Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-tcpclv4-18: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Tue, 17 November 2020 01:10 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 207A73A1809 for <dtn@ietfa.amsl.com>; Mon, 16 Nov 2020 17:10:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnDkjYi1ftMZ for <dtn@ietfa.amsl.com>; Mon, 16 Nov 2020 17:10:17 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96FF93A17EB for <dtn@ietf.org>; Mon, 16 Nov 2020 17:10:17 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0AH1AAOg024117 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 16 Nov 2020 20:10:14 -0500
Date: Mon, 16 Nov 2020 17:10:09 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "R. Atkinson" <rja.lists@gmail.com>
Cc: DTN WG <dtn@ietf.org>
Message-ID: <20201117011009.GA39170@kduck.mit.edu>
References: <158215235500.17580.7759757155303566523.idtracker@ietfa.amsl.com> <50c5dae1bc26ade7d0fcd9388873665868f7284c.camel@rkf-eng.com> <20201001015416.GE89563@kduck.mit.edu> <MN2PR13MB3567B7727DF06411E47A826A9F160@MN2PR13MB3567.namprd13.prod.outlook.com> <6D6A8A1F-69C2-4B2B-B8B3-464C680D9A3D@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6D6A8A1F-69C2-4B2B-B8B3-464C680D9A3D@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/8eQ-WZUeOCTqFB5UX1X_HMVwxng>
Subject: Re: [dtn] Benjamin Kaduk's Discuss on draft-ietf-dtn-tcpclv4-18: (with DISCUSS and COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 01:10:21 -0000

Hi Ran,

In short: I agree with what you write.

On Tue, Oct 27, 2020 at 10:42:31AM -0400, R. Atkinson wrote:
> 
> 
> > On Oct 26, 2020, at 23:49, Brian Sipos <BSipos@rkf-eng.com> wrote:
> 
> > It's also inconsistent with a desire
> > to make TLS support mandatory to implement (but not mandatory to use),
> > since mandatory to implement implies mandatory to be "capable of
> > exchanging messages with TLS", thus mandatory to use.
> 
> The quote above is a confusion, I think. 
> 
> Please bear with me while I try to explain why that claim about “mandatory
> to use" is only a confusion, not what “mandatory to implement” actually means.
> 
> The key distinction is that “mandatory to implement” means something must
> be fully implemented and supported in the code (or logic if one were to have a
> a Verilog implementation), but it does NOT mean that it have a default run-time 
> configuration of “security is enabled”.

Exactly.  I am (I think) complaining about the specific connotations of the
words used in the description of setting CAN_TLS, and am not trying to say
that the code always will have a default run-time configuration of
"security is enabled".

Specifically, the -23 has:

   If an entity is capable of exchanging messages according to TLS 1.3
   [RFC8446] or any successors which are compatible with that TLS
   ClientHello, the the CAN_TLS flag within its Contact Header SHALL be
   set to 1.  [...]

If we say that TLS support is "mandatory to implement" (do we?  I couldn't
find such text in a quick search, but thought we had talked about it), it
would require some very convoluted reasoning to come up with a scenario
where an entity is "not capable of exchanging messages according to TLS
1.3" -- it would be right in the spec that your implementation needs to
have the capability to do so!  Yes, we could come up with some explanation
about local policy clamping the implementation's capabilities, but it seems
like it would be simpler to use a slightly different wording here, like "if
the entity is configured to enable exchanging messages according to TLS
1.3" that does not set up an apparent conflict between "capable" and
"implements".

Thanks,

Ben

> As a trivial example, possibly unrealistic in life but still useful for understanding...
> 
>  Some implementation (which I will call “X”) of DTN implements support for BPsec
>  and TLS, but it also has a *user* (or maybe system administrator) configurable 
>  switch which allows TLS to be enabled or disabled for a given system which has
>  that implementation X installed on it.
> 
>  Such a switch might have various degrees of granularity,  It could be set
>  to default to respond to TLS but not initiate TLS.  It could be set to try to
>  initiate TLS but continue without TLS if the other end is not willing to do TLS.
>  Ideally, it would enable security to be invoked on a per DTN-session basis,
>  perhaps through some API.
>  
>  As an example from another protocol family, one’s smart phone handset almost
>  certainly _implements_ AH, ESP, and IKE.  That doesn’t mean that the handset
>  will respond to an unsolicited IKE initiation packet from an unknown remote IP
>  address.  Many IPsec deployments have been _configured_ to ignore unsolicited
>  IKE packets, for example.  One’s smart phone likely drops unsolicited / unexpected
>  incoming IKE initiation packets, unless it has been configured otherwise in some
>  manner.  
> 
>  (Example: For an iPhone, the “managed deployment” software generally provides
>  ways for a corporate IT department to automatically bring up an IPsec VPN, an
>  SSL/TLS VPN, or to have some security-protocol policies configured a certain way
>  inside the smart phone handset.)
> 
>  Common UNIX implementations of AH, ESP, and IKE use setsockopt() to enable
>  and/or configure the use of AH or ESP for a given IP session.  On my Mac, the
>  most immediately relevant man pages (man pages are only accessible if one has 
>  developer tools installed on MacOS, AFAIK) are:
>      setsockopt(2)
>      sysctl(8)
>      ipsec(4)
> 
>  On other flavours of UNIX, the relevant set of man pages might vary.
> 
>  So to use IPsec for a given IP session, one probably has a line of code which
>  invokes setsockopt() with the applicable socket option to enable IPsec.  This
>  might manifest in an application as a command-line switch or flag, for example.
> 
> So, to be very clear, the IETF meaning of “mandatory to implement” is that ALL
> implementations must support the feature/capability.  It does NOT mean that a
> given _deployment_ of that implementation on a _particular system_ is required 
> to configure that capability to be on by default.
> 
> Yours,
> 
> Ran
> 
>     
>  
> 
>