[Hipsec] Adam Roach's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

Adam Roach <adam@nostrum.com> Thu, 10 May 2018 05:43 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B74BB126BFD; Wed, 9 May 2018 22:43:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach <adam@nostrum.com>
To: "The IESG" <iesg@ietf.org>
Cc: draft-ietf-hip-native-nat-traversal@ietf.org, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, hip-chairs@ietf.org, gonzalo.camarillo@ericsson.com, hipsec@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.80.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <152593099270.10455.6602365389829924376.idtracker@ietfa.amsl.com>
Date: Wed, 09 May 2018 22:43:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/FLh2KMtyoNaDq0qSZgAK4oDhbNM>
Subject: [Hipsec] Adam Roach's Abstain on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 05:43:13 -0000

Adam Roach has entered the following ballot position for
draft-ietf-hip-native-nat-traversal-28: Abstain

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-hip-native-nat-traversal/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I share Ben's concerns about the disjointedness of this document's
specification, and am likewise abstaining. My reasons for abstaining are
deeper than Ben's, however.

I recognize that the effort put into this document is substantial, and that
the recommendations I make are unlikely to be taken at this point in time,
but I believe that the HIP ecosystem would be far better served by an "RFC
5570 bis" approach rather than a modified form of ICE recast using HIP
messages. Among other reasons: several companies already offer
geographically-distributed hosted TURN solutions, largely due to the relative
popularity of WebRTC. HIP will have to reach a similar level of popularity
before HIP-specific relay nodes are similarly commercially available.  Using
ICE as-is would allow HIP to use those services that are available today.

As a further concern, I worry that this pattern may end up replicated in other
protocols. For example, although ICE was initially developed with RTP/RTCP in
mind, it was not implemented as a series of extensions to RTP or RTCP;
instead, it is its own protocol, intended to be re-used in other contexts. I
would not like to see, e.g., ICE-like extensions to the QUIC protocol to enable
its use in peer-to-peer situations; I would certainly hope that such an effort
would use ICE as currently defined.

Given that the headline rationale offered in this document is that
"Implementing a full ICE/STUN/TURN protocol stack as specified in Legacy
ICE-HIP results in a considerable amount of effort and code which could be
avoided by re-using and extending HIP messages and state machines for the same
purpose," this document puts forth an implication that all protocols could
benefit from similar not-quite-ICE-but-almost-ICE extensions. I believe
this implication is harmful. I also believe this analysis overlooks the
availability of multiple existing, open-source, already-debugged, and
"compatible with commercial use" ICE implementations.

It is not clear that the four additional reasons offered in Appendix B are
sufficient to justify the design. Taken in turn:

>  For example, ICE is meant for application-layer protocols, whereas HIP
>  operates at layer 3.5 between transport and network layers.

This doesn't have practical effect: ICE is designed to work with generic UDP
packet flows, subject only to the ability to demultiplex STUN from such
packets.

>  This is particularly problematic because the implementations employ IPsec
>  ESP as their data plane: demultiplexing of incoming ESP, HIP and TURN
>  messages required capturing of all UDP packets destined to port 10500 to
>  the userspace, thus causing additional software complexity and an
>  unnecessary latency/throughput bottleneck for the dataplane performance.

This doesn't seem like a foregone consequence. If you're using user-space HIP
implementations, this user-space diversion is already necessary. If you're
using kernel-space HIP implementations, it seems a modest step to add minimal
STUN demultiplexing to the kernel implementation that is already performing
ESP/HIP demultiplexing.  It's possible that I'm misunderstanding some subtle
aspect of the way these protocols interact with each other, but isn't this
described performance impact simply the result of specific implementation
design decisions rather than inherent to the design of RFC 5570's mechanism?

>  Also, relaying of ESP packets via TURN relays was not
>  considered that simple because TURN relays require adding and
>  removing extra TURN framing for the relayed packets.

While it's been a while since I've looked at network kernel code, my
recollection is that implementation of the POSIX "sendmsg()" system call
generally maintains scatter/gather buffers all the way down the stack until
such bytes are copied from system memory to the network hardware. Stripping
such headers on receipt can be accomplished with simple pointer arithmetic.
It's not clear what aspect of the system "simple" is intended to refer to, but
both implementation and performance impacts should be immeasurably small when
implemented in this way, unless I'm missing something.

>  Finally, the developers of the two Legacy ICE-HIP implementations concluded
>  that "effort needed for integrating an ICE library into a HIP
>  implementation turned out to be quite a bit higher that initially
>  estimated.  Also, the amount of extra code (some 10 kLoC) needed for all
>  the new parsers, state machines, etc., is quite high and by re-using the
>  HIP code one should be able to do with much less.  This should result in
>  smaller binary size, less bugs, and easier debugging.".

Such size is not inherent in the implementation of ICE: for example, the ICE
stack used by Firefox is 2.2 kLoC in size (if you ignore the ~1.2 kLoC of
boilerplate copyright notice). Having seen the debugging of an ICE stack
up-close-and-personal, I'm pretty comfortable saying that the effort to
integrate a working stack has to be orders of magnitude less than implementing
even the simplified ICE procedures defined in this document correctly. There
are a lot of surprising corner cases that don't really turn up until you get
into production.

For the foregoing reasons, it is my conclusion that publication of this
document is harmful for HIP and is harmful as a precedent that other protocols
may mistakenly emulate. I believe that a restructuring of the document to more
clearly explain why HIP chose this path while other protocols should not would
limit some of these concerns. However, I do not believe that the fundamental
flaw -- a partial respecification of ICE for the cited reasons --  can be
fixed. I do not support publication of a document describing this mechanism,
and encourage the working group to withdraw the document from consideration
for publication.

To be clear: despite the length and detail of my preceding objections, I
recognize that I may be off in the weeds. I am happy to be corrected about
any of the assertions I make above, up to and including corrections that make my
conclusion incorrect. I will further note that this is not a blocking ballot
position, and that, procedurally, the document can be published despite my
misgivings.

===========================================================================

I have included some additional comments below.

---------------------------------------------------------------------------

§1:

>  As one solution, the HIP experiment report [RFC6538] mentions that
>  Teredo based NAT traversal for HIP and related ESP traffic (with
>  double tunneling overhead).

This isn't a sentence. Perhaps remove "that"?

Also: "Teredo-based"

---------------------------------------------------------------------------

§4.6:

>  The connectivity checks follow the ICE methodology [MMUSIC-ICE], but
>  UDP encapsulated HIP control messages are used instead of ICE
>  messages.  Only normal nomination MUST be used for the connectivity
>  checks, i.e., aggressive nomination MUST NOT be employed.

The cited document does not describe aggressive nomination, and deprecates its
use. Consider removing the mention of aggressive nomination in this document.

---------------------------------------------------------------------------

§5.4:

>    The following NAT traversal mode IDs are defined:
>
>        ID name            Value
>        RESERVED             0
>        UDP-ENCAPSULATION    1
>        ICE-STUN-UDP         2
>        ICE-HIP-UDP          3

This should probably point to the IANA table rather than replicating a snapshot
of its contents.

---------------------------------------------------------------------------

Appendix B:

>  o  Unlike in ICE, the addresses are not XOR-ed in Native ICE-HIP
>     protocol in order to avoid middlebox tampering.

This bullet should explain why such obfuscation is unnecessary.