> -----Original Message----- > From: iesg <[email protected]> On Behalf Of Qin Wu > Sent: Thursday, December 2, 2021 5:11 AM > To: Roman Danyliw <[email protected]>; The IESG <[email protected]> > Cc: [email protected]; [email protected]; draft-ietf-alto-cdni-request-routing- > [email protected]; Vijay Gurbani <[email protected]> > Subject: RE: Roman Danyliw's Discuss on draft-ietf-alto-cdni-request-routing- > alto-17: (with DISCUSS and COMMENT) > > Hi, Roman: > -----邮件原件----- > 发件人: Roman Danyliw via Datatracker [mailto:[email protected]] > 发送时间: 2021年12月2日 6:42 > 收件人: The IESG <[email protected]> > 抄送: [email protected]; [email protected]; > [email protected]; Vijay Gurbani <[email protected]>; > [email protected] > 主题: Roman Danyliw's Discuss on draft-ietf-alto-cdni-request-routing-alto-17: > (with DISCUSS and COMMENT) > > Roman Danyliw has entered the following ballot position for > draft-ietf-alto-cdni-request-routing-alto-17: Discuss > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/blog/handling-iesg-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-alto-cdni-request-routing-alto/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > The security consideration is silent on how to handle client (uCDN) > authentication for this specific CDN use case. Hence, the default guidance > from > Section 15.13.2 of RFC7285 seems to apply -- that HTTP Digest Authentication > or TLS client authentication could be used. > [Qin Wu] RFC7285 section 8.3.5 recommends to use HTTP Digest > Authentication and TLS Client Authentication for client authentication. So > yes, > section 15.3.2 of RFC7285 did apply. See quoted text below " > For deployment scenarios where client authentication is desired to > address risk type (2), ALTO requires that HTTP Digestion > Authentication is supported to achieve ALTO client authentication to > limit the number of parties with whom ALTO information is directly > shared. TLS client authentication may also be supported. Depending > on the use case and scenario, an ALTO server may apply other access > control techniques to restrict access to its services. Access > control can also help to prevent Denial-of-Service attacks by > arbitrary hosts from the Internet. > " > > If I understand the use case right, it seems like the uCDNs and dCDNs should > know about each other, and there wouldn’t be an unreasonably large number > of them to prevent credentials existing for peers. Is there a reason why > there > isn’t a normative guidance requiring some kind of peer authentication given > this narrow use case? If not, why is ok given the significance of this ALTO > data > in FCI model. > > [Qin Wu] The normative guidance we provide is section 15 of RFC7285 which > cover normative guidance for client authentication. Let us know if you have > any > suggested text.
The relevant part of RFC7285 Section 15.3.2 is: For deployment scenarios where client authentication is desired to address risk type (2), ALTO requires that HTTP Digestion Authentication is supported to achieve ALTO client authentication to limit the number of parties with whom ALTO information is directly shared. TLS client authentication may also be supported. This document has not explicitly established that the CDNI use case "desires" or "requires" client authentication. Because it is generic guidance intended for multiple applications, text in RFC7285 does not use RFC2119 language and presents two options. I'm not sure which ones should be used for the CDNI use case. I would said something to the effective of: The uCDN (ALTO Client) MUST be authenticated to the dCDN (ALTO Server). dCDNs (ALTO Server) MUST support HTTP Digest Authentication and MAY also support TLS mutual authentication. The authentication method will need to be negotiated out of band and is out of scope for this document, as is the approach for provisioning and managing these credentials. Regards, Roman _______________________________________________ alto mailing list [email protected] https://www.ietf.org/mailman/listinfo/alto
