IETF Logo Mail Archive

[saag] Last call feedback: draft-mm-wg-effect-encrypt

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 08 March 2017 20:18 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25A66129490 for <saag@ietfa.amsl.com>; Wed, 8 Mar 2017 12:18:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i6Fd63ZL40jn for <saag@ietfa.amsl.com>; Wed, 8 Mar 2017 12:18:11 -0800 (PST)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D922712940F for <saag@ietf.org>; Wed, 8 Mar 2017 12:18:10 -0800 (PST)
Received: by mail-pg0-x233.google.com with SMTP id b129so17037659pgc.2 for <saag@ietf.org>; Wed, 08 Mar 2017 12:18:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc :content-transfer-encoding; bh=IW616r/MatpSqFb4Z352BSriYwDYCrDDv8Jdvq5B2WY=; b=U1G3hClt+6Q93uSNGs6pAA/6p4ykyigfNJHUiA96dDWBfDBi4uQJe5dfNTCIWYDqEw cXt7GSpCOg5EKhPt0kv3fNuSb9LUPX+MpcFOV6xtyjGDqnVRlvHe48axdlc9/2/FExJJ BAJcoP4uf6Vy0cX1j5UJfsm8XWGIxFl3Lsl1fIE4B2sDi6018/aVlfLGBVxJ8CTgmxUn tUP28aaOo550ygXCGdcBpl5PyYgcGq2WdobVe8jLgSXPHcLlkBPO08Zq3wH4Z6DYgWI9 I4666TWSmaqRU2ywtwjZZpKDdXosQqsruRknYhs4qnIiNQ9+m0UadgipFD/YuCCIGTHN HQ3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-transfer-encoding; bh=IW616r/MatpSqFb4Z352BSriYwDYCrDDv8Jdvq5B2WY=; b=gWLAr4JqSvsua8+SWcCWKZAVFnGONskVJZW1YvwFnvVOJh5kOoDKydt3I7r3Xx/R+x FbZ0M8gBOP/ysI0WJw1LkZV8MCd7XdcAtMQGgcoBPoNWrqCNIdC7BElnx6bzfqZdgwYc qmo4jVIgZaIZVOP2/kcS+3tgMQjqhTfF0DWp6OfzLsDbW4q1FbLzKbOatJ8Z3YXW3PH5 ekAuiP18vSWQv8HKiPuw6hO7BKK9RfQQHEe1G4Uy6nJn+WHU8XlLMRyxhzhR8tNukVEk v22S1txjIJv4+BjijbrTI9mLWyQ/mDmKVc2Up1EiO9dFKdT8lQ7OkCBH9hlL7JOURCtG 7tBQ==
X-Gm-Message-State: AMke39lvZAs7x+fAq8T0Amcp/vaiD9xENc39WuIJAt8QB2MJCZA/v64MwJkMpE2NevIgt+onVprLuH+2M9MpBg==
X-Received: by 10.98.54.196 with SMTP id d187mr9420183pfa.33.1489004290299; Wed, 08 Mar 2017 12:18:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.177.199 with HTTP; Wed, 8 Mar 2017 12:18:09 -0800 (PST)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 8 Mar 2017 15:18:09 -0500
Message-ID: <CAHbuEH4+bd=0PJa1rWDQN6tbeRK5vXKdbcUwsj2=zf9V8ejeDg@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/y99lWdMFb2qIZ6YSGBXQ7m0-OR8>
Cc: "Badri.Subramanyan@ril.com" <Badri.Subramanyan@ril.com>, "ALFRED C MORTON \(AL\)" <acmorton@att.com>
Subject: [saag] Last call feedback: draft-mm-wg-effect-encrypt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 20:18:12 -0000

Hello Badri,

Thank you very much for your review and feedback on the draft.  This
is very helpful to add in your perspective.  I do have a few questions
in line and am hoping you have some good references for us to cite as
well.  We need to get a draft revision out by Friday, so hopefully we
can iterate quickly.


>
> On Feb 23, 2017, at 9:54 AM, "Badri.Subramanyan@ril.com"
> <Badri.Subramanyan@ril.com> wrote:
>
> Hello,
>
>
>
>                 I work for a Mobile Service Provider and wanted to start by
> thanking you for putting this document together (Effects of Pervasive
> Encryption). Encryption of content has been impacting the service providers
> for sometime, and this document outlines it very well. I had a few
> comments/suggestions on the document. This documents is comprehensive, but
> there are a few impacts more specific to Mobile Carriers which I thought
> were not included. I would greatly appreciate it, if you could look into
> these and modify the document as suited.
>
>
>
> 1.       ALG – Application Layer Gateway, is a feature used by Firewalls,
> NAT boxes and Load Balancers to identify streams which are related and treat
> them alike. Many of the protocols work in conjunction to deliver a service.
> Eg. RTSP/RTCP/RTP protocols are used to provide video service. RTSP uses TCP
> and negotiates the UDP ports used for RTP and RTCP communication. RTSP and
> RTCP form the control plane, when RTP forms the data plane.
>
> a.       The ALG feature makes the Firewall application-aware and allow or
> block a video content as desired.
>
> b.      This feature is also used as of today on the Firewall or NAT box.
> The scenario here is, the FW/NAT box acts as a demarcation point between the
> DMZ and untrusted network, which allows out bound traffic and any flow
> initiated from within the DMZ. When we have service with multiple flows,
> some of these could be initiated from within the DMZ, which should enable
> other flows in both directions. Eg. RTSP Request from within the DMZ would
> need to allow RTP packets from the untrusted zone into the DMZ. The FW/NAT
> box can only allow this if they are aware of the co-relation between the
> different flows using feature like ALG.
>
> c.       The ALG feature on a LB similarly would allow the identification of
> the different co-related flows and treat them alike – allow, block, LB them
> to the same server or re-route to another set of servers.
>
> If the streams are encrypted, then the ALG feature would be rendered
> useless. This would limit the capability of any network element to make
> smart policing and routing decisions based on application layer attributes.

Do you know if these can work with a 2-tuple or 5-tuple?  Is there an
impact from encryption via TLS for instance?  If so, what is that
impact?

What is used by ALG to correlate streams?  This would be helpful to
understand if this particular method for ALGs does become 'useless'
and also to figure out if other options may exist to perform the
functions needed.

Do you have references on this that are stable (ones we can cite in an RFC)?

>
> 2.       Over-The-Top Caching web content – You did touch upon this topic in
> section 2.1.4, but I think this is a big enough topic that it warrants its
> own subsection. As the Internet traffic increases across the world, Mobile
> Carriers and other Service Providers are using caching solution to keep up
> with the bandwidth needs. Caching at a high level would allow for web/video
> and other caches to be located closer to the customers. The first time a
> content is requested, it is stored in the cache and every request going
> forward would be served from the cache thus cutting down on the backhaul
> tonnage between the source of the content and the cache. This not only helps
> in cutting down on the bandwidth requirements, but also cuts down on the
> latency with quicker time to first byte and improves customer experience.
> Mobile Carriers are deploying caches closer to the customers, thus cutting
> down latency drastically. These caches play an even more significant role
> when the latency to the destination is very high, eg: Mobile carrier is
> located in the Asia, but the source content is located in US or vice versa.
> This also helps mobile carriers located outside of US, to cut down on their
> Internet traffic to the US, which directly translates to savings. The cache
> server uses information in the HTTP headers, payload and other attribute to
> make the effective caching decisions. As we move to encryption the cache
> server does not have this information, rendering them useless.

Do you have references on this trend?  It would be good if we can cite
a resource as we also heard at the MARNEW workshop that some content
carriers prefer end-to-end solutions.  In that case, caching wouldn't
work anyway.  If there are trends in both directions, it would be good
to cite resources.

>
> 3.       HTTP header enrichment – HTTP header enrichment has been a
> mechanism for the mobile carrier to provide “allowed” (Non-CPNI) subscriber
> information to third parties or other internal systems. The third parties
> can in turn provide customized service, or use it to bill the customer or
> allow/block selective content…. This header-enrichment method is also used
> within the Mobile Carrier to pass information internally between
> sub-systems, thus keeping the internal systems loosely-coupled. With
> encryption, the mobile carrier loses the capability to include any
> information in the content itself as it is encrypted, making it impossible
> for the mobile carrier to pass on the information in any HTTP headers.

A reference would be helpful, thanks!

>
> 4.       HTTP Redirection – As of today the Mobile Carrier would need to
> block or redirect a customer for multiple reasons

>
> a.       The customer may not be allowed to view the content due to parental
> controls.

OK, so you have the information to block, but no ability to redirect
in this case.

>
> b.      The customer  may not be allowed to view the content as they have
> not purchased the content.

Wouldn't this be a server-side decision anyway?  In that case, TLS
makes no difference.

>
> c.       The customer may not be allowed as they have reached their usage
> limit and need to buy additional data.
>
> Currently, the Mobile carrier redirects the customer using HTTP redirect to
> a page which educates the customer on the reason for the blockage and
> provide steps to proceed. Once the content is encrypted, the Mobile carrier
> loses the option to redirect the traffic and the only option being to block
> the customer, for all scenarios. This would not only cause bad customer
> experience, but would also need another way to pass on the additional
> information to the customer – text message. If for any reason, the customer
> is not able to find the information, he/she would have to call customer care
> to find out the reason. This is not only an inconvenience to the customer,
> but also an overhead to the service provider.
>
>

This is reasonable to add.  Do you have a reference we can cite on the
practices?

Thank you!
Kathleen
>
>                 Please feel free to get back to me if you have any
> questions.
>
>
>
> Thanks,
>
> Badri
>
> Reliance Jio
>
>
> "Confidentiality Warning: This message and any attachments are intended only
> for the use of the intended recipient(s), are confidential and may be
> privileged. If you are not the intended recipient, you are hereby notified
> that any review, re-transmission, conversion to hard copy, copying,
> circulation or other use of this message and any attachments is strictly
> prohibited. If you are not the intended recipient, please notify the sender
> immediately by return email and delete this message and any attachments from
> your system.
>
> Virus Warning: Although the company has taken reasonable precautions to
> ensure no viruses are present in this email. The company cannot accept
> responsibility for any loss or damage arising from the use of this email or
> attachment."



-- 

Best regards,
Kathleen

v2.8.7 | Report a Bug | By Email