IETF Logo Mail Archive

Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

Joel Halpern <jmh@joelhalpern.com> Fri, 15 July 2022 01:06 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66934C15A72E for <architecture-discuss@ietfa.amsl.com>; Thu, 14 Jul 2022 18:06:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.127
X-Spam-Level:
X-Spam-Status: No, score=-2.127 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvnDl5FxWx-e for <architecture-discuss@ietfa.amsl.com>; Thu, 14 Jul 2022 18:06:43 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AE2FC157B39 for <architecture-discuss@ietf.org>; Thu, 14 Jul 2022 18:06:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id 4LkY8z0p00z1pXty; Thu, 14 Jul 2022 18:06:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=2.tigertech; t=1657847203; bh=FZiJVdflC28dgl2ltqSpVolL58boBPNqKgyLW9Ao4gk=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=M66buf2XJ377wj39HteUQ7M0WoKU5o0seR3Hz2qcz7AFHPxdSpUtTyLR3zISck+oc X+bOUs0hQa6GpghMZNONV+tHZgy/spSX3nsmiTQiQpKZbX8k6Fi33SZekLntdGu9kM ctbEREv1jixNKjPf5cVujqvAovTS2ihBxRa+MT/g=
X-Quarantine-ID: <hNAGvBeeMBXF>
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from [192.168.23.181] (unknown [50.233.136.230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 4LkY8y2xR1z1pXtd; Thu, 14 Jul 2022 18:06:42 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------y8THDG0iet0Z5nQVVQbjObD0"
Message-ID: <a13312c7-fb6f-1b25-3a85-f9f34d3f4d49@joelhalpern.com>
Date: Thu, 14 Jul 2022 21:06:40 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Eric Rescorla <ekr@rtfm.com>
Cc: "iab@iab.org IAB" <iab@iab.org>, architecture-discuss@ietf.org
References: <165757861882.5604.10456894596583178055@ietfa.amsl.com> <482ad0ea-a64d-5156-445e-9a00ff2a7103@gmail.com> <CABcZeBPPL7a-0RdczMvDUmjwfRRd7qnBb=8nRJQ7Ni4oDJNSJg@mail.gmail.com>
From: Joel Halpern <jmh@joelhalpern.com>
In-Reply-To: <CABcZeBPPL7a-0RdczMvDUmjwfRRd7qnBb=8nRJQ7Ni4oDJNSJg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/Ab_gOqnSpwm3UHb5gvfd-IM6hkE>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2022 01:06:47 -0000

I suspect that the correct answer from a design perspective depends upon 
other aspects of the protocol.

It is clearly reasonable for the protocol designers as part of the spec 
to say "malformed messages MUST be ignore", or even "malformed messages 
MUST result in a connection reset" (whatever connection means).  if the 
WG writes that in, then that is the correct response.

Whether the WG should write those rules, or other more permissive rules, 
depends I expect on the consequences of problems.  For example, one 
could also write a rule that says that any duplicate or out of order 
TLVs cause the rest of the TLVs to be ignored". Thus allowing efficient 
parsing but not causing as much disruption.  Whether that is right or 
wrong depends upon the implications of the choices.

I can imagine a whole range of nuances and possibilities.

The more interesting case from a protocol robustness point of view is 
what a receiver should do when everything looks right, but the specific 
type code is not understood.  I would again hope that the spec answers 
that question.  But I would also hope and expect implementors to fall 
back to the robustness principle when and if the spec doesn't say.

Yours,

Joel

On 7/14/2022 8:46 PM, Eric Rescorla wrote:
> I'm finding myself a little unsure on where exactly to locate
> the disagreements here. Perhaps a hypothetical would help.
>
> Suppose we have a protocol that consists of a set of tag-length-values
> fields. A message consists of a length field followed by a list of
> TLVs.  The protocol defines the following requirements for how a
> message is constructed:
>
> 1. A given tag MUST only appear once
> 2. TLVs MUST appear in ascending tag order (this can help
>    detect violations of the previous condition)
>
> Question 1: How should implementations behave upon receiving the
> following messages, absent any other spec guidance?
>
> - Tags: 1, 2, 2  [Violates rule 1]
> - Tags: 1, 3, 2  [Violates rule 2]
>
>
> Question 2: Should we provide specification guidance for how to handle
> these rule violations, and if so, how?
>
> Question 3: Do you think the answers depend on other properties of the
> protocol? If so, what are they?
>
> -Ekr
>
>
>
> On Tue, Jul 12, 2022 at 4:44 PM Brian E Carpenter 
> <brian.e.carpenter@gmail.com> wrote:
>
>     I still find it hard to accept that there is community consensus for
>     this document as it stands. Most of what its says is correct but it
>     still seems to unreasonably claim universal scope.
>
>     Some suggestions:
>
>     Title: The Robustness Principle May Have Harmful Consequences
>
>     Last sentence of Abstract:
>     For some types of protocol that are actively maintained, the
>     robustness principle can, and should, be avoided.
>
>     And a few changes in the main text such as:
>     OLD:
>     Time and experience shows that negative consequences to
>     interoperability accumulate over time if implementations apply the
>     robustness principle.
>
>     NEW:
>     Time and experience shows that negative consequences to
>     interoperability sometimes accumulate over time if implementations
>     apply the robustness principle.
>
>     Even with changes like this, I'm not sure everyone will agree.
>
>     Regards
>         Brian Carpenter
>
>     On 12-Jul-22 10:30, internet-drafts@ietf.org wrote:
>     >
>     > A New Internet-Draft is available from the on-line
>     Internet-Drafts directories.
>     > This draft is a work item of the Internet Architecture Board
>     IETF of the IETF.
>     >
>     >          Title           : The Harmful Consequences of the
>     Robustness Principle
>     >          Authors         : Martin Thomson
>     >                            David Schinazi
>     >    Filename        : draft-iab-protocol-maintenance-08.txt
>     >    Pages           : 15
>     >    Date            : 2022-07-11
>     >
>     > Abstract:
>     >     The robustness principle, often phrased as "be conservative
>     in what
>     >     you send, and liberal in what you accept", has long guided
>     the design
>     >     and implementation of Internet protocols.  The posture this
>     statement
>     >     advocates promotes interoperability in the short term, but can
>     >     negatively affect the protocol ecosystem over time. For a
>     protocol
>     >     that is actively maintained, the robustness principle can, and
>     >     should, be avoided.
>     >
>     >
>     > The IETF datatracker status page for this draft is:
>     > https://datatracker.ietf.org/doc/draft-iab-protocol-maintenance/
>     >
>     > There is also an HTML version available at:
>     >
>     https://www.ietf.org/archive/id/draft-iab-protocol-maintenance-08.html
>     >
>     > A diff from the previous version is available at:
>     > https://www.ietf.org/rfcdiff?url2=draft-iab-protocol-maintenance-08
>     >
>     >
>     > Internet-Drafts are also available by rsync at
>     rsync.ietf.org::internet-drafts
>     >
>     >
>     > _______________________________________________
>     > I-D-Announce mailing list
>     > I-D-Announce@ietf.org
>     > https://www.ietf.org/mailman/listinfo/i-d-announce
>     > Internet-Draft directories: http://www.ietf.org/shadow.html
>     > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>
>     _______________________________________________
>     Architecture-discuss mailing list
>     Architecture-discuss@ietf.org
>     https://www.ietf.org/mailman/listinfo/architecture-discuss
>
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss

v2.23.0 | Report a Bug | By Email