IETF Logo Mail Archive

Re: [arch-d] deprecating Postel's principle- considered harmful

"Martin Thomson" <mt@lowentropy.net> Thu, 09 May 2019 03:25 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9DA812022A for <ietf@ietfa.amsl.com>; Wed, 8 May 2019 20:25:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=YwBxJ8vG; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=kZXtZieH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YKNV3eEN3MtW for <ietf@ietfa.amsl.com>; Wed, 8 May 2019 20:25:32 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACF741201DA for <ietf@ietf.org>; Wed, 8 May 2019 20:25:32 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id A0FD1359 for <ietf@ietf.org>; Wed, 8 May 2019 23:25:30 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Wed, 08 May 2019 23:25:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm2; bh=KENOS BEvfu5NUDgbGI76mRBEScxcBuSAZq8mYWzKrlI=; b=YwBxJ8vGboxl2GXqLD7gB uiGS1Go2QN17v3iUYNj8eDoK25iGTMst0FsHSC94Fl9LVX+FHndJGi70HBHAesMl Rc5A19fhuIXx6rvYWbgxO0E8BeLylZYBBJyzwu3bKeyAo2Ik7jcpbagXHRE6xg6q 99MvOl1Y73s43hi+ckWT7a/2YGQPDvb7NZ28710u61dR1UVtg1fVVYh9tEevLRXs GcPyMjwqgAfMccBkiLRdIGDeTiubiizlaTWui0ooKnLif7rEOmZjkTF7eaBnOqWe fyK2yWf/R+izNuE0x7eV9FUCq6mAKKfnV+9kM+rv0gRGRGcC66a31tXYFvqyvBOM A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=KENOSBEvfu5NUDgbGI76mRBEScxcBuSAZq8mYWzKr lI=; b=kZXtZieHjudRaxTEmbBKvdsJcRnm9eWZJPxVqJ45sX9jj3qwF4pQq83QH eq4yMMGk/VCfhSy/1enKHP8iElE/tpQ1FSg6k0noPypZN2G/aCPCr2GOO1EenSc+ eqy57KP+SrAscV+aJDxW2CALebMqIMTFQKH0IEmr6E4enoMMhABIXTyau4xYHlSY pZyeFcROM0LTNseMaNG2hlQu5SguwaRZHJBqOcQ6h8vpbB9eiZ35ykVBI6d7Z1e3 2ucLs976Yu84fF/JlFgq8zYmIRtdB9O93v4ec9Fjo1kwhbV0TkH+HuXxbC8e10tb zYfg2i6wJaE5IR4BQMcg8fPQd+eCg==
X-ME-Sender: <xms:qZ3TXH6LvMDGreOVDNJdHB7szHM1xIeGzcpSPltt0pGl7W2OX0nwbw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrkeeggdejtdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehloh ifvghnthhrohhphidrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:qZ3TXJOFbRPiPbpyl-3aEQN_rtURQfRbLRcRrtKyMOpJnA6nir9AQg> <xmx:qZ3TXBP7Jlh1d9qlprEZxtRKg39slEHgZHQ_i50u3E6Un38J6lDw-Q> <xmx:qZ3TXJ-YQ1bN8K2x3sinA_riFm91XdnKnCmV2Hzdg4BTt0kQcbEz5A> <xmx:qp3TXC0y9WX147fMOQSZLa6L2_ok6VlQgTb7OY6a6hOXYa0R9ireeg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 919187C3DB; Wed, 8 May 2019 23:25:29 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-449-gfb3fc5a-fmstable-20190430v1
Mime-Version: 1.0
Message-Id: <266adfd4-6eec-46cb-9c62-36735db9bd24@www.fastmail.com>
In-Reply-To: <99FE5EE91CE738A39D99CAC2@PSB>
References: <F64C10EAA68C8044B33656FA214632C89F024CD3@MISOUT7MSGUSRDE.ITServices.sbc.com> <CALaySJJDHg5j9Z7+noS=YXoNROqdsbJ6coEECtLtbJ6fWJ3xsQ@mail.gmail.com> <CAHw9_iKE9SSOK_9AUpoMaS9pGz91LuJr1_HNv0B-6RxT_rb2dw@mail.gmail.com> <BA365F84-3BD8-4B6B-B454-B32E4B6B6D23@piuha.net> <99FE5EE91CE738A39D99CAC2@PSB>
Date: Wed, 08 May 2019 23:25:30 -0400
From: Martin Thomson <mt@lowentropy.net>
To: ietf@ietf.org
Subject: Re: [arch-d] deprecating Postel's principle- considered harmful
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/kYlsWdoTBeHCjOyStM1C7TTYeyo>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 May 2019 03:25:36 -0000

On Wed, May 8, 2019, at 21:38, Jari Arkko wrote:
> I wish there was some other option between the silent obedience and the 
> refusal to talk. But I don’t know what it could be.

I'm replying to Jari here because this pithy bit, taken out of context and - after having read John's well considered response - grabbed me.  I've known this exact feeling often, and it's deeply frustrating.

On Wed, May 8, 2019, at 23:10, John C Klensin wrote:
> [...] there is an almost inevitable choice between: 
> 
> -- trying to specify every possible detail so that an
> implementer knows what to do in every case and for every design
> choice, including what is supposed to be done about each variety
> of deviation from the standard by others.
> 
> -- specifying the normal cases and general philosophy of the
> design or protocol and trust that, with a bit of guidance,
> implementers who are reasonably intelligent and acting in good
> faith will sort things out correctly. 

The choice John presents here is even more fundamental.  Like many others who were brought up on the IETF flavour of specification, I greatly prefer it.  I find WhatWG and W3C specifications incomprehensible for all the reasons Henry articulated.  They are very much in the first category.  Unquestionably thorough in detail, but obstinately inhospitable to the process of extracting higher meaning.  I would be the last person to advocate for following that path.

(I'm going to catch heat for saying that, so let me qualify it a little.  The web platform doesn't operate in quite the same way as the IETF and their choice of specification mode, abhorrent as I find it, does work for that community.  They had to deal with something of a post-robustness-principle technical debt the likes of which many people would have walked away from.  What you see is the result of dedicated, meticulous work that has restored functioning interoperability to that world.  The outcome is uneven, as might be expected, but it functions quite effectively.  Now more so due to the use of a shared test infrastructure that we should be envious of.)

In my opinion, the mistake here is presenting this as a binary choice.  The goal of teaching implementers the protocol remains - for me - the most important function of a specification.  Existing implementations don't need a spec, except to argue over when there are disagreements.  A spec is most helpful in serving in the creation of new implementations.  The state of web specifications might be an indication that the Web has given up on that (there it is again; Web people, you have my email address :), but I believe that to be the most important function of IETF specifications.

The trap that leads to the binary choice is - again - in the assumption of immutability of specifications and the unwillingness of others to amend their errant ways.  But we all come the IETF with the idea in mind that we can work together on improving things, and surely proper functioning of protocols that are important to us (and our businesses) is high on our list of priorities.  If I thought that RFC 2246 were set in stone, I'd have stayed home.  If I thought that other implementers were not prepared to consider changes to their implementation in response to a consensus decision on a protocol, I could have saved a lot time sitting in aeroplanes and airports.

Possibly the best thing that has come out of IETF involvement for me has been the communities I've joined as a result.  When presented with an interoperability challenge, my first reaction now is never to look for a workaround.  Once I determine that it isn't a local problem (i.e., my fault: a lot of the problems we see), I try contacting someone responsible for the problem.  And that's worked more often than not.  People are responsive to reports of problems with their systems.  If we conclude that we need to change specs, we work out how to do that.  As a result, I haven't built a workaround for a while now; we've even started to remove them from code, mostly as a result of better collaboration and continued protocol maintenance.  (To the earlier discussion about deployment timelines, I appreciate how much this is a privilege.)

Getting back to the binary choice, this is where the immutability of the RFC series and our processes work against us.  The view that the specification has to be "done" is a trap.  John points at the idea of progression from Proposed Standard to Internet Standard as being the intended way to capture the progression from "probably OK" to "more concretely OK" and "almost entirely good".  While that might have been the intent, I don't think that this has worked out all that well in practice, or that such a directly linear progression is always appropriate.  The maturity of many specs I've worked on is not always uniform in a way that suits that model.

Our highly discrete process hasn't been good at capturing and responding to the evolving needs of a protocol.  On the other hand, one of the good things with the gradual raising of the quality expectations for PS RFCs[1] is that protocols have spent more time in draft form, where changes are far more feasible.  But even in TLS 1.3, where the process was unnaturally extended to deal with the side effects it had on some forms of intermediation, the publication of an RFC is not a stopping point.

If we can, over time, capture all those little pitfalls and fence them in with MUST and SHOULD and whatnot in a specification, we aren't forced to make a choice between a timely spec and a thorough one.  Just start with timely and keep moving in the direction of better.  

[1] What it means to be suitable for the Internet has moved in the same direction as our expectations for PS quality, which is entirely appropriate in my opinion.  That doesn't really change the fundamental analysis of when to ship, just the thresholds.

On Thu, May 9, 2019, at 09:05, Brian E Carpenter wrote:
> But yes, the word "tolerate" was carefully chosen. It doesn't say 
> "ignore buffer overflow errors" or "use heuristics to guess what the 
> sender meant". It means "don't throw a fatal exception when something 
> unexpected arrives." And it suggests silent discard unless an error 
> message "is required by the specification". That's entirely consistent 
> with the RFC1122 text that Roland quoted.

RFC 1122 is my favourite articulation of the "robustness principle", because it isn't the robustness principle as much as it is just straight up common sense.  But the meme takes a different form.  The meme has the temerity of demanding that I design protocols to it, to the point that a response was necessary.

v2.23.0 | Report a Bug | By Email