Changeset 1369
- Timestamp:
- 02/08/11 12:03:26 (11 years ago)
- Location:
- draft-ietf-httpbis/latest
- Files:
- 2 edited
draft-ietf-httpbis/latest/p1-messaging.html
r1368 r1369 359 359 } 360 360 @bottom-center { 361 content: "Expires February 2, 2012";361 content: "Expires February 3, 2012"; 362 362 } 363 363 @bottom-right { … … 410 410 <meta name="dct.creator" content="Reschke, J. F."> 411 411 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest"> 412 <meta name="dct.issued" scheme="ISO8601" content="2011-08-0 1">412 <meta name="dct.issued" scheme="ISO8601" content="2011-08-02"> 413 413 <meta name="dct.replaces" content="urn:ietf:rfc:2145"> 414 414 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> … … 442 442 </tr> 443 443 <tr> 444 <td class="left">Expires: February 2, 2012</td>444 <td class="left">Expires: February 3, 2012</td> 445 445 <td class="right">HP</td> 446 446 </tr> … … 495 495 <tr> 496 496 <td class="left"></td> 497 <td class="right">August 1, 2011</td>497 <td class="right">August 2, 2011</td> 498 498 </tr> 499 499 </tbody> … … 525 525 in progress”. 526 526 </p> 527 <p>This Internet-Draft will expire on February 2, 2012.</p>527 <p>This Internet-Draft will expire on February 3, 2012.</p> 528 528 <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1> 529 529 <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p> … … 675 675 <li>11.2 <a href="#abuse.of.server.log.information">Abuse of Server Log Information</a></li> 676 676 <li>11.3 <a href="#attack.pathname">Attacks Based On File and Path Names</a></li> 677 <li>11.4 <a href="#dns. spoofing">DNS Spoofing</a></li>677 <li>11.4 <a href="#dns.related.attacks">DNS-related Attacks</a></li> 678 678 <li>11.5 <a href="#attack.proxies">Proxies and Caching</a></li> 679 679 <li>11.6 <a href="#attack.protocol.element.size.overflows">Protocol Element Size Overflows</a></li> … … 2733 2733 bugs in such HTTP server implementations have turned into security risks. 
2734 2734 </p> 2735 <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a> <a id="dns.spoofing" href="#dns.spoofing">DNS Spoofing</a></h2> 2736 <p id="rfc.section.11.4.p.1">Clients using HTTP rely heavily on the Domain Name Service, and are thus generally prone to security attacks based on the 2737 deliberate mis-association of IP addresses and DNS names. Clients need to be cautious in assuming the continuing validity 2738 of an IP number/DNS name association. 2739 </p> 2740 <p id="rfc.section.11.4.p.2">In particular, HTTP clients <em class="bcp14">SHOULD</em> rely on their name resolver for confirmation of an IP number/DNS name association, rather than caching the result of previous 2741 host name lookups. Many platforms already can cache host name lookups locally when appropriate, and they <em class="bcp14">SHOULD</em> be configured to do so. It is proper for these lookups to be cached, however, only when the TTL (Time To Live) information 2742 reported by the name server makes it likely that the cached information will remain useful. 2743 </p> 2744 <p id="rfc.section.11.4.p.3">If HTTP clients cache the results of host name lookups in order to achieve a performance improvement, they <em class="bcp14">MUST</em> observe the TTL information reported by DNS. 2745 </p> 2746 <p id="rfc.section.11.4.p.4">If HTTP clients do not observe this rule, they could be spoofed when a previously-accessed server's IP address changes. As 2747 network renumbering is expected to become increasingly common <a href="#RFC1900" id="rfc.xref.RFC1900.1"><cite title="Renumbering Needs Work">[RFC1900]</cite></a>, the possibility of this form of attack will grow. Observing this requirement thus reduces this potential security vulnerability. 
2748 </p> 2749 <p id="rfc.section.11.4.p.5">This requirement also improves the load-balancing behavior of clients for replicated servers using the same DNS name and reduces 2750 the likelihood of a user's experiencing failure in accessing sites which use that strategy. 2735 <h2 id="rfc.section.11.4"><a href="#rfc.section.11.4">11.4</a> <a id="dns.related.attacks" href="#dns.related.attacks">DNS-related Attacks</a></h2> 2736 <p id="rfc.section.11.4.p.1">HTTP clients rely heavily on the Domain Name Service (DNS), and are thus generally prone to security attacks based on the 2737 deliberate misassociation of IP addresses and DNS names not protected by DNSSec. Clients need to be cautious in assuming the 2738 validity of an IP number/DNS name association unless the response is protected by DNSSec (<a href="#RFC4033" id="rfc.xref.RFC4033.1"><cite title="DNS Security Introduction and Requirements">[RFC4033]</cite></a>). 2751 2739 </p> 2752 2740 <h2 id="rfc.section.11.5"><a href="#rfc.section.11.5">11.5</a> <a id="attack.proxies" href="#attack.proxies">Proxies and Caching</a></h2> … … 2853 2841 <h2 id="rfc.references.2"><a href="#rfc.section.13.2" id="rfc.section.13.2">13.2</a> Informative References 2854 2842 </h2> 2855 <table> 2843 <table> 2856 2844 <tr> 2857 2845 <td class="reference"><b id="BCP97">[BCP97]</b></td> … … 2946 2934 </tr> 2947 2935 <tr> 2936 <td class="reference"><b id="RFC4033">[RFC4033]</b></td> 2937 <td class="top">Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, “<a href="http://tools.ietf.org/html/rfc4033">DNS Security Introduction and Requirements</a>”, RFC 4033, March 2005. 2938 </td> 2939 </tr> 2940 <tr> 2948 2941 <td class="reference"><b id="RFC4288">[RFC4288]</b></td> 2949 2942 <td class="top"><a href="mailto:ned.freed@mrochek.com" title="Sun Microsystems">Freed, N.</a> and <a href="mailto:klensin+ietf@jck.com">J. 
Klensin</a>, “<a href="http://tools.ietf.org/html/rfc4288">Media Type Specifications and Registration Procedures</a>”, BCP 13, RFC 4288, December 2005. … … 3634 3627 <p id="rfc.section.D.17.p.1">Closed issues: </p> 3635 3628 <ul> 3629 <li> <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/100">http://tools.ietf.org/wg/httpbis/trac/ticket/100</a>>: "DNS Spoofing / DNS Binding advice" 3630 </li> 3636 3631 <li> <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/270">http://tools.ietf.org/wg/httpbis/trac/ticket/270</a>>: "\-escaping in quoted strings" 3637 3632 </li> … … 3898 3893 </ul> 3899 3894 </li> 3900 <li><em>RFC1900</em> <a href="# rfc.xref.RFC1900.1">11.4</a>, <a href="#RFC1900"><b>13.2</b></a></li>3895 <li><em>RFC1900</em> <a href="#RFC1900"><b>13.2</b></a></li> 3901 3896 <li><em>RFC1919</em> <a href="#rfc.xref.RFC1919.1">2.4</a>, <a href="#RFC1919"><b>13.2</b></a></li> 3902 3897 <li><em>RFC1945</em> <a href="#rfc.xref.RFC1945.1">2.6</a>, <a href="#RFC1945"><b>13.2</b></a>, <a href="#rfc.xref.RFC1945.2">B</a></li> … … 3942 3937 </ul> 3943 3938 </li> 3939 <li><em>RFC4033</em> <a href="#rfc.xref.RFC4033.1">11.4</a>, <a href="#RFC4033"><b>13.2</b></a></li> 3944 3940 <li><em>RFC4288</em> <a href="#rfc.xref.RFC4288.1">10.3</a>, <a href="#RFC4288"><b>13.2</b></a></li> 3945 3941 <li><em>RFC4395</em> <a href="#rfc.xref.RFC4395.1">10.2</a>, <a href="#RFC4395"><b>13.2</b></a></li> -
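Review bot: In the section 11.4 hunk, the old normative requirement that clients caching host name lookups MUST observe the TTL reported by DNS (old 11.4.p.3), together with the rationale that a stale cached mapping lets a client be spoofed once a server's address changes (old 11.4.p.4), is removed without any replacement guidance for the common case of a client that caches lookups and has no DNSSEC-validated answer; consider retaining one sentence such as "If HTTP clients cache the results of host name lookups, they MUST observe the TTL information reported by DNS." or, if the removal is deliberate, saying so in the D.17 changelog entry for ticket 100, which currently only names the ticket. Two smaller points in the same hunk: the new text spells the term "DNSSec" while RFC 4033 uses "DNSSEC", and "an IP number/DNS name association unless the response is protected" would be clearer as "unless the DNS response is protected", since an HTTP client itself rarely validates DNSSEC and relies on a validating resolver to report that protection.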
draft-ietf-httpbis/latest/p1-messaging.xml
r1368 r1369 4011 4011 </section> 4012 4012 4013 <section title="DNS Spoofing" anchor="dns.spoofing"> 4014 <t> 4015 Clients using HTTP rely heavily on the Domain Name Service, and are 4016 thus generally prone to security attacks based on the deliberate 4017 mis-association of IP addresses and DNS names. Clients need to be 4018 cautious in assuming the continuing validity of an IP number/DNS name 4019 association. 4020 </t> 4021 <t> 4022 In particular, HTTP clients &SHOULD; rely on their name resolver for 4023 confirmation of an IP number/DNS name association, rather than 4024 caching the result of previous host name lookups. Many platforms 4025 already can cache host name lookups locally when appropriate, and 4026 they &SHOULD; be configured to do so. It is proper for these lookups to 4027 be cached, however, only when the TTL (Time To Live) information 4028 reported by the name server makes it likely that the cached 4029 information will remain useful. 4030 </t> 4031 <t> 4032 If HTTP clients cache the results of host name lookups in order to 4033 achieve a performance improvement, they &MUST; observe the TTL 4034 information reported by DNS. 4035 </t> 4036 <t> 4037 If HTTP clients do not observe this rule, they could be spoofed when 4038 a previously-accessed server's IP address changes. As network 4039 renumbering is expected to become increasingly common <xref target="RFC1900"/>, the 4040 possibility of this form of attack will grow. Observing this 4041 requirement thus reduces this potential security vulnerability. 4042 </t> 4043 <t> 4044 This requirement also improves the load-balancing behavior of clients 4045 for replicated servers using the same DNS name and reduces the 4046 likelihood of a user's experiencing failure in accessing sites which 4047 use that strategy. 
4013 <section title="DNS-related Attacks" anchor="dns.related.attacks"> 4014 <t> 4015 HTTP clients rely heavily on the Domain Name Service (DNS), and are thus 4016 generally prone to security attacks based on the deliberate misassociation 4017 of IP addresses and DNS names not protected by DNSSec. Clients need to be 4018 cautious in assuming the validity of an IP number/DNS name association unless 4019 the response is protected by DNSSec (<xref target="RFC4033"/>). 4048 4020 </t> 4049 4021 </section> … … 4726 4698 </reference> 4727 4699 4700 <reference anchor='RFC4033'> 4701 <front> 4702 <title>DNS Security Introduction and Requirements</title> 4703 <author initials='R.' surname='Arends' fullname='R. Arends'/> 4704 <author initials='R.' surname='Austein' fullname='R. Austein'/> 4705 <author initials='M.' surname='Larson' fullname='M. Larson'/> 4706 <author initials='D.' surname='Massey' fullname='D. Massey'/> 4707 <author initials='S.' surname='Rose' fullname='S. Rose'/> 4708 <date year='2005' month='March' /> 4709 </front> 4710 <seriesInfo name='RFC' value='4033' /> 4711 </reference> 4712 4728 4713 <reference anchor="RFC4288"> 4729 4714 <front> … … 5974 5959 <list style="symbols"> 5975 5960 <t> 5961 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/100"/>: 5962 "DNS Spoofing / DNS Binding advice" 5963 </t> 5964 <t> 5976 5965 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/270"/>: 5977 5966 "\-escaping in quoted strings"
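Review bot: The references hunk adds the RFC4033 entry but does not remove RFC1900, whose only citation (xref target="RFC1900" in the old 11.4 text) disappears in this same changeset; the HTML index hunk confirms this, now listing RFC1900 with only its 13.2 entry, so [RFC1900] becomes an uncited informative reference and should be dropped from the references in the same commit. Style point in the added reference element: it uses single-quoted attributes (<reference anchor='RFC4033'>, <date year='2005' month='March' />) while the neighbouring RFC4288 entry uses double quotes; match the file's existing convention.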