Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
Tom Herbert <tom@herbertland.com> Fri, 12 February 2021 14:47 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3D3E3A1702 for <saag@ietfa.amsl.com>; Fri, 12 Feb 2021 06:47:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHp0OLj_lJyg for <saag@ietfa.amsl.com>; Fri, 12 Feb 2021 06:47:26 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A89F43A16FC for <saag@ietf.org>; Fri, 12 Feb 2021 06:47:25 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id q2so11143233eds.11 for <saag@ietf.org>; Fri, 12 Feb 2021 06:47:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gDvGb+D4mddrs63XHzubiStBzaVffuOvCMev4NRJt3A=; b=GMFhWg+3kGM758C61Hh+y+yB7FvdzPGsT0vcFefGxJhLgSBJm+ruqpOtZtHBWZ0Mje VgEejObTpvhOCfebJgZVIURNouQiNUWuFpn/F3gCYdhZvZGbJ4/gxqeEp5GD789kzuwm xi1zL9K4Xb9PGQXyt1aBW5Ujuel0QC43VJB+Psnu/ubxoNHs+sb0vnWU3K+tI29khgVZ eZTzlOmlIBiHnnnZW2rIT13mcFlgVFnwHhst8DEkJ8ZlQl/TEDIYea3MojnKwv+nQNXW 58H3IW6UdvIAKnBilFZCBFmr0Uyt4eILTa1oIr0ndVI7ehY+muHhikrzsrgTELpEJUdR Lgow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gDvGb+D4mddrs63XHzubiStBzaVffuOvCMev4NRJt3A=; b=jH/elSX5Rnfb8w/5j+j43h3hnshSoSpbviimgg4+A/oGlpXvsbFwY8ZQfZi3b30Jpz nGvr/2Bdig5pr22BbfG8BCgiN+z2TpaBLlPZxG7pfo7pIrQJaqmI2JCpto1sE4cOPpA0 UDeppUyfVfR4Aq1w2DOOG08saKzA59zWUN5X7BAHFeEvXDOxmO7LFEVBGUhKAuN1gBXF tni/VeNGLxKr99+MO745Fy/hjiXyL+Enx7JuPLV16gwQNx+jzwdGJ6vvNGJaXMn21R8P ddg0zYRjG08LCzYXLvWKXarL2qYKkPzKcAxbVkQTuxLUqja8qocFsYyS/Vg15cgd4wcJ 6zrQ==
X-Gm-Message-State: AOAM530O2mieY/9nPn6bILAGWUVSri72Xth+1KTpur3fTviWdO6ZnaY8 Xu+O+3R7eyB/Me392cioOlInXPmHxWSpe5+EDt0Gm/7sc7A=
X-Google-Smtp-Source: ABdhPJyEFCGU1isd+4i74BcvBHUlKp2/jeCKidqKDW4LCMniHvjx3GSa/DOKvBRNoRsAYNq5Z72wQGmaNvPCOS3Ki6U=
X-Received: by 2002:aa7:c418:: with SMTP id j24mr3782300edq.293.1613141243789; Fri, 12 Feb 2021 06:47:23 -0800 (PST)
MIME-Version: 1.0
References: <161257199785.16601.5458969087152796022@ietfa.amsl.com> <20210210062551.GI21@kduck.mit.edu> <f1a1aaef-5400-89ca-fe26-786686800036@gont.com.ar> <MN2PR19MB4045B25A78B3C0841CC8EAFE838D9@MN2PR19MB4045.namprd19.prod.outlook.com> <2fb9d724-7f8a-93cd-9045-eb3852345a9e@erg.abdn.ac.uk> <1416490d-6532-59ce-e09f-388db716af8f@si6networks.com> <CALx6S35_Rb_vUyDddaiJtt2iT2Gvev=bLs7Rip8TQ8yZppMLDQ@mail.gmail.com> <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com> <CALx6S35U_Re0T5f9m4AbNyvv7Gk6s9UoN1wdo7_j_phSMm+2gg@mail.gmail.com> <1dcb48f6-f621-11f8-9e9a-067b65c44818@si6networks.com> <CALx6S351GUy=FJAZ1h6YYfmvJv2yGVVDma26r=Fu56bgzwhFpQ@mail.gmail.com> <16740.1613082711@localhost> <CALx6S376UeJrikyyAbdTFAYzzEMackbaxiXri897xugJJf5mMA@mail.gmail.com> <b6780de8-fc73-cb35-5f44-87907681448a@gont.com.ar>
In-Reply-To: <b6780de8-fc73-cb35-5f44-87907681448a@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 12 Feb 2021 07:47:12 -0700
Message-ID: <CALx6S376vcrugJqgk1oGBsfzoGmpTnFqgzzSoiV5hzekswA5rw@mail.gmail.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "tsvwg@ietf.org" <tsvwg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GufwhdB3i1jPshXJpkzaz9XOROc>
Subject: Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 14:47:30 -0000
On Thu, Feb 11, 2021 at 7:08 PM Fernando Gont <fernando@gont.com.ar> wrote: > > On 11/2/21 20:19, Tom Herbert wrote: > > On Thu, Feb 11, 2021 at 3:32 PM Michael Richardson > > <mcr+ietf@sandelman.ca> wrote: > [....] > > > > It's also hard not to notice how similar these discussions are with > > those that occurred when TLS was being brought up. Some network > > providers argued vehemently that if they aren't able to inspect HTTP > > payload they can't provide the services and security their customers > > need. They lost those arguments, as I suspect similar arguments that > > transport layer shouldn't be encrypted will also fail. > > FWIW, I'm certainly *not* arguing that the transport layer should not be > encrypted. I'm simply pointing out that operators do more things with > packets that blindly forward packets on a per-packet and per-dst-address > basis. And that that, there are consequences of them not being able to > access IP+transport metadata. > Fernando, Yes, this draft describes those consequences. But what has not been adequately discussed IMO has been the negative consequences of network devices acting on transport layer information. In particular, this leads to protocol ossification and creates a myriad of impediments for application developers trying to build applications to work across the whole Internet. For instance, if you say that QUIC is the only UDP protocol allowed on the Internet., i.e. identified by UDP port 443, then how could we ever deploy a new UDP protocol? This also leads to arms escalation between application developers and network operators, for instance if I do know that UDP port number 443 is the only port number allowed the network then I'll simply wrap my new UDP protocol in a UDP datagram to 443. You might complain that such things might be purposely bypassing your network security, yes they do, however host developers have no obligation to abide by some arcane set of network security policies that are unwritten and inconsistent across the Internet. I do believe that network operators and their users could benefit from getting more information in a packet than just Ip addresses. But I also believe that exposure of information should be volutary as opposed to mandatory, and it should be be very clear what the value is the to the user in exposing information. IMO, HBH is the best vehicle to express this information and there is some good work in Network tokens, FAST, and APN around this. Tom > When it comes to QUIC, it could well be the case that then only thing > they care in this respect is IP header + UDP header... and e.g. rate > limit as they do for some other UDP traffic. > > Thanks, > -- > Fernando Gont > e-mail: fernando@gont.com.ar || fgont@si6networks.com > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > >
- [saag] Fwd: Last Call: <draft-ietf-tsvwg-transpor… Benjamin Kaduk
- Re: [saag] Fwd: Last Call: <draft-ietf-tsvwg-tran… Fernando Gont
- Re: [saag] Fwd: Last Call: <draft-ietf-tsvwg-tran… Black, David
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Gorry Fairhurst
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Tom Herbert
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… C. M. Heard
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Tom Herbert
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Tom Herbert
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Michael Richardson
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Michael Richardson
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Tom Herbert
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Tom Herbert
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Sebastian Moeller
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Tom Herbert
- Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-ts… Fernando Gont