Last Call Review of draft-ietf-httpbis-cdn-loop-01
review-ietf-httpbis-cdn-loop-01-secdir-lc-eastlake-2018-12-13-00

Request: Review of draft-ietf-httpbis-cdn-loop
Requested rev.: no specific revision (document currently at 02)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2018-12-11
Requested: 2018-11-27
Other Reviews: Genart Last Call review of -01 by Joel Halpern
               Tsvart Last Call review of -01 by Colin Perkins
Review State: Completed
Reviewer: Donald Eastlake
Review: review-ietf-httpbis-cdn-loop-01-secdir-lc-eastlake-2018-12-13
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/Gx4PbPPWUYjzc0ddlqpJt6kLfUY
Reviewed rev.: 01 (document currently at 02)
Review result: Has Issues
Draft last updated: 2018-12-13
Review completed: 2018-12-13

Review
review-ietf-httpbis-cdn-loop-01-secdir-lc-eastlake-2018-12-13

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is Ready with issues.

This document specifies a new "CDN-Loop" HTTP header field to detect
Content Delivery Network loops. Such loops can be caused by
misconfiguration or as part of a denial of service attack.

Security:

It is slightly misleading that in Section 1 the draft says how valuable an
HTTP header "guaranteed not to be modified" would be but then the draft
does not provide such a header. Maybe instead say "should normally be
unmodified".


I believe this document should RECOMMEND that CDN-Loop headers include some
sort of MAC (Message Authentication Code) covering the header so a CDN node
can reliably recognize CDN-Loop headers that it has added. Since it need
only recognize its own headers, the MAC need not be further specified or
interoperable. (CDN-Loop information in an HTTP message can grow by the
appending of entries or by addition of another CDN-Loop header. Since I
have little confidence in the stability of header order, I would suggest
MACs added as a parameter to a CDN-Loop header be the last parameter for
that entry and sign that entry and all previous entries in that CDN-Loop
header.) This could be done by modifying the 3rd paragraph of the Security
Considerations section.


Nit:

Section 2: 3rd paragraph, suggest replacing "field to all requests" with
"field in all requests".

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 1424 Pro Shop Court, Davenport, FL 33896 USA
 d3e3e3@gmail.com
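
The MAC scheme suggested in the review, as an added sketch that is not part of the review or of the draft: a node appends its entry with a MAC as the last parameter, covering that entry and all earlier entries in the same CDN-Loop header, and later treats an entry as its own only if the MAC verifies. The parameter name `mac`, the use of HMAC-SHA-256, the key handling and the sample hostnames are assumptions.

```python
import hashlib
import hmac
import re

MAC_PARAM = "mac"  # hypothetical parameter name; neither the draft nor the review defines one

# One list member: runs of non-comma, non-quote characters or whole quoted-strings.
_ENTRY = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')
# The MAC must be the last parameter of the entry (hex-encoded HMAC-SHA-256).
_SUFFIX = re.compile(r';\s*' + MAC_PARAM + r'="([0-9a-f]{64})"$')


def split_entries(value: str) -> list:
    """Split a CDN-Loop field value into entries without breaking quoted-strings."""
    return [e.strip() for e in _ENTRY.findall(value) if e.strip()]


def _tag(key: bytes, prior: list, own: str) -> str:
    # Field values cannot contain LF, so "\n" is an unambiguous separator.
    msg = "\n".join(prior + [own]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(value: str, cdn_id: str, key: bytes) -> str:
    """Append this node's entry; its MAC covers all earlier entries plus cdn_id."""
    prior = split_entries(value)
    entry = f'{cdn_id}; {MAC_PARAM}="{_tag(key, prior, cdn_id)}"'
    return ", ".join(prior + [entry])


def is_own_loop(value: str, cdn_id: str, key: bytes) -> bool:
    """True only if an entry naming cdn_id carries a MAC this node can verify."""
    entries = split_entries(value)
    for i, entry in enumerate(entries):
        m = _SUFFIX.search(entry)
        if not m or entry[:m.start()].strip() != cdn_id:
            continue  # not ours, or ours by name only (no MAC): do not trust it
        if hmac.compare_digest(m.group(1), _tag(key, entries[:i], cdn_id)):
            return True
    return False
```

Because the MAC covers the earlier entries, a node stops recognizing its own entry if an intermediary rewrites anything before it in the same header; entries appended afterwards do not affect verification.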