Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-04.txt

"BRUNGARD, DEBORAH A" <db3546@att.com> Wed, 06 November 2019 21:14 UTC

Return-Path: <db3546@att.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A26A1208DB; Wed, 6 Nov 2019 13:14:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1aIhdkpKw9yc; Wed, 6 Nov 2019 13:14:44 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 679E51208F5; Wed, 6 Nov 2019 13:14:44 -0800 (PST)
Received: from pps.filterd (m0083689.ppops.net [127.0.0.1]) by m0083689.ppops.net-00191d01. (8.16.0.42/8.16.0.42) with SMTP id xA6L9tjG001987; Wed, 6 Nov 2019 16:14:41 -0500
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0083689.ppops.net-00191d01. with ESMTP id 2w45seg9y7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 06 Nov 2019 16:14:33 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id xA6LEIYu027104; Wed, 6 Nov 2019 16:14:18 -0500
Received: from zlp27128.vci.att.com (zlp27128.vci.att.com [135.66.87.50]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id xA6LEAOH026831 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 6 Nov 2019 16:14:10 -0500
Received: from zlp27128.vci.att.com (zlp27128.vci.att.com [127.0.0.1]) by zlp27128.vci.att.com (Service) with ESMTP id 1CB994009E7E; Wed, 6 Nov 2019 21:14:10 +0000 (GMT)
Received: from MISOUT7MSGHUBAD.ITServices.sbc.com (unknown [130.9.129.148]) by zlp27128.vci.att.com (Service) with ESMTPS id 000944009E7D; Wed, 6 Nov 2019 21:14:09 +0000 (GMT)
Received: from MISOUT7MSGUSRDE.ITServices.sbc.com ([169.254.5.44]) by MISOUT7MSGHUBAD.ITServices.sbc.com ([130.9.129.148]) with mapi id 14.03.0468.000; Wed, 6 Nov 2019 16:14:09 -0500
From: "BRUNGARD, DEBORAH A" <db3546@att.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "iab@iab.org" <iab@iab.org>, "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Thread-Topic: [arch-d] I-D Action: draft-iab-protocol-maintenance-04.txt
Thread-Index: AQHVktorQzqaBndTdEufGR0WueBBLad8Go4AgAJ+wLA=
Date: Wed, 6 Nov 2019 21:14:08 +0000
Message-ID: <F64C10EAA68C8044B33656FA214632C8A3AAC7A4@MISOUT7MSGUSRDE.ITServices.sbc.com>
References: <157284936054.13440.20144182660413459@ietfa.amsl.com> <d6c4e7b7-1a43-7859-427a-35ebf1343fcf@gmail.com>
In-Reply-To: <d6c4e7b7-1a43-7859-427a-35ebf1343fcf@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.249.177]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-11-06_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1910280000 definitions=main-1911060207
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/FF-hVFWMW_TLrE7AeQKr2rt5iB4>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-04.txt
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 21:14:53 -0000

+1 on Brian's points

I may be mis-reading Brian's conclusion, and will take the liberty to re-phrase - "even for a protocol actively maintained, we are not perfect".

I still have difficulty with the title of this document. As Brian says, much of the content of the draft is good. Active/responsible maintenance on our protocols - nothing wrong - totally agree. But to say "the robustness principle is harmful" because it encourages interoperability and discourages proper maintenance/new implementations doesn't parse for me. The title, while attention getting, simply doesn't make sense.

For me, the robustness principle has nothing to do with preventing new extensions on a protocol, it has everything to do with protecting existing deployments. The document's proposal "Choosing to generate fatal errors for unspecified conditions" may be appropriate for some protocols, it would cause a melt down of the network for other protocols. One of my working groups currently is doing a "fix" - and only because of the robustness principle, there have been no issues with current deployments. Sure, when the document was first done, it should have all been perfect. But we are not perfect, even after all the Area Directorate reviews and IESG reviews😊 Theory vs. practice.

RFC1958 is not the only RFC citing the robustness principle - it is in many many documents. How about this one on "The Twelve Networking Truths", unfortunately it is not as easily set to tune as a similar 12-days tune:
https://datatracker.ietf.org/doc/rfc1925/

Regards,
Deborah

-----Original Message-----
From: Architecture-discuss <architecture-discuss-bounces@ietf.org> On Behalf Of Brian E Carpenter
Sent: Monday, November 04, 2019 8:13 PM
To: iab@iab.org; architecture-discuss@ietf.org
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-04.txt

Hi,

Thanks for the updates, but I still have concerns about this draft.

> Abstract
....
>    For a protocol
>    that is actively maintained, the robustness principle can, and
>    should, be avoided.

To be blunt, I don't think there is community consensus for this statement. Now the IAB can of course express an opinion, but for something as contentious as this, I think it needs to be labelled as an opinion statement, especially in the Abstract which tends to bias the reader's mindset. Or a more neutral phrasing could be used; for example:

For a protocol that is actively maintained, the impact of applying the robustness principle should be carefully considered.

> 1.  Introduction
....
>    Ideally, protocol implementations never have to apply the robustness
>    principle.  Or, where it is unavoidable, use of the robustness
>    principle is viewed as a short term workaround that needs to be
>    quickly reverted.

In an ideal world, all implementations would be perfect, so the robustness principle would be unnecessary. But the very basis for it is that the world *is not* ideal and many implementations *are
not* perfect. So, really, what is the point of the first sentence?

And no, I don't believe it's a short term workaround. That's like
saying: when I've finished testing my Python program, I can take out all the try:... except:... statements because I've fixed all the errors, so I don't need the except: cases any more.

On the contrary - good engineers leave the exception handling in for ever. When they don't, planes crash.

Is there really a consensus view in the community that "the robustness principle is viewed as a short term workaround"?
I don't believe it.

> 4.  Ecosystem Effects
> 
>    Once deviations become entrenched, it can be extremely difficult - if
>    not impossible - to rectify the situation.

I take the point. Sloppy usage of the robustness principle can indeed allow sloppy errors in the spec or in an implmentation to survive. But there's a trade-off that, IMHO, the draft does not recognize: non-robust implementations that do not tolerate sloppy inputs are bad for users trying to accomplish something.

It's perfectly reasonable to argue that an implementation should have a strict mode, in which it logs errors etc., in a way that allows the detection of sloppiness at the other end. And I agree that this is of particular value during active development of the protocol and its ecosystem**. But I don't see any developer shipping code to the mass market that has strict mode on by default. I don't see any recognition of this reality in the draft.

It's also correct to argue that sloppiness in certain security functions such as algorithm negotiation is never OK.

** If anyone here is masochistic enough to try my prototype of GRASP, they'll discover that its first two questions to the user are:

Test mode (many extra diagnostics)? Y/N:
Diagnostics for inbound message parse errors? Y/N:

So yes, I agree with a lot of the points this draft makes.

Regards
   Brian Carpenter

On 04-Nov-19 19:36, internet-drafts@ietf.org wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Internet Architecture Board IETF of the IETF.
> 
>         Title           : The Harmful Consequences of the Robustness Principle
>         Author          : Martin Thomson
> 	Filename        : draft-iab-protocol-maintenance-04.txt
> 	Pages           : 12
> 	Date            : 2019-11-03
> 
> Abstract:
>    The robustness principle, often phrased as "be conservative in what
>    you send, and liberal in what you accept", has long guided the design
>    and implementation of Internet protocols.  The posture this statement
>    advocates promotes interoperability in the short term, but can
>    negatively affect the protocol ecosystem over time.  For a protocol
>    that is actively maintained, the robustness principle can, and
>    should, be avoided.
> 
> 
> The IETF datatracker status page for this draft is:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.
> org_doc_draft-2Diab-2Dprotocol-2Dmaintenance_&d=DwICAg&c=LFYZ-o9_HUMeM
> TSQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsRmSzCBeDJz
> yoVaPHVhcM&s=kbSZMir2ED-982IgMsZSmq2G0iPUdthSM2OmHkm7W44&e=
> 
> There are also htmlized versions available at:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_ht
> ml_draft-2Diab-2Dprotocol-2Dmaintenance-2D04&d=DwICAg&c=LFYZ-o9_HUMeMT
> SQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsRmSzCBeDJzy
> oVaPHVhcM&s=yOBYHio-zq9drjV-NoYsh-7zDm1dbhVtWGDnXX-sQt4&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.
> org_doc_html_draft-2Diab-2Dprotocol-2Dmaintenance-2D04&d=DwICAg&c=LFYZ
> -o9_HUMeMTSQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsR
> mSzCBeDJzyoVaPHVhcM&s=cfqDe8UOdKMLYOSZayKW5qXoRtgv_fOKJJVqzXbIc28&e=
> 
> A diff from the previous version is available at:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_rfcd
> iff-3Furl2-3Ddraft-2Diab-2Dprotocol-2Dmaintenance-2D04&d=DwICAg&c=LFYZ
> -o9_HUMeMTSQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsR
> mSzCBeDJzyoVaPHVhcM&s=_2Gg5j9lE4NJ-fC5UpvjR92DL87-FMEznk37rlLFf50&e=
> 
> 
> Please note that it may take a couple of minutes from the time of 
> submission until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> https://urldefense.proofpoint.com/v2/url?u=ftp-3A__ftp.ietf.org_intern
> et-2Ddrafts_&d=DwICAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8
> w&m=Kbpfbfhq9PliTP86bV5fWjsRmSzCBeDJzyoVaPHVhcM&s=fKiTxTwdBtv-0D5ZdWSX
> _yLBdgAV-wejt4IHzTAqnec&e=
> 
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail
> man_listinfo_i-2Dd-2Dannounce&d=DwICAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=6UhG
> pW9lwi9dM7jYlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsRmSzCBeDJzyoVaPHVhcM&s=iZ-
> UvHWovm7zLcAC4hCujoaOsShUADQtZ6qP7jZ_tZ8&e=
> Internet-Draft directories: 
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ietf.org_shado
> w.html&d=DwICAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8w&m=Kb
> pfbfhq9PliTP86bV5fWjsRmSzCBeDJzyoVaPHVhcM&s=cReF-yA9QwtrV64dgHdCDDHGMg
> FIWD12ew4N1pCgY7M&e= or 
> https://urldefense.proofpoint.com/v2/url?u=ftp-3A__ftp.ietf.org_ietf_1
> shadow-2Dsites.txt&d=DwICAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=6UhGpW9lwi9dM7j
> YlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsRmSzCBeDJzyoVaPHVhcM&s=ZaMAMODG1LYT-6
> -vEcjh4adopGO4zky8Kbb0pPsVVn0&e=
> 

_______________________________________________
Architecture-discuss mailing list
Architecture-discuss@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_architecture-2Ddiscuss&d=DwICAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=6UhGpW9lwi9dM7jYlxXD8w&m=Kbpfbfhq9PliTP86bV5fWjsRmSzCBeDJzyoVaPHVhcM&s=kgdQSQezCV64A81czxxBKDaCq-wDS0lG8yl_XwvYRRc&e=