IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 09 February 2017 18:18 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065D8129C46 for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 10:18:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zRU_tdBuTPKu for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 10:18:19 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0101.outbound.protection.outlook.com [104.47.33.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 76417127076 for <unbearable@ietf.org>; Thu, 9 Feb 2017 10:18:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=oqB28gg8kZENSk37kAz35H5XQL8u3ZdgvlMtFKgxrk0=; b=kv3MuPBt68BeGjlbefyJ1D3SIztUPSvemjrroaW9G8ttBTJJCzXa5xDtXv/sYc++h3MZ1OQ24IUGkRg+ik1D6/s7oKGAz8NbOVXNeqmUt3R98x7JiVdeUw7Ons2GD/Q+mBCI0qTTwLwch31LiRHy4SgtTFM2tgMIHaRs33mLZKo=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Thu, 9 Feb 2017 18:18:17 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0888.026; Thu, 9 Feb 2017 18:18:17 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>, IETF TokBind WG <unbearable@ietf.org>
Thread-Topic: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
Thread-Index: AQHSgvaVoAIXC6BWu0OMPbiyGCJ7xqFg+h3w
Date: Thu, 09 Feb 2017 18:18:17 +0000
Message-ID: <CY1PR0301MB084218FB63BE0A51C6045AE18C450@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <935ac509-1e0f-3fed-0239-04cf390ef2ce@KingsMountain.com>
In-Reply-To: <935ac509-1e0f-3fed-0239-04cf390ef2ce@KingsMountain.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:9::1d2]
x-ms-office365-filtering-correlation-id: 09caef47-3629-4634-78d5-08d45118055e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY1PR0301MB0842;
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB0842; 7:kvkg8QHWZskgTKNHmiuthTs6W1fncgHDRTQ81UIzPgy4v3e58XoZUeuT4aBth0uyefDAGxuO8bh3hFEFamUsehW07bVacclrUPDpp7l4AX4RGKTfT2Xxejb6YtyFhr9PjUv2D7W60MVBDvRvwIA1x2NJlD2AU5zV2PU4CCXLQXGPmKugJp/ZFv8lCkLqd7P+Vtgo2BisEUuNOjW1g0Kp7d5q+7+P34znDLnHAU1zrmgFf+Sh1gCGA3UzWJx9SxVwvZzHbbkxZ4ljPq/NLQek/cX2cb4zce63UUk619TjUHHgSH/O8q1wy/1Uc+FsylwqMD88VVsQHHmBHgtF4Q/I82+CP1RoFssY25psTUuxFFjlbp5Q1YPr/v1fNIVL0P1zPNBemEdb63An/a0R8NlxRSVgc6XFclNdmxNAOZS3WmrCL/z0rpOsv2Ca+c80c+OQ40F+dI2KHLOoJ/vT+wxwoKtZbFhqK+6oLdwfLIzPYiG6iEFszVlvIppUUK7tP3c/dg+5OLKWYJJ7WRoxKV7v7I2jrb/m9jQTx5w+z5o4eq8=
x-microsoft-antispam-prvs: <CY1PR0301MB0842D8A18D8F84D39DB322198C450@CY1PR0301MB0842.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(788757137089)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123558025)(20161123560025)(20161123555025)(20161123562025)(6072148); SRVR:CY1PR0301MB0842; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0842;
x-forefront-prvs: 02135EB356
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39450400003)(39410400002)(39850400002)(39860400002)(377454003)(199003)(189002)(13464003)(55016002)(6306002)(6506006)(25786008)(33656002)(6436002)(3280700002)(2906002)(81166006)(101416001)(5660300001)(106116001)(53936002)(92566002)(86362001)(99286003)(10090500001)(229853002)(6246003)(77096006)(86612001)(97736004)(5005710100001)(305945005)(9686003)(8936002)(54356999)(76176999)(230783001)(8676002)(50986999)(106356001)(68736007)(122556002)(10290500002)(102836003)(189998001)(6116002)(81156014)(105586002)(7736002)(7696004)(3660700001)(8990500004)(2900100001)(38730400002)(74316002)(2950100002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0842; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2017 18:18:17.5493 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0842
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/j5430UkErxm66tz0SjpXIwJsUyc>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 18:18:22 -0000

Hi Jeff,

If you agree that the client, generally, does not know whether the proxy/TLS terminator validates TB or passes it on to the back-end server, then why do you argue that the client should require the proxy to drop TB headers? I believe the client should not interfere with this and let datacenter infrastructure figure out how/where to handle TB headers.

> ..which is what we want by default for security considerations reasons, I think.
Sorry, what security considerations reasons are you referring to?

Cheers,

Andrei

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of =JeffH
Sent: Thursday, February 9, 2017 9:05 AM
To: IETF TokBind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

 >> I agree with this for security considerations reasons -- we want  >> the Sec-Token-Binding header to be hop-by-hop in sync with the  >> underlying TLS connection and not be "leaked" downstream unless it  >> is a conscious decision, e.g., in the tls terminating reverse proxy  >> (TTRP) case.
 >>
 >>
 > But the client is only making a connection to a server and client  > does not know whether it makes sense for that server to forward or  > not. And it shouldn't know that.

correct, agreed.

 > Sec-Token-Binding shouldn't be listed in Connection header field by  > a client.

listing Sec-Token-Binding in the Connection header means ([RFC7230] Section 6.1)..

    6.1.  Connection

     The "Connection" header field allows the sender to indicate desired
     control options for the current connection.  In order to avoid
     confusing downstream recipients, a proxy or gateway MUST remove or
     replace any received connection options before forwarding the
     message.

..which is what we want by default for security considerations reasons, I think.

As Dirk noted:
  >
  > If the proxy has qualms about violating the spec by forwarding the
  > Sec-Token-Binding header despite its being listed in the Connect
  > header, it can always just use a different header name, like
  > "Private-Forwarded-Token-Binding", or whatever - some  mechanism
  > proprietary to the proxy and downstream server.

Thus, a comment on
<https://tools.ietf.org/html/draft-campbell-tokbind-tls-term> (which i'll endeavor to write up more fully anon) is that it should either define another header field for conveyance of the EncodedTokenBindingMessage (along with the header field it already
defines) or have the header field it already defines convey both the EncodedTokenBindingMessage and the EKM et al.

=JeffH

_______________________________________________
Unbearable mailing list
Unbearable@ietf.org
https://www.ietf.org/mailman/listinfo/unbearable

v2.30.2 | Report a Bug | By Email | System Status