📄 rfc3040.txt
字号:
requests.
Authentication based on IP number assumes that the end-to-end
properties of the Internet are preserved. This is typically not the
case for environments containing interception proxies.
9.2 Privacy
9.2.1 Trusted third party
When using a replication service, one must trust both the replica
origin server and the replica selection system.
Cooper, et al. Informational [Page 26]
RFC 3040 Internet Web Replication & Caching Taxonomy January 2001
Redirection of traffic - either by automated replica selection
methods, or within proxies - may introduce third parties the end user
and/or origin server must to trust. In the case of interception
proxies, such third parties are often unknown to both end points of
the communication. Unknown third parties may have security
implications.
Both proxies and replica selection services may have access to
aggregated access information. A proxy typically knows about
accesses by each client using it, information that is more sensitive
than the information held by a single origin server.
9.2.2 Logs and legal implications
Logs from proxies should be kept secure, since they provide
information about users and their patterns of behaviour. A proxy's
log is even more sensitive than a web server log, as every request
from the user population goes through the proxy. Logs from replica
origin servers may need to be amalgamated to get aggregated
statistics from a service, and transporting logs across borders may
have legal implications. Log handling is restricted by law in some
countries.
Requirements for object security and privacy are the same in a web
replication and caching system as it is in the Internet at large. The
only reliable solution is strong cryptography. End-to-end encryption
frequently makes resources uncacheable, as in the case of SSL
encrypted web sessions.
9.3 Service security
9.3.1 Denial of service
Any redirection of traffic is susceptible to denial of service
attacks at the redirect point, and both proxies and replica selection
services may redirect traffic.
By attacking a proxy, access to all servers may be denied for a large
set of clients.
It has been argued that introduction of an interception proxy is a
denial of service attack, since the end-to-end nature of the Internet
is destroyed without the content consumer's knowledge.
9.3.2 Replay attack
A caching proxy is by definition a replay attack.
Cooper, et al. Informational [Page 27]
RFC 3040 Internet Web Replication & Caching Taxonomy January 2001
9.3.3 Stupid configuration of proxies
It is quite easy to have a stupid configuration which will harm
service for content consumers. This is the most common security
problem with proxies.
9.3.4 Copyrighted transient copies
The legislative forces of the world are considering the question of
transient copies, like those kept in replication and caching system,
being legal. The legal implications of replication and caching are
subject to local law.
Caching proxies need to preserve the protocol output, including
headers. Replication services need to preserve the source of the
objects.
9.3.5 Application level access
Caching proxies are application level components in the traffic flow
path, and may give intruders access to information that was
previously only available at the network level in a proxy-free world.
Some network level equipment may have required physical access to get
sensitive information. Introduction of application level components
may require additional system security.
10. Acknowledgements
The editors would like to thank the following for their assistance:
David Forster, Alex Rousskov, Josh Cohen, John Martin, John Dilley,
Ivan Lovric, Joe Touch, Henrik Nordstrom, Patrick McManus, Duane
Wessels, Wojtek Sylwestrzak, Ted Hardie, Misha Rabinovich, Larry
Masinter, Keith Moore, Roy Fielding, Patrik Faltstrom, Hilarie Orman,
Mark Nottingham and Oskar Batuner.
References
[1] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L.,
Leach, P. and T. Berners-Lee, "Hypertext Transfer Protocol --
HTTP/1.1", RFC 2616, June 1999.
[2] Wessels, D. and K. Claffy, "Internet Cache Protocol (ICP),
Version 2", RFC 2186, September 1997.
[3] Wessels, D. and K. Claffy, "Application of Internet Cache
Protocol (ICP), Version 2", RFC 2187, September 1997.
Cooper, et al. Informational [Page 28]
RFC 3040 Internet Web Replication & Caching Taxonomy January 2001
[4] Postel, J. and J. Reynolds, "File Transfer Protocol (FTP)", STD
9, RFC 959, October 1985.
[5] Anklesaria, F., McCahill, M., Lindner, P., Johnson, D., Torrey,
D. and B. Alberti, "The Internet Gopher Protocol", RFC 1436,
March 1993.
[6] Berners-Lee, T., Fielding, R. and H. Frystyk, "Hypertext
Transfer Protocol -- HTTP/1.0", RFC 1945, May 1996.
[7] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D. and L.
Jones, "SOCKS Protocol Version 5", RFC 1928, March 1996.
[8] Brisco, T., "DNS Support for Load Balancing", RFC 1794, April
1995.
[9] Vixie, P. and D. Wessels, "Hyper Text Caching Protocol
(HTCP/0.0)", RFC 2756, January 2000.
[10] Fan, L., Cao, P., Almeida, J. and A. Broder, "Summary Cache: A
Scalable Wide-Area Web Cache Sharing Protocol", Proceedings of
ACM SIGCOMM'98 pp. 254-265, September 1998.
[11] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997.
[12] Netscape, Inc., "Navigator Proxy Auto-Config File Format",
March 1996,
<URL:http://www.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-
live.html>.
[13] Gauthier, P., Cohen, J., Dunsmuir, M. and C. Perkins, "The Web
Proxy Auto-Discovery Protocol", Work in Progress.
[14] Valloppillil, V. and K. Ross, "Cache Array Routing Protocol",
Work in Progress.
[15] Microsoft Corporation, "Cache Array Routing Protocol (CARP)
v1.0 Specifications, Technical Whitepaper", August 1999,
<URL:http://www.microsoft.com/Proxy/Guide/carpspec.asp>.
[16] Microsoft Corporation, "Cache Array Routing Protocol and
Microsoft Proxy Server 2.0, Technical White Paper", August
1998,
<URL:http://www.microsoft.com/proxy/documents/CarpWP.exe>.
[17] Lovric, I., "Internet Cache Protocol Extension", Work in
Progress.
Cooper, et al. Informational [Page 29]
RFC 3040 Internet Web Replication & Caching Taxonomy January 2001
[18] Cieslak, M. and D. Forster, "Cisco Web Cache Coordination
Protocol V1.0", Work in Progress.
[19] Cieslak, M., Forster, D., Tiwana, G. and R. Wilson, "Cisco Web
Cache Coordination Protocol V2.0", Work in Progress.
[20] Goutard, C., Lovric, I. and E. Maschio-Esposito, "Pre-filling a
cache - A satellite overview", Work in Progress.
[21] Hamilton, M., Rousskov, A. and D. Wessels, "Cache Digest
specification - version 5", December 1998,
<URL:http://www.squid-cache.org/CacheDigest/cache-digest-
v5.txt>.
[22] Cerpa, A., Elson, J., Beheshti, H., Chankhunthod, A., Danzig,
P., Jalan, R., Neerdaels, C., Shroeder, T. and G. Tomlinson,
"NECP: The Network Element Control Protocol", Work in Progress.
[23] Cooper, I. and J. Dilley, "Known HTTP Proxy/Caching Problems",
Work in Progress.
Cooper, et al. Informational [Page 30]
RFC 3040 Internet Web Replication & Caching Taxonomy January 2001
Authors' Addresses
Ian Cooper
Equinix, Inc.
2450 Bayshore Parkway
Mountain View, CA 94043
USA
Phone: +1 650 316 6065
EMail: icooper@equinix.com
Ingrid Melve
UNINETT
Tempeveien 22
Trondheim N-7465
Norway
Phone: +47 73 55 79 07
EMail: Ingrid.Melve@uninett.no
Gary Tomlinson
CacheFlow Inc.
12034 134th Ct. NE, Suite 201
Redmond, WA 98052
USA
Phone: +1 425 820 3009
EMail: gary.tomlinson@cacheflow.com
Cooper, et al. Informational [Page 31]
RFC 3040 Internet Web Replication & Caching Taxonomy January 2001
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Cooper, et al. Informational [Page 32]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -