IETF Logo Mail Archive

Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 09 February 2017 18:49 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A261112957E for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 10:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Frvf7pPHG3ht for <unbearable@ietfa.amsl.com>; Thu, 9 Feb 2017 10:48:59 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0134.outbound.protection.outlook.com [104.47.33.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CEEC127076 for <unbearable@ietf.org>; Thu, 9 Feb 2017 10:48:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IugP1kIw0soJCvtWp43/LL7AN16eazzJSv0oIiz9WcE=; b=i9Vywz5JD/kB+3LZrn2VY5YtkP9MGd71iAHzkmZ02NJsIDNKs0PereWHByy9lSlZGyneWr1n5WKhJZl3jAauQVaZ8e0Xd1HoZTHLFZskHFrGIGDl4E5HY/gZUJLltaKfe5ZJsS2QVnFoRjsf+qifOMTVV/dcw9A3nZe8ByrqlK4=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB0844.namprd03.prod.outlook.com (10.160.163.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Thu, 9 Feb 2017 18:48:54 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0888.026; Thu, 9 Feb 2017 18:48:54 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
Thread-Index: AQHSguz8oAIXC6BWu0OMPbiyGCJ7xqFg384AgAAczHCAAAWOgIAAAH5g
Date: Thu, 09 Feb 2017 18:48:54 +0000
Message-ID: <CY1PR0301MB08423422FB68F197584F31B98C450@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <074faef6-b425-17f8-ac05-223834a2cc0b@KingsMountain.com> <CA+k3eCSwvcKyN6t+9cTLSAJu9+5Uz27Db5NW_zy9W7Bx71gG4Q@mail.gmail.com> <CY1PR0301MB084223E0274288D9B330D16D8C450@CY1PR0301MB0842.namprd03.prod.outlook.com> <C9D5F321-CA4F-4359-96E8-AC436E5B2A13@ve7jtb.com>
In-Reply-To: <C9D5F321-CA4F-4359-96E8-AC436E5B2A13@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:9::1d2]
x-ms-office365-filtering-correlation-id: 3c50e62f-f473-4083-fdcd-08d4511c4c77
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:CY1PR0301MB0844;
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB0844; 7:7ZUmVjOI3theL1LwXGbkYRR9OuURjF1GB638NfJ93BcLqbbduuaZWOw81Eq/vI3WbmBjXGll9lWePpJAWYIFrsQv+kz6T327/J8aLE+H5M+OpdpykEG8e3Go2QypyHl6yFu/3zBu6J5krusyDEOOE4iDpuSsDtIRurGx/Nd9AkWpV5WAtW8y7vn+pX6AOAv8YyPPtdLCzgSrw0+VAO/3MP4pmnLzzCpk/cssxLh60lWB77MsJF/zcdm17i5dGqZ3Cl7NOmPS9KGxNYGHqCCEmMKyYC2V7uLdiHKkO04M4F6Pp65f/eZMxxDK5r3RLBRlFENvCVXK+t0akor2+KPMQwYFI5Y4WnVDHolLwJ5i161ZecZL3P2opj6XhFk0p4PMKJWv6d55DzeM/9Nf7ckMzMUVEYmooanoqqY/LFvqRn0O4u+9j6j/d7qhC26l8DeEf/ZRsiAyyM7s2B2FI+s+0b+ZNJ6OPHG2mzzBNhMJ8Du20gtfDYW2/aYxOa+Ho6vwM9frLE45IF3cmnCvFwH/ElMXCAlLOUYBIdndXHMSM7Y=
x-microsoft-antispam-prvs: <CY1PR0301MB08445C0395E8B4441A465C4A8C450@CY1PR0301MB0844.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(21748063052155)(17755550239193);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123558025)(20161123560025)(20161123555025)(20161123562025)(6072148); SRVR:CY1PR0301MB0844; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0844;
x-forefront-prvs: 02135EB356
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(39840400002)(39850400002)(39410400002)(39860400002)(39450400003)(189002)(199003)(24454002)(377454003)(2950100002)(6916009)(8936002)(106356001)(8990500004)(38730400002)(53936002)(81166006)(2900100001)(3280700002)(54906002)(50986999)(92566002)(76176999)(54356999)(236005)(8676002)(230783001)(81156014)(101416001)(7696004)(189998001)(5660300001)(10090500001)(110136004)(97736004)(33656002)(2906002)(7736002)(10290500002)(5005710100001)(122556002)(6246003)(4326007)(105586002)(106116001)(7906003)(77096006)(3660700001)(606005)(6436002)(86612001)(93886004)(68736007)(55016002)(25786008)(6506006)(74316002)(86362001)(54896002)(6306002)(9686003)(102836003)(229853002)(99286003)(6116002)(790700001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0844; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR0301MB08423422FB68F197584F31B98C450CY1PR0301MB0842_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Feb 2017 18:48:54.7046 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0844
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/rQkhqsFMTaDN_O3i99eDJWSSKgw>
Cc: IETF TokBind WG <unbearable@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>, =JeffH Hodges <Jeff.Hodges@kingsmountain.com>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 18:49:00 -0000

Ø  I dont know that a proxy that doesn’t understand token binding should forward the header especially in the forward case.

Ø

Ø  What if the forward proxy is negotiating it’s own token binding  to the server?  (should a forward proxy proxy do that is perhaps another question)

Would you agree that if a proxy is negotiating its own TB to the server, then this proxy is TB-aware, and knows what to do about the client’s TB header?

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, February 9, 2017 10:41 AM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>; =JeffH Hodges <Jeff.Hodges@kingsmountain.com>; IETF TokBind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?

That may be the rub.

From a header perspective we are talking about any proxy forward and reverse.

I dont know that a proxy that doesn’t understand token binding should forward the header especially in the forward case.

What if the forward proxy is negotiating it’s own token binding  to the server?  (should a forward proxy proxy do that is perhaps another question)

I understand the desire to pass the header on in the reverse proxy case as it may make server code easier.

However I take Jeff’s point that token binding is by its nature hop by hop and if we mess with that we may get some unintended side effects.

If Brian had proposed sticking everything in one or two  new headers and removing the existing one then this would be much less controversial.

I always thought that we could use the same header on the inside of the proxy, but can see why that might mess up some other expectations.

So is token binding hop by hop?

John B.

On Feb 9, 2017, at 3:25 PM, Andrei Popov <Andrei.Popov@microsoft.com<mailto:Andrei.Popov@microsoft.com>> wrote:

Exactly, I agree with Brian. The proxy/terminator is better positioned to know how/where TB headers are handled in a particular datacenter. And a proxy/terminator that knows nothing about TB headers should forward them on.

From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Thursday, February 9, 2017 8:38 AM
To: =JeffH <Jeff.Hodges@kingsmountain.com<mailto:Jeff.Hodges@kingsmountain.com>>
Cc: IETF TokBind WG <unbearable@ietf.org<mailto:unbearable@ietf.org>>
Subject: Re: [Unbearable] on not listing 'Sec-Token-Binding' in the Connection header field?



On Thu, Feb 9, 2017 at 9:55 AM, =JeffH <Jeff.Hodges@kingsmountain.com<mailto:Jeff.Hodges@kingsmountain.com>> wrote:

I agree with this for security considerations reasons -- we want the Sec-Token-Binding header to be hop-by-hop in sync with the underlying TLS connection and not be "leaked" downstream unless it is a conscious decision, e.g., in the tls terminating reverse proxy (TTRP) case.

But the client is only making a connection to a server and client does not know whether it makes sense for that server to forward or not. And it shouldn't know that.  Sec-Token-Binding shouldn't be listed in Connection header field by a client.

_______________________________________________
Unbearable mailing list
Unbearable@ietf.org<mailto:Unbearable@ietf.org>
https://www.ietf.org/mailman/listinfo/unbearable

v2.30.2 | Report a Bug | By Email | System Status