IETF Logo Mail Archive

Re: [Spud] What middleboxes are allowed to know (Re: [Stackevo-discuss] Fwd: Possible WG-forming follow-on to SPUD BoF)

Brian Trammell <ietf@trammell.ch> Mon, 23 May 2016 14:17 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BB0512D92A for <spud@ietfa.amsl.com>; Mon, 23 May 2016 07:17:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.328
X-Spam-Level:
X-Spam-Status: No, score=-3.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJE0aopY0ems for <spud@ietfa.amsl.com>; Mon, 23 May 2016 07:17:44 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id 221BF12D929 for <spud@ietf.org>; Mon, 23 May 2016 07:17:44 -0700 (PDT)
Received: from [IPv6:2001:67c:64:49:b0cc:febd:b2ea:c9b0] (unknown [IPv6:2001:67c:64:49:b0cc:febd:b2ea:c9b0]) by trammell.ch (Postfix) with ESMTPSA id 6067D1A01F8; Mon, 23 May 2016 16:17:43 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_8C1BC4A4-267E-4823-B45D-3DA2BFECE4BB"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Brian Trammell <ietf@trammell.ch>
In-Reply-To: <20160523134348.GB15064@cisco.com>
Date: Mon, 23 May 2016 16:17:44 +0200
Message-Id: <AE4A0343-030D-4ACE-BBA7-2894E4DF795F@trammell.ch>
References: <20160523134348.GB15064@cisco.com>
To: Toerless Eckert <eckert@cisco.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/TlnJuzZyd7OeuHVpTN2jGzWO4_Q>
Cc: mirja.kuehlewind@tik.ee.ethz.ch, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] What middleboxes are allowed to know (Re: [Stackevo-discuss] Fwd: Possible WG-forming follow-on to SPUD BoF)
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 May 2016 14:17:46 -0000

hi Toerless,

> On 23 May 2016, at 15:43, Toerless Eckert <eckert@cisco.com> wrote:
> 
> 
> Mirja: Your answer below "i don't want the middleboxes to require anything here"
> is letting me totally confused. If PLUS wants to define how talk with the
> middlebox (or however you want to call it "pass info to it, get info from it"),
> then it is clear that the resut of this interaction is that you will not
> achieve desirable outcomes if you do not send specific info to the middlebox
> 
> Please give me an example how you think PLUS will help firewall middleboxes
> to decide whether or not to less some traffic flow pass. Lets assume that
> same firewall today is using TCP port number policies and/or DPI. What
> in your opinion should the firewall do.

I don't think this is what we're trying to do with PLUS: declarative information about network traffic *properties* doesn't match well to policies described in terms of particular fields in headers. Certainly, port number based firewall rules would still work for applications over PLUS if PLUS itself doesn't use UDP port numbers to identify itself (which, IMO, it shouldn't -- I'm a big fan of magic numbers for this).

One could certainly ask for an "application ID" as an application to path key for firewall use, but among indistinguishable applications, this is simply an invitation to lie, so I'm not optimistic about its usefulness.

Cheers,

Brian

> 
> 
>>> What i really want to see is this:
>>> 
>>> - Allow the application to learn from the network devices what information
>>> it must present in the clear to have its traffic be passed through
>>> and/or receive additional treatment by the network.
>>> 
>>> Aka: "Security guard: Sure, you can go through this door if you show me your <credential> else not"
>>> 
>>> Then the app can decide if it wants to show <credential>. Otherwise the
>>> apps have to operate like corporate drones, carrying around their corp-ID
>>> in the open all the time hoping that thats the right credential.
>>> 
>>> Or to rephrase: if we do not even attempt to overcome TCP port numbers as
>>> credentials then we're lame and will not be successful.
>> 
>> Okay??? I first of all have to simply say no here. I don???t want the middleboxes to require anything here, because why would a middlebox not just say ???either you show me all you content in plain or I don???t transport you data???. I believe that???s something we all don???t want and building a mechanism that could lead to this, it the last thing I want. I know what you intention is here, but we have to be more than careful here and the way you???ve just phrased it, I can just disagree. However, I would propose to have this discussion in a separate thread.
> 
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud

v2.23.0 | Report a Bug | By Email