IETF Logo Mail Archive

Re: [arch-d] deprecating Postel's principle- considered harmful

Bob Briscoe <ietf@bobbriscoe.net> Thu, 09 May 2019 13:20 UTC

Return-Path: <ietf@bobbriscoe.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14FDA1200D7; Thu, 9 May 2019 06:20:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1iptq1xjs-_A; Thu, 9 May 2019 06:20:29 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE36812003E; Thu, 9 May 2019 06:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=WjLZqn6zeFZkeYK+LlcJicvPOdStIJJn58hGPhtag+s=; b=xG8bB2t3VMOP7U/jvzoxVvSr8 vryiJr+MV7zy46h55uBhSPShTHKsDkPe/cODTBtOlefgCZor3Ln9hXr17hfWbbUfTZVNSQGe74IZU xKznDV+NyiVqOl/qBo/wzcq3tXU6gjKFzRJzjzjNgClipM0frJZUi3F9Ml58c8w/62oUVfDWV98m8 L2jSSVt8WPvohci5xfER74AwimQN0vy5DE0TNGvG9295YfR3iBggC04Hd3sQ4kRT3XmlKq6JpxLH1 Rd944TzwX61+n6bNN1Bxotl3/ucLtLimX/WXeMYlIq2554e5w/wxu4O1fE+kkAtuuSLgRyauDl+ei kJNDaSojA==;
Received: from [31.185.135.221] (port=45718 helo=[192.168.0.5]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <ietf@bobbriscoe.net>) id 1hOiyH-0003j9-LB; Thu, 09 May 2019 14:20:25 +0100
Subject: Re: [arch-d] deprecating Postel's principle- considered harmful
To: Henning Schulzrinne <hgs@cs.columbia.edu>, Jari Arkko <jari.arkko@piuha.net>
Cc: "architecture-discuss@ietf.org" <architecture-discuss@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <F64C10EAA68C8044B33656FA214632C89F024CD3@MISOUT7MSGUSRDE.ITServices.sbc.com> <CALaySJJDHg5j9Z7+noS=YXoNROqdsbJ6coEECtLtbJ6fWJ3xsQ@mail.gmail.com> <CAHw9_iKE9SSOK_9AUpoMaS9pGz91LuJr1_HNv0B-6RxT_rb2dw@mail.gmail.com> <BA365F84-3BD8-4B6B-B454-B32E4B6B6D23@piuha.net> <CACgrgBYBW9zi+jzdGK55aQUa36UK669A2an6gm=Tm=fxDgP68A@mail.gmail.com>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <f52e3197-c148-50f5-ae7e-167a37b30546@bobbriscoe.net>
Date: Thu, 09 May 2019 14:20:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CACgrgBYBW9zi+jzdGK55aQUa36UK669A2an6gm=Tm=fxDgP68A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6A5FBEFF5DCB84E9A320D5C1"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/pxSJ65bZXPICLiCXAQJC5XXzzxY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 May 2019 13:20:33 -0000

Jari, Henning,

Altho long, this thread has been educational for me. Even better, this 
recent thread moves towards solution mode.

Let's explore the idea that incentives are needed to encourage senders 
to tighten-up, rather than permanently rely on the receiver's 
liberality. Henning's responsible disclosure example is a good one, but 
it relies on a lot of human intervention at both ends. The EDNS flag day 
example was also effort-intensive.

Perhaps we need something between Error and Warning, that says "Warning, 
Error imminent". Then, if the developer of the sender doesn't stop 
relying on the liberality of the receiver after a stated deadline, the 
receiver will stop being liberal, and communication will subsequently 
fail (or incrementally degrade, or publicly disclose the developer's 
laziness, etc).

The receiver might need to hold per sender state, but a single 
per-receiver deadline would also be possible (effectively automating a 
per-receiver flag-day).

These warning responses would have to be defined as part of the protocol 
(not necessarily when it was first defined). But how to collect the 
warnings from deployed implementations would be up to developers and 
operators - and they would have the incentive to work this out. The 
rationale is to minimize the work for good implementations, and bounce 
as much of the work as possible onto lazy developers.


At first I thought that an implementer would be unlikely to write the 
necessary warning code, cos they don't care as much about protocol 
purity as protocol designers do. However, if their own code is getting 
increasingly complex, because it's having to handle all the unexpected 
cases, they will have an incentive to encourage the remote ends to 
tighten up their act.


Bob


On 08/05/2019 14:58, Henning Schulzrinne wrote:
> To a different degree, the security community has struggled with this 
> in the "responsible disclosure" discussion. The incentives are 
> different, but there seem to be three best practices that might 
> generalize: (1) a well-documented mechanism to reach the right part of 
> the organization, beyond the general support mechanism; (2) a 
> reasonable time period to address the problem; (3) public disclosure 
> after that time period.
>
> A related problem is that it is often difficult for developers to get 
> advice and help. If they are lucky, they find the IETF mailing list, 
> but it may no longer be active or such questions may be seen as 
> out-of-scope. We had the sip-implementors@ list for a while, and it 
> generally seemed helpful. But this requires somewhat-experienced 
> people willing to help relative newbies and does not scale well. 
> Interop events (plugfests and the like) are also helpful, particularly 
> if these include torture tests.
>
> Henning
>
> On Wed, May 8, 2019 at 7:38 AM Jari Arkko <jari.arkko@piuha.net 
> <mailto:jari.arkko@piuha.net>> wrote:
>
>     I find myself agreeing with many of the posts, but maybe Warren
>     put it most nicely and compactly: "The principle should be applied
>     judiciously (sometimes it isn't), not discarded."
>
>     And having seen some of the
>     too-big-to-demand-compliant-interoperability situations that Paul
>     and others mention, I’ve also felt the pain :-)
>
>     I find it interesting to compare the situation to analogue
>     situations in other kinds of systems. For instance, I always like
>     to program in defensive style, where my software is as brittle as
>     possible to catch errors. Yet, for delivered software, one often
>     switches to maximum survivability, and often your software
>     components can at least attempt reasonable recovery from many
>     situations that shouldn’t have occurred. More modern software
>     development practices combine development with monitoring,
>     feedback, instrumentation, tracking of new versions in small
>     populations before enlarging their usage, etc. That is kind of a
>     best of both worlds setup, because you can make things survivable
>     but you’ll be receiving real-time feedback on what’s actually
>     happening in the field, and can take corrective action.
>
>     This is obviously usable also in our protocol world, but there’s a
>     problem. You can quite easily get a lot of feedback on your own
>     thing working well. You can also get feedback about who you are
>     having problems with. But it isn’t easy to send that feedback to
>     where it might actually belong in many cases: the other
>     implementation’s maintainers. Disconnecting or 4xxing is the
>     crudest form of signal. Yes, sometimes effective. But it also an
>     action between two parties (me as an implementor of my thing and
>     you as an implementor of the peer) that hurts a third party: the
>     user..
>
>     I wish there was some other option between the silent obedience
>     and the refusal to talk. But I don’t know what it could be.
>
>     Jari
>
>     _______________________________________________
>     Architecture-discuss mailing list
>     Architecture-discuss@ietf.org <mailto:Architecture-discuss@ietf.org>
>     https://www.ietf.org/mailman/listinfo/architecture-discuss
>
>
> _______________________________________________
> Architecture-discuss mailing list
> Architecture-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/architecture-discuss

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email