IETF Logo Mail Archive

Re: [saag] [tsvwg] Comments on draft-ietf-tsvwg-transport-encrypt-08.txt

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Mon, 04 November 2019 18:02 UTC

Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BC92120C88; Mon, 4 Nov 2019 10:02:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vThHzZY1As9T; Mon, 4 Nov 2019 10:02:05 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60066.outbound.protection.outlook.com [40.107.6.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2980120C7C; Mon, 4 Nov 2019 10:02:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iWCJA1X5tpz8G6e3Nrdw3HyqBsxovU/knMVU8frcEMUeCFVFsxFCGIuIPmlxZ3m1kD8LHNN2KEfABlZwCVn1JLlIQDslUNb92gTTvtLzb5XFlaOqBGTIAS/jnVrx5tO7bbAr2IxpHhfcApQzhUK/JPahwg5YwfPpF7+HOKlY7f+QQCvUTtHO3krt8q+AIr/5RFucpfJyYquZJFJOW7AF3ges3rTZF5w0rquuCCB7XynFGctMhnvtxbw8KU+tbNIrdiqpmOtQ72WAkrRbKgIE4S7Qv/yYKOpPqTFeJl4P99JChI65tG5f4fhjAtXAZzcLCtwfbL/rU4wbmh2FNt/K3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ONZXoxVYzYYWk0zhNDXNI2AJ6L3OF5bOoTBrX7SdmW4=; b=NjI5VP5aleiQMoZ4KDgfAGE0uEjTZi5dwMPRSZXzEY92j6ki+uzkNZeASa+INuV/Z/8QV4r1fmzsXNyPqqB5OfqGTcBTbs5861ciZcCyPRc2CDWDUF8yPVGYx8idvMWfbU1BN+kMFjm8K33CDLzCa2EkWWfKBmiIOv7akIrJzzleHYRagQ6OLCRgORk5ymfUvbqETtTgjqQzdUJKQuH4mS6uBo5n/tjbo8F8PQE+DKOonMLXTQjaZqdazOSkyQRJY+o8f02wiO/qJFqdwZ8IShyPmD6NVh9lcapJasMgD9c0r43ef726zH/J70gqfikw7D6uVeS/DnxqEpcY9gtHWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ONZXoxVYzYYWk0zhNDXNI2AJ6L3OF5bOoTBrX7SdmW4=; b=kXGbyNhabpEagezO/jns0QxYsWAJZ61MeMjrmGyFlzT0DqnhBvTmAdok20i8juRtU0bSqcF7IhzvzJWtB6N3yncLjMSZFvjDxyXLATVHdpAyUJg5u0B+x3sgEsiR37/VUuURhevHSO/to8syD86zhTGbr0/Y5JGWa+7BY+UjiBY=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB6242.eurprd07.prod.outlook.com (10.186.172.84) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.16; Mon, 4 Nov 2019 18:02:02 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4189:4ef8:bfc1:ec58]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4189:4ef8:bfc1:ec58%7]) with mapi id 15.20.2430.013; Mon, 4 Nov 2019 18:02:02 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>, Christian Huitema <huitema@huitema.net>
CC: Eric Rescorla <ekr@rtfm.com>, tsvwg IETF list <tsvwg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [tsvwg] [saag] Comments on draft-ietf-tsvwg-transport-encrypt-08.txt
Thread-Index: AQHVky08JY2FDXmr60OAsbMwFkv5fad7STQAgAAVH4A=
Date: Mon, 04 Nov 2019 18:02:02 +0000
Message-ID: <B74B17C8-A8D7-47F9-9DA2-610A8EB9F3BA@ericsson.com>
References: <CABcZeBPajzuEdw8=M1g1i-TAniJ9O+H5dEMxv8c6N3tD=7mSvw@mail.gmail.com> <CALx6S35bSAa_zq=HsF-3e9qC-vRNFRu6dn+O4ak4Hi+c=Tmz5A@mail.gmail.com> <79E407F2-13D8-4F64-9A42-ED6BF6141DE9@ericsson.com> <CABcZeBPfT=B+fOXAkPuoEQQHAtJrefXSgnjOpPC7-4zC_myRsA@mail.gmail.com> <D36061F0-F872-4054-ACF0-C9A88FCEC572@ericsson.com> <2d3c909f-b21c-3916-1eb9-db6de5c661e3@huitema.net> <5DC063F2.8040502@erg.abdn.ac.uk>
In-Reply-To: <5DC063F2.8040502@erg.abdn.ac.uk>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [2003:eb:4700:cf00:3d57:7e7e:af67:8db2]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 221b6ed1-7c82-4659-1a67-08d76151185d
x-ms-traffictypediagnostic: AM0PR07MB6242:
x-microsoft-antispam-prvs: <AM0PR07MB624288E0A5488BDF6A93B711F47F0@AM0PR07MB6242.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0211965D06
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(136003)(396003)(346002)(39860400002)(366004)(189003)(199004)(6486002)(2501003)(2906002)(76176011)(478600001)(6246003)(6436002)(102836004)(53546011)(296002)(316002)(54906003)(110136005)(14454004)(71190400001)(229853002)(71200400001)(44832011)(6512007)(256004)(5660300002)(486006)(305945005)(7736002)(6506007)(186003)(25786009)(86362001)(11346002)(46003)(2616005)(36756003)(446003)(64756008)(476003)(76116006)(66476007)(66556008)(66946007)(8936002)(33656002)(66446008)(99286004)(81166006)(81156014)(8676002)(14444005)(6116002)(4326008); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB6242; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 846VQorsEGGA8L2WF5hbdavkQr8FjNR2kndvV2/hxaa6L1W+N1G/FsxcUl1q1af04JcWk8Bed2pzKIO2n/miyL7YOmKSQ+W8SFFMNElSvpVvTAlKhe4+OlE3MAIa8fRbo8nP9LhTvewobuxPyQTfSMIXmo6mHE7OgyZYV0WAw6HjlrezU+SuCbNX2ZpK75m3CwAgus95mfMZpwZfvwBjzmknree/zR6Ub1c1m8PFCq01pph7+Yahs/tazAw5lkhI1I7rS9koR6uN0rkdtADNTPp4LPwd9vMlS4wqBILPx8eZ81zH6gXOPeAkCoiiWbfhaA94pTyQ6+girbVrFEd5MkTd+Btfr8simaeYrDrWKe5+iUDmQBY/ECuQY+1RAZEcuCwLLUSnJXGUHbrmLbJw0y7kky2m79PBj0fAibH9O2zKSaID4LjA1UrNaaonMqax
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <318504C219FC7940BC6995480CD119A6@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 221b6ed1-7c82-4659-1a67-08d76151185d
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2019 18:02:02.4634 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IGrNDnK8gJJM3fO5Yj37aeiNbI8asfkTvyKbD3VpepGfrGjyiDejR1YjLfNpZCejvnJRyi45WF/FPxfkH3laFmBQ/IESdu7OzGkICP0EOdA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB6242
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/eutcRkV3aIy1Bug4Q6e_9j0yZW0>
Subject: Re: [saag] [tsvwg] Comments on draft-ietf-tsvwg-transport-encrypt-08.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 18:02:12 -0000

Hi Christian,

please see two comments below (marked with [MK]).

Mirja

On 04.11.19, 18:46, "Gorry Fairhurst" <gorry@erg.abdn.ac.uk> wrote:

    Just focussing on the end...
    
    On 04/11/2019, 16:29, Christian Huitema wrote:
    >>
    >> [MK] That’s not the intention here. But we also need to consider ways 
    >> to interact with the network where this brings benefit to both the 
    >> network and the performance of the end-to-end traffic. There are 
    >> situation where this is the case. And I don’t think one makes sense 
    >> without the other.
    >>
    > You seem to be arguing for something like "performance enhancing 
    > proxies". End-to-end encryption is indeed a way to opt out of such 
    > proxying. Measurements so far indicate that opting out has very little 
    > impact on actual performance, and that whatever impact there is could 
    > be reduced by improvements in end-to-end algorithms. In fact, in many 
    > cases, end to end performance is better without such proxies. But the 
    > real reason for the opposition to the concept is ossification. 
    > Enabling such proxies would quickly ossify the new transports, and a 
    > such there is a strong consensus in the end-to-end transport designers 
    > to use encryption and prevent interference by such devices.
    >
    On PEPs: The current case for many of the network segments I see is that 
    QUIC is quite good, but it is considerably worse (currently) than a PEP 
    using Split-TCP. That's not to say it can't improve - but that's not 
    true yet. However: It's curious that people keep going back to PEPs, 
    because network devices that change the transport header were 
    specifically out-of-scope for this ID!
    >
    > This does not mean that network level deployment have no role in the 
    > future. I could see for example tunnels deployed that use FEC or local 
    > retransmission to mask the poor performance of a particular subnet. Or 
    > I could see end-to-end devices opting into some kinds of application 
    > level caching services in order to improve performance. But the draft 
    > should be clear: transport protocols do not have to enable 
    > interference with the transport bits.

[MK] This is not what the draft is asking for. 

    >
    There are also many operators - e.g., enterprise who rely on the methods 
    currently mentioned in this draft. In this case, they also actually *do* 
    care about the performance of the networks they operate. They also do 
    care about the topics, which matters most depends on which organisation.
    >
    > My take is that this draft should not be published as is. It should be 
    > rewritten to actually reflect the consensus of the transport area, 
    > which has to reflect in particular the work in the QUIC working group.

[MK] The purpose of this draft is exactly to find and document consensus in the transport area and in the IETF. I don't think any individual at this points knows what the consensus actually is. This document has support in tsvwg (otherwise it would not have been adopted as wg document) and I also don't think there is anything in the draft that contradicts any work in the QUIC group.


    >
    I suspect the information you wish to see about QUIC's design is 
    actually available. I'm not sure documenting QUIC is helpful here, if 
    the QUIC WG wants to so that, can't it be added to the manageability draft?
    
    I dispute the claim that the entire transport area has the same 
    priorities as that voiced at the QUIC WG. I think this discussion needs 
    to look outside the QUIC working group and examine other transports and 
    WGs. As far as I know the RTP people are still doing specs in the IETF, 
    as are various other transport working groups. Also, this draft has been 
    presented at OPsec, and has contributors from other areas outside 
    transport...
    
    My assertion is that *current* practice is using transport header 
    information & header authentication/encryption is becoming common, let's 
    set out what the current facts are. I'm also going to oppose documenting 
    new ideas for how we can go forward - as Spencer insisted when this was 
    chartered: Proposing new methods belong in a different draft - paraphrased.
    
    Gorry

v2.23.0 | Report a Bug | By Email