IETF Logo Mail Archive

Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

Christian Huitema <huitema@huitema.net> Wed, 13 July 2022 05:00 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: architecture-discuss@ietfa.amsl.com
Delivered-To: architecture-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CC68C157B48 for <architecture-discuss@ietfa.amsl.com>; Tue, 12 Jul 2022 22:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPqBklgUhTJi for <architecture-discuss@ietfa.amsl.com>; Tue, 12 Jul 2022 22:00:43 -0700 (PDT)
Received: from mx36-out21.antispamcloud.com (mx36-out21.antispamcloud.com [209.126.121.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44667C14F732 for <architecture-discuss@ietf.org>; Tue, 12 Jul 2022 22:00:42 -0700 (PDT)
Received: from xse322.mail2web.com ([66.113.197.68] helo=xse.mail2web.com) by mx258.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1oBUUK-0005hD-Ly for architecture-discuss@ietf.org; Wed, 13 Jul 2022 07:00:43 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4LjQRl0bXHzBV0 for <architecture-discuss@ietf.org>; Tue, 12 Jul 2022 22:00:35 -0700 (PDT)
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1oBUUE-0004P3-VV for architecture-discuss@ietf.org; Tue, 12 Jul 2022 22:00:34 -0700
Received: (qmail 26086 invoked from network); 13 Jul 2022 05:00:32 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.46.184]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <brian.e.carpenter@gmail.com>; 13 Jul 2022 05:00:32 -0000
Message-ID: <b2b761a0-ac1b-d5ce-f91f-e36d50bef651@huitema.net>
Date: Tue, 12 Jul 2022 22:00:32 -0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Bernard Aboba <bernard.aboba@gmail.com>
Cc: iab@iab.org, architecture-discuss@ietf.org
References: <a06000c5-939a-a896-9c0f-576e9e2ff97f@gmail.com> <D20FCDD6-3756-40E7-AD6A-416A2C464DF1@gmail.com> <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com>
From: Christian Huitema <huitema@huitema.net>
In-Reply-To: <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: 66.113.197.68
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5yLNgi2F4M0RbknB3BDmsRxyINTMb4kYMD15j85Ktbckyo/ xMM0hxORRmMMI7DUTwhT3Foc2XGmrTQ+NgUmkQH15g+sHZmT3CLVmxntdIVybVy+BbGrglZA45nG CXVN8lqeyrhzWminYO4gRGXn3bDVBVisGv8MyVI5ms3guyJnGqEJaZzeRzTwswc/9//Q44AUOled bu+r9+W9cDXvzL3ST1lqonPXqA1lvocVTrImMdvifT4GqBfEkB7aN5XuM7B02nkLZSrmz+olE44+ sjwESum7gC1WgO/NiysYOr0Zp4PDdWi4V6nXPowtUXJ1bnedw+XGlIW1bb6iLQaqIs5BLfTttFI5 MCNL/izpcNORuAUvossjam0/HVDFzCeLVAjI+ht+2XwDC3Hj+WjRz7dukQbqbub9Z8raDZ3Nd/Bn xCUUNqgu448pzyBzzakp+EE11Iy42FkLdf+cZ0MpjKD7IK/1NH5THMtlYvyHAYGOGqz2oidVuoQM okQutY3pHcCHFzboKDhGx0chVC6Uo5u4TCAAaaqkRisg7PMbozN3Ku0b5IsvQhqaiDGxdGLN4G0j 3LCibV3iTOr0AGUo/2/2t6s5mKdfk/a81+9NDnTCvxJxc7AuPG0xBWNOv2GwfO1sPBtC6EvFdzLd abWvKgHC7QgdxtQsKWiN2eBEpDFg1SRHp8QaCIbd1dJ3pAKMVwKblFc89T3WbXGR7pKWYxAKsri3 x6gJwI+64Ch+/ngppoYKH2MTB61nKjDINN7T5a9UoXAOl772tkAFRI6aswDWqftvGlsgkVU+2JGO y3JFXFxCtGLGPdrPHcMCO7JB8JK9d6hWUqvBcfvaLZ9Gqo2vFSj6qXbJJOS8QUf/bdczDJHbuv0d hTPOJMWERUrwtSA4NQUVu4c6fMN4h3DsG1bbJln50BhorOBL20d417CNBEl8IQVNocLfydfAvh8o CZf4xM5tUrEfL92iWzfzWX2vKR4R2s/hz2tBwIBMeLFgxQ==
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/lpj8LhhOdWHxLvcQhmspyYTFcwQ>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt
X-BeenThere: architecture-discuss@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: open discussion forum for long/wide-range architectural issues <architecture-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/architecture-discuss/>
List-Post: <mailto:architecture-discuss@ietf.org>
List-Help: <mailto:architecture-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/architecture-discuss>, <mailto:architecture-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 05:00:45 -0000

On 7/12/2022 9:03 PM, Brian E Carpenter wrote:
> On 13-Jul-22 15:46, Bernard Aboba wrote:
>>> On Jul 12, 2022, at 20:03, Brian E Carpenter 
>>> <brian.e.carpenter@gmail.com> wrote:
>>> People writing fault-tolerant software will draw their own conclusions.
>>
>> [BA] Looking at the document examples there are several cases of 
>> poorly written specifications. The Robustness Principle doesn’t 
>> condone that, nor does it preclude rejecting nonconformant inputs 
>> when there are good reasons to do so (e.g. security). If the spec is 
>> vague in places, if there are known interop issues, by all means fix 
>> it. It’s the Robustness principle, not the Don’t Worry Be Happy 
>> principle.
>>
>> There is another thing that bothers me, which is the problem of 
>> untested code paths. Greasing alone cannot solve this. The Robustness 
>> Principle mostly applies to expected conditions. Many security 
>> vulnerabilities fall into these unexpected cracks. The best tool I 
>> have seen us a formal state machine analysis to identify attack 
>> vectors. Robustness Principle doesn’t preclude that either.
>
> Would a state machine analysis detect possible race conditions? These 
> are not mentioned in the draft, and I think they're the sort of corner 
> case that the robustness principle should help with.


You need to distinguish between testing communication protocols and 
testing software. The "untested code paths" that Bernard mentions are 
more often software coding issues than protocol design issues.

If you are concerned that a succession of transitions drives the 
protocol state into untested territory, then it is much safer to stop 
sooner, e.g., close the connection with a "local error" diagnostic when 
things start looking iffy. The opposite would be to tolerate operation 
in modes that have not been tested yet, and that's exactly when bad 
stuff happens.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email