Re: [Spud] SPUD Scope?

Szilveszter Nadas <Szilveszter.Nadas@ericsson.com> Fri, 05 June 2015 10:37 UTC

From: Szilveszter Nadas <Szilveszter.Nadas@ericsson.com>
To: Christian Huitema <huitema@microsoft.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "spud@ietf.org" <spud@ietf.org>
Thread-Topic: [Spud] SPUD Scope?
Thread-Index: AdCe42kWUfK3mg2YQc2lRPihacOmIwAB/SYAAABSZ4AAIPnEsA==
Date: Fri, 5 Jun 2015 10:37:53 +0000
Message-ID: <EA4C43BE752A194597B002779DF69BAE23D48602@ESESSMB303.ericsson.se>
References: <EA4C43BE752A194597B002779DF69BAE23D47A3E@ESESSMB303.ericsson.se> <87h9qn1dkr.fsf@alice.fifthhorseman.net> <DM2PR0301MB0655E175AD817C6D896F7E7DA8B30@DM2PR0301MB0655.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB0655E175AD817C6D896F7E7DA8B30@DM2PR0301MB0655.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/CL-YGh-uSODno53mA71s7gOhqyI>
Subject: Re: [Spud] SPUD Scope?
Precedence: list

Hi,

My concern is whether the whole SPUD exercise is worth the effort without extensibility. Assume that we can agree in a minimal set for b). What if in a few years' time we realize that we need more? Have not we already ossified the middlebox layer? My vision is that SPUD shall allow both Transport Protocol evolution and Middlebox Cooperation evolution in the same flexible way. :) The goal in my mind if to not ossify transport and not ossify the cooperation functionality. 

Also is not b) + extensibility = c)? Or is there more in c), which is of concern?

About "metadata that our protocols leak", I completely agree that protocols should minimize this leaking. I think that explicit conversation is not leaking though and hopefully also discourages the middlebox owners to try to look into the protocol data itself.

Any device/firmware/Operating System/app still have and will have ways to leak whatever it wants, just by not allowing extensibility in SPUD we cannot stop it. At the same time extensible SPUD can be an engine for "good" cooperation. I believe we can potentially gain more than we lose. The only way to stop leaking is to have a "purging proxy", but even that proxy would have pretty hard time to remove all unwanted interactions. Also there are places where you simply cannot place a purging proxy e.g. between your access device and the ISP/mobile operator middlebox.

About "keeping the smarts at the edge" the IAB program at least includes a goal to "(2) Improving path transparency in the presence of firewalls and middleboxes: guidelines for the detection of and cooperation with these devices to evolve away from present limitations on which protocols can be used across network boundaries, in order to facilitate innovation in transport protocol development. ". In a sense it means for me to embrace middlebox functionality, but make it much more explicit. I think that these functions are important to keep our networks working, but I agree that it has to be much more explicit than in the past. But limiting it looks like a way to keep it in the grey.

I agree that security of the metadata layer will be often equally important than the security of user content. I am not quite sure whether it could/should be handled in SPUD or whether SPUD shall "only" allow secure metadata conversions as a substrate. 

About the UI/UX concern. This is definitely an issue and not an easy one to solve. Trust chains, delegation of trust, market apps controlling app rights are pieces of the puzzle to solve this. I think it is possible to find a solution for this with a good balance of ease of use and control. 

Sz.

-----Original Message-----
From: Christian Huitema [mailto:huitema@microsoft.com] 
Sent: Thursday, June 04, 2015 21:34
To: Daniel Kahn Gillmor; Szilveszter Nadas; spud@ietf.org
Subject: RE: [Spud] SPUD Scope?

On  Thursday, June 4, 2015 12:25 PM, Daniel Kahn Gillmor wrote:
> To: Szilveszter Nadas; spud@ietf.org
> Subject: Re: [Spud] SPUD Scope?
> 
> On Thu 2015-06-04 12:28:34 -0400, Szilveszter Nadas wrote:
> 
> > The rage looked like this to me on a high level:
> >
> > a) only start/stop, hide everything in DTLS
> >
> > b) Some declarative, safe to ignore, trust but verify markings are 
> > OK, but it shall be minimized.
> >
> > c) "common, middlebox friendly connection/packet signaling layer", 
> > extensibility, any communication and behavior is OK as long as it is 
> > explicit.
> 
> [...]
>
> This far-from-trivial authentication mechanism, combined with the 
> UI/UX concern about helping people to understand exactly who they are 
> leaking their metadata to, presents a really serious obstacle to 
> deploying something like this in a way that is safe for end users.

Absolutely. This might only work if the client, server, and middleboxes incentives are well aligned. That may be the case for some basic QOS-type parameters, which is very much what (b) should be about. 

> ...
>
> I don't think something like (c) is a good idea.  let's try to keep 
> the smarts (and the knowledge of both content and metadata) at the 
> edges of the network, and avoid blessing mechanisms that facilitate centralized surveillance.

And a variety of security issues. The unauthenticated data channel is subject to spoofing, which enables a variety of packet injection attacks. 

-- Christian Huitema

[Spud] SPUD Scope? Szilveszter Nadas
Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
Re: [Spud] SPUD Scope? Christian Huitema
Re: [Spud] SPUD Scope? Szilveszter Nadas
Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
Re: [Spud] SPUD Scope? Ken Calvert
Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
Re: [Spud] SPUD Scope? Mirja Kühlewind
Re: [Spud] SPUD Scope? FOSSATI, Thomas (Thomas)
Re: [Spud] SPUD Scope? Szilveszter Nadas
Re: [Spud] SPUD Scope? Daniel Kahn Gillmor
Re: [Spud] SPUD Scope? Tom Herbert