Re: [Spud] Extensibility considered harmful? was Re: [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 01 August 2016 01:01 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FD3D12B02A for <spud@ietfa.amsl.com>; Sun, 31 Jul 2016 18:01:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.588
X-Spam-Level:
X-Spam-Status: No, score=-5.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L8Wem3tgI2c0 for <spud@ietfa.amsl.com>; Sun, 31 Jul 2016 18:01:29 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F7AC128874 for <spud@ietf.org>; Sun, 31 Jul 2016 18:01:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 15DECBE3E; Mon, 1 Aug 2016 02:01:27 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jj48LbCw8CX4; Mon, 1 Aug 2016 02:01:24 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3C2EABE25; Mon, 1 Aug 2016 02:01:24 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1470013284; bh=fSmXt3u7i27dZZWXLiulQFvB/ghmzgVPYOeNjmx8aaQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=YPEcSiM/iQMZT6rzPt9zoz5GEzZjdl+O3IhU5AnyM3pbJrYSwY4gvsuppeyEoh7cM /thk0czi/XzrItv2lfxE+MD8CT8ZVC0TtNmQqnfNzwr8x4ejk9m4Bwam+vBuClNmz9 WuorhISJ8kVYeOoPY9FqM3qwrYO2r6s4rO0WJb3k=
To: Brian Trammell <ietf@trammell.ch>
References: <409B6F52-B637-4333-915B-A8127C80C98B@trammell.ch> <d27266cf-87f6-17b1-3038-e0f614c6c773@cs.tcd.ie> <84F6AEC6-7DE3-4D1F-9014-201279F70E56@tik.ee.ethz.ch> <5194f988-0e25-7f5a-75cf-6ed3646e012d@cs.tcd.ie> <402A30BB-1A20-4D54-95CA-7C50D8C0F26B@tik.ee.ethz.ch> <dc29fa73-88fd-3dc4-7497-f1bd2fa60422@cs.tcd.ie> <8722FE8E-1026-43D5-BE17-1D6B4031C0D8@tik.ee.ethz.ch> <1b261e1e-a543-53df-8a2a-7dddae415a14@cs.tcd.ie> <D2CEDF13-E508-4732-B8F6-98FBBDDC7EE6@tik.ee.ethz.ch> <f5c06c8a-5bef-86f6-5c62-302e7f6f75bf@cs.tcd.ie> <B58C7986-4B91-41FB-A6B6-F8E7BD25E799@tik.ee.ethz.ch> <6a61c305-c1f6-d14d-d0c4-d9809cfb5f78@cs.tcd.ie> <F7541B2E-86C2-49C6-B616-BDCC567CDAFC@lurchi.franken.de> <92b31df8-f557-a935-a3d8-1f7bf7ee8689@cs.tcd.ie> <E9B17055-DB61-41C6-9D9F-7510E9EC1ADE@lurchi.franken.de> <45d1e4f8-43fd-181f-b902-73f129e8518b@cs.tcd.ie> <B018BDCD-64EF-4F86-9B0B-FA73EA63A5C9@trammell.ch>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <b4a87191-0bb9-7c3a-9717-68ae6ef33406@cs.tcd.ie>
Date: Mon, 1 Aug 2016 02:01:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <B018BDCD-64EF-4F86-9B0B-FA73EA63A5C9@trammell.ch>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="QWoWKCBe0SFaWd78bGSP1VVgKpucn4utE"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/RuiC1ZcnlRm2xeMPc_FhfxJqvko>
Cc: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>, =?UTF-8?Q?Mirja_K=c3=bchlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>, spud <spud@ietf.org>
Subject: Re: [Spud] Extensibility considered harmful? was Re: [Privsec-program] Detecting and Defeating TCP/IP Hypercookie Attacks
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 01:01:32 -0000

Hiya,

On 01/08/16 00:33, Brian Trammell wrote:
> hi Stephen,
> 
> A couple of points inline:
> 
>> On 31 Jul 2016, at 22:13, Stephen Farrell
>> <stephen.farrell@cs.tcd.ie>; wrote:
>> 
>> 
>> 
>> On 31/07/16 20:06, Michael Tuexen wrote:
>>> So do you think that there is no need for middleboxes to support
>>> transport protocols?
>> 
>> I have no strong opinions on that.
>> 
>> I would be surprised if middleboxes wanted to support PLUS if they
>> think that QUIC is what will be widely deployed. But then I am
>> often surprised;-)
> 
> QUIC is a single transport protocol, designed for a fairly specific
> kind of interaction (H2, and things that look a lot like it;
> "fully-reliable discrete object transfer" might be a suitable name
> for this class of application).
> 
> Despite the fact that "web" and "internet" (in the lower-case,
> AP-style-guide sense) are often used interchangeably, other
> applications exist. Interactive video is one of the biggest of these
> by volume on the Internet. While it can be and has been wedged into
> HTTP (largely due to the ossification PLUS is intended to combat), it
> is a bad fit. Even the design of non-interactive video over HTTP
> implies a good deal of inefficiency, in part due to that
> "fully-reliable".

There are of course many suboptimal ways in which people can
get stuff they need to work... to work. My experience is that
people are more interested in "working" and not in "optimal."
The point here is that the web model is sufficiently close to
many many things applications need to be just usable enough. So
while I'd love to see evidence that application developers
care deeply about transport efficiency/purity, I suspect we
might all here agree that such evidence would be surprising.

> 
> If we would like the benefits of transport header integrity to accrue
> to these applications as well (and I hope I've made the case that we
> do), 

IMO that case has not been made to the point where I would
consider it justifies privacy downsides. IOW, while I am of
course in favour of endpoints being able to signal to one
another without middlebox interference, I am not at all on
side with transport header integrity being counted as a major
win in the analysis of PLUS, if that "win" inherently requires
a significant privacy cost. (And I am clearly happy to endlessly
repeat myself that in this particular case:

	extensibility == privacy unfriendly

> there are a few things we can do:
> 
> 
> (1) Design a common wire image for new transports (most of which in
> the intermediate term will probably have to slot over UDP, as QUIC
> does). This is the PLUS approach.
> 
> (2) Realize we'll probably only get one more chance to deploy a new
> transport in the next two decades, and make QUIC work well for other
> points in the application design space. This would come at a cost of
> complexity in the design and implementation of QUIC.
> 
> (3) Don't expand QUIC's design, but wedge these new applications over
> QUIC even though it's a terrible fit. This at least has the benefit
> of complying with tradition. :)
> 
> (4) Have other new transports' wire images look like a transport that
> is already widely deployed. If QUIC becomes successful, I would
> expect to see at least experiments to get other non-QUIC protocols to
> look like QUIC on the wire, a la TCP Minion.
> 

I don't myself back that set of options as the identifiable set of
possibly credible options. Minimally, option (0) is omitted, which is
to do nothing at all and to let the SPUD/PLUS idea languish as OBE.

And options (1)-(4) as presented all seem to assume knowledge of
the future - I think at least some options that ack that the
future is uncertain would need to be considered too.

> 
> Note that when discussing QUIC, it is of course important to
> distinguish the Google QUIC experiment from the protocol that the
> QUIC WG (which I presume will be formed) will standardize. So (3) and
> (4) might actually be talking about two subtly different QUICs when
> considering the transition to the standard. SPDY/H2 has at least
> shown that we know how to make this transition work relatively
> quickly (or is that speedily? ;) )

Sure. I'd hope/expect a similar dynamic to emerge within the IETF
participants working on PLUS. As you say, the h2 experience should
be one to learn and benefit from.

>> Hence my wondering about PLUS being OBE, despite SCTP etc 
>> substantially pre-dating QUIC. I do think significant port 443
> 
> Nope: HTTPS over tcp/443 does nothing at all for making it possible
> to deploy applications that don't wedge nicely atop HTTP, nothing at
> all for running those over anything but TCP, and nothing for
> transport header integrity.

I really don't agree about "nothing at all." People are very very
inventive in how they can squeeze their new applications into
whatever the hell works to get the bits from A to B. (And are also
quite willing to redefine the things about which they care to be
those that allow them to deploy applications that get stuff from A
to B with currently deployed infrastructure.)

> 
>> and QUIC deployment may change the landscape in ways that the 
>> definition and implementation of SCTP did not.
> 
> QUIC deployment did indeed change the landscape: it added 2 and 3 to
> the list above. Both are extremely suboptimal.
> 
>>> That would be an important point also when looking into the
>>> requirements of QUIC.
>> 
>> As I've said a number of times, I think the extensibility as
>> proposed at the PLUS BoF is the major privacy problem.
> 
> Speaking for myself: I've heard you.

Great. I look forward to seeing how we all figure out those trade offs.

> I continue to disagree
> (vehemently) that zero bits of extensibility is the right amount of
> extensibility, simply based on what I know about the history of bad
> engineering. However, I will say that my thinking, at least, has gone
> from unlimited permissionless definition of signals (the SPUD
> prototype, which was expressly experimental) to highly restricted
> definition of signals (PLUS as described in the charter) to
> restricted definition of signals with severely limited header /
> codepoint space, to address privacy as well as overhead concerns.
> This implies a tradeoff in the ability to fix things we got wrong
> later, of course.

Yes. Trade-offs are like that. Noting that in this case, I don't
think anyhting bigger than a miniscule space of codepoints can be
part of a privacy friendly solution - once there are enough codepoints
that the two endpoints in a randomly selected transport connection can
unambiguously agree to (ab)use a codepoint as their chosen signal, then
the game is over. ISTM, that means even a very very few bits can be
very privacy unfriendly.

> 
>> I've also said that I'm so far neutral on a non-extensible way of
>> exposing some transport information to the path (if one exists and
>> is useful, which I also don't claim to know).
> 
> There appears to us to exist a useful set of signals that are
> transport-agnostic, the minimal set of which we hope to have a full
> description of (with bits, yay!!) shortly, as in my message to
> Eliot.

Consider my breath bated:-)

> 
>> I would however be opposed if "transport information" is so broadly
>> interpreted as to include identifiers or generic attributes of the
>> endpoints that are not otherwise exposed.
> 
> As would I. 

I'm totally unshocked at that:-) Seriously though, I do fully
accept the bone-fides of all of the main disputants here.

> I am frankly a little baffled as to who you think is
> proposing this interpretation.

If we provide enough bits to allow such mappings, then those will be
abused. MSISDN enrichment as a popular mechanism tells me that if we
provide a way to do even the silliest stuff, then some folks will do
just that. (Because it's not silly from their POV.)

> 
>> And that's before we consider the coercion attack raised at the BoF
>> and (so far) briefly mentioned in Brian's draft.
> 
> As noted, I'm convinced the threat posed by coercion attack is very
> real, today. 

That's a newish one for me so I need to learn more about it. (Not having
been a student of net neutrality:-)

> I still don't buy the assertion that PLUS expands this
> surface.

I think you and I earlier disagreed as to whether or not standardising
X-that-was-already-possible does or does not expand the attack surface
for threats-due-to-X. I do think a standard has at least that effect.

Cheers,
S.

> 
> Regards,
> 
> Brian
>