IETF Logo Mail Archive

Re: [OPSAWG] Christian's review of draft-mm-wg-effect-encrypt-13

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 05 January 2018 21:03 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: expand-draft-mm-wg-effect-encrypt.all@virtual.ietf.org
Delivered-To: opsawg@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id 932DE1241F5; Fri, 5 Jan 2018 13:03:43 -0800 (PST)
X-Original-To: xfilter-draft-mm-wg-effect-encrypt.all@ietfa.amsl.com
Delivered-To: xfilter-draft-mm-wg-effect-encrypt.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CEDC1270A3; Fri, 5 Jan 2018 13:03:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOoa3ec0hrZG; Fri, 5 Jan 2018 13:03:41 -0800 (PST)
Received: from mail-pl0-x22a.google.com (mail-pl0-x22a.google.com [IPv6:2607:f8b0:400e:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 393541241F5; Fri, 5 Jan 2018 13:03:41 -0800 (PST)
Received: by mail-pl0-x22a.google.com with SMTP id b96so3742979pli.2; Fri, 05 Jan 2018 13:03:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7ra7R4NlTLE3c9LezZGDlUHUcCa0jB4liUGHflIyr7g=; b=Dbj7R2y/mOXh+BBVv34j7OUqTPpXf6lvO2NgKW6LFIJ7GIt2yX8afFVIVl4GmajCNR LvtmuwOzbjyO3uQB/9H2K9Lab09lM7IBFc+TtVXeifcxT+dswXTg/D2QFi/QUAiun/TK 9iaS+IXfQOpjolF3JGVv9XTIi7eE6Hhex3P76uDX+KDOOlEOuUyrwl5LQu8aMG59ey8h gE8104dkEe51z4wYButJM9vCqOF02eY4aLDU0Jv4Hg7k6I2T22LPrkZ9C19iiwhVQfWC NjTo0Nas34Nme0rb+5USkf66VDRFjNb6gyxYjDcdgQKi/2ycjWa0Rq2/ERbIhi4oNY9X lNXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7ra7R4NlTLE3c9LezZGDlUHUcCa0jB4liUGHflIyr7g=; b=IkYkJ1BEcwgdsm3OK88OGvXE5lJgPoVe3FY+uHmFOgPtZq3oltPovZhoRbyorsNs22 JR3h56lDEm9rS8XVM0laH14k7LPjr9KLKIheuyf9L0p67mGW7k39IutzaKL3hLjvAAjH +xHucyn2gfb8KGw2q+1lzfC57FbWO+uIZX1RAF0u+9xSMnDQmg6M+gAAEnBKvtZfSkoY ukLYYbtyrofxIUiIP1x7qg6kHrD3o3g07rNvi73DXIDhc33EfMOSt3Kuv/xxXF44TZjZ /Wl0TmLJ8NuM0YyKBGVjUM01o27Gq3RyIRzP8HTYKI2OihbhxYZZBGmb3xgz4p/Erv9x 94HA==
X-Gm-Message-State: AKGB3mL00Og8+lfmDMa4/YMpbtONGTv6kuCRrhyxZLEThSMpAacuG22k BDERRk/FFvQyTGq5V+qSgnwoD97WoQN+D0cp7Ug=
X-Google-Smtp-Source: ACJfBoubrzYZSZG37MQC8FUG39ilfOIpCwe7bZFohk7DLtUbLgQAje6yumfmbZmTJaGG3EqPJ8CI+RVPl4Z7zFtpW2I=
X-Received: by 10.84.251.135 with SMTP id w7mr4321178pll.305.1515186220576; Fri, 05 Jan 2018 13:03:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.186.208 with HTTP; Fri, 5 Jan 2018 13:03:00 -0800 (PST)
In-Reply-To: <8D818A25-1FD6-4FFF-AD64-56C716DF272D@google.com>
References: <1ecac9b1-685b-8114-780a-a43425fb167d@huitema.net> <8D818A25-1FD6-4FFF-AD64-56C716DF272D@google.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 05 Jan 2018 16:03:00 -0500
Message-ID: <CAHbuEH4nqsj6=1SW9O8RQ1hXq=sCTiap60K2cRym+j-d1OCzgQ@mail.gmail.com>
To: james woodyatt <jhw@google.com>
Cc: Christian Huitema <huitema@huitema.net>, IETF Discussion Mailing List <ietf@ietf.org>, draft-mm-wg-effect-encrypt.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Resent-From: alias-bounces@ietf.org
Resent-To: Kathleen.Moriarty@dell.com, acmorton@att.com, Kathleen.Moriarty.ietf@gmail.com, warren@kumari.net, ekr@rtfm.com, Paul Hoffman <paul.hoffman@vpnc.org>, opsawg@ietf.org, paul.hoffman@vpnc.org
Resent-Message-Id: <20180105210343.932DE1241F5@ietfa.amsl.com>
Resent-Date: Fri, 05 Jan 2018 13:03:43 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/yhWfJ4z4ku7NvZsYB8H7EQjpj2I>
Subject: Re: [OPSAWG] Christian's review of draft-mm-wg-effect-encrypt-13
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jan 2018 21:03:43 -0000

Hello James,

Thank you for your review and suggestions, responses are inline.

On Fri, Dec 8, 2017 at 1:53 PM, james woodyatt <jhw@google.com> wrote:
> On Dec 4, 2017, at 08:23, Christian Huitema <huitema@huitema.net> wrote:
>>
>> In section 2.3.3, Application Layer Gateways, I was wishing it would say
>> something about IPv6. But then of course most IPv6 deployments today
>> involve a form of NAT64...
>
> That section leaves unmentioned a vast array of open questions related to IPv6-layer security filters and the problem of application layer gateways.

If there are specific problems that are encountered with session
encryption that you think should be added, please provide text and
explain if it is with encryption that leaves a 5-tuple or 2-tuple
available and what other metadata is typically used.

>
> It contains an extended discussion of the ALG functions in one example case-- and not a particularly good one I would say-- the RTSP protocol, which in the presence of an ALG, depends on the parties performing it in cleartext, or it alternatively requires a proxy being a participant in the security protocol. The issues it describes apply to RTSP over both IPv4 and IPv6 in the presence of stateful filters that deny unsolicited inbound flows. Both NAT44 and NAT64 depend on such stateful filters, and "Simple Security in IPv6 Gateway CPE” [RFC 6092] is an example of a place where the issue applies in the absence of any network address translation.

Hmm, we do have text elsewhere in the draft on the problems with RSTP
for operators.  In looking at RFC6092, that is specific to small
offices and home gateways, which we don't cover in this draft.  Since
the issues are already covered in that RFC, are you suggesting an
addition here?  I'm not sure it's a fit.

>
> Some history might be worth recalling here, at the risk of yet again being That Guy Who Told You So.
>
> Because I’m a bitter old man, I like to go back to “Local Network Protection for IPv6” [RFC 4864]. Specifically, §4.2 IPv6 and Simple Security. This document, while Informational, is the point in our history where IETF formally published a statement acknowledging that IPv6 would absolutely always have the same problem with needing trustworthy ALGs and proxies in the network that IPv4 does.

I think this also boils down to architectural decisions.  There are
ways to perform many of the functions multiple ways, this document
doesn't go much into the alternate option of proxying the encrypted
traffic since that will still be possible with TLS 1.3.

>
> The key sentence there is this one:
>
>>> These should provide a default configuration where incoming traffic is limited to return traffic resulting from outgoing packets (sometimes known as reflective session state).
>
> After this document was published, and the howling subsided, some of us thought it would be a good idea to describe the behavioral requirements of this IPv6 "Simple Security" function in the same way that RFC 4787 and RFC 5382 do for UDP and TCP, respectively, in the IPv4/NAT case. Which is why we now have "Simple Security in IPv6 Gateway CPE” [RFC 6092].
>
> When RFC 6092 was in development, an early draft revision had a section about recommendations for various application layer gateways, e.g. RTSP+RTP, L2TP+IKE+IPsec/ESP, FTP, et cetera. The final draft didn’t include any of that, because consensus emerged around the idea that IPv6 simple security functions should not *need* any ALGs, and they should instead include a generic service for applications to use in soliciting inbound flows from unknown remote addresses. This entailed having the usual IETF tussle over competing non-standard solutions, i.e. UPnP-IGD vs. NAT-PMP. It was unresolved at the time RFC 6092 was published. It would still take some time before "Port Control Protocol (PCP)" [RFC 6887] would settle that debate.
>
> Which is why REC-48 is written with such curiously vague text:
>
>>> Internet gateways with IPv6 simple security capabilities SHOULD implement a protocol to permit applications to solicit inbound traffic without advance knowledge of the addresses of exterior nodes with which they expect to communicate.
>
> Were we to revise RFC 6092 today, I would like to see this amended to recommend PCP specifically. If there is an RFC anywhere that specifically asserts that deploying PCP servers in NAT64 and IPv6 firewall devices is Best Current Practice, then I’m unaware of it. It would be nice.

I'm not aware of one either, I don't think that exists.

>
> With hindsight, I was right to harbor pessimism about the rosy predictions, favored by some IETF participants, for the future of IPv6 without simple security gateways everywhere, entailing the need for an array of ALGs and proxies in every gateway, with the consequential impediment to application protocol evolution created thereby. It turns out that “Local Network Protection for IPv6” [RFC 4864] really was a BCP in an Informational drag, which is the case I remember making here all those years ago.
>
> With respect to NAT64, it’s worth reviewing “NAT64 Deployment Options and Experience” [RFC 7269], which is Informational, and it discusses both PCP and "An FTP Application Layer Gateway (ALG) for IPv6-to-IPv4 Translation” [RFC 6384], as an example of a case where we recognized that ubiquitous stateful filtering and denial of unsolicited inbound flows would entail the placement of application layer gateways and proxies in the network. Why do IPv6 FTP clients require RFC 6384? Because they don’t have PCP clients in them, and there are no PCP servers anyway.
>
> Now it’s almost 2018, and we are finally discovering that pervasive encryption requires ALGs and proxies to be trusted by all parties in the application protocol. And this is painful. Because new host application protocols aren’t even developed to use PCP. Because PCP servers haven’t been deployed anywhere. Because everything is terrible, and everyone would love to keep it that way. Or, at least, it seems so to me. Because I’m a bitter old man.
>
> I honestly don’t know if there is anything useful to say about ALGs in this document beyond simply acknowledging somewhere that they’re all necessarily broken by pervasive end-to-end encryption and operators who value administrative privacy, user tracking and/or topology hiding should consider the utility of secure application level proxies instead.

Thanks for your input.  We are not including solutions in the draft
intentionally (as much as possible).  If you have specific text about
ALGs that should be added, please do provide it, but please have it
specific to the goals of the draft - documenting the function impacted
by encryption and the data used currently when sessions are not
encrypted so there can be some assessment of impact.  Of course the
use of proxies are slower than many other solutions and not always an
option or good idea.

>
>
> --james woodyatt <jhw@google.com>
>
>
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email