Re: [Unbearable] Dealing with header injection through reverse proxies

"Cantor, Scott" <cantor.2@osu.edu> Mon, 17 July 2017 16:01 UTC

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Eric Rescorla <ekr@rtfm.com>, IETF Tokbind WG <unbearable@ietf.org>
Thread-Topic: [Unbearable] Dealing with header injection through reverse proxies
Thread-Index: AQHS/xADE0gv6ETK2EqMkQxjDxHEtKJYLPbQ
Date: Mon, 17 Jul 2017 16:01:08 +0000
Message-ID: <9846A6064BD102419D06814DD0D78DE13BCACE34@CIO-TNC-D2MBX02.osuad.osu.edu>
References: <CABcZeBNK4zHCR4V8cRAJBxC0AiVpep8HWoX8Ntnr9ZTZGq8S+A@mail.gmail.com>
In-Reply-To: <CABcZeBNK4zHCR4V8cRAJBxC0AiVpep8HWoX8Ntnr9ZTZGq8S+A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/u6SJkRy5QInN9Y1EwuXE_qwHD-8>

> Do people have other thoughts on this problem? Other good ways to
> establish the key? Other ideas for how to address it?

I don't think it's a technical problem in most organizations; it's a "will" problem. Unless you can get the load balancers to simply require some mechanism to do this more securely, it will just not get done by a lot of deployers, and if you presupposed the deployers cared, they'd filter the headers and you wouldn't need to do anything necessarily.

I say this after having reported to my own organization that our transmission of proxied client IP address to services to use in associating cookies and logging activity wasn't safe, and the response was to ignore it.

-- Scott
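[Editor's note: the following is an added example and is not code from this thread, from the Token Binding drafts, or from any deployment the author describes. It shows the two behaviours the message contrasts: a load balancer that passes client-supplied headers through to the backend (so a forged X-Forwarded-For ends up in the backend's cookie and log attribution, as in the proxied-client-IP case Scott reports), and one that strips every client-supplied copy of a proxy-owned header, sets it from the TCP peer only, and signs what it set with a key shared with the backend. X-Forwarded-For is the real, widely used header; the X-Proxy-Client-Auth header, the canonical form that is MACed, and the key generated in-process are assumptions made for illustration, and how such a key is actually established is the open question the quoted message asks about.]

```python
"""Header injection through a reverse proxy: a vulnerable pass-through hop
beside a hardened strip-and-sign hop. Added example; header names other than
X-Forwarded-For, the canonical form and the key handling are assumptions."""
import hashlib
import hmac
import secrets

# Assumption: a key shared out of band between the load balancer and the
# backend. Provisioning it is the hard part in practice; here it is simply
# generated once in-process so both sides of the example can use it.
SHARED_KEY = secrets.token_bytes(32)

# Hypothetical header carrying the proxy's MAC over the headers it vouches for.
AUTH_HEADER = "X-Proxy-Client-Auth"
# Headers that only the proxy is allowed to set on the way to the backend.
PROXY_OWNED = ("X-Forwarded-For",)


def proxy_passthrough(client_headers, peer_ip):
    """Vulnerable hop: appends the TCP peer to whatever X-Forwarded-For the
    client sent, so a client-supplied value survives and a backend that reads
    the first list entry picks the attacker's address."""
    out = dict(client_headers)
    existing = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{existing}, {peer_ip}" if existing else peer_ip
    return out


def _mac(headers, key):
    # Canonical form: one "lowercase-name:value" line per proxy-owned header.
    canon = "\n".join(f"{h.lower()}:{headers.get(h, '')}" for h in PROXY_OWNED)
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def proxy_hardened(client_headers, peer_ip, key=None):
    """Hardened hop: drops every client-supplied copy of a proxy-owned header
    (matched case-insensitively, so 'x-forwarded-for' is dropped too), sets
    X-Forwarded-For from the TCP peer alone, and MACs the proxy-owned headers
    with the shared key so the backend can tell this hop's values apart from
    anything injected upstream or sent to it directly."""
    key = SHARED_KEY if key is None else key
    owned = {h.lower() for h in PROXY_OWNED} | {AUTH_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in owned}
    out["X-Forwarded-For"] = peer_ip
    out[AUTH_HEADER] = _mac(out, key)
    return out


def backend_naive_client_ip(headers):
    """Backend logic of the kind the message describes: trusts the first
    X-Forwarded-For entry when associating cookies and logging activity."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or None


def backend_verified_client_ip(headers, key=None):
    """Backend that accepts the client address only when the proxy's MAC
    verifies; a missing or wrong tag (direct access to the backend, a forged
    header, a tampered value) yields None instead of an attacker's address."""
    key = SHARED_KEY if key is None else key
    tag = headers.get(AUTH_HEADER)
    if tag is None or not hmac.compare_digest(tag, _mac(headers, key)):
        return None
    return headers["X-Forwarded-For"]


def demo():
    """Constructed request: the attacker at 203.0.113.7 (TEST-NET-3) sends a
    spoofed X-Forwarded-For to pin cookies and log lines on 10.0.0.1."""
    attack = {"Host": "app.example", "X-Forwarded-For": "10.0.0.1"}
    peer = "203.0.113.7"
    naive = backend_naive_client_ip(proxy_passthrough(attack, peer))
    hardened = backend_verified_client_ip(proxy_hardened(attack, peer))
    # Attacker who reaches the backend directly and guesses the auth header.
    direct = {"X-Forwarded-For": "10.0.0.1", AUTH_HEADER: "0" * 64}
    forged = backend_verified_client_ip(direct)
    return naive, hardened, forged


if __name__ == "__main__":
    print(demo())
```

The point of the example is the one the message makes: the hardened hop is not complicated, and the backend-side check is a few lines, so what decides whether the forged address reaches the cookie and log logic is whether the load balancer operator strips and signs at all, not whether a mechanism exists.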