Discussion:
[Uta] Updated MTA-STS & TLSRPT
Brotman, Alexander
2017-09-28 20:42:15 UTC
Permalink
Folks,

We've just uploaded new revisions for the drafts mentioned above. Not a ton of changes, but wanted to share with the group.

MTA-STS: Added Policy Delegation and a few other clarifications

TLSRPT: Changed the domains associated with reporting, added examples for policy-strings, and added a MUST for not using l= for the DKIM signature

Please let us know if you have any comments or questions, and thank you for your time.

--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast
Viktor Dukhovni
2017-09-28 21:02:05 UTC
Permalink
Post by Brotman, Alexander
Please let us know if you have any comments or questions, and thank you for your time.
I see that 302 HTTP redirects are still not supported, and that policy
delegation without SNI is via reverse proxying, rather than 302
redirects. I may have missed the discussion that arrived at this
decision. Is this the "rough consensus" view?

I would have expected it to be easier to serve 302 redirects than to deploy
a reverse proxy, but perhaps I am mistaken, and HTTPS servers come with
reverse-proxy support as a common built-in feature?

With reverse-proxying, would caching of the policy by the reverse proxy
be a reasonable strategy? With the usual HTTP cache control headers
(rather than max_age) setting the duration?
--
Viktor.
Leif Johansson
2017-09-29 06:28:47 UTC
Permalink
Post by Viktor Dukhovni
Post by Brotman, Alexander
Please let us know if you have any comments or questions, and thank you for your time.
I see that 302 HTTP redirects are still not supported, and that policy
delegation without SNI is via reverse proxying, rather than 302
redirects. I may have missed the discussion that arrived at this
decision. Is this the "rough consensus" view?
May I suggest that if you would like to see redirects supported in
addition to, or instead of, reverse proxying, you provide text so we have
something concrete to discuss?
Post by Viktor Dukhovni
I would have expected it to be easier to serve 302 redirects than to deploy
a reverse proxy, but perhaps I am mistaken, and HTTPS servers come with
reverse-proxy support as a common built-in feature?
Speaking as an individual I'd say that modern general purpose webservers
do both equally well and just as easily. There may still be deployment
issues making one or the other preferable in any one situation though...
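To illustrate that point, here is roughly how each approach might look in an nginx configuration (hostnames are placeholders, not from this thread; the redirect variant presumes the WG adopts 302 support):

```nginx
# Redirect variant (only if the WG adopts 302 support):
server {
    listen 443 ssl;
    server_name mta-sts.user.example;
    location = /.well-known/mta-sts.txt {
        return 302 https://mta-sts.provider.example/.well-known/mta-sts.txt;
    }
}

# Reverse-proxy variant (what the current draft assumes):
server {
    listen 443 ssl;
    server_name mta-sts.user.example;
    location = /.well-known/mta-sts.txt {
        proxy_pass https://mta-sts.provider.example/.well-known/mta-sts.txt;
    }
}
```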


Cheers Leif
Daniel Margolis
2017-09-29 13:20:28 UTC
Permalink
I actually wrote up a commit with 302 support:
https://github.com/mrisher/smtp-sts/commit/c41f24d8500f058073b5b78ac18e177f738146a5.
However, I didn't merge it in, since there was no clear consensus in the WG
or among the authors.

The argument *for* 302s is, of course, the added flexibility of hosting,
especially for delegated policies. An example usage would be to allow people
like me, who have a personal domain with just an MX that points to Google,
to use a minimal HTTPS host (e.g. from their registrar) to serve a 302 from
the policy host to Google's policy.

The argument *against* 302s is merely that the extra complexity for MTA
implementors (to ensure proper validation of identities while traversing
redirects, as I wrote* in the commit linked above) is risky or can be
gotten wrong, or that there are additional difficulties around figuring
out (e.g.) which certificate is not trusted by a sender if there is some
policy fetch failure.

I don't think redirects are either critical or fatal, so I would first and
foremost like to see the WG reach a consensus (quickly!) on whether to
support them or not.

Leif, do you think it's reasonable to have a simple up-or-down vote on the
-10 draft vs the additional text linked above, with a conclusion by (say)
end of next week?

Dan


* "Note that when following an HTTP 30x redirect, the aforementioned
certificate authentication MUST nonetheless be applied to the initial HTTPS
response that serves the 30x code; subsequent redirect URIs MUST also be
HTTPS with a server certificate that is trusted by the sending
MTA, non-expired, and valid for the host identity, though this identity may
differ from that the initial `mta-sts` host. (Thus, for example, `
https://mta-sts.user.com` may redirect requests to `
https://mta-sts.provider.com`, but the `provider.com` endpoint must also
be authenticated."
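To make the footnote's rules concrete, here is a rough sketch (my illustration, not text from the draft or the linked commit) of a policy fetcher that refuses non-HTTPS hops and re-validates the server certificate on every redirect; the hostnames, the redirect cap, and the helper names are assumptions:

```python
# Illustrative sketch of the redirect rules quoted above: fetch an
# MTA-STS policy while requiring every hop (including redirect targets)
# to be HTTPS with a certificate validated against the system trust store.
import ssl
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 3  # illustrative cap, not from the draft


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn 30x responses into HTTPError so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_policy(domain: str) -> str:
    url = f"https://mta-sts.{domain}/.well-known/mta-sts.txt"
    ctx = ssl.create_default_context()  # verifies chain and hostname
    opener = urllib.request.build_opener(
        NoRedirect(), urllib.request.HTTPSHandler(context=ctx))
    for _ in range(MAX_REDIRECTS + 1):
        if urlparse(url).scheme != "https":
            raise ValueError("redirect target is not HTTPS: " + url)
        try:
            with opener.open(url, timeout=30) as resp:
                return resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            if err.code in (301, 302, 303, 307, 308) and "Location" in err.headers:
                # Certificate checks apply again on the next iteration's
                # connection, possibly against a different host identity.
                url = urljoin(url, err.headers["Location"])
                continue
            raise
    raise RuntimeError("too many redirects fetching policy for " + domain)
```

Note that the identity checked on each hop is simply whatever host the current URL names, which is how a `mta-sts.user.com` to `mta-sts.provider.com` redirect stays authenticated end to end.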
Post by Brotman, Alexander
Post by Viktor Dukhovni
On Sep 28, 2017, at 4:42 PM, Brotman, Alexander <
Please let us know if you have any comments or questions, and thank you
for your time.
Post by Viktor Dukhovni
I see that 302 HTTP redirects are still not supported, and that policy
delegation without SNI is via reverse proxying, rather than 302
redirects. I may have missed the discussion that arrived at this
decision. Is this the "rough consensus" view?
May I suggest that if you would like to see redirects supported in
addition to, or instead of, reverse proxying, you provide text so we have
something concrete to discuss?
Post by Viktor Dukhovni
I would have expected it to be easier to serve 302 redirects than to deploy
a reverse proxy, but perhaps I am mistaken, and HTTPS servers come with
reverse-proxy support as a common built-in feature?
Speaking as an individual I'd say that modern general purpose webservers
do both equally well and just as easily. There may still be deployment
issues making one or the other preferable in any one situation though...
Cheers Leif
_______________________________________________
Uta mailing list
https://www.ietf.org/mailman/listinfo/uta
Leif Johansson
2017-09-29 15:00:22 UTC
Permalink
Post by Daniel Margolis
Leif, do you think it's reasonable to have a simple up-or-down vote on
the -10 draft vs the additional text linked above, with a conclusion by
(say) end of next week?
Yeah I think folks who like the alternative text or some version of that
should speak up now so we can judge consensus on this issue.

By my reckoning this is the final post-WGLC issue, and but for this we're
ready to push this to the IESG.

Cheers Leif
Eric Mill
2018-04-05 21:15:32 UTC
Permalink
Post by Brotman, Alexander
Post by Viktor Dukhovni
On Sep 28, 2017, at 4:42 PM, Brotman, Alexander <
Please let us know if you have any comments or questions, and thank you
for your time.
Post by Viktor Dukhovni
I would have expected it to be easier to serve 302 redirects than to deploy
a reverse proxy, but perhaps I am mistaken, and HTTPS servers come with
reverse-proxy support as a common built-in feature?
Speaking as an individual I'd say that modern general purpose webservers
do both equally well and just as easily. There may still be deployment
issues making one or the other preferable in any one situation though...
Chiming in quite a bit later now, with my apologies for engaging so late...

I wanted to provide one possible use case where HTTP redirects would be
much more helpful than requiring the use of reverse proxies.

Consider the case of a service like login.gov - https://login.gov and
https://www.login.gov collectively serve a static brochure website for the
product. https://secure.login.gov is the actual dynamic application that
people log in to. Emails sent by the system use @login.gov for the hostname.

Deployment/review processes for the brochure site and the dynamic
application are handled differently, and may be handled by different people.

In this situation, deploying an MTA-STS policy to
https://login.gov/.well-known/mta-sts.txt feels a bit risky, because the
content served at that URL is now very security-relevant to the mail being
sent by the application at secure.login.gov. It would feel less risky if
the URL could redirect to https://secure.login.gov/.well-known/mta-sts.txt,
so that its content (and any updates to that URL) are reviewed by the same
people and with the same rigor that the dynamic application uses.

This also makes it more plausible to generate the contents of mta-sts.txt
dynamically, so that information is at less risk of going out of sync.

I don't want to say it's a dealbreaker or impossible to deploy MTA-STS in
this situation without redirects. But allowing redirects would greatly
reduce either the operational risk of managing the content in a static
site or the effort of changing the architecture to support reverse
proxying, and make the deployment easier to justify.

-- Eric
--
konklone.com | @konklone <https://twitter.com/konklone>
James Cloos
2017-09-29 18:53:47 UTC
Permalink
BA> TLSRPT: Changed the domains associated with reporting, added
BA> examples for policy-strings, and added a MUST for not using l=
BA> for the DKIM signature

Looking at the diff, I noticed that the reference to RFC7159 (JSON) got
dropped. Given that json is still in the draft, I can't tell whether
that was intentional.

-JimC
--
James Cloos <***@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
Brotman, Alexander
2017-10-02 20:33:01 UTC
Permalink
James,

Do you mean the section where the policy-string was declared? There are other references to RFC 7493. If you'd like, I can add another reference to RFC 7159 in the document as well. It was originally there to explicitly reference the section about the serialization for including the STS policy (which was itself a JSON body, which is no longer the case).

--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast


-----Original Message-----
From: James Cloos [mailto:***@jhcloos.com]
Sent: Friday, September 29, 2017 2:54 PM
To: Brotman, Alexander <***@cable.comcast.com>
Cc: ***@ietf.org
Subject: Re: [Uta] Updated MTA-STS & TLSRPT
BA> TLSRPT: Changed the domains associated with reporting, added
BA> examples for policy-strings, and added a MUST for not using l= for
BA> the DKIM signature

Looking at the diff, I noticed that the reference to RFC7159 (JSON) got dropped. Given that json is still in the draft, I can't tell whether that was intentional.

-JimC
--
James Cloos <***@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
James Cloos
2017-10-03 00:20:05 UTC
Permalink
Post by Brotman, Alexander
Do you mean the section where the policy-string was declared?
I read the side-by-side diff and noticed that the JSON RFC was no longer
in the references list, but the string "json" still showed up in several
places.

Hence the question as to whether that change was intentional or inadvertent.

Especially since you'd added a ref to the case-insensitive RFC, I
couldn't tell whether something typo-ish had occurred.
Post by Brotman, Alexander
It was originally there
to explicitly reference the section about the serialization for
including the STS policy (which was a JSON body itself, which no
longer is the case).
But that looks like the change was intentional.

-JimC
--
James Cloos <***@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
Binu Ramakrishnan
2017-09-29 20:59:58 UTC
Permalink
---------- Forwarded message ----------
From: Binu Ramakrishnan <***@oath.com>
Date: Fri, Sep 29, 2017 at 9:52 AM
Subject: Re: [Uta] Updated MTA-STS & TLSRPT
To: Daniel Margolis <***@google.com>
Cc: Leif Johansson <***@sunet.se>, ***@ietf.org, Nicolas Lidzborski <***@google.com>


IMO, whether to support 30x redirects or to depend solely on a reverse-proxy mechanism is a question of preference. Though both can satisfy policy delegation, I would prefer the latter because, as an MTA-STS implementor, I do not need to write additional code (and related tests) to support 30x redirects. Like Leif mentioned, all modern general-purpose web servers are equally good with both redirects and reverse proxying.

Thanks,
-binu
On Fri, Sep 29, 2017 at 6:20 AM, Daniel Margolis <***@google.com> wrote:

I actually wrote up a commit with 302 support: https://github.com/mrisher/smtp-sts/commit/c41f24d8500f058073b5b78ac18e177f738146a5. However, I didn't merge it in, since there was no clear consensus in the WG or among the authors.
The argument for 302s is for added flexibility of hosting, of course, especially on delegated policies. An example usage would be to allow people like me, who have a personal domain with just an MX that points to Google, to use a minimal HTTPS host (e.g. from their registrar) to point a 302 for the policy host to Google's policy.
The argument against 302s is merely whether the extra complexity for MTA implementors (to ensure proper validation of identities while traversing redirects, as I wrote* in the commit linked below) is risky or can be gotten wrong, or whether there are additional issues around difficulty figuring out (e.g.) which certificate is not trusted by a sender if there is some policy fetch failure.
I don't think redirects are either critical or fatal, so I would first and foremost like to see the WG reach a consensus (quickly!) on whether to support them or not. 
 Leif, do you think it's reasonable to have a simple up-or-down vote on the 10 draft vs the additional text linked above, with a conclusion by (say) end of next week?
Dan

* "Note that when following an HTTP 30x redirect, the aforementioned certificate authentication MUST nonetheless be applied to the initial HTTPS response that serves the 30x code; subsequent redirect URIs MUST also be HTTPS with a server certificate that is trusted by the sending MTA, non-expired, and valid for the host identity, though this identity may differ from that the initial `mta-sts` host. (Thus, for example, `https://mta-sts.user.com` may redirect requests to `https://mta-sts.provider.com`, but the `provider.com` endpoint must also be authenticated."
Post by Viktor Dukhovni
Post by Brotman, Alexander
Please let us know if you have any comments or questions, and thank you for your time.
I see that 302 HTTP redirects are still not supported, and that policy
delegation without SNI is via reverse proxying, rather than 302
redirects.  I may have missed the discussion that arrived at this
decision.  Is this the "rough consensus" view?
May I suggest that if you would like to see redirects supported in
addition to, or instead of, reverse proxying, you provide text so we have
something concrete to discuss?
Post by Viktor Dukhovni
I would have expected it to be easier to serve 302 redirects than to deploy
a reverse proxy, but perhaps I am mistaken, and HTTPS servers come with
reverse-proxy support as a common built-in feature?
Speaking as an individual I'd say that modern general purpose webservers
do both equally well and just as easily. There may still be deployment
issues making one or the other preferable in any one situation though...


        Cheers Leif
Viktor Dukhovni
2017-09-29 21:17:57 UTC
Permalink
Post by Binu Ramakrishnan
IMO, whether to support 30x redirects or to depend solely on a reverse-proxy
mechanism is a question of preference. Though both can satisfy policy
delegation, I would prefer the latter because, as an MTA-STS implementor,
I do not need to write additional code (and related tests) to support 30x
redirects. Like Leif mentioned, all modern general-purpose web servers
are equally good with both redirects and reverse proxying.
In that case, reverse-proxy it is, but users will likely seek to
configure some sort of caching in the reverse proxy, and the document
should perhaps provide some guidance about that (and of course
stress that the reverse proxy needs to validate the upstream
certificate, if that language is not there already).
--
Viktor.
Binu Ramakrishnan
2017-09-30 01:39:56 UTC
Permalink
Hi Viktor,

Thank you for the feedback. We will update the document and provide some guidance on reverse-proxy operations.

-binu

From: Viktor Dukhovni <ietf-***@dukhovni.org>
To: ***@ietf.org
Sent: Friday, 29 September 2017 2:18 PM
Subject: Re: [Uta] Updated MTA-STS & TLSRPT
Post by Binu Ramakrishnan
IMO, whether to support 30x redirects or to depend solely on a reverse-proxy
mechanism is a question of preference. Though both can satisfy policy
delegation, I would prefer the latter because, as an MTA-STS implementor,
I do not need to write additional code (and related tests) to support 30x
redirects. Like Leif mentioned, all modern general-purpose web servers
are equally good with both redirects and reverse proxying.
In that case, reverse-proxy it is, but users will likely seek to
configure some sort of caching in the reverse proxy, and the document
should perhaps provide some guidance about that (and of course
stress that the reverse proxy needs to validate the upstream
certificate, if that language is not there already).
--
    Viktor.
Daniel Margolis
2017-09-30 09:15:45 UTC
Permalink
Sounds fair. Right now there's no specific operational guidance about that,
but I think it makes sense to add to section 6.2. I can easily work
something in there.

Current text:

This can be done either by setting the
"mta-sts" record to a host or CNAME specified by the hosting
organization and by giving the hosting organization a TLS certificate
which is valid for that host, or by setting up a "reverse proxy"
(also known as a "gateway") server that serves, as the Policy Domain's
policy host, the policy currently served by the hosting organization.
Regarding authenticating the proxied host, I would just add:

In the case of a reverse proxy configuration, implementors should be
careful to ensure that the proxy requires a TLS connection to the proxied
host, and that the host server's identity is authenticated to prevent
proxying a spoofed policy.
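As a concrete (non-normative) sketch of what that added text asks of a reverse-proxy deployment, an nginx configuration might look like the following; note that nginx does not verify upstream certificates unless told to, and all names here are placeholders:

```nginx
location = /.well-known/mta-sts.txt {
    proxy_pass https://mta-sts.provider.example/.well-known/mta-sts.txt;
    proxy_ssl_verify on;   # reject a spoofed upstream policy
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_server_name on;                 # send SNI to the upstream
    proxy_ssl_name mta-sts.provider.example;  # name to verify against
}
```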
Regarding caching, Viktor, Binu, do you believe this is useful to allow?
While it can be done safely (by simply ensuring the cache-control headers
set by the mta-sts.provider.com host--i.e. the one behind the proxy--are
"correct"), it doesn't strike me as necessary; perhaps it's simpler and
safer to simply recommend against HTTP caching. The expected request rate
is low, and I would assume any provider behind the proxy can handle more
traffic than the proxy itself, so caching isn't quite as compelling, no?
Post by Binu Ramakrishnan
IMO, whether to support 30x redirects or to depend solely on a reverse-proxy
mechanism is a question of preference. Though both can satisfy policy
delegation, I would prefer the latter because, as an MTA-STS implementor,
I do not need to write additional code (and related tests) to support 30x
redirects. Like Leif mentioned, all modern general-purpose web servers
are equally good with both redirects and reverse proxying.
In that case, reverse-proxy it is, but users will likely seek to
configure some sort of caching in the reverse proxy, and the document
should perhaps provide some guidance about that (and of course
stress that the reverse proxy needs to validate the upstream
certificate, if that language is not there already).
--
Viktor.
Viktor Dukhovni
2017-10-02 20:43:36 UTC
Permalink
Post by Daniel Margolis
Regarding caching, Viktor, Binu, do you believe this is useful to allow?
I think it is useful.
Post by Daniel Margolis
While it can be done safely (by simply ensuring the cache-control headers
set by the mta-sts.provider.com host--i.e. the one behind the proxy--are
"correct"), it doesn't strike me as necessary; perhaps it's simpler and
safer to simply recommend against HTTP caching. The expected request rate
is low, and I would assume any provider behind the proxy can handle more
traffic than the proxy itself, so caching isn't quite as compelling, no?
The provider can likely handle the query rate just fine, but serving
cached content is much cheaper than making upstream connections to
the provider. So I think this is attractive for the site doing the
delegation.
--
Viktor.
Binu Ramakrishnan
2017-10-02 21:58:34 UTC
Permalink
My preference would be not to cache the policy at the reverse proxy. Like Dan said, the provider can handle more traffic than the proxy, hence I think caching is not a requirement. The provider may set an appropriate Cache-Control HTTP header to prevent caching.

Example: Cache-Control: no-cache, no-store, must-revalidate

If caching is desired, then the provider may set a Cache-Control policy with a short TTL. The proxy may cache the policy until the cache expires.

Thanks,
-binu

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
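As a sketch of those two options (illustrative values only, with annotations that would not appear in a real response), the provider's response headers might look like:

```
# Prevent caching at the proxy:
Cache-Control: no-cache, no-store, must-revalidate

# Or allow the proxy to cache briefly:
Cache-Control: max-age=60
```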

From: Viktor Dukhovni <ietf-***@dukhovni.org>
To: ***@ietf.org
Sent: Monday, 2 October 2017 1:43 PM
Subject: Re: [Uta] Updated MTA-STS & TLSRPT
Post by Daniel Margolis
Regarding caching, Viktor, Binu, do you believe this is useful to allow?
I think it is useful.
Post by Daniel Margolis
While it can be done safely (by simply ensuring the cache-control headers
set by the mta-sts.provider.com host--i.e. the one behind the proxy--are
"correct"), it doesn't strike me as necessary; perhaps it's simpler and
safer to simply recommend against HTTP caching. The expected request rate
is low, and I would assume any provider behind the proxy can handle more
traffic than the proxy itself, so caching isn't quite as compelling, no?
The provider can likely handle the query rate just fine, but serving
cached content is much cheaper than making upstream connections to
the provider.  So I think this is attractive for the site doing the
delegation.
--
    Viktor.
Viktor Dukhovni
2017-10-02 22:15:20 UTC
Permalink
Post by Binu Ramakrishnan
My preference would be not to cache the policy by the reverse-proxy. Like
Dan said, the provider can handle more traffic than the proxy, hence I
think caching is not a requirement.
The provider may not require it, but it is useful for the provider's
customer. You may be too used to the provider's point of view. :-)
Post by Binu Ramakrishnan
The provider may set an appropriate
Cache-Control HTTP header to prevent caching.
Example: Cache-Control: no-cache, no-store, must-revalidate
I think that's too strict. After all, policies will be cached by
MTAs for weeks or months. So allowing them to be cached for a few
minutes by a reverse proxy makes good sense.
Post by Binu Ramakrishnan
If caching is desired, then the provider may set a Cache-Control policy with
a short TTL. The proxy may cache the policy until the cache expires.
That'd be the advice I'd like to see in the draft.
--
Viktor.
Daniel Margolis
2017-10-03 09:04:19 UTC
Permalink
Yes, if we are going to allow cache-control, I think we should call it out
explicitly.

But this feels a bit weird to me: we are going to say that cache-control
headers may be honored by proxies but not by MTA clients fetching the
policy for their own use? Why do that?

If someone might conceivably proxy your policy, then you really want to get
your cache-control headers right. At which point you may as well allow MTAs
to use them, too.

In any event, I believe the main argument against cache-control is merely
that it means deployers (i.e. policy domains) have to be aware of it--they
must consider, e.g. in section 6.3, that a policy will be valid for "last
serve time + max age *+ cache ttl*". This isn't especially complex, but I
think it's the primary simplicity argument against HTTP caching.

In any event, like I said, if we want to allow cache-control, we should
just allow it globally. It's not horrible to allow it, but we should be
consistent. No?
Post by Viktor Dukhovni
Post by Binu Ramakrishnan
My preference would be not to cache the policy by the reverse-proxy. Like
Dan said, the provider can handle more traffic than the proxy, hence I
think caching is not a requirement.
The provider may not require it, but it is useful for the provider's
customer. You may be too used to the provider's point of view. :-)
Post by Binu Ramakrishnan
The provider may set an appropriate
Cache-Control HTTP header to prevent caching.
Example: Cache-Control: no-cache, no-store, must-revalidate
I think that's too strict. After all, policies will be cached by
MTAs for weeks or months. So allowing them to be cached for a few
minutes by a reverse proxy makes good sense.
Post by Binu Ramakrishnan
If caching is desired, then the provider may set a Cache-Control policy with
a short TTL. The proxy may cache the policy until the cache expires.
That'd be the advice I'd like to see in the draft.
--
Viktor.
Viktor Dukhovni
2017-10-03 16:54:48 UTC
Permalink
Post by Daniel Margolis
Yes, if we are going to allow cache-control, I think we should call it out explicitly.
I don't like to see under-specified features in a protocol. So yes!
Post by Daniel Margolis
But this feels a bit weird to me: we are going to say that cache-control headers may be honored by proxies but not by MTA clients fetching the policy for their own use? Why do that?
Well, MTAs are not Web browsers or HTTP proxies, so they don't go around caching
HTTP content as such. They will cache MTA-STS *policies* in some appropriate
internal representation of said policies, with a cache lifetime that is no greater
than the policy "max_age" field. Therefore, cache-control is of no possible
relevance to the MTA.

Given that the MTA is accessing an HTTPS URL, even if it were configured to use a
(forward) HTTPS proxy to access the Web, it would use "CONNECT" to establish an
HTTPS tunnel, and so any proxy cache is typically bypassed. Only when the proxy
is doing MITM SSL interception (mints certificates for remote sites on the fly via
a CA cert trusted by the MTA) is there a possibility of caching in the proxy, but
I would expect that SSL MITM proxies are not really in the caching business...

So I think that cache control is simply not applicable to the MTA, and there's
no need to "prohibit" it as such.
Post by Daniel Margolis
If someone might conceivably proxy your policy, then you really want to get your cache-control headers right. At which point you may as well allow MTAs to use them, too.
See above. I don't see how or why the MTA would use said cache-control headers.
Post by Daniel Margolis
In any event, I believe the main argument against cache-control is merely that it means deployers (i.e. policy domains) have to be aware of it--they must consider, e.g. in section 6.3, that a policy will be valid for "last serve time + max age + cache ttl". This isn't especially complex, but I think it's the primary simplicity argument against HTTP caching.
The cache TTL should be short enough to be inconsequential by comparison with "max age", and yet long enough to allow a reverse proxy to consolidate closely-spaced requests. Anything more than 60s is probably counter-productive until we start hosting SMTP server farms on Mars.
Post by Daniel Margolis
In any event, like I said, if we want to allow cache-control, we should just allow it globally. It's not horrible to allow it, but we should be consistent. No?
See above; it is not that prohibiting processing of HTTP cache control headers
by SMTP servers was needed, but rather that this specification explicitly
overrides any such headers with "max_age", which is intended to be an explicit
part of the policy and not some out-of-band data managed in the HTTP server
configuration.

The explicit presence of "max_age" makes possible and *invites* the possibility
of using a shorter cache-control lifetime for use-cases like reverse proxies.
--
Viktor.
Daniel Margolis
2017-10-04 15:39:14 UTC
Permalink
Post by Daniel Margolis
Yes, if we are going to allow cache-control, I think we should call it
out explicitly.
I don't like to see under-specified features in a protocol. So yes!
Post by Daniel Margolis
But this feels a bit weird to me: we are going to say that cache-control
headers may be honored by proxies but not by MTA clients fetching the
policy for their own use? Why do that?
Well MTAs are not Web browsers or HTTP proxies, so they don't go around caching
HTTP content as such. They will cache MTA-STS *policies* in some appropriate
internal representation of said policies, with a cache lifetime that is no greater
than the policy "max_age" field. Therefore, cache-control is of no possible
relevance to the MTA.
Given that the MTA is accessing an HTTPS URL, even if it were configured to use a
(forward) HTTPS proxy to access the Web, it would use "CONNECT" to establish an
HTTPS tunnel, and so any proxy cache is typically bypassed. Only when the proxy
is doing MITM SSL interception (mints certificates for remote sites on the fly via
a CA cert trusted by the MTA) is there a possibility of caching in the proxy, but
I would expect that SSL MITM proxies are not really in the caching business...
So I think that cache control is simply not applicable to the MTA, and there's
no need to "prohibit" it as such.
I mean, I agree that it's unlikely an MTA would *want* to do this, but I
think it's useful that we (already have) said "no honoring
cache-control"--the implication of not saying that is that someone who
wants to can cache the HTTP content for up to the cache lifetime, which
may, in some bizarre (and probably faulty) misconfiguration be longer than
the max_age, thus resulting in a cache hit on policy refresh, which is
silly. (Even if it's not longer than max_age, a DNS- or failure-triggered
policy refresh could hit the HTTP cache.)

So I agree that MTAs are unlikely to want to honor HTTP caching headers,
but my point was more that they really *shouldn't* do so, since HTTP
caching brings more complexity to the system and, quite possibly, heartache
and tears. In the interests of specifying the protocol clearly, we just
forbid it.
Post by Daniel Margolis
In any event, I believe the main argument against cache-control is
merely that it means deployers (i.e. policy domains) have to be aware of
it--they must consider, e.g. in section 6.3, that a policy will be valid
for "last serve time + max age + cache ttl". This isn't especially complex,
but I think it's the primary simplicity argument against HTTP caching.
The cache TTL should be short enough to be inconsequential by comparison
with "max age", and yet long enough to allow a reverse proxy to consolidate
closely-spaced requests. Anything more than 60s is probably
counter-productive until we start hosting SMTP server farms on Mars.
I hear Elon Musk is working on that last one.

Are you suggesting we just say that cache-control can be honored up to a
value of 60s? I think that's fine. But note (as I said above) that caching
that is less than the max-age can still be problematic; it means that
someone who sees updated DNS but an old cached HTTP endpoint sees the old
policy. So the interplay between HTTP caching and DNS TTLs is weird, no?
Post by Daniel Margolis
In any event, like I said, if we want to allow cache-control, we should
just allow it globally. It's not horrible to allow it, but we should be
consistent. No?
See above, it is not that prohibiting processing of HTTP cache control headers
by SMTP servers was needed, but rather that this specification explicitly
overrides any such headers with "max_age", which is intended to be an explicit
part of the policy and not some out of band data managed in the HTTP server
configuration.
The explicit presence of "max_age" makes possible and *invites* the possibility
of using a shorter cache-control lifetime for use-cases like reverse proxies.
OK. So to be clear, is your suggestion just to allow cache-control headers *as
long as the cache lifetime is less than the policy max_age*? Or up to a
value of 60s? Or something else?

I think there is some oddity around cache lifetimes greater than the DNS
TTL, though...should we worry about that? Or just advise against it on the
grounds that it can result in confusion, but leave it up to deployers if
they wish to do it?
--
Viktor.
Leif Johansson
2017-10-05 06:25:42 UTC
Permalink
As usual I'm going to suggest that somebody comes up with specific
language we can discuss to keep the document moving towards completion
more quickly.

Cheers Leif
Viktor Dukhovni
2017-10-05 07:40:25 UTC
Permalink
Post by Daniel Margolis
Post by Viktor Dukhovni
So I think that cache control is simply not applicable to the MTA, and
there's no need to "prohibit" it as such.
I mean, I agree that it's unlikely an MTA would *want* to do this, but I
think it's useful that we (already have) said "no honoring
cache-control".
Agreed, we should keep on saying "no honoring cache-control" for
the MTA, however redundant that may be in practice.
Post by Daniel Margolis
Are you suggesting we just say that cache-control can be honored up to a
value of 60s? I think that's fine.
I was thinking that larger values should generally not be published,
but I am open to some client-side (reverse-proxy) limits if you think
that's appropriate.
Post by Daniel Margolis
But note (as I said above) that caching
that is less than the max-age can still be problematic; it means that
someone who sees updated DNS but an old cached HTTP endpoint sees the old
policy. So the interplay between HTTP caching and DNS TTLs are weird, no?
Good point, after updating the HTTPS policy, one MUST wait at least
the duration of the cache-ttl, before making visible DNS changes.
The same also applies when HTTPS changes are made in some content
management system and take a bit of time to propagate out to the
entire server farm. The idea is to ensure that the most recent
visible change in the DNS id occurs more recently than the most
recent visible change in the underlying policy.
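The rollout ordering described here can be sketched as a small check. This is a hypothetical helper; `safe_to_publish_txt` and its parameters are illustrative, not from the draft:

```python
def safe_to_publish_txt(policy_deployed_at: float,
                        cache_ttl: float,
                        now: float) -> bool:
    """True once the old policy could have been flushed from every
    HTTP cache, i.e. at least cache_ttl after the new policy became
    the only one served."""
    return now >= policy_deployed_at + cache_ttl

# New policy became the only one served at t=1000 with a 60s cache-ttl:
assert not safe_to_publish_txt(1000.0, 60.0, now=1030.0)  # too early
assert safe_to_publish_txt(1000.0, 60.0, now=1061.0)      # safe to flip DNS
```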
Post by Daniel Margolis
Post by Viktor Dukhovni
The explicit presence of "max_age" makes possible and *invites* the possibility
of using a shorter cache-control lifetime for use-cases like reverse proxies.
OK. So to be clear, is your suggestion just to allow cache-control headers *as
long as the cache lifetime is less than the policy max_age*? Or up to a
value of 60s? Or something else?
Something on the order of 60s feels about right to me, it could be
even shorter. Basically, anything that allows a reverse proxy to
consolidate a high-volume stream of closely-spaced requests is
useful, and once it is only doing one upstream request every few
seconds, most of the gain is achieved. There's little benefit to
pushing it to one upstream request every ten minutes or every hour.

So I guess I'd like to see providers offer a cache-ttl of at least
5s and at most 60s, with the latter limit recommended to be enforced
by the reverse proxy as an upper bound. The proxy MUST start the
clock from when it *initiates* the upstream connection, not when
it receives the payload, as network delays could otherwise lead to
serving stale data for fresh requests.
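A minimal sketch of that proxy-side rule, assuming the 60s upper bound proposed here and measuring freshness from when the upstream request was initiated (names are illustrative):

```python
MAX_PROXY_TTL = 60.0  # upper bound the proxy enforces (assumption from this thread)

def cache_expiry(initiated_at: float, upstream_ttl: float) -> float:
    """Compute when a cached policy goes stale. The clock starts when the
    upstream request was *initiated*, so network delay between request and
    payload cannot extend the entry's freshness."""
    return initiated_at + min(upstream_ttl, MAX_PROXY_TTL)

# A 600s upstream Cache-Control is clamped to 60s from initiation:
assert cache_expiry(initiated_at=100.0, upstream_ttl=600.0) == 160.0
assert cache_expiry(initiated_at=100.0, upstream_ttl=30.0) == 130.0
```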

A related issue arises for MTAs, if two separate threads are doing
policy retrieval, it would be bad if policy data obtained by one
"thread" that took a long time to arrive displaced more recent data
obtained by another "thread". And worse if the MTA fails to reliably
associate the TXT id that caused each thread to run with the policy
retrieved by that thread. That is, it would be bad to squirrel
away the latest observed DNS TXT id in some shared state and then
separately obtain a policy, and at that time associate the policy
with a TXT id that may be a later one obtained by some other thread.

There needs to be a proper causal ordering of policy data and TXT
ids, where an MTA never ends up associating a TXT id with a policy that
had already been replaced when that TXT id was published.
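One way to sketch that causal-ordering rule: each fetch carries the TXT id that triggered it plus its initiation time, and a slow fetch can never displace the result of one initiated later. This is an illustrative class, not something from the draft:

```python
import threading

class PolicyStore:
    """Stores the (TXT id, policy) pair atomically, rejecting results
    from fetches that were initiated before the currently stored one."""
    def __init__(self):
        self._lock = threading.Lock()
        self._initiated_at = float("-inf")
        self.txt_id = None
        self.policy = None

    def record(self, initiated_at, txt_id, policy):
        with self._lock:
            if initiated_at <= self._initiated_at:
                return False  # stale fetch; discard its result
            self._initiated_at = initiated_at
            self.txt_id, self.policy = txt_id, policy
            return True

store = PolicyStore()
assert store.record(10.0, "id2", "policy-v2")
assert not store.record(5.0, "id1", "policy-v1")  # slow, older fetch loses
assert store.txt_id == "id2" and store.policy == "policy-v2"
```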
Post by Daniel Margolis
I think there is some oddity around cache lifetimes greater than the DNS
TTL, though...should we worry about that? Or just advise against it on the
grounds that it can result in confusion, but leave it up to deployers if
they wish to do it?
I don't think that's an issue, provided the TXT id is never visible
before the new policy is in place, and the old has been flushed
from any HTTP caches. When TXT TTL expires, the client will just
go fetch the latest. Seeing a slightly stale TXT is never a problem,
what could be a problem is seeing a stale policy in association with
a fresh TXT.
--
Viktor.
Daniel Margolis
2017-10-05 07:52:47 UTC
Permalink
Well, so this isn't that big a change or that weird, and I think we can
mostly reconcile here. :)

In section 3.3, we already say this:

Senders may wish to rate-limit the frequency of attempts to fetch the
HTTPS endpoint even if a valid TXT record for the recipient domain
exists. In the case that the HTTPS GET fails, we suggest
implementations may limit further attempts to a period of five minutes
or longer per version ID, to avoid overwhelming resource-constrained
recipients with cascading failures.

So we are already opening the door to short-term caching-*like* behavior in
some cases, for basically the reasons you describe (throttling, though in
the section 3.3. case, to avoid repeatedly hitting an endpoint in case of
*failure*).
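That per-version-ID throttle from section 3.3 could be sketched like this (a hypothetical `FetchThrottle`; the five-minute figure comes from the quoted text):

```python
FETCH_COOLDOWN = 300.0  # five minutes, per the quoted section 3.3 guidance

class FetchThrottle:
    """After a failed HTTPS GET, suppress retries for the same policy
    version ID until the cooldown has elapsed."""
    def __init__(self):
        self._failed_at = {}  # version id -> time of last failure

    def may_fetch(self, version_id, now):
        last = self._failed_at.get(version_id)
        return last is None or now - last >= FETCH_COOLDOWN

    def record_failure(self, version_id, now):
        self._failed_at[version_id] = now

t = FetchThrottle()
t.record_failure("v1", now=0.0)
assert not t.may_fetch("v1", now=100.0)  # still inside the cooldown
assert t.may_fetch("v1", now=300.0)      # cooldown elapsed
assert t.may_fetch("v2", now=100.0)      # other version IDs unaffected
```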

First, we all agree MTAs should not use HTTP caching, since it's redundant
and confusing.

If we want to allow intermediate proxies to use HTTP caching, they should
do so only if the cache-control headers allow it, or else their behavior
will be opaque to the real server.

The real server, if it allows HTTP caching, should probably not allow
caching of any meaningful period of time--say, 1 minute--and should
probably in practice make the cache lifetime much shorter than the DNS TTL,
since the caching then becomes mostly immaterial. (I'm fudging a bit here,
but it makes operational considerations easier: the HTTP cache lifetime is
fetch-time + cache lifetime, whereas the DNS cache lifetime is resolve-time
+ TTL; since resolve-time and fetch-time are quite close together, making
the DNS TTL longer than the HTTP cache lifetime removes the need to
seriously consider the HTTP caching.)
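The timing argument in the parenthetical can be made concrete with a little arithmetic (illustrative numbers, not values from the draft):

```python
def http_stale_at(fetch_time: float, cache_lifetime: float) -> float:
    """HTTP cache entry expires at fetch-time + cache lifetime."""
    return fetch_time + cache_lifetime

def dns_stale_at(resolve_time: float, ttl: float) -> float:
    """DNS record expires at resolve-time + TTL."""
    return resolve_time + ttl

# Resolve and fetch happen nearly together; with the DNS TTL (300s) longer
# than the HTTP cache lifetime (60s), the cached HTTP copy expires first,
# so the HTTP caching never outlives the DNS record that pointed at it.
resolve, fetch = 100.0, 100.5
assert http_stale_at(fetch, 60.0) < dns_stale_at(resolve, 300.0)
```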

As Leif said, what's the concrete language here?

"HTTP caching MAY be used by reverse proxies if allowed by the
Cache-Control headers on the HTTPS endpoint. Hosts who are serving a policy
that is delegated to by other domains SHOULD limit their cache lifetimes to
values under one minute; further, when rotating deployed policies, they
should consider that the new HTTP policy may not be visible to MTAs
fetching the delegator domain's policy until the HTTP cache lifetime has
expired."

Something like that?
Post by Viktor Dukhovni
Post by Daniel Margolis
Post by Viktor Dukhovni
So I think that cache control is simply not applicable to the MTA, and
there's no need to "prohibit" it as such.
I mean, I agree that it's unlikely an MTA would *want* to do this, but I
think it's useful that we (already have) said "no honoring
cache-control".
Agreed, we should keep on saying "no honoring cache-control" for
the MTA, however redundant that may be in practice.
Post by Daniel Margolis
Are you suggesting we just say that cache-control can be honored up to a
value of 60s? I think that's fine.
I was thinking that larger values should generally not be published,
but I am open to some client-side (reverse-proxy) limits if you think
that's appropriate.
Post by Daniel Margolis
But note (as I said above) that caching
that is less than the max-age can still be problematic; it means that
someone who sees updated DNS but an old cached HTTP endpoint sees the old
policy. So the interplay between HTTP caching and DNS TTLs are weird, no?
Good point, after updating the HTTPS policy, one MUST wait at least
the duration of the cache-ttl, before making visible DNS changes.
The same also applies when HTTPS changes are made in some content
management system and take a bit of time to propagate out to the
entire server farm. The idea is to ensure that the most recent
visible change in the DNS id occurs more recently than the most
recent visible change in the underlying policy.
Post by Daniel Margolis
Post by Viktor Dukhovni
The explicit presence of "max_age" makes possible and *invites* the possibility
of using a shorter cache-control lifetime for use-cases like reverse proxies.
OK. So to be clear, is your suggestion just to allow cache-control
headers *as
Post by Daniel Margolis
long as the cache lifetime is less than the policy max_age*? Or up to a
value of 60s? Or something else?
Something on the order of 60s feels about right to me, it could be
even shorter. Basically, anything that allows a reverse proxy to
consolidate a high-volume stream of closely-spaced requests is
useful, and once it is only doing one upstream request every few
seconds, most of the gain is achieved. There's little benefit to
pushing it to one upstream request every ten minutes or every hour.
So I guess I'd like to see providers offer a cache-ttl of at least
5s and at most 60s, with the latter limit recommended to be enforced
by the reverse proxy as an upper bound. The proxy MUST start the
clock from when it *initiates* the upstream connection, not when
it receives the payload, as network delays could otherwise lead to
serving stale data for fresh requests.
A related issue arises for MTAs, if two separate threads are doing
policy retrieval, it would be bad if policy data obtained by one
"thread" that took a long time to arrive displaced more recent data
obtained by another "thread". And worse if the MTA fails to reliably
associate the TXT id that caused each thread to run with the policy
retrieved by that thread. That is, it would be bad to squirrel
away the latest observed DNS TXT id in some shared state and then
separately obtain a policy, and at that time associate the policy
with a TXT id that may be a later one obtained by some other thread.
There needs to be a proper causal ordering of policy data and TXT
ids, where an MTA never ends up associating a TXT id with a policy that
had already been replaced when that TXT id was published.
Post by Daniel Margolis
I think there is some oddity around cache lifetimes greater than the DNS
TTL, though...should we worry about that? Or just advise against it on
the
Post by Daniel Margolis
grounds that it can result in confusion, but leave it up to deployers if
they wish to do it?
I don't think that's an issue, provided the TXT id is never visible
before the new policy is in place, and the old has been flushed
from any HTTP caches. When TXT TTL expires, the client will just
go fetch the latest. Seeing a slightly stale TXT is never a problem,
what could be a problem is seeing a stale policy in association with
a fresh TXT.
--
Viktor.
Brotman, Alexander
2017-10-09 18:24:36 UTC
Permalink
Do we think we really need to allow caching? From what are we trying to protect the backend systems? Feels like it would be easier to disallow caching (or recommend against). I understand the sense that a smaller company could be overwhelmed by an attacker or ill-configured legit sender, but I don’t know how much caching will really help there. The caching server would be similarly overwhelmed I would imagine, and be unable to serve policies to any other requesting systems.
--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast

From: Uta [mailto:uta-***@ietf.org] On Behalf Of Daniel Margolis
Sent: Thursday, October 05, 2017 3:53 AM
To: ***@ietf.org
Subject: Re: [Uta] Updated MTA-STS & TLSRPT

Well, so this isn't that big a change or that weird, and I think we can mostly reconcile here. :)

In section 3.3, we already say this:

Senders may wish to rate-limit the frequency of attempts to fetch the

HTTPS endpoint even if a valid TXT record for the recipient domain

exists. In the case that the HTTPS GET fails, we suggest

implementations may limit further attempts to a period of five minutes

or longer per version ID, to avoid overwhelming resource-constrained

recipients with cascading failures.
So we are already opening the door to short-term caching-*like* behavior in some cases, for basically the reasons you describe (throttling, though in the section 3.3. case, to avoid repeatedly hitting an endpoint in case of *failure*).

First, we all agree MTAs should not use HTTP caching, since it's redundant and confusing.

If we want to allow intermediate proxies to use HTTP caching, they should do so only if the cache-control headers allow it, or else their behavior will be opaque to the real server.

The real server, if it allows HTTP caching, should probably not allow caching of any meaningful period of time--say, 1 minute--and should probably in practice make the cache lifetime much shorter than the DNS TTL, since the caching then becomes mostly immaterial. (I'm fudging a bit here, but it makes operational considerations easier: the HTTP cache lifetime is fetch-time + cache lifetime, whereas the DNS cache lifetime is resolve-time + TTL; since resolve-time and fetch-time are quite close together, making the DNS TTL longer than the HTTP cache lifetime removes the need to seriously consider the HTTP caching.)

As Leif said, what's the concrete language here?

"HTTP caching MAY be used by reverse proxies if allowed by the Cache-Control headers on the HTTPS endpoint. Hosts who are serving a policy that is delegated to by other domains SHOULD limit their cache lifetimes to values under one minute; further, when rotating deployed policies, they should consider that the new HTTP policy may not be visible to MTAs fetching the delegator domain's policy until the HTTP cache lifetime has expired."

Something like that?
Post by Daniel Margolis
Post by Viktor Dukhovni
So I think that cache control is simply not applicable to the MTA, and
there's no need to "prohibit" it as such.
I mean, I agree that it's unlikely an MTA would *want* to do this, but I
think it's useful that we (already have) said "no honoring
cache-control".
Agreed, we should keep on saying "no honoring cache-control" for
the MTA, however redundant that may be in practice.
Post by Daniel Margolis
Are you suggesting we just say that cache-control can be honored up to a
value of 60s? I think that's fine.
I was thinking that larger values should generally not be published,
but I am open to some client-side (reverse-proxy) limits if you think
that's appropriate.
Post by Daniel Margolis
But note (as I said above) that caching
that is less than the max-age can still be problematic; it means that
someone who sees updated DNS but an old cached HTTP endpoint sees the old
policy. So the interplay between HTTP caching and DNS TTLs are weird, no?
Good point, after updating the HTTPS policy, one MUST wait at least
the duration of the cache-ttl, before making visible DNS changes.
The same also applies when HTTPS changes are made in some content
management system and take a bit of time to propagate out to the
entire server farm. The idea is to ensure that the most recent
visible change in the DNS id occurs more recently than the most
recent visible change in the underlying policy.
Post by Daniel Margolis
Post by Viktor Dukhovni
The explicit presence of "max_age" makes possible and *invites* the possibility
of using a shorter cache-control lifetime for use-cases like reverse proxies.
OK. So to be clear, is your suggestion just to allow cache-control headers *as
long as the cache lifetime is less than the policy max_age*? Or up to a
value of 60s? Or something else?
Something on the order of 60s feels about right to me, it could be
even shorter. Basically, anything that allows a reverse proxy to
consolidate a high-volume stream of closely-spaced requests is
useful, and once it is only doing one upstream request every few
seconds, most of the gain is achieved. There's little benefit to
pushing it to one upstream request every ten minutes or every hour.

So I guess I'd like to see providers offer a cache-ttl of at least
5s and at most 60s, with the latter limit recommended to be enfoced
by the reverse proxy as an upper bound. The proxy MUST start the
clock from when it *initiates* the upstream connection, not when
it receives the payload, as network delays could otherwise lead to
serving stale data for fresh requests.

A related issue arises for MTAs, if two separate threads are doing
policy retrieval, it would be bad if policy data obtained by one
"thread" that took a long time to arrive displaced more recent data
obtained by another "thread". And worse if the MTA fails to reliably
associate the TXT id that caused each thread to run with the policy
retrieved by that thread. That is, it would be bad to squirrel
away the latest observed DNS TXT id in some shared state and then
separately obtain a policy, and at that time associate the policy
with a TXT id that may be a later one obtained by some other thread.

There needs to be a proper causal ordering of policy data and TXT
ids, where an MTA never ends up associating a TXT id with a policy that
had already been replaced when that TXT id was published.
Post by Daniel Margolis
I think there is some oddity around cache lifetimes greater than the DNS
TTL, though...should we worry about that? Or just advise against it on the
grounds that it can result in confusion, but leave it up to deployers if
they wish to do it?
I don't think that's an issue, provided the TXT id is never visible
before the new policy is in place, and the old has been flushed
from any HTTP caches. When TXT TTL expires, the client will just
go fetch the latest. Seeing a slightly stale TXT is never a problem,
what could be a problem is seeing a stale policy in association with
a fresh TXT.
--
Viktor.

Viktor Dukhovni
2017-10-09 19:54:35 UTC
Permalink
Post by Brotman, Alexander
Do we think we really need to allow caching? From what are we trying to
protect the backend systems?
NOT the backend systems, but rather the more constrained reverse
proxies of the customers.

Caching can of course be disabled by the provider, but I think that's
needlessly inconsiderate of the reverse proxies.
Post by Brotman, Alexander
Feels like it would be easier to disallow
caching (or recommend against). I understand the sense that a smaller
company could be overwhelmed by an attacker or ill-configured legit sender,
but I don't know how much caching will really help there. The caching
server would be similarly overwhelmed I would imagine, and be unable to
serve policies to any other requesting systems.
The defense is not against deliberate DDoS, rather it significantly
reduces proxy concurrency, by making it possible to serve content
from a cache, rather than go upstream for each request. This
can significantly improve scalability at little cost.

All the provider has to do is delay the publication of the TXT
record, until the corresponding new policy has been the only
one available for > 60s. This is a low cost to pay, and allows
cooperative caching to be supported by providers that wish to
do so. I think that providers should support caching, but
this specification will not require them to do so.
--
Viktor.
Brotman, Alexander
2017-10-09 20:58:36 UTC
Permalink
The points are valid. I suppose I just expect that the tiny file will reside in memory and require little to serve it (beyond as you stated, initiating a session), resulting in little benefit. Just seems like we're stating something that could/should be left to the implementer/admin at the site to implement as is proper for their environment.

I believe Daniel was waiting on comments from Leif (and Viktor?) about his proposed language changes.

--
Alex Brotman
Sr. Engineer, Anti-Abuse
Comcast


-----Original Message-----
From: Uta [mailto:uta-***@ietf.org] On Behalf Of Viktor Dukhovni
Sent: Monday, October 09, 2017 3:55 PM
To: ***@ietf.org
Subject: Re: [Uta] Updated MTA-STS & TLSRPT
Post by Brotman, Alexander
Do we think we really need to allow caching? From what are we trying
to protect the backend systems?
NOT the backend systems, but rather the more constrained reverse proxies of the customers.

Caching can of course be disabled by the provider, but I think that's needlessly inconsiderate of the reverse proxies.
Post by Brotman, Alexander
Feels like it would be easier to disallow caching (or recommend
against). I understand the sense that a smaller company could be
overwhelmed by an attacker or ill-configured legit sender, but I don't
know how much caching will really help there. The caching server
would be similarly overwhelmed I would imagine, and be unable to serve
policies to any other requesting systems.
The defense is not against deliberate DDoS, rather it significantly reduces proxy concurrency, by making it possible to serve content from a cache, rather than go upstream for each request. This can significantly improve scalability at little cost.

All the provider has to do is delay the publication of the TXT record, until the corresponding new policy has been the only one available for > 60s. This is a low cost to pay, and allows cooperative caching to be supported by providers that wish to do so. I think that providers should support caching, but this specification will not require them to do so.
--
Viktor.
Viktor Dukhovni
2017-10-09 22:14:45 UTC
Permalink
Post by Brotman, Alexander
The points are valid. I suppose I just expect that the tiny file will
reside in memory and require little to serve it (beyond as you stated,
initiating a session),
The "initiating a session" cost is precisely the cost that caching
helps to avoid. Any request rate faster than 1/min becomes ~1/min
when a 60s cache is enabled.
Post by Brotman, Alexander
resulting in little benefit.
I disagree there.
Post by Brotman, Alexander
Just seems like we're
stating something that could/should be left to the implementer/admin at
the site to implement as is proper for their environment.
The request is to NOT prohibit caching between the reverse proxy and
the provider, and to give said provider some guidance on pitfalls to
avoid.

Daniel's proposal looked on track to me.
--
Viktor.
Leif Johansson
2017-10-10 09:03:03 UTC
Permalink
Post by Viktor Dukhovni
Daniel's proposal looked on track to me.
If nobody else has an opposing view I'd say rev the document with the
proposed change and let's call it a day.