
ATIS Open Web Alliance



Presentation Transcript


  1. ATIS Open Web Alliance • Jim McEachern • Senior Technology Consultant • ATIS • 3 June 2014

  2. Agenda • Welcome & Call to Order • Introductions • High-Level Workplan • Use Cases & Use Case Analysis • Open Service Optimization Proxy • Next Steps & Future Meetings • Adjournment

  3. New OWA Members • Advisory Consulting Associates • Cisco • Hughes • Leidos (OEC Support) • National Football League • Rogers Communications • Telefonica

  4. OWA Participants • Alcatel-Lucent • AT&T • Cisco Systems • CenturyLink • Ericsson, Inc. • Flash Networks • Google • Hitachi • Hughes (subsidiary of Echostar) • Intrado • NFL • Nokia Solutions & Networks USA LLC • NTT • Leidos (OEC Support) • OpenWave Mobility • Orange • Rogers Communications • Telefonica • ViaSat

  5. High Level Workplan

  6. OWA Working Procedures • OWA is open to all: • No fee to participate • Structure and working procedures: • Transitioning to new system for email and contributions • Full details will be sent to email list • Mailing list: contact ablasgen@atis.org • Any member can submit/upload contributions • All contributions will be publicly available • Meetings: • Virtual meetings every two weeks • F2F meeting if/when required

  7. ATIS Intellectual Property Rights (IPR) & Antitrust Policies ATIS Procedure Notice: ATIS Forum and Committee activities must adhere to the ATIS Operating Procedures (including basic principles such as fairness, due process, respect for minority opinions, and common sense). IPR Notice: In connection with the development of an American National Standard, or other deliverable that requires use of patented inventions, the use of patented inventions shall be governed by the ANSI Patent Policy as adopted by ATIS and as set forth in Section 10 of the "Operating Procedures for ATIS Forums and Committees." Under this policy: • Disclosure of relevant patented inventions at the earliest possible time in the development process is encouraged. An opportunity will be provided for the members to identify or disclose patents that any member believes may be essential for the use of a standard under development. • Neither the Committee, nor its leaders, can ensure the accuracy or completeness of any disclosure, investigate the validity or existence of a patent, or determine whether a patent is essential to the use of an ATIS deliverable. • ATIS prohibits any discussion of licensing terms in its Forums and Committees. Antitrust Risk Notice: The leaders further remind attendees that participation in industry fora involves the potential for antitrust concerns or risks. To avoid such concerns and risks, participants should carefully observe the "Operating Procedures for ATIS Forums and Committees". In addition, sensitive discussion topics such as price, territories, specific contractual terms, etc., should be avoided. Questions: Participants having questions, comments, or concerns regarding any of these topics should consult with their company's legal counsel, the Committee leadership, ATIS staff, or ATIS legal counsel.

  8. High Level Workplan • Review proxy use cases (https://github.com/http2/http2-spec/wiki/Proxy-User-Stories) • Provide additional use cases if required • Analyze use cases • Assess common themes • Identify requirements • Proxy, server, and client • Review existing work • Trusted proxy • Publish requirements • IETF • Assess next steps

  9. Use Cases & Use Case Analysis From https://github.com/http2/http2-spec/wiki/Proxy-User-Stories

  10. Use Cases • Review proxy use cases • All use cases are from: https://github.com/http2/http2-spec/wiki/Proxy-User-Stories • Questions: • Is this use case relevant to OWA? • Should it be modified or enhanced? • What is the essence of the use case? • Consider the need for additional use cases

  11. Alex's Enterprise-Supplied Laptop Alex's employer gives him a laptop computer, and when it's connected to their network, it should automatically use their proxy. Because the laptop is owned by his employer, they've installed a CA in its trust store, so that they can intercept traffic from it (as per his terms of employment). It would be nice if Alex were reminded that this was happening while he was browsing the Web, but really he should know this anyway. Also, Alex's browser would like some indication of the quality of encryption on the "other side" of the proxy.

  12. Bobbie-Sue's BYOD at Work Bobbie-Sue's employer allows her to use her own devices (laptop and phone) at work. However, to access some company assets, she needs to install a CA in her device trust store(s). Bobbie-Sue trusts her employer, but doesn't want to let them intercept traffic to other sites; she should be able to either limit the ability of the CA to her company's sites, not allow it to be used for interception at all, or detect when it's in use for interception.

  13. Charlie's Coffee Shop Charlie runs a coffee shop that provides Wifi to its customers. Before they use the network, however, he needs to show them a "terms and conditions" page, and perhaps get login details from them. Charlie doesn't want to intercept his customers' traffic after that, but he does need a way to show them the network login page, even when the browser tries to go to an HTTPS site.

  14. Darlene's Mobile Network Darlene is an executive at a mobile provider, and is responsible for building out their network. If Darlene's customers use too much bandwidth, she needs to deploy very expensive cell towers to provide capacity, which in turn means she needs to raise prices, potentially making her company less competitive. Therefore, Darlene has a strong incentive to save bandwidth or downgrade QoS for a category of traffic. By intercepting Web traffic, she can increase the capacity and responsiveness of her network by transcoding or downgrading QoS for content -- e.g., images and especially videos -- often (but not always) without the end user noticing (since they tend to be using smaller screens than the original video was intended). While Darlene used to apply these optimisations across the board, recently she has been using products that adapt to load and "hot spots" in her network, so that she only optimises when necessary.

  15. Eliot's Village Internet Connection Eliot lives in a remote village where Internet connectivity is quite poor, both in terms of bandwidth and latency. His co-villagers spend a lot of time browsing the Web, and so would benefit from a shared caching proxy. More encryption of HTTP makes it difficult for the village to deploy a proxy; while CDNs help "big" sites, they don't help the rest of their Web traffic, and don't even help the "big" sites unless the CDN has a node deployed on their side of the bottleneck.

  16. Francine's Virus Scanner Francine's computer has a virus scanner that needs to inspect all traffic -- encrypted or not -- as it goes by, and potentially modify responses ("cleaning" them) or reject them outright. The virus scanner currently achieves this by inserting a CA into Francine's trust store and performing TLS MITM on it.

  17. Grant's Debugging Proxy Grant uses a proxy to debug his application, and needs "raw" access to the data stream. Like Francine, he can achieve this by inserting a CA into his trust store and MITM'ing the stream, but this is cumbersome.

  18. Henrietta's Jailhouse Schoolroom Henrietta runs an educational institution inside a house of incarceration (since they share so many attributes). While her student inmates are allowed to surf the Web, they are not allowed to access prohibited resources -- indicated by URL as well as content. As a result, Henrietta needs to see all traffic that goes by.

  19. Ian's Compliance Mission Ian is an executive in a fictional ethical banking institution. He needs to ensure that his employees are complying with various legal requirements as they use the Web. In particular, he wants to assure that proprietary and sensitive information is not leaving via upload forms, etc. As a result, he needs access to all outgoing content.

  20. Jane's Thing Jane has a new Internet of Things device of some sort in her house, but she also has an access gateway that proxies all HTTP to the outside world. As such, she needs to easily configure it to use the proxy.

  21. Kirk's Kids Kirk's kids use all kinds of internet-connected devices in his family home, such as laptops, desktops and phones. He wants to maintain a proxy that limits access to certain Web sites from any of these devices attached to his home network to keep his kids on the safer side of the Web.

  22. Liam's Mobile Identity Proxy Liam runs a Mobile Identity Proxy in a Mobile Network and needs to add the real/anonymous mobile identity of the user as an HTTP header, to facilitate the seamless authentication of the user by the service provider.

  23. Mike's Music Service Mike manages a very popular Rock music web site based on individual subscription and a per-month fee. To develop his business he partnered with a mobile operator who wants to provide rock music as a bonus to his premium data subscribers. Alice is fond of Rock music. Thanks to her premium data subscription plan, Alice has unlimited access to a Rock music web site. Thanks to service augmentation, Alice has seamless access to her favorite streaming music. Alice loves this seamless approach, which protects her privacy and avoids the need to remember yet another login and password pair.

  24. Nancy's Kids' Mobile Devices Nancy's kids use mobile devices such as phones and tablets outside the home. Nancy wants to sign up those devices with a mobile operator's parental control service, which is set up through a proxy, to limit access from those devices to certain web sites to keep her kids browsing safely, and also to limit certain content like video streaming when close to the data plan quota in order to keep the data usage under control and avoid a surprise bill.

  25. Oscar’s Certification Company Oscar runs an on-site education testing and professional certification company. His clients are students that need to take online tests like the TOEFL and SAT, as well as individuals required by their profession to get/renew their certification. Due to the nature of the business and in order to prevent cheating, Oscar has restricted access to only the online sites offering the tests during the testing hours. In order to maintain his credibility with the certification organizations he needs to make sure that employees authenticate, and that their access to the testing sites is monitored for audit purposes.

  26. Peter’s Flowers Delivery Company Peter owns a flower delivery company and he just started taking orders online. He got feedback that while some of his customers are frequently ordering from their mobile phones, others call in because they don’t want to pay for the data. In order to grow the business and reduce costs associated with the dedicated phone order representatives, he partnered with several mobile operators to cover and pay for the data usage associated with his customers’ access to his website.

  27. Quincy’s Online Movie Download Store Quincy runs a successful business allowing his customers to download movies for rent or to buy. His customers are increasingly using their smartphones to view the movies on the go but a common complaint was that with the increased size of the downloads they had no way to intuitively determine if they reached their data plan limits and incurred significant overcharges. Quincy had partnered with several mobile operators and his developers are able to receive in real-time (in a form of a custom header) the remaining data value for the current billing cycle. With this enhancement, Quincy was able to pre-emptively and accurately notify his customers when they were close to reaching their limits without the need for his users to disclose their phone numbers, and therefore minimize the information he collected from them.

  28. Rick’s Fast In-flight Wifi Rick provides high-bandwidth Wifi in-flight via a satellite network. The high latency of satellite means that HTTP prefetching, caching, and compression are needed to provide the snappy web performance that users have come to expect from broadband networks. Like Darlene, Rick also wants to save bandwidth usage via caching and compression. Rick's users are airline travelers who will temporarily opt-in to trust the proxy and/or only trust the proxy for specific sites.

  29. Students' Shared Cache Bob and Alice are two university students in a developing country. The university forward proxy has a large cache and a limited international connection in order to reduce its network bill. Bob and Alice study network and IT. The students of their section frequently download the same RFCs from the IETF site. In practice, when the proxy downloads a file from the IETF, it saves the document for two weeks in its cache as long as storage is available. Students are very happy with this situation as they access the documents very quickly.

  30. Tom's Rural Broadband Tom lives far enough from town that Telcos are not able to make the economics work to lay wire to his home. He therefore relies on satellite for his broadband Internet. The high latency of satellite means that HTTP prefetching, caching, and compression are needed to provide the snappy web performance Tom's friends get in town. Tom is willing to trust his service provider to decrypt his HTTPS traffic for most sites in exchange for page load time acceleration but would also like the ability to disable this decryption for activities like online banking.

  31. Ulrich's Censorship Circumvention Ulrich is keeping up a collection of proxy servers to help internet users in Elbonia bypass internet censorship in their country. The proxies are set up in jurisdictions outside the censorship regime and control of Elbonian authorities. To thwart deep packet inspection, all connections between the clients and the proxy look to an on-the-wire observer like opaque TLS-encrypted HTTP connections with no discernible features to detect proxy usage. To save network traffic and reduce the possibility of detection, the proxies only serve resources that are actually banned; the rest are retrieved directly by the clients. To this end, proxy auto-configuration scripts are provided for the clients allowing selective proxy usage. The "HTTPS" PAC directive could be used as currently implemented by Chrome.
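Several of the stories above (Rick's and Tom's selective trust of a proxy for specific sites, and the selective proxy usage via PAC scripts in Ulrich's story) rely on the same client-side mechanism: a proxy auto-configuration script that routes only chosen hosts through a TLS-wrapped proxy and keeps everything else, including a user-pinned bypass list such as banking, DIRECT. The PAC script below is an added example and not part of the slides or the HTTP/2 wiki; the proxy address and domain lists are constructed placeholders.

```javascript
// Proxy auto-configuration (PAC) script: selective proxying with Chrome's
// "HTTPS host:port" directive, which tunnels to the proxy over TLS so an
// on-path observer sees only a TLS session to the proxy.
// All addresses and domains here are constructed placeholders.

// Hosts the user has opted in to send through the trusted proxy.
var PROXIED_DOMAINS = ["example.org", "cdn.example.net"];

// Hosts that must never be proxied (e.g. online banking). Checked before the
// proxied list so the bypass always wins, even for a subdomain of a proxied one.
var BYPASS_DOMAINS = ["bank.example.org"];

// Placeholder proxy reached over TLS ("HTTPS" directive). No "; DIRECT"
// fallback is appended, so a policy proxy fails closed rather than silently
// bypassing the proxy when it is unreachable; add one for a pure accelerator.
var TLS_PROXY = "HTTPS proxy.example.net:443";

// Mirrors the PAC built-in dnsDomainIs(host, domain): true when host equals
// domain or ends with "." + domain. Defined locally so the file also runs
// outside a PAC engine; browsers would otherwise supply the built-in.
function matchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

function inList(host, list) {
  for (var i = 0; i < list.length; i++) {
    if (matchesDomain(host, list[i])) return true;
  }
  return false;
}

// Entry point every PAC engine calls once per request.
function FindProxyForURL(url, host) {
  // Plain hostnames (no dot) are local names; never send them to the proxy.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Bypass list first: a pinned site can never be routed via the proxy.
  if (inList(host, BYPASS_DOMAINS)) return "DIRECT";
  if (inList(host, PROXIED_DOMAINS)) return TLS_PROXY;
  return "DIRECT";
}
```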

  32. Use Case Analysis Use case analysis would consider: • Value: • From user perspective • From admin perspective • Device owner • Current solution for use case • Alternative solutions for use case • Requirements for preferred solution Soliciting Volunteers to Participate in Use Case Analysis

  33. Outline: Open Service Optimization Proxy • Introduction • Problem statement • Terminology • Proxy use cases • Use case analysis • Derived requirements • Discovery • Security Considerations • Privacy Considerations • IANA Considerations • Acknowledgements • References

  34. Next Steps

  35. Next Steps • Ad Hoc team to analyze use cases • Report back to full team • Feedback from HTTPbis interim meeting • Update on draft-loreto-httpbis-trusted-proxy20-01

  36. OWA Meeting Schedule • Proposed meeting schedule (through the summer): • Thursday June 26th, 11:00 – 1:00 EDT • Thursday July 10th, 11:00 – 1:00 EDT • Thursday July 24th, 11:00 – 1:00 EDT • Thursday Aug 7th, 11:00 – 1:00 EDT • Thursday Aug 21st, 11:00 – 1:00 EDT • Thursday Sept 4th, 11:00 – 1:00 EDT
