IETF Logo Mail Archive

Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 13 July 2022 05:27 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 297BFC157B48 for <architecture-discuss@ietfa.amsl.com>; Tue, 12 Jul 2022 22:27:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OxOvw_zwaaS6 for <architecture-discuss@ietfa.amsl.com>; Tue, 12 Jul 2022 22:27:07 -0700 (PDT)
Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B12CC14F732 for <architecture-discuss@ietf.org>; Tue, 12 Jul 2022 22:27:07 -0700 (PDT)
Received: by mail-pj1-x102d.google.com with SMTP id z12-20020a17090a7b8c00b001ef84000b8bso1866623pjc.1 for <architecture-discuss@ietf.org>; Tue, 12 Jul 2022 22:27:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=wwW7QfRXKVyXx1g8/AYNZg9TKb0e9qIqk/sfMfTm44Y=; b=e5Ro+I5O2tbgIiw2TSWt3i/mDFJ/4Iz/ztuNFxT1WIiGpnK1udW+dSzCzUFlObzd4E +hYx92Ur1DarNQOiOf45yzHd767qaQ/lGatTNxtrq0uFu5ViC560BnCmYy+9CNEx5TMv Mqy0MZdq1LcM2/4xro3UEYmhT/HLcvUJ3rx/v5KrufxWvdtH32qCpM/J7xtYfp6CVteA z9h32buh7t+khj5hxdgtbCkVGszv/+3rOMyPW3/cRJfXt9R8V8HtdTVlPUwjesrcTj8I /FaN1+9s5UwWAMMk60mrzYnR0vI3Ze8g9SuR87SOBBAWhAkJeuXzLm5wJUazOlmNLNZN kdgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=wwW7QfRXKVyXx1g8/AYNZg9TKb0e9qIqk/sfMfTm44Y=; b=RZgx7hgI5bF62pMft4adO8sbtDzvGwBCFNw94K3aTIrUUVG/TO1GNxIqE7P38w06ra JeLD0MmtyV0+36uXE5AYfxADx8y1DyHbAqrt8ukFJYMoa/Ab2ccBc8u7ciTfWAGSWObR eOiim7snOyNP0uDkrqXXlfE/AxjARnlYAA6ocWb7t1TZtxoiDONG75Awq6yqLGQht4aU HHSL2LsglJDHHFKRKp8NRDpgkJSSRAuNhBXTDeYJD4mR0gIxrEWAGZsmwU2re4OGyOPC Hpv/SVZjAAJ/wCgUv7fT0A/YgFwJ1UGCdj4ipX58PmvYd7yRJ0/63+METqy6CiF3bySf gZ3w==
X-Gm-Message-State: AJIora+CQyWnxUdT3tpdp0ZAPZ3pNpZM4FA6sw6Pt04QcMJPcfcla7kI WZ9erObJmpEMWBpezhdiaSM=
X-Google-Smtp-Source: AGRyM1u/iXqka0+ILKaR1A3P88kGWtAdSmbWXErUfbG4eAIOawA2O7JVbfJ6YyEAkJJGI8noMVBksQ==
X-Received: by 2002:a17:902:8209:b0:16c:2da4:e734 with SMTP id x9-20020a170902820900b0016c2da4e734mr1516384pln.43.1657690026860; Tue, 12 Jul 2022 22:27:06 -0700 (PDT)
Received: from ?IPV6:2406:e003:1124:9301:80b2:5c79:2266:e431? ([2406:e003:1124:9301:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id z19-20020a170903409300b001675d843332sm7773364plc.63.2022.07.12.22.27.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 12 Jul 2022 22:27:06 -0700 (PDT)
Message-ID: <0d0ba11e-29c8-5708-a252-d8d31535d08d@gmail.com>
Date: Wed, 13 Jul 2022 17:27:02 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Content-Language: en-US
To: Christian Huitema <huitema@huitema.net>, Bernard Aboba <bernard.aboba@gmail.com>
Cc: iab@iab.org, architecture-discuss@ietf.org
References: <a06000c5-939a-a896-9c0f-576e9e2ff97f@gmail.com> <D20FCDD6-3756-40E7-AD6A-416A2C464DF1@gmail.com> <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com> <b2b761a0-ac1b-d5ce-f91f-e36d50bef651@huitema.net>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <b2b761a0-ac1b-d5ce-f91f-e36d50bef651@huitema.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/cqVS7QsPx-Q4ieOIY-17fyR0yJ8>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 05:27:09 -0000

On 13-Jul-22 17:00, Christian Huitema wrote:
> 
> On 7/12/2022 9:03 PM, Brian E Carpenter wrote:
>> On 13-Jul-22 15:46, Bernard Aboba wrote:
>>>> On Jul 12, 2022, at 20:03, Brian E Carpenter
>>>> <brian.e.carpenter@gmail.com> wrote:
>>>> People writing fault-tolerant software will draw their own conclusions.
>>>
>>> [BA] Looking at the document examples there are several cases of
>>> poorly written specifications. The Robustness Principle doesn’t
>>> condone that, nor does it preclude rejecting nonconformant inputs
>>> when there are good reasons to do so (e.g. security). If the spec is
>>> vague in places, if there are known interop issues, by all means fix
>>> it. It’s the Robustness principle, not the Don’t Worry Be Happy
>>> principle.
>>>
>>> There is another thing that bothers me, which is the problem of
>>> untested code paths. Greasing alone cannot solve this. The Robustness
>>> Principle mostly applies to expected conditions. Many security
>>> vulnerabilities fall into these unexpected cracks. The best tool I
>>> have seen us a formal state machine analysis to identify attack
>>> vectors. Robustness Principle doesn’t preclude that either.
>>
>> Would a state machine analysis detect possible race conditions? These
>> are not mentioned in the draft, and I think they're the sort of corner
>> case that the robustness principle should help with.
> 
> 
> You need to distinguish between testing communication protocols and
> testing software. The "untested code paths" that Bernard mentions are
> more often software coding issues than protocol design issues.
> 
> If you are concerned that a succession of transitions drives the
> protocol state into untested territory, then it is much safer to stop
> sooner, e.g., close the connection with a "local error" diagnostic when
> things start looking iffy. The opposite would be to tolerate operation
> in modes that have not been tested yet, and that's exactly when bad
> stuff happens.

Absolutely, and that's another approach to robust software of course:
when the "impossible" happens, kill everything and start again. That
works whether the problem is a protocol design error or an implementation
error.

    Brian

v2.23.0 | Report a Bug | By Email