IETF Logo Mail Archive

Re: [arch-d] deprecating Postel's principle- considered harmful

Paul Wouters <paul@nohats.ca> Wed, 08 May 2019 02:06 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DD5E120073; Tue, 7 May 2019 19:06:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y2OynZtbpH5R; Tue, 7 May 2019 19:06:11 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EE7012002E; Tue, 7 May 2019 19:06:11 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44zKZn0XB9z34l; Wed, 8 May 2019 04:06:09 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1557281169; bh=2XYORSqiiQ6SvIqCf5BW+jyGPvEdalSkkjvlllBPuAs=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Die2JXHV9haoAWCApxR3ChoR8xnpX/8G/r55pUNd3rg9jmGxnZm6oWcdAP5w/A7/T FAmpDJfRXNwaKlAL+ZAWYtx0cqjfwER4ZppzcG0UrnklV+FUvqVBA+wdhTi2V1oE4g QjkfCG3LjbBuw7DjoRkHkP3F8DwtVfi8xiwDgTUI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FzuMN1EYcaGN; Wed, 8 May 2019 04:06:07 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 8 May 2019 04:06:06 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E52BC61DCD; Tue, 7 May 2019 22:06:04 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca E52BC61DCD
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id D890741982E0; Tue, 7 May 2019 22:06:04 -0400 (EDT)
Date: Tue, 07 May 2019 22:06:04 -0400
From: Paul Wouters <paul@nohats.ca>
To: ietf@nohats.ca
cc: "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>, "iab@iab.org" <iab@iab.org>, The IESG <iesg@ietf.org>
In-Reply-To: <20190507215332.GA31547@gsp.org>
Message-ID: <alpine.LRH.2.21.1905072123580.8852@bofh.nohats.ca>
References: <F64C10EAA68C8044B33656FA214632C89F024CD3@MISOUT7MSGUSRDE.ITServices.sbc.com> <CALaySJJDHg5j9Z7+noS=YXoNROqdsbJ6coEECtLtbJ6fWJ3xsQ@mail.gmail.com> <53a9c16c-163c-a18a-371a-f8aa8697af15@cs.tcd.ie> <20190507215332.GA31547@gsp.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/BObPVMeIryRNi7808C-p5nf-9Eo>
Subject: Re: [arch-d] deprecating Postel's principle- considered harmful
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 May 2019 02:06:14 -0000

On Tue, 7 May 2019, Rich Kulawiec wrote:

> But now?  In the decades since, we've learned that every tiny opening
> can be and will be exploited by someone, often in surprising ways.
> The pendulum has swung a long way from "be liberal in what you accept"
> because it's now dangerous.  When I think about Jon, and of what he
> envisioned, I'm saddened by this.

Having done IKE/IPsec since the late 90s - so 30 years - I can tell you
that applying the "no Postel principle" strictly would only work under
special conditions.

The problem is not the Postel principle. The problem is that we have "too
big to fail" implementations and a lack of implementation diversity. The
Postel principle works fine if there is diversity. As soon as someone
can just do whatever they want, the principle breaks. But that does not
mean the answer is to blindly promote the opposite. That will just end
up with errata's or bis documents to follow the incumbents mistakes.

As an example, Microsoft IKEv2 completely breaks DH/PFS on rekeying. If
I apply the unforgiven stance, either my implementation dies because "it
does not work", or all Windows desktop VPN's die, or both. Additionally,
any Microsoft setup with an intermediate CA would get their CERT
payloads rejected for being in the wrong PKCS#7 format. Again, I am not
an incumbent so I have no choice but to apply the Postel principle for
my own survival.

Another example, if my implementation were strict on IPsec ESP with
SHA2_256 truncation, 1 billion Android devices would not have IPsec VPNs.

An RFC telling me not to do this, is going to get ignored by me.

If anything, Postel's principle was too binary. Sometimes it makes sense
to use, and sometimes it does not. But how to apply that is tricky too.
Should I allow Microsoft to do IKEv2 rekeying with DH using modp1024? It
severely degrades security. Am I in a position to do so? Not really. Can
I document this and tell people to enable a workaround and hope to shame
a vendor into compliance? Yes I can[*]. Without having to break everyone.
Can I put in an Android workaround option and tell the Android developers
everytime I see them they still do it wrong. Yes I can, and after 3
years of harassment they finally fixed it and added their own "legacy"
option to get their old behaviour back.

Now, picking up on the origin of the ESP SHA2_256 truncation bug, this
was caused by the linux kernel implementing a draft instead of the final
RFC. I pointed this out to the Linux maintainer in 2008 or so, long
before Android. Their fix was to keep the original broken behaviour and
add a new API for the new correct behaviour. But people kept using old
software that did not use the new API, including the giant Google. This
is clearly a broken strategy. I'd say you MUST fix your code to be RFC
compliant, and clearly mark such fixes in your changelog/release notes.
Yes, it might still break people, but you might prevent 1 billion future
people from being broken, and anyone who does an upgrade and sees a fail,
can do a downgrade and read up on why and what happened. That is, don't
keep on doing it wrong, because then the workarounds never die. You did
it wrong, then you take the extra work to do it right (and wrong) and
maybe in 10-15 years you can delete the workarounds for your own
mistakes.

It is hard for an old code base to still understand various bits of code
and workaround. This is where comments really help. To give another
example, a recent bug showed my implementation ignored VPN delete
requests within the first few seconds of an established VPN session. I
tracked down the problem and found a comment in the code, that allowed
me to make an informed  decision to remove it:

https://github.com/libreswan/libreswan/commit/82adf12106f4d3b44f80819f6e2858d5cd7dfb97

For people saying "that was 20 years ago, this is a different internet
age", I don't believe that. The incumbents might have changed, but the
scenario of the underdog has not changed.

Now, when we do something fairly new and experimental, and we are
doing our first interops, please reject everything that violates the
draft. Get the first implementations to be rigid and robust. The more
strict those first players are, the better we get compliance out of
the different vendors. But if you find something a year later, and you
can do a workaround based on the Postel principle, be a good citizen
and report the bug and implement the workaround clearly. And remove it
again in a number of years. (bonus: people get rewarded for upgrading
their systems!)

In principle, live according to the Postel principle.

Paul
[*] I'm still in the "hoping" phase on this one :(

v2.23.0 | Report a Bug | By Email