IETF Logo Mail Archive

Re: [Spud] Possible WG-forming follow-on to SPUD BoF

Brian Trammell <ietf@trammell.ch> Wed, 01 June 2016 07:04 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B7B212D0F8 for <spud@ietfa.amsl.com>; Wed, 1 Jun 2016 00:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.328
X-Spam-Level:
X-Spam-Status: No, score=-3.328 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mPkRVu0fWNBJ for <spud@ietfa.amsl.com>; Wed, 1 Jun 2016 00:04:26 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id C4D94128E19 for <spud@ietf.org>; Wed, 1 Jun 2016 00:04:20 -0700 (PDT)
Received: from [IPv6:2001:470:26:9c2::7ea] (unknown [IPv6:2001:470:26:9c2::7ea]) by trammell.ch (Postfix) with ESMTPSA id 502BC1A0F1F; Wed, 1 Jun 2016 09:04:18 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_4BE909AB-D578-4C8A-AAFF-0915C124765D"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Brian Trammell <ietf@trammell.ch>
In-Reply-To: <CALx6S35ZRoNjD6JZ8g6g90RS50ZtUC-370sJMbA5sGKhH8y=LA@mail.gmail.com>
Date: Wed, 01 Jun 2016 09:04:16 +0200
Message-Id: <409F4136-9596-4195-88AD-569567979218@trammell.ch>
References: <2b0e574586dd955-00039.Richmail.00049889758880203458@139.com> <CALx6S352MynSJRHYo3J+SCh8TbMha_w4-66Jcv9OfK84rzVimw@mail.gmail.com> <EA4C43BE752A194597B002779DF69BAE240EA3F9@ESESSMB303.ericsson.se> <FC7CBE59-B21F-446A-ACBE-20BBCBBE34F5@trammell.ch> <CALx6S35ZRoNjD6JZ8g6g90RS50ZtUC-370sJMbA5sGKhH8y=LA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/bBFrVqI_Vb81uGGQFqzD57cr5g4>
Cc: Szilveszter Nadas <Szilveszter.Nadas@ericsson.com>, spud <spud@ietf.org>
Subject: Re: [Spud] Possible WG-forming follow-on to SPUD BoF
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2016 07:04:28 -0000

hi Tom,

snipping a bunch of the message; replies inline...

>> Unbreaking firewalls in the face of transport encryption is a necessary first step. What you do after that is a separate question.
>> 
> Brian,
> 
> Like Szilveszter mentions the choice to encrypt must be up to the
> application or TP. Applications should not have to ask for permission
> from the network to use encryption,

Of course not.

> nor can deployment of encryption
> be gated on middleboxes being updated with PLUS (it's unrealistic to
> think we are going to wait N years for PLUS deployment in middleboxes
> before starting to encrypt transport headers).

And of course not. I'm having a hard time seeing where anyone has proposed otherwise in this thread.

Since the protocol bounded by draft-trammell-spud-req relies on the superstrate to provide secrets for integrity protection, we presume encryption of the superstrate by default. Indeed, one could envision PLUS' selective exposure and transport state exposure mechanisms being implemented as extensions to DTLS, since it already provides most of the pieces we'd need.

The difficulty we see in PLUS is what happens when an application/transport chooses *not* to encrypt; when the superstrate doesn't provide exchange of secrets, you get no integrity protection for the PLUS information either. Indeed, in this case the *only* benefit PLUS provides is a common framing and data model for information exposed to middleboxes, which as you note is rather useless in the initial phases of deployment. And this might be an acceptable corner case anyway: a decision not to encrypt can at this point be taken as an explicit statement that the endpoint is unconcerned about its packets being thoroughly inspected and mangled by the network.

> As for "Unbreaking firewalls in the face of transport encryption is a
> necessary first step" can you elaborate exactly how firewalls are
> broken in this regard? I don't see a good description of this problem
> in RFC7663 and your UDP data as well as the fact that QUIC is
> currently being deployed don't seem to be illustrating a widespread
> reachability issue using UDP in the Internet.

Two issues: blocking and state maintenance.

On the former: QUIC falls back to TCP 6%-9% of the time; our RIPE Atlas numbers, which undercount enterprise access networks, point to 3.3% to 3.6% of measured networks blocking outbound UDP (on ports other than 53). These are acceptable numbers if you always have a fallback (which QUIC does built-in, since H2 runs acceptably over TCP, and where something like TAPS comes in for other applications). But it seems to me we can do better than that. Providing firewall vendors and administrators with an incentive to unblock would help here, and exposure of state information so that new transports over UDP can be managed like TCP is, I think, a good one.

On the latter: have a look at the spectrum of NAT timeouts between TCP and UDP in the paper Lars sent to maprg (in the "Is UDP a trash heap?" thread): population median (and mode) UDP timeout for tested devices on flows that look like QUIC was 3 minutes (figures 4,5), versus 60 minutes for TCP (figure 6). See also Jim's slide on NAT unbinding from tsvarea in Vancouver (https://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf): this test is, I believe, roughly equivalent to the one shown in figure 3 in Lars' paper, with equivalent results: median is about 1.5 min. Both datasets suggest a simple heuristic for keepalives: send a useless packet every thirty seconds if you care about keeping the connection up and don't have anything to say.

The reason these timeouts are longer for TCP is that TCP exposes state maintenance information to the path. If there is a common mechanism for UDP-based transport protocols for exposing equivalent information, with an equivalent level of trust as we can place in TCP flags (formally zero), then the timeouts can tend over time to be longer, reducing the need for unproductive keepalive traffic.

Cheers,

Brian

> Thanks,
> Tom
> 
>> Cheers,
>> 
>> Brian
>> 
>> _______________________________________________
>> Spud mailing list
>> Spud@ietf.org
>> https://www.ietf.org/mailman/listinfo/spud
>> 
> 
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud

v2.23.0 | Report a Bug | By Email