Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 13 July 2022 04:03 UTC

Message-ID: <dbee51f0-1913-af6e-de00-c3a7f5b77f68@gmail.com>
Date: Wed, 13 Jul 2022 16:03:36 +1200
To: Bernard Aboba <bernard.aboba@gmail.com>
Cc: iab@iab.org, architecture-discuss@ietf.org
References: <a06000c5-939a-a896-9c0f-576e9e2ff97f@gmail.com> <D20FCDD6-3756-40E7-AD6A-416A2C464DF1@gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <D20FCDD6-3756-40E7-AD6A-416A2C464DF1@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/architecture-discuss/mpyyD0eZVyTkge_45ul2a5UKrrE>
Subject: Re: [arch-d] I-D Action: draft-iab-protocol-maintenance-08.txt

On 13-Jul-22 15:46, Bernard Aboba wrote:
>> On Jul 12, 2022, at 20:03, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>> People writing fault-tolerant software will draw their own conclusions.
> 
> [BA] Looking at the document examples there are several cases of poorly written specifications. The Robustness Principle doesn’t condone that, nor does it preclude rejecting nonconformant inputs when there are good reasons to do so (e.g. security). If the spec is vague in places, if there are known interop issues, by all means fix it. It’s the Robustness principle, not the Don’t Worry Be Happy principle.
> 
> There is another thing that bothers me, which is the problem of untested code paths. Greasing alone cannot solve this. The Robustness Principle mostly applies to expected conditions. Many security vulnerabilities fall into these unexpected cracks. The best tool I have seen is a formal state machine analysis to identify attack vectors. Robustness Principle doesn’t preclude that either.

Would a state machine analysis detect possible race conditions? These are not mentioned in the draft, and I think they're the sort of corner case that the robustness principle should help with.

    Brian