IETF Logo Mail Archive

Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC

Tom Herbert <tom@herbertland.com> Thu, 11 February 2021 23:19 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D4B3A0E06 for <saag@ietfa.amsl.com>; Thu, 11 Feb 2021 15:19:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdFhKlRLBQH2 for <saag@ietfa.amsl.com>; Thu, 11 Feb 2021 15:19:42 -0800 (PST)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 472BA3A0E08 for <saag@ietf.org>; Thu, 11 Feb 2021 15:19:42 -0800 (PST)
Received: by mail-ed1-x52b.google.com with SMTP id s11so8788754edd.5 for <saag@ietf.org>; Thu, 11 Feb 2021 15:19:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kj+JDKq7Y3EI54fOd3TqP+uF9d9KW6IL6hYvNFJ9vno=; b=W47DwsUv8Pqwc+VDJNQ/RFJO6bTvZTpByvuF5GVBthSQ3dUy/qs37EO7rddHGsYnz8 cZM4lN40S4BsMvNxPyU+12DnmMq4Fkf4OrvIT78bttkdOliRrb95DLXCHXw0y7LqgpY/ vnTXmi3NT5bIPmelsq4ew7QOxAHX/x+2ijx5gHQXU114exvW8fHOaomw5Cn0pJaB7GkY lYgJuzS172LzK94J4CN1AX2okLkV4teIPHWxV9XvjY6fMCGa6jLj9/WZ/if8WyPgQeMt 9bpFQx6z3twK5YgBLZgGanr7IbO6+8qnSeMvVmXeYPMnrBxKvxc2PzNotWdeFj6PZ6gx UlpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kj+JDKq7Y3EI54fOd3TqP+uF9d9KW6IL6hYvNFJ9vno=; b=U8HiUG9cRXvdNzNdJIPE7l6rhtO4vJeHwhtcttd8AC1QCuzbSpxZwkOfPaBK50yB0z c0beMItqnV87v4JgyS7xWgcR5KcNwijVOvswPWvlwY0wHvxhK2s58QbvzYnhGkSsj5I9 2ntHI7cXWjOyPpSgG05/LguQadHuGfsMi3cLqDqCouCdxguH6oaBNfA5jXu2P9RaPYaF ZkV/I3VNyX4f9ZKZs5plHlPBly13sOjx77EF6NCo/o7ZcFuWWjKLr7mT7hF9cAIXn8cF rwA+HXPk31uTKAfUv+Nt4o7R46/frAZPYyzgzcXu+t5IBDBQIrguBXkLT3yrqwdm+24i 5sFA==
X-Gm-Message-State: AOAM530+OoBTgYLwQ9yDRwwOiEpxF+GItyQI17j/7ctXyYC8dq634TTi PB5PWusdmZ28PKpm22t0tvAmHngma3R4bEq8kAjQF0avi0xEtA==
X-Google-Smtp-Source: ABdhPJz2TpYZRaAs5eOAKWp4kC3Z23hQ3OxT83Yu8zSpVYCkcimy5J82vsrT2FprC/AJ4Vl/b5htqN5j3znuitMLBU8=
X-Received: by 2002:a05:6402:3070:: with SMTP id bs16mr525881edb.22.1613085580762; Thu, 11 Feb 2021 15:19:40 -0800 (PST)
MIME-Version: 1.0
References: <161257199785.16601.5458969087152796022@ietfa.amsl.com> <20210210062551.GI21@kduck.mit.edu> <f1a1aaef-5400-89ca-fe26-786686800036@gont.com.ar> <MN2PR19MB4045B25A78B3C0841CC8EAFE838D9@MN2PR19MB4045.namprd19.prod.outlook.com> <2fb9d724-7f8a-93cd-9045-eb3852345a9e@erg.abdn.ac.uk> <1416490d-6532-59ce-e09f-388db716af8f@si6networks.com> <CALx6S35_Rb_vUyDddaiJtt2iT2Gvev=bLs7Rip8TQ8yZppMLDQ@mail.gmail.com> <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com> <CALx6S35U_Re0T5f9m4AbNyvv7Gk6s9UoN1wdo7_j_phSMm+2gg@mail.gmail.com> <1dcb48f6-f621-11f8-9e9a-067b65c44818@si6networks.com> <CALx6S351GUy=FJAZ1h6YYfmvJv2yGVVDma26r=Fu56bgzwhFpQ@mail.gmail.com> <16740.1613082711@localhost>
In-Reply-To: <16740.1613082711@localhost>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 11 Feb 2021 16:19:29 -0700
Message-ID: <CALx6S376UeJrikyyAbdTFAYzzEMackbaxiXri897xugJJf5mMA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "tsvwg@ietf.org" <tsvwg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zbU3n-ktu3PfPSKkAEplq9dA8So>
Subject: Re: [saag] [tsvwg] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 23:19:44 -0000

On Thu, Feb 11, 2021 at 3:32 PM Michael Richardson
<mcr+ietf@sandelman.ca> wrote:
>
>
> Tom Herbert <tom@herbertland.com> wrote:
>     > Perhaps, but in order to change the protocol to satisfy the
>     > requirements of folks running networks, we'd need to know *what* the
>     > requirements are. For instance, if someone were to say that networks
>     > require more information than what is in the IP header to successfully
>     > deliver packets, then I will immediately ask that they specify
>     > *exactly* what information they need. Until/unless that is answered we
>     > are left guessing as to what may or may not be acceptable in various
>     > networks and the tussle continues.
>
> 15+ years, when "transport-friendly ESP" was litigated (and to my surprise
> got a protocol number), the 3G people went on and on about how much better
> they could do if we (the IPsec people) would show them TCP information.
> I asked, repeatedly, for details of this supposed improvement.
> I got nothing in justification.  My request was simple: if you want me to
> increase my risk, then show me what the benefit is.
> (_Show me the money_)
> I now know that really, they were dealing with ad-hoc solutions to
> bufferbloat, but they didn't know that then.
>
> BTW: nobody uses TF-ESP. It's totally and completely dead. There was never
> any benefit worth the risk.
>
> Fernando says they need src/dst port, but I disagree.
> They want every bit they can get, including the encrypted insides of TLS, but
> they have no idea really, what legal things they actually want to do with it.
>
That's why I chose my words carefully and asked that "they specify
*exactly* what information they need". What MUST a host stack or
application expose to the network concerning it's traffic? (i.e. we
need the draft describing this in normative language).

It's also hard not to notice how similar these discussions are with
those that occurred when TLS was being brought up. Some network
providers argued vehemently that if they aren't able to inspect HTTP
payload they can't provide the services and security their customers
need. They lost those arguments, as I suspect similar arguments that
transport layer shouldn't be encrypted will also fail.

Tom


> Showing your layer-4 header is unlawful search in my opinion.
> The pen-registry only needs to have the destination number to connect the call.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>

v2.23.0 | Report a Bug | By Email