idnits 2.17.1 

draft-ietf-httpbis-cdn-loop-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 04, 2019) is 1908 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 7230 (Obsoleted by RFC 9110, RFC 9112)

  ** Obsolete normative reference: RFC 7231 (Obsoleted by RFC 9110)


     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	HTTP Working Group                                              S. Ludin
3	Internet-Draft                                       Akamai Technologies
4	Intended status: Standards Track                           M. Nottingham
5	Expires: August 8, 2019                                           Fastly
6	                                                             N. Sullivan
7	                                                              Cloudflare
8	                                                       February 04, 2019

10	                           CDN Loop Detection
11	                     draft-ietf-httpbis-cdn-loop-02

13	Abstract

15	   This document defines the CDN-Loop request header field for HTTP.
16	   CDN-Loop addresses an operational need that occurs when an HTTP
17	   request is intentionally forwarded between Content Delivery Networks
18	   (CDNs), but is then accidentally or maliciously re-routed back into
19	   the original CDN causing a non-terminating loop.  The new header
20	   field can be used to identify the error and terminate the loop.

22	Status of This Memo

24	   This Internet-Draft is submitted in full conformance with the
25	   provisions of BCP 78 and BCP 79.

27	   Internet-Drafts are working documents of the Internet Engineering
28	   Task Force (IETF).  Note that other groups may also distribute
29	   working documents as Internet-Drafts.  The list of current Internet-
30	   Drafts is at https://datatracker.ietf.org/drafts/current/.

32	   Internet-Drafts are draft documents valid for a maximum of six months
33	   and may be updated, replaced, or obsoleted by other documents at any
34	   time.  It is inappropriate to use Internet-Drafts as reference
35	   material or to cite them other than as "work in progress."

37	   This Internet-Draft will expire on August 8, 2019.

39	Copyright Notice

41	   Copyright (c) 2019 IETF Trust and the persons identified as the
42	   document authors.  All rights reserved.

44	   This document is subject to BCP 78 and the IETF Trust's Legal
45	   Provisions Relating to IETF Documents
46	   (https://trustee.ietf.org/license-info) in effect on the date of
47	   publication of this document.  Please review these documents
48	   carefully, as they describe your rights and restrictions with respect
49	   to this document.  Code Components extracted from this document must
50	   include Simplified BSD License text as described in Section 4.e of
51	   the Trust Legal Provisions and are provided without warranty as
52	   described in the Simplified BSD License.

54	Table of Contents

56	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
57	     1.1.  Relationship to Via . . . . . . . . . . . . . . . . . . .   3
58	     1.2.  Conventions and Definitions . . . . . . . . . . . . . . .   3
59	   2.  The CDN-Loop Request Header Field . . . . . . . . . . . . . .   3
60	   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
61	   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
62	   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
63	     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   5
64	     5.2.  Informative References  . . . . . . . . . . . . . . . . .   6
65	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

67	1.  Introduction

69	   In modern deployments of HTTP servers, it is common to interpose
70	   Content Delivery Networks (CDNs) in front of origin servers to
71	   improve end-user perceived latency, reduce operational costs, and
72	   improve scalability and reliability of services.

74	   Often, more than one CDN is in use by a given origin.  This happens
75	   for a variety of reasons, such as cost savings, arranging for
76	   failover should one CDN have issues, or to directly compare their
77	   services.

79	   As a result, it is not unknown for forwarding CDNs to be configured
80	   in a "loop" accidentally; because routing is achieved through a
81	   combination of DNS and forwarding rules, and site configurations are
82	   sometimes complex and managed by several parties.

84	   When this happens, it is difficult to debug.  Additionally, it
85	   sometimes isn't accidental; loops between multiple CDNs can be used
86	   as an attack vector (e.g., see [loop-attack]), especially if one CDN
87	   unintentionally strips the loop detection headers of another.

89	   This specification defines the CDN-Loop HTTP request header field to
90	   help detect such attacks and accidents among implementing forwarding
91	   CDNs, by disallowing its modification by their customers.

93	1.1.  Relationship to Via

95	   HTTP defines the Via header field in [RFC7230], Section 5.7.1 for
96	   "tracking message forwards, avoiding request loops, and identifying
97	   the protocol capabilities of senders along the request/response
98	   chain."

100	   In theory, Via could be used to identify these loops.  However, in
101	   practice it is not used in this fashion, because some HTTP servers
102	   use Via for other purposes - in particular, some implementations
103	   disable some HTTP/1.1 features when the Via header is present.

105	1.2.  Conventions and Definitions

107	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
108	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
109	   "OPTIONAL" in this document are to be interpreted as described in BCP
110	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
111	   capitals, as shown here.

113	   This specification uses the Augmented Backus-Naur Form (ABNF)
114	   notation of [RFC5234] with a list extension, defined in Section 7 of
115	   [RFC7230], that allows for compact definition of comma-separated
116	   lists using a '#' operator (similar to how the '*' operator indicates
117	   repetition).  Additionally, it uses the token, OWS, uri-host and port
118	   rules from [RFC7230] and the parameter rule from [RFC7231].

120	2.  The CDN-Loop Request Header Field

122	   The CDN-Loop request header field is intended to help a Content
123	   Delivery Network identify when an incoming request has already passed
124	   through that CDN's servers, to detect loops.

126	   CDN-Loop  = #cdn-info
127	   cdn-info  = cdn-id *( OWS ";" OWS parameter )
128	   cdn-id    = ( uri-host [ ":" port ] ) / pseudonym
129	   pseudonym = token

131	   The cdn-id identifies the CDN using either a hostname under its
132	   control or a pseudonym.  Hostnames are preferred, to help avoid
133	   accidental collisions.  If a pseudonym is used, unintentional
134	   collisions are more likely, and therefore values should be carefully
135	   chosen to prevent them; for example, using a well-known value (such
136	   as the recognized name of the CDN in question), or a generated value
137	   with enough entropy to make collisions unlikely (such as a UUID
138	   [RFC4122]).

140	   Optionally, cdn-info can have semicolon-separated key/value
141	   parameters, to accommodate additional information for the CDN's use.

143	   Conforming Content Delivery Networks SHOULD add a cdn-info to this
144	   header field in all requests they generate or forward (creating the
145	   header field if necessary).

147	   As with all HTTP header fields defined using the "#" rule, the CDN-
148	   Loop header field can be added to by comma-separating values, or by
149	   creating a new header field with the desired value.

151	   For example:

153	   GET /image.jpg HTTP/1.1
154	   Host: cdn-customer.example
155	   User-Agent: ExampleBrowser/5
156	   CDN-Loop: foo123.foocdn.example, barcdn.example; trace="abcdef"
157	   CDN-Loop: AnotherCDN; abc=123; def="456"

159	   Note that the pseudonym syntax does not allow whitespace, DQUOTE or
160	   any of the characters "(),/:;<=>?@[]{}".  See [RFC7230],
161	   Section 3.2.6.  Likewise, note the rules for when parameter values
162	   need to be quoted in [RFC7231], Section 3.1.1.

164	   The effectiveness of this mechanism relies on all intermediaries
165	   preserving the header field, since removing (or allowing it to be
166	   removed, e.g., by customer configuration) would prevent downstream
167	   CDNs from using it to detect looping.  In general, unknown header
168	   fields are not removed by intermediaries, but there may be need to
169	   add CDN-Loop to an implementation's list of header fields that are
170	   not to be removed under any circumstances.  The header field SHOULD
171	   NOT be used for other purposes.

173	3.  Security Considerations

175	   The threat model that the CDN-Loop header field addresses is a
176	   customer who is attacking a service provider by configuring a
177	   forwarding loop by accident or malice.  For it to function, CDNs
178	   cannot allow customers to modify or remove it in their configuration
179	   (see Section 2).

181	   Note that a CDN that allows customers to remove or modify the CDN-
182	   Loop header field (i.e., they do not implement this specification)
183	   remains an attack vector against both implementing and non-
184	   implementing CDNs.

186	   A CDN's use of the CDN-Loop header field might expose its presence.
187	   For example, if CDN A is configured to forward its requests to CDN B
188	   for a given origin, CDN B's presence can be revealed if it behaves
189	   differently based upon the presence of the CDN-Loop header field.

191	   The CDN-Loop header field can be generated by any client, and
192	   therefore its contents cannot be trusted.  CDNs who modify their
193	   behaviour based upon its contents should assure that this does not
194	   become an attack vector (e.g., for Denial-of-Service).

196	   It is possible to sign the contents of the header field (either by
197	   putting the signature directly into the field's content, or using
198	   another header field), but such use is not defined (or required) by
199	   this specification.

201	   Depending on how it is used, CDN-Loop can expose information about
202	   the internal configuration of the CDN; for example, the number of
203	   hops inside the CDN, and the hostnames of nodes.

205	4.  IANA Considerations

207	   This document registers the "CDN-Loop" header field in the Permanent
208	   Message Header Field Names registry.

210	   o  Header Field Name: CDN-Loop

212	   o  Protocol: http

214	   o  Status: standard

216	   o  Reference: (this document)

218	5.  References

220	5.1.  Normative References

222	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
223	              Requirement Levels", BCP 14, RFC 2119,
224	              DOI 10.17487/RFC2119, March 1997,
225	              <https://www.rfc-editor.org/info/rfc2119>.

227	   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
228	              Specifications: ABNF", STD 68, RFC 5234,
229	              DOI 10.17487/RFC5234, January 2008,
230	              <https://www.rfc-editor.org/info/rfc5234>.

232	   [RFC7230]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
233	              Protocol (HTTP/1.1): Message Syntax and Routing",
234	              RFC 7230, DOI 10.17487/RFC7230, June 2014,
235	              <https://www.rfc-editor.org/info/rfc7230>.

237	   [RFC7231]  Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
238	              Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
239	              DOI 10.17487/RFC7231, June 2014,
240	              <https://www.rfc-editor.org/info/rfc7231>.

242	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
243	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
244	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

246	5.2.  Informative References

248	   [loop-attack]
249	              Chen, J., Jiang, J., Zheng, X., Duan, H., Liang, J., Li,
250	              K., Wan, T., and V. Paxson, "Forwarding-Loop Attacks in
251	              Content Delivery Networks", DOI 10.14722/ndss.2016.23442,
252	              February 2016,
253	              <http://www.icir.org/vern/papers/cdn-loops.NDSS16.pdf>.

255	   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
256	              Unique IDentifier (UUID) URN Namespace", RFC 4122,
257	              DOI 10.17487/RFC4122, July 2005,
258	              <https://www.rfc-editor.org/info/rfc4122>.

260	Authors' Addresses

262	   Stephen Ludin
263	   Akamai Technologies

265	   Email: sludin@akamai.com

267	   Mark Nottingham
268	   Fastly

270	   Email: mnot@fastly.com

272	   Nick Sullivan
273	   Cloudflare

275	   Email: nick@cloudflare.com