Re: IETF web site behind CloudFlare

2014-09-17 05:44:35
Jari Arkko <jari(_dot_)arkko(_at_)piuha(_dot_)net> wrote
Wed, 17 Sep 2014 12:54:09 +0300:

| The change to CloudFlare has been mentioned, for instance in the
| plenary. The decision was taken by IAOC, with input from the tools
| committee, based on our perception of the need to have a globally
| efficient access to IETF web content, with ability to scale as needed,
| and with the kind of support that we need. And obviously without
| having to build too much of it ourselves.  Note that the current setup
| involves static web content and not the data tracker.

Sadly it covers also the mailing list archives at
https://www.ietf.org/mail-archive/web/ietf/, which is a real
bummer. Would providing an alternative way to reach the archives, in
addition to the above, be possible?


| See page 18 in
| http://www.ietf.org/proceedings/90/slides/slides-90-iesg-opsplenary-7.pdf
| for some measurements regarding the effects
| and I think at least I personally have found the impact significant.

(If only I could access that document. ;))

Well, this is somewhat telling. Page 18 shows graphs and tables on HTTP
load time before and after switching CDN. I realise that people care
about performance but I think that we in this case care too little about
the safety of our users.

We serve static pages to users who risk having to talk to both
CloudFlare (every time regardless of "rating" actually) and Google (for
the captcha) and this with a browser executing JavaScript. While I do
applaud the support for TLS on the site, I think that we should take
more things than performance and DoS mitigation into consideration when
picking technology and setting up our services.

I realise the need for outsourcing of some things. I don't know if there
is a solution where users can pull the content from IETF servers
only. But wouldn't it be great if we used the power of the consumer to
try to make things better for web users? I would imagine that IETF is
somewhat listened to when it comes to this.


| I was not personally aware of the captcha operation nor have I ever
| seen it while accessing the IETF web site from various places. But we
| can ask Ray to investigate if there are different, more suitable
| settings. However, I’d note that being able to deal with some DoS
| attacks is actually a useful feature, and it is not unthinkable for
| the IETF to be a target. So any defence tactic inconvenience should be
| weighed against the risks and benefits.

I agree. What worries me is that the risk of blocking legitimate users
is being underestimated.

Ray, please let me know how I can help with testing the settings
("Threat Scores" and "Security Level" seem to be relevant terms) from a
user's point of view.


Jari, thanks for caring about this.