IETF Logo Mail Archive

Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC

Tom Herbert <tom@herbertland.com> Fri, 12 February 2021 14:47 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3D3E3A1702 for <saag@ietfa.amsl.com>; Fri, 12 Feb 2021 06:47:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHp0OLj_lJyg for <saag@ietfa.amsl.com>; Fri, 12 Feb 2021 06:47:26 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A89F43A16FC for <saag@ietf.org>; Fri, 12 Feb 2021 06:47:25 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id q2so11143233eds.11 for <saag@ietf.org>; Fri, 12 Feb 2021 06:47:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gDvGb+D4mddrs63XHzubiStBzaVffuOvCMev4NRJt3A=; b=GMFhWg+3kGM758C61Hh+y+yB7FvdzPGsT0vcFefGxJhLgSBJm+ruqpOtZtHBWZ0Mje VgEejObTpvhOCfebJgZVIURNouQiNUWuFpn/F3gCYdhZvZGbJ4/gxqeEp5GD789kzuwm xi1zL9K4Xb9PGQXyt1aBW5Ujuel0QC43VJB+Psnu/ubxoNHs+sb0vnWU3K+tI29khgVZ eZTzlOmlIBiHnnnZW2rIT13mcFlgVFnwHhst8DEkJ8ZlQl/TEDIYea3MojnKwv+nQNXW 58H3IW6UdvIAKnBilFZCBFmr0Uyt4eILTa1oIr0ndVI7ehY+muHhikrzsrgTELpEJUdR Lgow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gDvGb+D4mddrs63XHzubiStBzaVffuOvCMev4NRJt3A=; b=jH/elSX5Rnfb8w/5j+j43h3hnshSoSpbviimgg4+A/oGlpXvsbFwY8ZQfZi3b30Jpz nGvr/2Bdig5pr22BbfG8BCgiN+z2TpaBLlPZxG7pfo7pIrQJaqmI2JCpto1sE4cOPpA0 UDeppUyfVfR4Aq1w2DOOG08saKzA59zWUN5X7BAHFeEvXDOxmO7LFEVBGUhKAuN1gBXF tni/VeNGLxKr99+MO745Fy/hjiXyL+Enx7JuPLV16gwQNx+jzwdGJ6vvNGJaXMn21R8P ddg0zYRjG08LCzYXLvWKXarL2qYKkPzKcAxbVkQTuxLUqja8qocFsYyS/Vg15cgd4wcJ 6zrQ==
X-Gm-Message-State: AOAM530O2mieY/9nPn6bILAGWUVSri72Xth+1KTpur3fTviWdO6ZnaY8 Xu+O+3R7eyB/Me392cioOlInXPmHxWSpe5+EDt0Gm/7sc7A=
X-Google-Smtp-Source: ABdhPJyEFCGU1isd+4i74BcvBHUlKp2/jeCKidqKDW4LCMniHvjx3GSa/DOKvBRNoRsAYNq5Z72wQGmaNvPCOS3Ki6U=
X-Received: by 2002:aa7:c418:: with SMTP id j24mr3782300edq.293.1613141243789; Fri, 12 Feb 2021 06:47:23 -0800 (PST)
MIME-Version: 1.0
References: <161257199785.16601.5458969087152796022@ietfa.amsl.com> <20210210062551.GI21@kduck.mit.edu> <f1a1aaef-5400-89ca-fe26-786686800036@gont.com.ar> <MN2PR19MB4045B25A78B3C0841CC8EAFE838D9@MN2PR19MB4045.namprd19.prod.outlook.com> <2fb9d724-7f8a-93cd-9045-eb3852345a9e@erg.abdn.ac.uk> <1416490d-6532-59ce-e09f-388db716af8f@si6networks.com> <CALx6S35_Rb_vUyDddaiJtt2iT2Gvev=bLs7Rip8TQ8yZppMLDQ@mail.gmail.com> <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com> <CALx6S35U_Re0T5f9m4AbNyvv7Gk6s9UoN1wdo7_j_phSMm+2gg@mail.gmail.com> <1dcb48f6-f621-11f8-9e9a-067b65c44818@si6networks.com> <CALx6S351GUy=FJAZ1h6YYfmvJv2yGVVDma26r=Fu56bgzwhFpQ@mail.gmail.com> <16740.1613082711@localhost> <CALx6S376UeJrikyyAbdTFAYzzEMackbaxiXri897xugJJf5mMA@mail.gmail.com> <b6780de8-fc73-cb35-5f44-87907681448a@gont.com.ar>
In-Reply-To: <b6780de8-fc73-cb35-5f44-87907681448a@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Fri, 12 Feb 2021 07:47:12 -0700
Message-ID: <CALx6S376vcrugJqgk1oGBsfzoGmpTnFqgzzSoiV5hzekswA5rw@mail.gmail.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "tsvwg@ietf.org" <tsvwg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GufwhdB3i1jPshXJpkzaz9XOROc>
Subject: Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 14:47:30 -0000

On Thu, Feb 11, 2021 at 7:08 PM Fernando Gont <fernando@gont.com.ar> wrote:
>
> On 11/2/21 20:19, Tom Herbert wrote:
> > On Thu, Feb 11, 2021 at 3:32 PM Michael Richardson
> > <mcr+ietf@sandelman.ca> wrote:
> [....]
> >
> > It's also hard not to notice how similar these discussions are with
> > those that occurred when TLS was being brought up. Some network
> > providers argued vehemently that if they aren't able to inspect HTTP
> > payload they can't provide the services and security their customers
> > need. They lost those arguments, as I suspect similar arguments that
> > transport layer shouldn't be encrypted will also fail.
>
> FWIW, I'm certainly *not* arguing that the transport layer should not be
> encrypted. I'm simply pointing out that operators do more things with
> packets that blindly forward packets on a per-packet and per-dst-address
> basis. And that that, there are consequences of them not being able to
> access IP+transport metadata.
>
Fernando,

Yes, this draft describes those consequences. But what has not been
adequately discussed IMO has been the negative consequences of network
devices acting on transport layer information. In particular, this
leads to protocol ossification and creates a myriad of impediments for
application developers trying to build applications to work across the
whole Internet. For instance, if you say that QUIC is the only UDP
protocol allowed on the Internet., i.e. identified by UDP port 443,
then how could we ever deploy a new UDP protocol? This also leads to
arms escalation between application developers and network operators,
for instance if I do know that UDP port number 443 is the only port
number allowed the network then I'll simply wrap my new UDP protocol
in a UDP datagram to 443. You might complain that such things might be
purposely bypassing your network security, yes they do, however host
developers have no obligation to abide by some arcane set of network
security policies that are unwritten and inconsistent across the
Internet.

I do believe that network operators and their users could benefit from
getting more information in a packet than just Ip addresses. But I
also believe that exposure of information should be volutary as
opposed to mandatory, and it should be be very clear what the value is
the to the user in exposing information. IMO, HBH is the best vehicle
to express this information and there is some good work in Network
tokens, FAST, and APN around this.

Tom

> When it comes to QUIC, it could well be the case that then only thing
> they care in this respect is IP header + UDP header... and e.g. rate
> limit as they do for some other UDP traffic.
>
> Thanks,
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>

v2.23.0 | Report a Bug | By Email