[secdir] a different thing (was: Fwd: DISPATCH and strategies for standards maintenance)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 22 January 2016 12:49 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 233771A1BDF for <secdir@ietfa.amsl.com>; Fri, 22 Jan 2016 04:49:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.302
X-Spam-Level:
X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_NUt6jQZdAM for <secdir@ietfa.amsl.com>; Fri, 22 Jan 2016 04:49:27 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EE221A1BD4 for <secdir@ietf.org>; Fri, 22 Jan 2016 04:49:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 904DCBEAA for <secdir@ietf.org>; Fri, 22 Jan 2016 12:49:25 +0000 (GMT)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4pA7719fObwW for <secdir@ietf.org>; Fri, 22 Jan 2016 12:49:25 +0000 (GMT)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id ECB7ABDCA for <secdir@ietf.org>; Fri, 22 Jan 2016 12:49:24 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1453466965; bh=iZNXszTDb6nxoE7NQKax8xRslxFDAZltabyt4vZdk2w=; h=Subject:References:To:From:Date:In-Reply-To:From; b=vnco60RhcYW1pCocO5CvykyPECsZdCRwPjJoYQ5AYBKvJPnFdfXQlmyfTdcEksJgV ztQa3HfaE4wLnTRdv5E4FR869srbWeeV8gdKohAGpMOC22x2+qNS9orUO1v0bXNhPa r4E7nzoZxnGMK83YtSLX3GeCwSifJL6m5kw6UXgU=
References: <56A1DB2D.40106@alvestrand.no>
To: "secdir@ietf.org" <secdir@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Forwarded-Message-Id: <56A1DB2D.40106@alvestrand.no>
Message-ID: <56A22554.9000004@cs.tcd.ie>
Date: Fri, 22 Jan 2016 12:49:24 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56A1DB2D.40106@alvestrand.no>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/_5vdu7V-UzcT-3FemXtsVaOxQTM>
Subject: [secdir] a different thing (was: Fwd: DISPATCH and strategies for standards maintenance)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 12:49:29 -0000
Hiya, Way down below, Harald says: " What the DISPATCH process fails to achieve is what a good directorate should have been doing: Taking a view of the whole area of the protocol suite, and noticing things like: " followed by a list of what Harald figures are bad things found in the RAI area. We don't tend to do anything like that in secdir, and I'm not sure how we could if we wanted to, or even if we should want to, but I suspect you'd be the folks involved if we ever did. So with no specific idea in mind, I wonder would (somehow) getting that kind of review be a good thing? And if so, any idea on how we might be able to do that? (Without us all using it to beat up on our least fav security technology:-) I'd be interested in what you think about that, on the list now and maybe for chatting at the secdir lunch for those of us who'll get to IETF95. Cheers, S. -------- Forwarded Message -------- Subject: DISPATCH and strategies for standards maintenance Date: Fri, 22 Jan 2016 08:33:01 +0100 From: Harald Alvestrand <harald@alvestrand.no> To: ietf@ietf.org Recently, in a response to a Last Call on <draft-campbell-art-rfc5727-update-02>, I wrote the following on the IETF list: Objection: I find the DISPATCH style of review to be a horribly broken idea. I also find the use of the term "working group", and the procedures of working groups, for what is effectively a permanent review panel and a standing BOF venue to be counterproductive and destructive of getting work done. This document proposes recommending this method as a generic tool that can be used in areas outside of the limited scope of SIP extensions - something I think is taking a bad idea and making it even more harmful. (RFC 5727 already said it would do that, but the RAI area has not followed up on this particular bad idea from RFC 5727, letting initiatives like WEBRTC flourish outside of the DISPATCH process, so the damage done by DISPATCH has been limited.) I therefore object to this document being published as a BCP. These words were rather harsh, and were commented on as such. It seems best for the community that I spend some words on describing why I came to this conclusion. When I came to deal with WebRTC and the assocated areas, I believed (not having examined the area too closely) that with the SIP suite, which uses SDP and RTP, we had achieved a reasonably functional and architecturally competent real time communications suite. I was wrong. It turned out that a number of fundamental problems existed, including: * A lack of clarity on the connection between SDP and RTP - the word âsessionâ was used at both layers, but represented different things. * A lack of consensus on how one negotiated session properties that applied in one direction only. * An SDP architectural misfeature that led to a completely bogus requirement that differing media types be carried on different UDP ports * A number of issues with use of addresses in signalling - including the formulation of rules like the âSDP patch-up offer/answerâ for making one set of addresses (in m-lines) match up with another set of addresses (in ICE) * A general acknowledgement that certain fairly absolute rules, like âalways use RTCPâ, were widely ignored in the industry and couldnât be depended on * A number of rules around SSRCs that were based on an operating environment that doesnât exist in practice (multicast groups) - in particular SSRC collisions - which have made these identifiers much less powerful than they might have been. * A number of long-standardized extension features (CAPNEG in particular) that are largely ignored by industry due to complexity, but are still used to block other efforts by saying âwhy canât you use X insteadâ. * A number of unfinished products (EKT in particular) that seemed to be a good fit for some problem - but somehow never seemed to cross the finish line. This list is far from exhaustive. We have been chipping away at the issues that mattered to the WebRTC effort, while attempting to make sure the issues we were not addressing did not affect the effort (by not using the features they referenced). I observed the DISPATCH process for much of the time of my engagement. The DISPATCH process is reasonably efficient â¦. at solving the wrong problem. The ideal DISPATCH task is a proposal to address a small problem (or paper over some deficency in the protocol for a certain set of cases). It allows the ADs to delay such a proposal for 3 months without any controversy (âuntil the next IETF meetingâ), and for 6 months if it turns out to need a WG (âfirst DISPATCH, then you write a charter, then you meetâ). (Sometimes such delay is a good thing; some bad ideas just need the time to die.) Once the proposal reaches a DISPATCH meeting agenda, it gets some review, it gets some comments, it gets some recommendation (maybe) - and then it can move on, if the proposers still have energy for the push, and if any of the experts in the area have bought into the idea enough to give it the guidance it needs to achieve non-conflict with all the other small patches people are working on. What the DISPATCH process fails to achieve is what a good directorate should have been doing: Taking a view of the whole area of the protocol suite, and noticing things like: * SIP is largely non-interoperable. Itâs useful to connect islands of a single product while claiming standards conformance, and itâs easier to wrangle into some semblance of interoperability than proprietary protocols - but itâs not âplug and playâ. * SDP is a world picture that is not capable of representing a significant subset of the interesting ways in which people want to interconnect. This means that solutions that use SDP have to work around SDP, not with it. * RTP is showing its age. Security is a bolt-on, and RTCP is more of an extension platform than it is an useful set of features in the base spec. Itâs clear that the industry needs a robust, interoperable, secure protocol suite for real time communication. Itâs also clear that the IETF is the logical venue for that to happen. But DISPATCH isnât the way to get there. -- Surveillance is pervasive. Go Dark.
- [secdir] a different thing (was: Fwd: DISPATCH an… Stephen Farrell