in Brian's draft by re using/maintaining the Sec-Token-Binding header.

As Dirk points out that draft could move the info in the Sec-Token-Binding header to a different header if it is listed in the Connect header, or always just use a different header name.

That can be debated as part of the reverse proxy spec.

I am not really getting the sense that we need to mention the connect header if we are happy with the default behaviour and can account for it in specs using token binding.

What do people think we should do to close this?

John B.


> On Feb 8, 2017, at 12:52 AM, Dirk Balfanz <balfanz@google.com> wrote:
> 
> I don't feel strongly about this - I'm fine either way, but would suggest the following:
> 
> - The Connect header is for the client to tell a proxy "this header really doesn't make sense to forward, please drop it on the next hop".
> - Clients usually aren't aware that they're talking to a TTRP, so I agree with John that that's probably not a use case that the Connect header was meant for.
> - If the client *is* aware that it's talking to a proxy, listing Sec-Token-Binding in the Connect header (thus indicating that it shouldn't be forwarded) makes sense to me.
> - If the proxy has some sort of arrangement with the downstream server that it's supposed to communicate the Token Binding information (like a TTRP would), it has a two options:
>   * verify the Token Binding information and forward just the Token Binding ID to the downstream server (using some mechanism proprietary to the proxy and downstream server).
>   * forward the Sec-Token-Binding header, and (using some mechanism proprietary to the proxy and downstream server) the EKM information, to the downstream server.
> If the proxy has qualms about violating the spec by forwarding the Sec-Token-Binding header despite its being listed in the Connect header, it can always just use a different header name, like "Private-Forwarded-Token-Binding", or whatever - some  mechanism proprietary to the proxy and downstream server.
> - Either way, the proxy will have to know what the Sec-Token-Binding header means and use some sort of proprietary mechanism between itself and the downstream server to pass on the information that the downstream server needs.
> - For a proxy that *doesn't* know what the Sec-Token-Binding header means, it's probably best to just drop it, thus saving the downstream server some work verifying a header that we know won't verify.
> 
> So to me it seems that listing it in the Connect header is the right answer, but like I said I don't feel strongly about it.
> 
> Dirk.
> 
> 
> On Tue, Feb 7, 2017 at 2:56 PM John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> Are connection headers normally used in the reverse proxy use case?   Generally the user agent wouldn't know that it was talking to a proxy.
> 
> I thought that they were more for the forward proxy use case where the browser is configured to talk to a specific proxy or is transparently intercepted (man/enterprise in the middle) 
> 
> I could hypothetically see a enterprise proxy creating token binding Id’s for the connections to servers and mapping those to token binding ID from the browser. 
> 
> I think the NGNX token binding module (https://github.com/google/ngx_token_binding <https://github.com/google/ngx_token_binding>) is doing that sort of transparent mapping on the server side for session cookies. 
> 
> We probably don't want the same behaviour for both forward and reverse proxies.
> 
> John B.
> 
> 
>> On Feb 7, 2017, at 7:38 PM, Andrei Popov <Andrei.Popov@microsoft.com <mailto:Andrei.Popov@microsoft.com>> wrote:
>> 
>> When we discussed this early on, there was a strong distaste for connection headers in the HTTP community, so we've defined TB headers as per-request.
>> " clients MUST include the Sec-Token-
>>   Binding header field in their HTTP requests."
>> We could also explicitly prohibit listing TB headers in the Connection header, if folks would like to see this clarification. 
>> There are many reasons to keep TB headers per-request; it's not just about the proxies and terminators.
>> 
>> Cheers,
>> 
>> Andrei
>> 
>> -----Original Message-----
>> From: Unbearable [mailto:unbearable-bounces@ietf.org <mailto:unbearable-bounces@ietf.org>] On Behalf Of =JeffH
>> Sent: Tuesday, February 7, 2017 2:15 PM
>> To: IETF TokBind WG <unbearable@ietf.org <mailto:unbearable@ietf.org>>
>> Subject: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
>> 
>> the below is kind of long (read it anyway :)  The summary is we need to make a conscious decision regarding the Connection HTTP request header field and whether we provide guidance regarding it and the Sec-Token-Binding header (and what guidance if so), or not. This seems to have ramifications for the nascent draft-campbell-tokbind-tls-term draft, unless I'm misunderstanding things.
>> 
>> =JeffH
>> 
>> In working through the list of "Considerations for New Header Fields" at the end of rfc7231 section 8.3.1 [1], there are these two items..
>> 
>>    o  Whether it is appropriate to list the field-name in the Connection
>>       header field (i.e., if the header field is to be hop-by-hop; see
>>       Section 6.1 of [RFC7230]).
>> 
>>    o  Under what conditions intermediaries are allowed to insert,
>>       delete, or modify the field's value.
>> 
>> Given the specifics in [RFC7230] Section 6.1 [2]..
>> 
>>   6.1.  Connection
>> 
>>    The "Connection" header field allows the sender to indicate desired
>>    control options for the current connection.  In order to avoid
>>    confusing downstream recipients, a proxy or gateway MUST remove or
>>    replace any received connection options before forwarding the
>>    message.
>> 
>>    When a header field aside from Connection is used to supply control
>>    information for or about the current connection, the sender MUST list
>>    the corresponding field-name within the Connection header field.  A
>>    proxy or gateway MUST parse a received Connection header field before
>>    a message is forwarded and, for each connection-option in this field,
>>    remove any header field(s) from the message with the same name as the
>>    connection-option, and then remove the Connection header field itself
>>    (or replace it with the intermediary's own connection options for the
>>    forwarded message).
>> 
>>    Hence, the Connection header field provides a declarative way of
>>    distinguishing header fields that are only intended for the immediate
>>    recipient ("hop-by-hop") from those fields that are intended for all
>>    recipients on the chain ("end-to-end"), enabling the message to be
>>    self-descriptive and allowing future connection-specific extensions
>>    to be deployed without fear that they will be blindly forwarded by
>>    older intermediaries.
>> 
>> ..it offhand seems that one would want to list "Sec-Token-Binding" in the Connection header field because Sec-Token-Binding is ostensibly about the connection and is hop-by-hop because TLS is hop-by-hop.
>> 
>> However, given our current thinking wrt TB and TLS Terminating Reverse Proxies [3], where we are contemplating one approach where such "TTRPs" 
>> pass-through the Sec-Token-Binding header field and add a corresponding Token-Binding-Context header, one would not want to list Sec-Token-Binding in the Connection header (because a TTRP would then strip it off). However there are implementation and security considerations with this.
>> 
>> As one proposal, we could say in HTTPSTB something along the lines of..
>> 
>>   [...]
>>   Clients SHOULD NOT list the Sec-Token-Binding header field as
>>   a connection option in the Connection header field (Section 6.1
>>   of [RFC7230]) in order to generally enable Sec-Token-Binding
>>   header field pass-through by intermediaries, e.g., by TLS
>>   terminating reverse proxies (TTRP). Intermediaries MUST NOT
>>   modify the Sec-Token-Binding header field's value. See also the
>>   security considerations section.
>>   [...]
>>   Security Considerations
>>   [...]
>>   Not listing Sec-Token-Binding in the Connection header: this
>>   enables TTRPs to transparently convey the Sec-Token-Binding header
>>   field, containing a Token Binding Message, to the next tier ("backend
>>   servers"), e.g., where security tokens containing Token Binding IDs
>>   may be minted and validated. The communication between a TTRP and
>>   backend servers needs to be secured against eavesdropping and
>>   modification by unintended parties. The Token Binding Message itself
>>   may be validated by the TTRP or by a backend server. Though, in the
>>   latter case, the data necessary to perform such validation (i.e., the
>>   EKM, etc.) needs to be conveyed to the entity performing it. Such
>>   conveyance is out of scope for this specification.
>> 
>>   Listing Sec-Token-Binding in the Connection header: if done, this
>>   may help in ensuring that Token Binding IDs are not inadvertently
>>   revealed to unintended parties, though may cause difficulties with
>>   web sites employing TTRPs.
>>   [...]
>> 
>> Or, we could just say "clients SHOULD list the Sec-Token-Binding header field as a connection option in the Connection header field", but that will create problems for TTRPs [3].
>> 
>> Or, we can just not mention the Connection header and see if anyone raises questions about it during further WG and IETF-wide review.
>> 
>> thoughts?
>> 
>> [1] <https://tools.ietf.org/html/rfc7231#section-8.3.1 <https://tools.ietf.org/html/rfc7231#section-8.3.1>>
>> 
>> [2] <https://tools.ietf.org/html/rfc7230#section-6.1 <https://tools.ietf.org/html/rfc7230#section-6.1>>
>> 
>> [3] <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term>>
>> 
>> 
>> _______________________________________________
>> Unbearable mailing list
>> Unbearable@ietf.org <mailto:Unbearable@ietf.org>
>> https://www.ietf.org/mailman/listinfo/unbearable <https://www.ietf.org/mailman/listinfo/unbearable>
>> 
>> _______________________________________________
>> Unbearable mailing list
>> Unbearable@ietf.org <mailto:Unbearable@ietf.org>
>> https://www.ietf.org/mailman/listinfo/unbearable <https://www.ietf.org/mailman/listinfo/unbearable>
> 
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org <mailto:Unbearable@ietf.org>
> https://www.ietf.org/mailman/listinfo/unbearable <https://www.ietf.org/mailman/listinfo/unbearable>

v2.46.0 | Report a Bug | By Email | System Status