Re: [Spud] SPUD Scope?
"FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com> Mon, 08 June 2015 11:27 UTC
From: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
To: Ken Calvert <calvert@netlab.uky.edu>, Daniel Kahn Gillmor
<dkg@fifthhorseman.net>
Date: Mon, 8 Jun 2015 11:26:50 +0000
Message-ID: <D19B3889.2C97B%thomas.fossati@alcatel-lucent.com>
References: <EA4C43BE752A194597B002779DF69BAE23D47A3E@ESESSMB303.ericsson.se>
<87h9qn1dkr.fsf@alice.fifthhorseman.net>
<DM2PR0301MB0655E175AD817C6D896F7E7DA8B30@DM2PR0301MB0655.namprd03.prod.outlook.com>
<EA4C43BE752A194597B002779DF69BAE23D48602@ESESSMB303.ericsson.se>
<87oaktvjhi.fsf@alice.fifthhorseman.net>
<1FA5B1A9-6011-4F39-8503-ACAAB5B649A8@netlab.uky.edu>
In-Reply-To: <1FA5B1A9-6011-4F39-8503-ACAAB5B649A8@netlab.uky.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/TSHGleeBfqzZ4zUoCjw2mFcImxA>
Cc: "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] SPUD Scope?
On 06/06/2015 18:44, "Ken Calvert" <calvert@netlab.uky.edu> wrote:

>> You know why we can't innovate in transport protocol development, right?
>> Because too many middleboxes like to block traffic that they find
>> surprising. If they were to stop blocking much of that traffic, we
>> could run things like SCTP or TCPCrypt reliably on the open Internet
>> instead of everyone pretending to be TLS-on-port-443, without the need
>> of anything like SPUD.
>
> Some middleboxes are paranoid for good (or at least understandable)
> reason: they are there to implement trust domain boundaries. Because
> those boundaries don't exist in the original architecture, firewalls work
> by overloading mechanisms that are poorly suited for the job.
>
> A well-designed mechanism that enables a packet to certify
> policy-compliance in-band, without DPI, would at least help with
> firewalls. It seems to be a necessary condition for reducing the need to
> force everything through the TLS-over-443 tube, while still allowing
> end-to-end encryption.
>
> Yes, the path is fraught with challenges; I don't disagree with most of
> your points. On the other hand, call me an optimist, but I believe such
> a mechanism could not only help break the "ossification" logjam, but
> perhaps eventually shift the balance of power back toward the end users
> by giving them more choices w.r.t. network services.

I totally agree with you, as long as the underlying principles are:

- explicit vs implicit service;
- ability of endpoints to choose based on clear information about the
  service value vs leaked meta-data;
- preservation of e2e security properties.

I think the biggest (though not insurmountable) challenges are:

- UX (as already noted by Daniel);
- scale mechanism to n middle boxes.

We probably need a good deal of research to solve scale and UX, and I
hope stackevo has enough breath to account for this.

Cheers, t