[EME] Requirements

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Mon, 18 June 2007 19:49 UTC

Return-path: <eme-bounces@irtf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1I0NDj-0005W4-5R; Mon, 18 Jun 2007 15:49:03 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1I0NDh-0005Vw-QT for eme@irtf.org; Mon, 18 Jun 2007 15:49:01 -0400
Received: from mail.gmx.net ([213.165.64.20]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1I0NDh-00019g-Cu for eme@irtf.org; Mon, 18 Jun 2007 15:49:01 -0400
Received: (qmail invoked by alias); 18 Jun 2007 19:48:59 -0000
Received: from p549853D3.dip.t-dialin.net (EHLO [192.168.1.3]) [84.152.83.211] by mail.gmx.net (mp042) with SMTP; 18 Jun 2007 21:48:59 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19KVypqxklKd63nDHXDfDMwFf/vTeYB3aKPaLijw2 U2DrXMrk4PXkHw
Message-ID: <4676E1A9.3080701@gmx.net>
Date: Mon, 18 Jun 2007 21:48:57 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: eme@irtf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d
Subject: [EME] Requirements
X-BeenThere: eme@irtf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: end-middle-end research group <eme.irtf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/eme>
List-Post: <mailto:eme@irtf.org>
List-Help: <mailto:eme-request@irtf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/eme>, <mailto:eme-request@irtf.org?subject=subscribe>
Errors-To: eme-bounces@irtf.org

Hi all,

I went through the requirements document and here are some comments:

REQ-2: Middleboxes MUST be able to authenticate endpoints, and endpoints 
MUST be able to authenticate middleboxes that they are aware of.

[hannes] It may be sufficient to authorize the end point without 
authenticating it.

REQ-4: The Internet MUST allow anonymous communications (policy 
permitting).

[hannes]  This requirement is in conflict with REQ-2.

REQ-5: The Internet MUST allow endpoints and middleboxes to protect 
confidential information, and reveal it only to trusted parties when 
necessary. Confidential information may include endpoint names, network 
addresses, authentication tokens, encryption keys etc.

Endpoints must not be required to reveal their network address to 
untrusted middleboxes and endpoints. Network addresses must be made 
available after authentication and authorization as the address can be 
used to direct a DoS attack to a bottleneck link.

[hannes] I guess the confidentiality protection refers to an adversary 
model with a middlebox being trusted and evil guy being somewhere in the 
middle. Right?
The two paragraphs don't fit together. How would I prevent my network 
address from revealing to the middlebox?

3.6.  Protocol Negotiation

   REQ-8:  Endpoints MUST be able to negotiate the protocol stack for a
           flow subject to application requirements and relevant
           endpoint and middlebox policy.

   Endpoints may require or prefer datagram delivery (UDP, DCCP) or
   reliable stream delivery (TCP, SCTP), with or without encryption
   (TLS, IPSec), with or without compression etc.  Not all endpoints may
   have support for all protocols.  New protocols may be implemented
   that endpoints would like to negotiate.

[hannes] If I want to use TLS with a web server then I don't want todo a 
protocol negotiation with a middlebox that tells me not to use it. The 
firewall can reject a firewall pinhole to be created. Is that what you 
want to accomplish?

   REQ-9:  Multi-homed endpoints and middleboxes MUST be allowed to to
           specify the route(s) to use for a flow.  The Internet MUST
           allow multiple routes to be used simultaneously.

[hannes] Why does an end point want to control the routes through a 
network? Why do I care?

3.5.  Steering, Anycast, and Mobility

   REQ-7:  Endpoints and middleboxes MUST be able to redirect flows to
           alternate endpoints, addresses or through alternate routes.

[hannes] This functionality may be provided by a NAT automatically when 
you are able to install NAT bindings. I read through the section and I 
wasn't quite sure what you todo.

Sections 3.9 and 3.10 contain only requirements that don't provide too 
much insight. Every requirements document contain them but they provide 
very little help for the protocol designer.

Please try to avoid writing "The Internet MUST ..." when the document is 
about requirements for a protocol.


Ciao
Hannes


_______________________________________________
EME mailing list
EME@irtf.org
https://www1.ietf.org/mailman/listinfo/eme