Re: [arch-d] deprecating Postel's principle- considered harmful
Paul Wouters <paul@nohats.ca> Wed, 08 May 2019 02:06 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DD5E120073; Tue, 7 May 2019 19:06:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y2OynZtbpH5R; Tue, 7 May 2019 19:06:11 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EE7012002E; Tue, 7 May 2019 19:06:11 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44zKZn0XB9z34l; Wed, 8 May 2019 04:06:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1557281169; bh=2XYORSqiiQ6SvIqCf5BW+jyGPvEdalSkkjvlllBPuAs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Die2JXHV9haoAWCApxR3ChoR8xnpX/8G/r55pUNd3rg9jmGxnZm6oWcdAP5w/A7/T FAmpDJfRXNwaKlAL+ZAWYtx0cqjfwER4ZppzcG0UrnklV+FUvqVBA+wdhTi2V1oE4g QjkfCG3LjbBuw7DjoRkHkP3F8DwtVfi8xiwDgTUI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FzuMN1EYcaGN; Wed, 8 May 2019 04:06:07 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 8 May 2019 04:06:06 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E52BC61DCD; Tue, 7 May 2019 22:06:04 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca E52BC61DCD
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D890741982E0; Tue, 7 May 2019 22:06:04 -0400 (EDT)
Date: Tue, 07 May 2019 22:06:04 -0400
From: Paul Wouters <paul@nohats.ca>
To: ietf@nohats.ca
cc: "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>, "iab@iab.org" <iab@iab.org>, The IESG <iesg@ietf.org>
In-Reply-To: <20190507215332.GA31547@gsp.org>
Message-ID: <alpine.LRH.2.21.1905072123580.8852@bofh.nohats.ca>
References: <F64C10EAA68C8044B33656FA214632C89F024CD3@MISOUT7MSGUSRDE.ITServices.sbc.com> <CALaySJJDHg5j9Z7+noS=YXoNROqdsbJ6coEECtLtbJ6fWJ3xsQ@mail.gmail.com> <53a9c16c-163c-a18a-371a-f8aa8697af15@cs.tcd.ie> <20190507215332.GA31547@gsp.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/BObPVMeIryRNi7808C-p5nf-9Eo>
Subject: Re: [arch-d] deprecating Postel's principle- considered harmful
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 02:06:14 -0000
On Tue, 7 May 2019, Rich Kulawiec wrote: > But now? In the decades since, we've learned that every tiny opening > can be and will be exploited by someone, often in surprising ways. > The pendulum has swung a long way from "be liberal in what you accept" > because it's now dangerous. When I think about Jon, and of what he > envisioned, I'm saddened by this. Having done IKE/IPsec since the late 90s - so 30 years - I can tell you that applying the "no Postel principle" strictly would only work under special conditions. The problem is not the Postel principle. The problem is that we have "too big to fail" implementations and a lack of implementation diversity. The Postel principle works fine if there is diversity. As soon as someone can just do whatever they want, the principle breaks. But that does not mean the answer is to blindly promote the opposite. That will just end up with errata's or bis documents to follow the incumbents mistakes. As an example, Microsoft IKEv2 completely breaks DH/PFS on rekeying. If I apply the unforgiven stance, either my implementation dies because "it does not work", or all Windows desktop VPN's die, or both. Additionally, any Microsoft setup with an intermediate CA would get their CERT payloads rejected for being in the wrong PKCS#7 format. Again, I am not an incumbent so I have no choice but to apply the Postel principle for my own survival. Another example, if my implementation were strict on IPsec ESP with SHA2_256 truncation, 1 billion Android devices would not have IPsec VPNs. An RFC telling me not to do this, is going to get ignored by me. If anything, Postel's principle was too binary. Sometimes it makes sense to use, and sometimes it does not. But how to apply that is tricky too. Should I allow Microsoft to do IKEv2 rekeying with DH using modp1024? It severely degrades security. Am I in a position to do so? Not really. Can I document this and tell people to enable a workaround and hope to shame a vendor into compliance? Yes I can[*]. Without having to break everyone. Can I put in an Android workaround option and tell the Android developers everytime I see them they still do it wrong. Yes I can, and after 3 years of harassment they finally fixed it and added their own "legacy" option to get their old behaviour back. Now, picking up on the origin of the ESP SHA2_256 truncation bug, this was caused by the linux kernel implementing a draft instead of the final RFC. I pointed this out to the Linux maintainer in 2008 or so, long before Android. Their fix was to keep the original broken behaviour and add a new API for the new correct behaviour. But people kept using old software that did not use the new API, including the giant Google. This is clearly a broken strategy. I'd say you MUST fix your code to be RFC compliant, and clearly mark such fixes in your changelog/release notes. Yes, it might still break people, but you might prevent 1 billion future people from being broken, and anyone who does an upgrade and sees a fail, can do a downgrade and read up on why and what happened. That is, don't keep on doing it wrong, because then the workarounds never die. You did it wrong, then you take the extra work to do it right (and wrong) and maybe in 10-15 years you can delete the workarounds for your own mistakes. It is hard for an old code base to still understand various bits of code and workaround. This is where comments really help. To give another example, a recent bug showed my implementation ignored VPN delete requests within the first few seconds of an established VPN session. I tracked down the problem and found a comment in the code, that allowed me to make an informed decision to remove it: https://github.com/libreswan/libreswan/commit/82adf12106f4d3b44f80819f6e2858d5cd7dfb97 For people saying "that was 20 years ago, this is a different internet age", I don't believe that. The incumbents might have changed, but the scenario of the underdog has not changed. Now, when we do something fairly new and experimental, and we are doing our first interops, please reject everything that violates the draft. Get the first implementations to be rigid and robust. The more strict those first players are, the better we get compliance out of the different vendors. But if you find something a year later, and you can do a workaround based on the Postel principle, be a good citizen and report the bug and implement the workaround clearly. And remove it again in a number of years. (bonus: people get rewarded for upgrading their systems!) In principle, live according to the Postel principle. Paul [*] I'm still in the "hoping" phase on this one :(
- Re: [arch-d] deprecating Postel's principle- cons… BRUNGARD, DEBORAH A
- Re: [arch-d] deprecating Postel's principle- cons… Barry Leiba
- Re: [arch-d] deprecating Postel's principle- cons… Stephen Farrell
- Re: [arch-d] deprecating Postel's principle- cons… Brian E Carpenter
- Re: [arch-d] deprecating Postel's principle- cons… Andrew G. Malis
- Re: [arch-d] deprecating Postel's principle- cons… Barry Leiba
- Re: [arch-d] deprecating Postel's principle- cons… Warren Kumari
- Re: [arch-d] deprecating Postel's principle- cons… Tony Li
- Re: [arch-d] deprecating Postel's principle- cons… Stephen Farrell
- Re: [arch-d] deprecating Postel's principle- cons… Adam Roach
- Re: [arch-d] deprecating Postel's principle- cons… Salz, Rich
- Re: [arch-d] deprecating Postel's principle- cons… Joel M. Halpern
- Re: [arch-d] deprecating Postel's principle- cons… Adam Roach
- Re: [arch-d] [IAB] deprecating Postel's principle… Christian Huitema
- Re: [arch-d] [IAB] deprecating Postel's principle… Stephen Farrell
- Re: [arch-d] deprecating Postel's principle- cons… Matthew Kerwin
- Re: [arch-d] deprecating Postel's principle- cons… Rich Kulawiec
- Re: [arch-d] deprecating Postel's principle- cons… Henning Schulzrinne
- Re: [arch-d] [IAB] deprecating Postel's principle… Henning Schulzrinne
- Re: [arch-d] deprecating Postel's principle- cons… Christian Huitema
- Re: [arch-d] deprecating Postel's principle- cons… Brian E Carpenter
- Re: [arch-d] deprecating Postel's principle- cons… Henning Schulzrinne
- Re: [arch-d] deprecating Postel's principle- cons… Mark Andrews
- Re: [arch-d] deprecating Postel's principle- cons… Paul Wouters
- Re: [arch-d] [IAB] deprecating Postel's principle… Randy Bush
- Re: [arch-d] deprecating Postel's principle- cons… Joe Touch
- Re: [arch-d] deprecating Postel's principle- cons… Carsten Bormann
- Re: [arch-d] deprecating Postel's principle- cons… Jari Arkko
- Re: [arch-d] deprecating Postel's principle- cons… John C Klensin
- Re: [arch-d] deprecating Postel's principle- cons… Henning Schulzrinne
- Re: [arch-d] deprecating Postel's principle- cons… Phillip Hallam-Baker
- Re: [arch-d] deprecating Postel's principle- cons… Bless, Roland (TM)
- Re: [arch-d] deprecating Postel's principle- cons… Joe Touch
- Re: [arch-d] deprecating Postel's principle- cons… Henry S. Thompson
- Re: [arch-d] deprecating Postel's principle- cons… Henning Schulzrinne
- Re: [arch-d] deprecating Postel's principle- cons… Henning Schulzrinne
- Re: [arch-d] deprecating Postel's principle- cons… S Moonesamy
- Re: [arch-d] deprecating Postel's principle- cons… Eliot Lear
- Re: [arch-d] deprecating Postel's principle- cons… Carsten Bormann
- Re: [arch-d] deprecating Postel's principle- cons… Eliot Lear
- Re: [arch-d] deprecating Postel's principle- cons… Bob Briscoe
- Re: [arch-d] deprecating Postel's principle- cons… Henning Schulzrinne
- Re: [arch-d] deprecating Postel's principle- cons… Henry S. Thompson