Re: [arch-d] deprecating Postel's principle- considered harmful

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 08 May 2019 14:03 UTC

References: <F64C10EAA68C8044B33656FA214632C89F024CD3@MISOUT7MSGUSRDE.ITServices.sbc.com> <CAHw9_iKE9SSOK_9AUpoMaS9pGz91LuJr1_HNv0B-6RxT_rb2dw@mail.gmail.com> <BA365F84-3BD8-4B6B-B454-B32E4B6B6D23@piuha.net> <99FE5EE91CE738A39D99CAC2@PSB>
In-Reply-To: <99FE5EE91CE738A39D99CAC2@PSB>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 08 May 2019 10:02:52 -0400
Message-ID: <CAMm+LwgJ6st28ujPAyE87WTa+cqrv4=yRBfw3nLbMiBELhYt7w@mail.gmail.com>
Subject: Re: [arch-d] deprecating Postel's principle- considered harmful
To: John C Klensin <john-ietf@jck.com>
Cc: architecture-discuss@ietf.org, IETF Discussion Mailing List <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/0Td17J8vDRUHYcRzO0xRw4DKwmc>

Let's talk about how Disney Studios lost their way. They tried to continue
the methods of the great man after he died and it was a disaster. Then they
suddenly realized that the great man himself had never done things the way
they thought he did. Walt Disney did use storyboards; they were in his head
all the time. So now they use storyboards, and if you invested in Disney
back in 2000 you are a very happy camper right now.

We get the end-to-end principle wrapped around the axle in the same way.
The argument is much more subtle than most imagine. The real principle is to
*think* very carefully about where you put complexity.

The problems with the robustness principle became clear when we started to
try to extend HTML and found that it was almost impossible to do it right
because every implementation in the wild handled unknown input in different
ways.

The issues with SMTP are not the same because we have never really tried to
change SMTP in drastic ways and even the incremental extensions are all
working around the mass of legacy deployment.

My approach is to distinguish reference code from running code and reverse
the robustness principle. Reference code should be pedantic in what it
accepts and liberal in what it generates. In fact it should perform fuzzing
on its outputs, deliberately sending maliciously formed messages to test for
security vulnerabilities.

We live in a different Internet today. There are well-funded nation-state
actors working to break it. That is their job. There is a full-blown
cyber-war going on out there.

The other point I think relevant is that there are limits to re-use of
existing code or infrastructure. There comes a time when starting from
scratch is not just the best approach, it is the only viable approach.
Accepting the robustness principle means this point will be reached sooner.
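The reversed robustness principle the message proposes for reference code, as an added example (not code from the author or from any IETF project): a pedantic parser for a toy `Key: Value` header line beside a lenient one, and a deterministic mutator that deliberately emits malformed lines so the parser can be checked for failing only in the intended way. The toy grammar, the mutation strategies and all function names are assumptions made for this illustration.

```python
"""Reference-code stance: pedantic in what it accepts, liberal (malformed)
in what it generates for testing. Added example with an assumed toy grammar:
    line  = key ": " value CRLF
    key   = 1+ printable ASCII, no ':' and no whitespace
    value = 0+ printable ASCII (0x20-0x7E)
"""
import random
import string

_KEY_CHARS = frozenset(c for c in string.printable
                       if c.isprintable() and c != ":" and not c.isspace())
_VALUE_CHARS = frozenset(chr(c) for c in range(0x20, 0x7F))


def parse_strict(line: str) -> tuple[str, str]:
    """Pedantic parser: accept exactly the grammar, raise ValueError otherwise."""
    if not line.endswith("\r\n"):
        raise ValueError("line must end with CRLF")
    body = line[:-2]
    key, sep, value = body.partition(": ")
    if not sep:
        raise ValueError("separator ': ' not found")
    if not key or any(c not in _KEY_CHARS for c in key):
        raise ValueError(f"malformed key {key!r}")
    if any(c not in _VALUE_CHARS for c in value):
        raise ValueError("non-printable, non-ASCII or bare CR/LF in value")
    return key, value


def parse_lenient(line: str) -> tuple[str, str]:
    """Liberal parser: tolerates LF-only endings, a missing space, stray
    whitespace and key case. Each tolerance is a choice that another
    implementation may make differently, which is the divergence the
    message describes for HTML; it also silently accepts lines with no
    separator at all."""
    body = line.rstrip("\r\n")
    key, _, value = body.partition(":")
    return key.strip().lower(), value.strip()


def mutate(line: str, seed: int) -> str:
    """Deliberately produce a malformed variant of a valid line: the
    'liberal in what it generates' half, used only to exercise a parser.
    Deterministic per seed so failures are reproducible."""
    rng = random.Random(seed)
    ops = [
        lambda s: s[: rng.randrange(len(s) + 1)],          # truncate anywhere
        lambda s: s.replace("\r\n", "\n", 1),               # bare LF ending
        lambda s: s.replace(": ", ":", 1),                  # drop the SP
        lambda s: s[: len(s) // 2] + chr(rng.randrange(0x100)) + s[len(s) // 2:],
        lambda s: s.replace(":", "::", 1),                  # doubled colon
        lambda s: s + s,                                    # two lines in one
    ]
    return rng.choice(ops)(line)


def fuzz(parser, line: str, rounds: int = 200) -> dict[str, int]:
    """Feed mutants to a parser. A reference parser must either accept or
    raise ValueError; any other exception is a robustness bug to fix."""
    counts = {"accepted": 0, "rejected": 0, "crashed": 0}
    for seed in range(rounds):
        try:
            parser(mutate(line, seed))
            counts["accepted"] += 1
        except ValueError:
            counts["rejected"] += 1
        except Exception:  # noqa: BLE001 - the point is to catch anything unexpected
            counts["crashed"] += 1
    return counts


if __name__ == "__main__":
    valid = "Subject: hello\r\n"  # constructed sample input
    print("strict :", parse_strict(valid))
    for bad in ["subject:hello\n", " Subject : hello\r\n", "noseparator\n"]:
        try:
            print("strict :", repr(bad), "->", parse_strict(bad))
        except ValueError as err:
            print("strict :", repr(bad), "-> rejected:", err)
        print("lenient:", repr(bad), "->", parse_lenient(bad))
    print("strict  fuzz:", fuzz(parse_strict, valid))
    print("lenient fuzz:", fuzz(parse_lenient, valid))
```

The lenient parser never rejects anything, so the fuzz harness reports every mutant as accepted; the strict parser rejects most mutants and accepts only those that happen to stay inside the grammar (for instance a printable byte injected into the value). The harness's real job is the `crashed` counter: a reference implementation that raises anything other than its documented error on malformed input is the kind of defect the message wants found before running code inherits it.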