| draft-ietf-httpbis-cdn-loop-02.txt | draft-ietf-httpbis-cdn-loop-latest.txt | |||
|---|---|---|---|---|
| HTTP Working Group S. Ludin | HTTP Working Group S. Ludin | |||
| Internet-Draft Akamai Technologies | Internet-Draft Akamai Technologies | |||
| Intended status: Standards Track M. Nottingham | Intended status: Standards Track M. Nottingham | |||
| Expires: August 8, 2019 Fastly | Expires: June 21, 2024 Fastly | |||
| N. Sullivan | N. Sullivan | |||
| Cloudflare | Cloudflare | |||
| February 04, 2019 | December 19, 2023 | |||
| CDN Loop Detection | Loop Detection in Content Delivery Networks (CDNs) | |||
| draft-ietf-httpbis-cdn-loop-02 | draft-ietf-httpbis-cdn-loop-latest | |||
| Abstract | Abstract | |||
| This document defines the CDN-Loop request header field for HTTP. | This document defines the CDN-Loop request header field for HTTP. | |||
| CDN-Loop addresses an operational need that occurs when an HTTP | CDN-Loop addresses an operational need that occurs when an HTTP | |||
| request is intentionally forwarded between Content Delivery Networks | request is intentionally forwarded between Content Delivery Networks | |||
| (CDNs), but is then accidentally or maliciously re-routed back into | (CDNs), but is then accidentally or maliciously re-routed back into | |||
| the original CDN causing a non-terminating loop. The new header | the original CDN causing a non-terminating loop. The new header | |||
| field can be used to identify the error and terminate the loop. | field can be used to identify the error and terminate the loop. | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on August 8, 2019. | This Internet-Draft will expire on June 21, 2024. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2023 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 26 ¶ | skipping to change at page 2, line 26 ¶ | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 5.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 5.2. Informative References . . . . . . . . . . . . . . . . . 6 | 5.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| In modern deployments of HTTP servers, it is common to interpose | In modern deployments of HTTP servers, it is common to interpose | |||
| Content Delivery Networks (CDNs) in front of origin servers to | Content Delivery Networks (CDNs) in front of origin servers to | |||
| improve end-user perceived latency, reduce operational costs, and | improve latency perceived by end users, reduce operational costs, and | |||
| improve scalability and reliability of services. | improve scalability and reliability of services. | |||
| Often, more than one CDN is in use by a given origin. This happens | Often, more than one CDN is in use by a given origin. This happens | |||
| for a variety of reasons, such as cost savings, arranging for | for a variety of reasons, such as cost savings, arranging for | |||
| failover should one CDN have issues, or to directly compare their | failover should one CDN have issues, or direct comparison of the | |||
| services. | CDNs' services. | |||
| As a result, it is not unknown for forwarding CDNs to be configured | As a result, it is possible for forwarding CDNs to be configured in a | |||
| in a "loop" accidentally; because routing is achieved through a | "loop" accidentally; because routing is achieved through a | |||
| combination of DNS and forwarding rules, and site configurations are | combination of DNS and forwarding rules, and site configurations are | |||
| sometimes complex and managed by several parties. | sometimes complex and managed by several parties. | |||
| When this happens, it is difficult to debug. Additionally, it | When this happens, it is difficult to debug. Additionally, it | |||
| sometimes isn't accidental; loops between multiple CDNs can be used | sometimes isn't accidental; loops between multiple CDNs can be used | |||
| as an attack vector (e.g., see [loop-attack]), especially if one CDN | as an attack vector (e.g., see [loop-attack]), especially if one CDN | |||
| unintentionally strips the loop detection headers of another. | unintentionally strips the loop detection headers of another. | |||
| This specification defines the CDN-Loop HTTP request header field to | This specification defines the CDN-Loop HTTP request header field to | |||
| help detect such attacks and accidents among implementing forwarding | help detect such attacks and accidents among forwarding CDNs that | |||
| CDNs, by disallowing its modification by their customers. | have implemented it; the header field may not be modified by their | |||
| customers. | ||||
| 1.1. Relationship to Via | 1.1. Relationship to Via | |||
| HTTP defines the Via header field in [RFC7230], Section 5.7.1 for | HTTP defines the Via header field in Section 5.7.1 of [RFC7230] for | |||
| "tracking message forwards, avoiding request loops, and identifying | "tracking message forwards, avoiding request loops, and identifying | |||
| the protocol capabilities of senders along the request/response | the protocol capabilities of senders along the request/response | |||
| chain." | chain." | |||
| In theory, Via could be used to identify these loops. However, in | In theory, Via could be used to identify these loops. However, in | |||
| practice it is not used in this fashion, because some HTTP servers | practice it is not used in this fashion, because some HTTP servers | |||
| use Via for other purposes - in particular, some implementations | use Via for other purposes -- in particular, some implementations | |||
| disable some HTTP/1.1 features when the Via header is present. | disable some HTTP/1.1 features when the Via header is present. | |||
| 1.2. Conventions and Definitions | 1.2. Conventions and Definitions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| This specification uses the Augmented Backus-Naur Form (ABNF) | This specification uses the Augmented Backus-Naur Form (ABNF) | |||
| notation of [RFC5234] with a list extension, defined in Section 7 of | notation of [RFC5234] with a list extension, defined in Section 7 of | |||
| [RFC7230], that allows for compact definition of comma-separated | [RFC7230], that allows for compact definition of comma-separated | |||
| lists using a '#' operator (similar to how the '*' operator indicates | lists using a '#' operator (similar to how the '*' operator indicates | |||
| repetition). Additionally, it uses the token, OWS, uri-host and port | repetition). Additionally, it uses a token (OWS), uri-host, and port | |||
| rules from [RFC7230] and the parameter rule from [RFC7231]. | rules from [RFC7230] and the parameter rule from [RFC7231]. | |||
| 2. The CDN-Loop Request Header Field | 2. The CDN-Loop Request Header Field | |||
| The CDN-Loop request header field is intended to help a Content | The CDN-Loop request header field is intended to help a Content | |||
| Delivery Network identify when an incoming request has already passed | Delivery Network identify when an incoming request has already passed | |||
| through that CDN's servers, to detect loops. | through that CDN's servers to detect loops. | |||
| CDN-Loop = #cdn-info | CDN-Loop = #cdn-info | |||
| cdn-info = cdn-id *( OWS ";" OWS parameter ) | cdn-info = cdn-id *( OWS ";" OWS parameter ) | |||
| cdn-id = ( uri-host [ ":" port ] ) / pseudonym | cdn-id = ( uri-host [ ":" port ] ) / pseudonym | |||
| pseudonym = token | pseudonym = token | |||
| The cdn-id identifies the CDN using either a hostname under its | The cdn-id identifies the CDN using either a hostname under its | |||
| control or a pseudonym. Hostnames are preferred, to help avoid | control or a pseudonym. Hostnames are preferred, to help avoid | |||
| accidental collisions. If a pseudonym is used, unintentional | accidental collisions. If a pseudonym is used, unintentional | |||
| collisions are more likely, and therefore values should be carefully | collisions are more likely, and therefore values should be carefully | |||
| chosen to prevent them; for example, using a well-known value (such | chosen to prevent them; for example, using a well-known value (such | |||
| as the recognized name of the CDN in question), or a generated value | as the recognized name of the CDN in question), or a generated value | |||
| with enough entropy to make collisions unlikely (such as a UUID | with enough entropy to make collisions unlikely (such as a UUID | |||
| [RFC4122]). | [RFC4122]). | |||
| Optionally, cdn-info can have semicolon-separated key/value | Optionally, cdn-info can have semicolon-separated key/value | |||
| parameters, to accommodate additional information for the CDN's use. | parameters to accommodate additional information for the CDN's use. | |||
| Conforming Content Delivery Networks SHOULD add a cdn-info to this | Conforming Content Delivery Networks SHOULD add a cdn-info to this | |||
| header field in all requests they generate or forward (creating the | header field in all requests they generate or forward (creating the | |||
| header field if necessary). | header field if necessary). | |||
| As with all HTTP header fields defined using the "#" rule, the CDN- | As with all HTTP header fields defined using the "#" rule, the CDN- | |||
| Loop header field can be added to by comma-separating values, or by | Loop header field can be added to by comma-separating values, or by | |||
| creating a new header field with the desired value. | creating a new header field with the desired value. | |||
| For example: | For example: | |||
| GET /image.jpg HTTP/1.1 | GET /image.jpg HTTP/1.1 | |||
| Host: cdn-customer.example | Host: cdn-customer.example | |||
| User-Agent: ExampleBrowser/5 | User-Agent: ExampleBrowser/5 | |||
| CDN-Loop: foo123.foocdn.example, barcdn.example; trace="abcdef" | CDN-Loop: foo123.foocdn.example, barcdn.example; trace="abcdef" | |||
| CDN-Loop: AnotherCDN; abc=123; def="456" | CDN-Loop: AnotherCDN; abc=123; def="456" | |||
| Note that the pseudonym syntax does not allow whitespace, DQUOTE or | Note that the pseudonym syntax does not allow whitespace, DQUOTE, or | |||
| any of the characters "(),/:;<=>?@[]{}". See [RFC7230], | any of the characters "(),/:;<=>?@[]{}". See Section 3.2.6 of | |||
| Section 3.2.6. Likewise, note the rules for when parameter values | [RFC7230]. Likewise, note the rules for when parameter values need | |||
| need to be quoted in [RFC7231], Section 3.1.1. | to be quoted in Section 3.1.1 of [RFC7231]. | |||
| The effectiveness of this mechanism relies on all intermediaries | The effectiveness of this mechanism relies on all intermediaries | |||
| preserving the header field, since removing (or allowing it to be | preserving the header field, since removing (or allowing it to be | |||
| removed, e.g., by customer configuration) would prevent downstream | removed, e.g., by customer configuration) would prevent downstream | |||
| CDNs from using it to detect looping. In general, unknown header | CDNs from using it to detect looping. In general, unknown header | |||
| fields are not removed by intermediaries, but there may be need to | fields are not removed by intermediaries, but there may be a need to | |||
| add CDN-Loop to an implementation's list of header fields that are | add CDN-Loop to an implementation's list of header fields that are | |||
| not to be removed under any circumstances. The header field SHOULD | not to be removed under any circumstances. The header field SHOULD | |||
| NOT be used for other purposes. | NOT be used for other purposes. | |||
| 3. Security Considerations | 3. Security Considerations | |||
| The threat model that the CDN-Loop header field addresses is a | The threat model that the CDN-Loop header field addresses is a | |||
| customer who is attacking a service provider by configuring a | customer who is attacking a service provider by configuring a | |||
| forwarding loop by accident or malice. For it to function, CDNs | forwarding loop by accident or malice. For it to function, CDNs | |||
| cannot allow customers to modify or remove it in their configuration | cannot allow customers to modify or remove it in their configuration | |||
| skipping to change at page 5, line 12 ¶ | skipping to change at page 5, line 12 ¶ | |||
| remains an attack vector against both implementing and non- | remains an attack vector against both implementing and non- | |||
| implementing CDNs. | implementing CDNs. | |||
| A CDN's use of the CDN-Loop header field might expose its presence. | A CDN's use of the CDN-Loop header field might expose its presence. | |||
| For example, if CDN A is configured to forward its requests to CDN B | For example, if CDN A is configured to forward its requests to CDN B | |||
| for a given origin, CDN B's presence can be revealed if it behaves | for a given origin, CDN B's presence can be revealed if it behaves | |||
| differently based upon the presence of the CDN-Loop header field. | differently based upon the presence of the CDN-Loop header field. | |||
| The CDN-Loop header field can be generated by any client, and | The CDN-Loop header field can be generated by any client, and | |||
| therefore its contents cannot be trusted. CDNs who modify their | therefore its contents cannot be trusted. CDNs who modify their | |||
| behaviour based upon its contents should assure that this does not | behavior based upon its contents should assure that this does not | |||
| become an attack vector (e.g., for Denial-of-Service). | become an attack vector (e.g., for Denial of Service). | |||
| It is possible to sign the contents of the header field (either by | It is possible to sign the contents of the header field (either by | |||
| putting the signature directly into the field's content, or using | putting the signature directly into the field's content or using | |||
| another header field), but such use is not defined (or required) by | another header field), but such use is not defined (or required) by | |||
| this specification. | this specification. | |||
| Depending on how it is used, CDN-Loop can expose information about | Depending on how it is used, CDN-Loop can expose information about | |||
| the internal configuration of the CDN; for example, the number of | the internal configuration of the CDN; for example, the number of | |||
| hops inside the CDN, and the hostnames of nodes. | hops inside the CDN, and the hostnames of nodes. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document registers the "CDN-Loop" header field in the Permanent | This document registers the "CDN-Loop" header field in the "Permanent | |||
| Message Header Field Names registry. | Message Header Field Names" registry. | |||
| o Header Field Name: CDN-Loop | o Header Field Name: CDN-Loop | |||
| o Protocol: http | o Protocol: http | |||
| o Status: standard | o Status: standard | |||
| o Reference: (this document) | o Reference: RFC 8586 | |||
| 5. References | 5. References | |||
| 5.1. Normative References | 5.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 6, line 24 ¶ | skipping to change at page 6, line 24 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| 5.2. Informative References | 5.2. Informative References | |||
| [loop-attack] | [loop-attack] | |||
| Chen, J., Jiang, J., Zheng, X., Duan, H., Liang, J., Li, | Chen, J., Jiang, J., Zheng, X., Duan, H., Liang, J., Li, | |||
| K., Wan, T., and V. Paxson, "Forwarding-Loop Attacks in | K., Wan, T., and V. Paxson, "Forwarding-Loop Attacks in | |||
| Content Delivery Networks", DOI 10.14722/ndss.2016.23442, | Content Delivery Networks", February 2016, | |||
| February 2016, | ||||
| <http://www.icir.org/vern/papers/cdn-loops.NDSS16.pdf>. | <http://www.icir.org/vern/papers/cdn-loops.NDSS16.pdf>. | |||
| [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | |||
| Unique IDentifier (UUID) URN Namespace", RFC 4122, | Unique IDentifier (UUID) URN Namespace", RFC 4122, | |||
| DOI 10.17487/RFC4122, July 2005, | DOI 10.17487/RFC4122, July 2005, | |||
| <https://www.rfc-editor.org/info/rfc4122>. | <https://www.rfc-editor.org/info/rfc4122>. | |||
| Authors' Addresses | Authors' Addresses | |||
| Stephen Ludin | Stephen Ludin | |||
| End of changes. 21 change blocks. | ||||
| 31 lines changed or deleted | 31 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||