Re: [arch-d] Comments on draft-iab-protocol-maintenance
Mark Nottingham <mnot@mnot.net> Tue, 19 July 2022 02:30 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16E6EC157B40 for <architecture-discuss@ietfa.amsl.com>; Mon, 18 Jul 2022 19:30:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.83
X-Spam-Level:
X-Spam-Status: No, score=-2.83 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=ll2m7faP; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=UpJrGKhe
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6B6vYF-eYCdI for <architecture-discuss@ietfa.amsl.com>; Mon, 18 Jul 2022 19:30:27 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F857C15790C for <architecture-discuss@ietf.org>; Mon, 18 Jul 2022 19:30:27 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 831F85C00A3; Mon, 18 Jul 2022 22:30:26 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Mon, 18 Jul 2022 22:30:26 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1658197826; x= 1658284226; bh=P71ta6xSh8MMInKbWmZ1ehEXM+A6+TzhbAtrfq5l2r0=; b=l l2m7faPWac2cZdTh3wjuWU8HZTZIh51G+sbho8cAvcIQ9m9rR+7BZIol5sE3I+xi m9hngurtA4LqWDOVjwubC0RYqzzosUmf+rAYq1sw4gjHVun4fZhCu61RMiub9hLL DrVX6jHIyaDXZkyH09zrcuUE8Q1mSdn9ofwdGmXLWv/U+KeHNAnKhoOLyXLuND3x ThDEdLoWlsQyy6ZS5QygPu3NsH2UTiQMTMu73mGECwFJKD/MEeI9mw8na4pmi8W0 B8TjJOjzJV2gdOWY+iob6pJxDg29p8iT/vYfcegbQr8+VTkY8sr0RHKya5iuuYrJ zxmQ4or9fM3gCnsVblxsQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1658197826; x= 1658284226; bh=P71ta6xSh8MMInKbWmZ1ehEXM+A6+TzhbAtrfq5l2r0=; b=U pJrGKheN1H6EDvtoSgYFpUWCJpxBNAoQUAd0eKP57aWDqk3TXBYXXRj4GaVXLvoV 3qxJD5mfcMYbjecf4r92rKoDXaInmNl1G2h0eQbYg/PYE1KwlJJnoAR+YlmSPUQ6 v7VXxl9fnyZ71jvaOvt37JRCIDZof/smRnvY0yP4M83NXTz/C1ZxZMh6Ouhasxc5 Mbt0RGWdKLL1Te9XlK6m6QJ6+CmZ3J93Kxt396FISj8/D0VLH/l6+bvplS13qGyM urcSogyiycImY9DkuwdkvSy34heA1pES2SDXRKc4n+yP1upCGIYXFJxs3DCsLfD7 O8RAYcD3/1bLRMntpbJwQ==
X-ME-Sender: <xms:QhfWYs3qVZDrMw4xPhnQU05Foj2M6m-ghJltDQ9Uf6_JfdGwMChhKg> <xme:QhfWYnFDeyi7IF6E4hnCSFv452Jm01607HKcVjw2pJ45Jw9By9CS1n8m1RSkRPBwR HT85j95fUsA3dShfQ>
X-ME-Received: <xmr:QhfWYk6Vnxxh9yeNRn6Fir_XSQeXfe9cAU3POSUuNN2L9GQygUPmAoiUuRcE3RklBZ4zHfl-NN8Nvm-eVrBYuJfpo6eCDL2AxRQih8CbPDgjUhmuyM6qnQn1>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudekledgiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpeforghr khcupfhothhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuggftrfgrth htvghrnhepheffheeutdfhkedtgeffvdegjeeiieevffdtgfduhffhudeigeefteejueej kefgnecuffhomhgrihhnpehhthhtphhrvghsphhonhhsvghsphhlihhtthhinhhgrdgrsh dprghrgihivhdrohhrghdpghhithhhuhgsrdgtohhmpdhivghtfhdrohhrghdpmhhnohht rdhnvghtnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epmhhnohhtsehmnhhothdrnhgvth
X-ME-Proxy: <xmx:QhfWYl0S4hwDUJPk8Nrrb54WVeExUeuDBX8DLrLnuih78bzTaGDhRA> <xmx:QhfWYvEjwTiTG1ka3Hj0eYM88qjqOqpw0h11OaVxyMWqt19QXWZuTQ> <xmx:QhfWYu9vmVHaKFGZhb6B-sK1YhKAJg3a7Mkhsi53k_wT85wqnspjYQ> <xmx:QhfWYkRe2OOXghSqzuN_FRZkiz8Pqk5f7Ckf82m9cEoLNSsl7vbfRw>
Feedback-ID: ie6694242:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 18 Jul 2022 22:30:25 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <BY5PR11MB4196901E8EE4F70BB75BA75CB58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
Date: Tue, 19 Jul 2022 12:30:22 +1000
Cc: Martin Thomson <mt@lowentropy.net>, "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <38680335-BBB9-4C62-8125-C8A02B9EA06B@mnot.net>
References: <BY5PR11MB4196901E8EE4F70BB75BA75CB58C9@BY5PR11MB4196.namprd11.prod.outlook.com>
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/UTjZwQoJTBvNxNgcS2lH9vhJlOI>
Subject: Re: [arch-d] Comments on draft-iab-protocol-maintenance
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 02:30:32 -0000
Just throwing my .02 in - My experience in HTTP and other application protocols leads me to nod my head a lot when reading this draft. The biggest problem we see when the robustness principle is relied upon is that implementations make different decisions regarding what is reasonable, resulting not only in interoperability problems, but security issues (e.g., HTTP response splitting). As the draft alludes to, the robustness principle is attractive when you're trying to make progress in the early stages of a protocol's development; completely covering the corner cases is indeed hard. The problem is that those 'loose' areas become the new definition of interoperability, and they're not well-defined. Cleaning them up after the fact becomes very difficult. One factor that the draft doesn't talk about much is the size of the implementation pool, and I think it might be the source of much of the disagreement here. When there are only a few implementations and everyone can get in touch with each other, the robustness principle might be sufficient for that community (although it has the effect of _requiring_ a small pool, thereby insulating against 'outsiders', which is not great - the draft does talk about this some). When the pool is larger -- for example, HTTP, HTML, etc. -- it's completely impractical to downright dangerous. Regarding formal verification - see also: https://arxiv.org/abs/1810.04755 https://github.com/RFCNLP I know that some of the authors as well as other academics are interested in improving RFCs along these lines. If we wanted to start a conversation I'm pretty sure they'd participate. Cheers, > On 19 Jul 2022, at 12:18 am, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org> wrote: > > Hi Martin, > > Thanks for spending the time on this document. > > I am broadly supportive of the approach that is recommending, i.e., when it comes to protocol design, explicit is better than implicit. > > A few comments, which given it is an IAB document and not an IETF document, you are free to do with as you wish ;-) > > 1) Abstract: "For a protocol that is actively maintained, the robustness principle can, and should, be avoided." > > I can see how some people find this sentence to be contentious and inflammatory. I think that there is a strong argument to say that various IETF routing protocols are actively maintained, implementations are seemingly built around the robustness protocol, and that arguably they have been successful. This document almost suggests that they protocols should move away from that to strict checking, but it is unclear that would be a good change to make. They could do it for new extensions, but it is unclear whether ending up in a hybrid of strictness would ever really make sense. > > > 2) For a newly designed protocol, I broadly agree with the suggestion that it is much better to have strict implementations to quickly find and remove bugs in the specifications and implementations. However, I'm sure that there are cases where the initial specification is weaker, and the initial implementations won't follow the advice in this draft, particularly when there's time/cost pressures to ship something quickly. > > If another implementation comes along, particularly from a smaller vendor, then as has been previously pointed out, there often isn't really any choice but to interoperate with what has already been deployed. I would suggest that in these scenarios it may be better to have an implementation that defaults to a strict interpretation of the protocol RFC but has one or more configuration options to allow an operator to enable interoperability with existing implementations where needed. > > > 3) Having had the pleasure of reading and reviewing many protocol specifications as an AD, I am always surprised that so many protocols, many of which are primarily intended to distribute some state between two or more entities in a semi-efficient way, end up being written as text descriptions of packets, fields, TLVs, behaviour, error handling, etc. Each of these protocol drafts document these behaviours in entirely different ways, focussing on different aspects to specify, broadly left to the imagination and experience of the authors. I suspect that many of these specifications are incomplete w.r.t to corner cases and error conditions. > > Probably out of scope for this draft, but I've long thought that having these more formally specified in a data modelling language with formal constraints on the valid data, and a standard set of behaviours for republishing minimal subsets of what has changed, would likely to be a better place to end up, particularly if tooling can then automatically generate efficient code to encode/decode protocol data, efficiently republish minimal changesets, and validate the received data in an efficient way. RIFT is probably a step in the right direction by making use of Thrift (although I question how stable the Thrift definition/specification really is, and I presume probably doesn't support any validation beyond existence and type checking). > > If some cases, a tight hand-written specification of protocol fields is justified, where every bit saved make sense, but for many other protocols, e.g., where the protocol data is being processed in userland processes rather than in the kernel or NPUs, then formally specifying the data model and constraints, and using a standard encoding (e.g., CBOR) may be a better pragmatic choice. > > Regards, > Rob > > _______________________________________________ > Architecture-discuss mailing list > Architecture-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/architecture-discuss -- Mark Nottingham https://www.mnot.net/
- [arch-d] Comments on draft-iab-protocol-maintenan… Rob Wilton (rwilton)
- Re: [arch-d] Comments on draft-iab-protocol-maint… Mark Nottingham