Trusted Traffic
draft-jjmb-httpbis-trusted-traffic-00

Document type: Active Internet-Draft (individual)
Last updated: 2018-05-22
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: I-D Exists
Responsible AD: (None)
Send notices to: (None)

httpbis                                                    J. Brzozowski
Internet-Draft                                             Comcast Cable
Intended status: Best Current Practice                        K. Beevers
Expires: November 23, 2018                                           NS1
                                                             J. Cariello
                                                                  Google
                                                               J. Colton
                                                             Squarespace
                                                                L. Jacob
                                                               Bloomberg
                                                                J. Leddy
                                                           Comcast Cable
                                                                J. Shaul
                                                                  Akamai
                                                            L. Steinberg
                                                            CTM Insights
                                                            May 22, 2018

                            Trusted Traffic
                 draft-jjmb-httpbis-trusted-traffic-00

Abstract

   Current methods for managing traffic through content inspection tend
   to process all sessions similarly.  Internet traffic examples like
   DDoS mitigation require all data to pass through one of a limited
   number of scrubbing centers, which create both natural choke points
   and the potential for widespread collateral damage should a center
   become overloaded.  Similar issues exist with email SPAM and malware
   filtering, traffic shaping, etc.  We propose a method to utilize
   existing HTTP and HTTPS protocols that enables destinations to
   temporarily confer trust on sources, and for trusted traffic to be
   routed and processed differently from untrusted traffic.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 23, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Assumptions
   3.  Approach
   4.  HTTP and HTTPS
     4.1.  Trust Tokens as Cookies
     4.2.  Assertion Tokens
     4.3.  Assertion Token use within a Browser
     4.4.  Validator Function
     4.5.  Implementation Considerations
   5.  IANA Considerations
   6.  Internationalization Considerations
   7.  Security Considerations
   8.  Acknowledgements
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   In the wake of several high profile DDoS attacks, the authors
   convened a series of meetings to investigate alternatives to routing