Skip to main content

Last Call Review of draft-ietf-httpbis-cdn-loop-01

Request Review of draft-ietf-httpbis-cdn-loop
Requested revision No specific revision (document currently at 02)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2018-12-11
Requested 2018-11-27
Authors Stephen Ludin , Mark Nottingham , Nick Sullivan
Draft last updated 2018-12-13
Completed reviews Secdir Last Call review of -01 by Donald E. Eastlake 3rd (diff)
Genart Last Call review of -01 by Joel M. Halpern (diff)
Tsvart Last Call review of -01 by Colin Perkins (diff)
Assignment Reviewer Donald E. Eastlake 3rd
State Completed
Review review-ietf-httpbis-cdn-loop-01-secdir-lc-eastlake-2018-12-13
Reviewed revision 01 (document currently at 02)
Result Has Issues
Completed 2018-12-13
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is Ready with issues.

This document specifies a new "CDN-Loop" HTTP header field to detect
Content Delivery Network loops. Such loops can be caused by
misconfiguration or as part of a denial of service attack.


It is slightly misleading that in Section 1 the draft says how valuable an
HTTP header "guaranteed not to be modified" would be but then the draft
does not provide such a header. Maybe instead say "should normally be

I believe this document should RECOMMEND that CDN-Loop headers include some
sort of MAC (Message Authentication Code) covering the header so a CDN node
can reliably recognize CDN-Loop headers that it has added. Since it need
only recognize its own headers, the MAC need not be further specified or
interoperable. (CDN-Loop information in an HTTP message can grow by the
appending of entries or by additional of another CDN-Loop header. Since I
have little confidence in the stability of header order, I would suggest
MACs added as a parameter to a CDN-Loop header by the last parameter for
that entry and sign that entry and all previous entries in that CDN-Loop
header.) This could be done by modifying the 3rd paragraph of the Security
Considerations section.


Section 2: 3rd paragraph, suggest replacing "field to all requests" with
"field in all requests".

 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 1424 Pro Shop Court, Davenport, FL 33896 USA