IETF Logo Mail Archive

Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

"Bless, Roland (TM)" <roland.bless@kit.edu> Thu, 14 July 2022 21:09 UTC

Return-Path: <roland.bless@kit.edu>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28E95C157B39 for <architecture-discuss@ietfa.amsl.com>; Thu, 14 Jul 2022 14:09:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UifPjjCpO4gv for <architecture-discuss@ietfa.amsl.com>; Thu, 14 Jul 2022 14:09:17 -0700 (PDT)
Received: from iramx1.ira.uni-karlsruhe.de (iramx1.ira.uni-karlsruhe.de [IPv6:2a00:1398:2::10:80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F8D9C14792A for <architecture-discuss@ietf.org>; Thu, 14 Jul 2022 14:09:16 -0700 (PDT)
Received: from [2a00:1398:2:4006:ac9a:4147:855e:ea65] (helo=i72vorta.tm.kit.edu) by iramx1.ira.uni-karlsruhe.de with esmtpsa port 25 iface 2a00:1398:2::10:8 id 1oC656-0001bK-Ej; Thu, 14 Jul 2022 23:09:09 +0200
Received: from [IPV6:::1] (ip6-localhost [IPv6:::1]) by i72vorta.tm.kit.edu (Postfix) with ESMTPS id 4C836D00161; Thu, 14 Jul 2022 23:09:09 +0200 (CEST)
Message-ID: <e7bacfeb-e6f2-99d7-c0fa-d9067e7e4bd4@kit.edu>
Date: Thu, 14 Jul 2022 23:09:09 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Thunderbird/91.11.0
Content-Language: en-US
To: Martin Thomson <mt@lowentropy.net>, "Joel M. Halpern" <jmh@joelhalpern.com>, architecture-discuss@ietf.org
References: <a06000c5-939a-a896-9c0f-576e9e2ff97f@gmail.com> <D20FCDD6-3756-40E7-AD6A-416A2C464DF1@gmail.com> <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com> <6723979f-c496-43e1-a389-a50dd3af2224@beta.fastmail.com> <ade079ff-b8b4-76ab-626c-e74f99229205@joelhalpern.com> <0bdc5d0f-2411-4797-b116-d46643d21746@beta.fastmail.com>
From: "Bless, Roland (TM)" <roland.bless@kit.edu>
Organization: Institute of Telematics, Karlsruhe Institute of Technology (KIT)
In-Reply-To: <0bdc5d0f-2411-4797-b116-d46643d21746@beta.fastmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-ATIS-AV: ClamAV (iramx1.ira.uni-karlsruhe.de)
X-ATIS-Checksum: v3zoCAcc32ckk
X-ATIS-Timestamp: iramx1.ira.uni-karlsruhe.de esmtpsa 1657832949.585697833
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/AVcwUU21eTQhJgc_afF02wVBJj4>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2022 21:09:19 -0000

Hi Martin,

I think that you attribute properties to Postel's robustness principle
that are not implied by it. Please reread RFC1122 section 1.2.2.
The robustness principle is not an obstacle for protocol evolution.
I think that we have enough examples of protocols
that have built-in extensible protocol objects (like IPv6's extension 
header)
while there implementations can still adhere to the robustness principle.
So older implementations can still handle new and unknown objects
in a useful manner, thereby not impeding protocol evolution (sec. 6.1
talks also about this, but I don't agree with "In contrast, relying on 
implementations
to consistently apply the robustness principle is not a good strategy 
for extensibility."
as they do not exclude each other).

Your draft says:
"Time and experience shows that negative consequences to 
interoperability accumulate over time if implementations apply the 
robustness principle. This problem originates from an assumption 
implicit in the principle that it is not possible to effect change in a 
system the size of the Internet. It assumes that once a protocol 
specification is published, changes that might require existing 
implementations to change are not feasible."

I cannot find any evidence for the above statements in any formulation
of the robustness principle. You also state
"Today, robustness *is* used as an excuse for protocol developers doing 
a bad job.",
but this is not related really to the robustness principle you are 
referring to.

As I wrote in an earlier mail:
* one aspect of the robustness principle is security: the implementation
   should not crash or be vulnerable to faulty inputs.
   Why shouldn't this be valid anymore in face of protocol evolution?
* another aspect is interoperability (conservative sending) and avoiding
   unnecessary overhead. I also don't see any problems here for protocol
   evolution. The robustness principle would always be applied to the
   corresponding (evolved) protocol specification. If there is an 
evolutionary
   path in the base spec, fine! The protocol can then evolve inside the 
given
   boundaries while the robustness principle still holds for the 
corresponding
   implementation.

The draft also says:
"A flaw can become entrenched as a de facto standard. Any implementation 
of the protocol is required to replicate the aberrant behavior, or it is 
not interoperable."
Obviously, either the protocol spec is not clear enough or the 
robustness principle wasn't really applied
on the sender's side. Instead of diluting the protocol specification by 
adapting other implementations
to the flaw(s) of a single implementation, the aberrant implementation 
should be fixed.
So in this case if the statement "it is necessary for both 
specifications and implementations to be responsive to changes"
this could be applied to the aberrant implementation straight away: go 
and fix it!
More conservative implementations could refuse to interoperate with the 
faulty implementation also due to adherence
to the robustness principle.

Regards,
  Roland

On 14.07.22 at 02:02 Martin Thomson wrote:
> On Thu, Jul 14, 2022, at 00:33, Joel Halpern wrote:
>> Your description of the Robustness Principle below does not match my
>> understanding at all.  It was never intended as an excuse for protocol
>> developers to do a bad job.
> I agree, but then I don't.
>
> The Robustness Principle was a totally appropriate tool for the Internet of the 1980s.  What passed for specification was necessarily loose.  That was OK because the people implementing and deploying were collaborators on a research project.  That sort of thing happens all the time when building something complex.  It was, in essence, the author setting out the high-level details and leaving the details to colleagues.  It was partly an embodiment of respect and an acknowledgment that everyone involved was still learning.
>
> That doesn't pass for responsible today though.  People consuming RFCs aren't all respected colleagues who share a common goal and can be trusted to work it out for themselves.  Today, robustness *is* used as an excuse for protocol developers doing a bad job.
>
> I've seen that people are very much willing to drop the excuse and do the work after some nudging.  And I've had to nudge less often recently.
>
> The trick then is in determining what else robustness is good for.  Papering over a temporary interoperability issue is the best I've heard.  Of course, the number of problems I've witnessed arising from that practice makes me want to discourage that as strongly as possible.
>
> Of course, if you have a better definition, please go ahead and produce one. Maybe what I've said makes no sense under an alternative definition.  The text in RFC 760 seems pretty clear to me if you want to rely on documented canon; the same applies to my observations of how it was interpreted.
>
> I'm also not looking to change your mind.  Reasonable people can disagree on points like this.  You clearly have a well-established position based on lots of experience and careful thought.
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss

v2.23.0 | Report a Bug | By Email