Re: [Spud] Possible WG-forming follow-on to SPUD BoF
Tom Herbert <tom@herbertland.com> Thu, 02 June 2016 16:29 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73E3D12D105 for <spud@ietfa.amsl.com>; Thu, 2 Jun 2016 09:29:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efXsGtBP_gJx for <spud@ietfa.amsl.com>; Thu, 2 Jun 2016 09:29:40 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B2CD12B05A for <spud@ietf.org>; Thu, 2 Jun 2016 09:29:38 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id e62so130580366ita.1 for <spud@ietf.org>; Thu, 02 Jun 2016 09:29:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-transfer-encoding; bh=ciZEzIXgg78nIRoMP5Jon8fFwlvcozIwbkXk/h14dL8=; b=WgtgwIwkiokP/PXAyGoh6Bw3HRHdrK9UxrG2mpQqTq++tyX+qVPUzYYa8fwglztvSz G3ETjiyP8ILizBaVaqanZxQR0+bQE3fbCmt3Gq3hqt8mw5abYT/1TBr5Bqr3OXh9V08C jlGibjQmCR4RqvOc9VxuMtXMTKhzfnSz+ouoWDwm4AaISR7hV6acui2SDBdWxPnjzfyr DKvgIe3dFEN5cc7wxTl80pYI93YEHUOj64Ti4HosCuEqyJJzVhOqV+biD33RDX4vx/Ut Mx/EkLfU6RW6GEPosTGskH669FeRrKaCNoNOpT7f1gQqf1Gv2UWJ/v+F8chCPePg5FQT 4ctg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=ciZEzIXgg78nIRoMP5Jon8fFwlvcozIwbkXk/h14dL8=; b=QmGe5aSuKG7FOutNrZ4D1+ResetiHXVfpos8Fg8xMEG28N4wl6rT3KyRndnLyFjQiQ fWvfzLS02LiCq7gdfcp889pz5eV5fc58QEUm2ZK4aEl2ePbx3h17Q6AJuMH938OC+kE2 OjY1WJP/hkn2H0VYkJbkKUuiQGI/GFVPpkQz7oJWqikTXSth5PIvWcAkbvK7+JJGVIPo NfpiGCWEOASjfr9zjDRcvzf+OF06pCrkFFjwnoAAStvkirzvmlrZR2HA0G2B/qvseYYs no1UKTV8Xr1LFiNyJ8t3eq82/dNO1rI5QKgEQSyLRbVtiqPcUGdGJ2C9mb5QhvaXeC/i aVbg==
X-Gm-Message-State: ALyK8tIU31/4+GLN2rC6JJRuHnJ2B5ESFcYzuJVu5ynW02+5TSp1+nabt+K0nymR+P6KY9/mbwK2zpQ5793Rlg==
MIME-Version: 1.0
X-Received: by 10.36.80.4 with SMTP id m4mr4788070itb.37.1464884977506; Thu, 02 Jun 2016 09:29:37 -0700 (PDT)
Received: by 10.107.44.203 with HTTP; Thu, 2 Jun 2016 09:29:37 -0700 (PDT)
In-Reply-To: <409F4136-9596-4195-88AD-569567979218@trammell.ch>
References: <2b0e574586dd955-00039.Richmail.00049889758880203458@139.com> <CALx6S352MynSJRHYo3J+SCh8TbMha_w4-66Jcv9OfK84rzVimw@mail.gmail.com> <EA4C43BE752A194597B002779DF69BAE240EA3F9@ESESSMB303.ericsson.se> <FC7CBE59-B21F-446A-ACBE-20BBCBBE34F5@trammell.ch> <CALx6S35ZRoNjD6JZ8g6g90RS50ZtUC-370sJMbA5sGKhH8y=LA@mail.gmail.com> <409F4136-9596-4195-88AD-569567979218@trammell.ch>
Date: Thu, 02 Jun 2016 09:29:37 -0700
Message-ID: <CALx6S36+1yK5n9S8fAF+mZdmvKk+dDyxmR0KJ3zYh3vihhozDQ@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
To: Brian Trammell <ietf@trammell.ch>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/TXwBuJQGY_3zfxqxoxN1fmsAMJQ>
Cc: Szilveszter Nadas <Szilveszter.Nadas@ericsson.com>, spud <spud@ietf.org>
Subject: Re: [Spud] Possible WG-forming follow-on to SPUD BoF
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 16:29:42 -0000
On Wed, Jun 1, 2016 at 12:04 AM, Brian Trammell <ietf@trammell.ch> wrote: > hi Tom, > > snipping a bunch of the message; replies inline... > >>> Unbreaking firewalls in the face of transport encryption is a necessary first step. What you do after that is a separate question. >>> >> Brian, >> >> Like Szilveszter mentions the choice to encrypt must be up to the >> application or TP. Applications should not have to ask for permission >> from the network to use encryption, > > Of course not. > >> nor can deployment of encryption >> be gated on middleboxes being updated with PLUS (it's unrealistic to >> think we are going to wait N years for PLUS deployment in middleboxes >> before starting to encrypt transport headers). > > And of course not. I'm having a hard time seeing where anyone has proposed otherwise in this thread. > Brian, >From the proposed charter: "In order to support more ubiquitous deployment of encryption, and the encryption of transport headers to allow deployment of new transport protocols, explicit in-band signaling must be added to the stack." It's the word "must" here that is problematic, that implies a requirement for deployment of encryption and new transport protocols. I think there are two mostly orthogonal goals being expressed in the proposal: 1) Encryption of transport layers 2) An extensible signaling mechanism between hosts and networks. There seems to be general agreement that encrypting the transport layer is a solution to protocol ossification and provides better security for users. But implementing this is non-trivial and will require new specifications. We can't just encapsulate TCP, SCTP, etc. packets within UDP and expect it to work-- the presence of NAT makes this a hard problem. For instance, I already posted draft-herbert-transports-over-udp which generally attempts to describe host to encapsulate existing protocols within UDP (encapsulation of TCP is detailed). So my question per the proposed WG is: are development and specifications to encapsulate and encrypt specific existing transport protocols within UDP is within the scope? For instance would a first milestone be an RFC that describes how to encapsulate TCP within UDP (or within DTLS)? Thanks, Tom > Since the protocol bounded by draft-trammell-spud-req relies on the superstrate to provide secrets for integrity protection, we presume encryption of the superstrate by default. Indeed, one could envision PLUS' selective exposure and transport state exposure mechanisms being implemented as extensions to DTLS, since it already provides most of the pieces we'd need. > > The difficulty we see in PLUS is what happens when an application/transport chooses *not* to encrypt; when the superstrate doesn't provide exchange of secrets, you get no integrity protection for the PLUS information either. Indeed, in this case the *only* benefit PLUS provides is a common framing and data model for information exposed to middleboxes, which as you note is rather useless in the initial phases of deployment. And this might be an acceptable corner case anyway: a decision not to encrypt can at this point be taken as an explicit statement that the endpoint is unconcerned about its packets being thoroughly inspected and mangled by the network. > >> As for "Unbreaking firewalls in the face of transport encryption is a >> necessary first step" can you elaborate exactly how firewalls are >> broken in this regard? I don't see a good description of this problem >> in RFC7663 and your UDP data as well as the fact that QUIC is >> currently being deployed don't seem to be illustrating a widespread >> reachability issue using UDP in the Internet. > > Two issues: blocking and state maintenance. > > On the former: QUIC falls back to TCP 6%-9% of the time; our RIPE Atlas numbers, which undercount enterprise access networks, point to 3.3% to 3.6% of measured networks blocking outbound UDP (on ports other than 53). These are acceptable numbers if you always have a fallback (which QUIC does built-in, since H2 runs acceptably over TCP, and where something like TAPS comes in for other applications). But it seems to me we can do better than that. Providing firewall vendors and administrators with an incentive to unblock would help here, and exposure of state information so that new transports over UDP can be managed like TCP is, I think, a good one. > > On the latter: have a look at the spectrum of NAT timeouts between TCP and UDP in the paper Lars sent to maprg (in the "Is UDP a trash heap?" thread): population median (and mode) UDP timeout for tested devices on flows that look like QUIC was 3 minutes (figures 4,5), versus 60 minutes for TCP (figure 6). See also Jim's slide on NAT unbinding from tsvarea in Vancouver (https://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf): this test is, I believe, roughly equivalent to the one shown in figure 3 in Lars' paper, with equivalent results: median is about 1.5 min. Both datasets suggest a simple heuristic for keepalives: send a useless packet every thirty seconds if you care about keeping the connection up and don't have anything to say. > > The reason these timeouts are longer for TCP is that TCP exposes state maintenance information to the path. If there is a common mechanism for UDP-based transport protocols for exposing equivalent information, with an equivalent level of trust as we can place in TCP flags (formally zero), then the timeouts can tend over time to be longer, reducing the need for unproductive keepalive traffic. > > Cheers, > > Brian > >> Thanks, >> Tom >> >>> Cheers, >>> >>> Brian >>> >>> _______________________________________________ >>> Spud mailing list >>> Spud@ietf.org >>> https://www.ietf.org/mailman/listinfo/spud >>> >> >> _______________________________________________ >> Spud mailing list >> Spud@ietf.org >> https://www.ietf.org/mailman/listinfo/spud >
- [Spud] Possible WG-forming follow-on to SPUD BoF Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Scharf, Michael (Nokia - DE)
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Toerless Eckert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Scharf, Michael (Nokia - DE)
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Dave Dolson
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Dave Dolson
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Toerless Eckert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Dave Dolson
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Ian Swett
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Mirja Kühlewind
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Ian Swett
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Dave Dolson
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Toerless Eckert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Dave Dolson
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Phillip Hallam-Baker
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Michael Welzl
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Toerless Eckert
- Re: [Spud] Fwd: Possible WG-forming follow-on to … Mark Nottingham
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Michael Welzl
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Mirja Kühlewind
- Re: [Spud] Fwd: Possible WG-forming follow-on to … Mirja Kühlewind
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] Fwd: Possible WG-forming follow-on to … Brian Trammell
- Re: [Spud] Fwd: Possible WG-forming follow-on to … Toerless Eckert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Mirja Kühlewind
- Re: [Spud] Fwd: Possible WG-forming follow-on to … Mirja Kühlewind
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Joe Touch
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Joe Touch
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] Fwd: Possible WG-forming follow-on to … Toerless Eckert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Joe Touch
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Joe Touch
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] Possible WG-forming follow-on to SPUD … Mark Nottingham
- Re: [Spud] Possible WG-forming follow-on to SPUD … Brian Trammell
- Re: [Spud] Possible WG-forming follow-on to SPUD … Mark Nottingham
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Brian Trammell
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Mirja Kühlewind
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Mirja Kühlewind
- Re: [Spud] Possible WG-forming follow-on to SPUD … Fan, Peng
- Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-fo… Tom Herbert
- Re: [Spud] Possible WG-forming follow-on to SPUD … Tom Herbert
- Re: [Spud] Possible WG-forming follow-on to SPUD … Brian Trammell
- Re: [Spud] Possible WG-forming follow-on to SPUD … Szilveszter Nadas
- Re: [Spud] Possible WG-forming follow-on to SPUD … Brian Trammell
- Re: [Spud] Possible WG-forming follow-on to SPUD … Tom Herbert
- Re: [Spud] Possible WG-forming follow-on to SPUD … Brian Trammell
- Re: [Spud] Possible WG-forming follow-on to SPUD … Szilveszter Nadas
- Re: [Spud] Possible WG-forming follow-on to SPUD … Tom Herbert