Last Call Review of draft-ietf-httpbis-cdn-loop-01
review-ietf-httpbis-cdn-loop-01-secdir-lc-eastlake-2018-12-13-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is Ready with issues.

This document specifies a new "CDN-Loop" HTTP header field to detect
Content Delivery Network loops. Such loops can be caused by
misconfiguration or as part of a denial of service attack.

Security:

It is slightly misleading that in Section 1 the draft says how valuable an
HTTP header "guaranteed not to be modified" would be but then the draft
does not provide such a header. Maybe instead say "should normally be
unmodified".


I believe this document should RECOMMEND that CDN-Loop headers include some
sort of MAC (Message Authentication Code) covering the header so a CDN node
can reliably recognize CDN-Loop headers that it has added. Since it need
only recognize its own headers, the MAC need not be further specified or
interoperable. (CDN-Loop information in an HTTP message can grow by the
appending of entries or by additional of another CDN-Loop header. Since I
have little confidence in the stability of header order, I would suggest
MACs added as a parameter to a CDN-Loop header by the last parameter for
that entry and sign that entry and all previous entries in that CDN-Loop
header.) This could be done by modifying the 3rd paragraph of the Security
Considerations section.


Nit:

Section 2: 3rd paragraph, suggest replacing "field to all requests" with
"field in all requests".

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 1424 Pro Shop Court, Davenport, FL 33896 USA
 d3e3e3@gmail.com