IETF Logo Mail Archive

Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-forming follow-on to SPUD BoF

Tom Herbert <tom@herbertland.com> Fri, 20 May 2016 16:04 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96A8012DA57 for <spud@ietfa.amsl.com>; Fri, 20 May 2016 09:04:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vq1JOCbjpBFh for <spud@ietfa.amsl.com>; Fri, 20 May 2016 09:04:47 -0700 (PDT)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C58112DD48 for <spud@ietf.org>; Fri, 20 May 2016 09:03:50 -0700 (PDT)
Received: by mail-io0-x22d.google.com with SMTP id p64so59683766ioi.2 for <spud@ietf.org>; Fri, 20 May 2016 09:03:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-transfer-encoding; bh=gavuXWLgxbidfVCFdUOJhxiZ+xaAJAvELamXYSXs33w=; b=KhCAmUWTC3CsZfz8JLUVyKx5Jsseh0AkFzVk9x5CylhQCcywRbmrMtzP/MIc0dCE3L 5qkuw8de/e4LdnMoUMgSkXo/tThgarWPgL/vxxOrCopv19tT8zsdWEhaqw+78aoIslSt wE46NaJiSeiven0JkejYMupryE/o6NWAZB7iQ5M2+vlv6B0Vwz52j9fCz5z3rpqHOrDF fJeB9JzBWV8ifWk69zbEoKByN2nOXy08zOH8todQkFVRHMlhEDadcofTgra/s4BmjLBh TmeJ8+nAsLf61IBgLr24FntARpVWTc/6j+i7FWGM+yTeSQSLsOAW5LTX9bDKT8aHXgl2 wyGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=gavuXWLgxbidfVCFdUOJhxiZ+xaAJAvELamXYSXs33w=; b=SE9ORQd/F1HLlvMOGjdCmNLFglR7jcXnxyqMa6R+NeiZ+5KAbbQPoPECPaPIam42Xd aLn+Ekk6M88wAFNsvElyd6oBBYk9MrQg5Av68Id5kRVl7hsrgb2C6+ivswbyCL/XKYw9 UT0ySEb6a8bO1GcO43WeDHNlincOCCf/6qYs189btiVl7oD04UVQg3Z3LJFnfV1VbsqP e49VhhZLVRNchdWJy9Avg5pfWYO87wBvwrwR6HZDZBf3wuXjE/ANr6WqeQc22l8vFjP3 I1dwWwXf5Efn1UA4L7K/J+k7mUGYEjJ3h57zsO1qdWB19TEJsslu5IYzf2+p/1OCU2Mz 8V2w==
X-Gm-Message-State: AOPr4FXwSjzcmFHOyQcFgMOv35BMqYiGOpXf/GQK3JdPdBTuzNrJmQD340+uzGFiHDAYH9nJVJWR+C92BvPpFQ==
MIME-Version: 1.0
X-Received: by 10.36.46.76 with SMTP id i73mr3759078ita.91.1463760229289; Fri, 20 May 2016 09:03:49 -0700 (PDT)
Received: by 10.107.56.67 with HTTP; Fri, 20 May 2016 09:03:49 -0700 (PDT)
In-Reply-To: <BC2E47D5-1B2B-4848-BBA0-0E5254F125FF@trammell.ch>
References: <7EE2C4F8-98D4-493A-9778-FB6697B4A4DF@trammell.ch> <825141DA-F346-412A-A52C-53BF81EC6502@trammell.ch> <655C07320163294895BBADA28372AF5D4885CF80@FR712WXCHMBA15.zeu.alcatel-lucent.com> <CALx6S37br_VkDrggO1gAh2LzZtm=BTNTEecRU3sRQmUrnR+r7g@mail.gmail.com> <BC2E47D5-1B2B-4848-BBA0-0E5254F125FF@trammell.ch>
Date: Fri, 20 May 2016 09:03:49 -0700
Message-ID: <CALx6S35syvAFGbgOYvNf-n23T3-QrrUn=9ymyoEvoDvYruoANQ@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
To: Brian Trammell <ietf@trammell.ch>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/o-bD2km0zhC8ECcpclzwAmGSD7M>
Cc: "Scharf, Michael (Nokia - DE)" <michael.scharf@nokia.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] [Stackevo-discuss] Fwd: Possible WG-forming follow-on to SPUD BoF
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 May 2016 16:04:48 -0000

On Fri, May 20, 2016 at 3:08 AM, Brian Trammell <ietf@trammell.ch> wrote:
> hi Tom,
>
>> On 19 May 2016, at 19:50, Tom Herbert <tom@herbertland.com> wrote:
>>
>> On Thu, May 19, 2016 at 10:12 AM, Scharf, Michael (Nokia - DE)
>> <michael.scharf@nokia.com> wrote:
>>> Does the sentence ...
>>>
>>>  The current Internet protocol stack has no layer for explicit signaling of flow semantics and characteristics to network elements ...
>>>
>>> actually wants to say something like
>>>
>>>  The current Internet protocol stack has no layer for explicit *in-band* signaling of flow semantics and characteristics ... ?
>>>
>>> I may be wrong, but there is no shortage of IETF and non-IETF protocols that can signal flow semantics and characteristics out-of-band, either path-coupled or path-decoupled, e.g., in the control or management plane. As a result, there are protocol "layers" for that signaling, but they are not in-band. There may also be other ways to fix this problem (e.g., by adding "end-to-end" or "inter-domain" instead of "in-band").
>>>
>> Not to mention that TOS and diff-serv are in-band signaling mechanisms
>> to the network, ECN is explicitly signaling from the network.
>
> DSCP is properly network-layer. If you believe in a "path layer" (which I'm pretty sure I do), you can argue that ECN is the first path layer protocol.
>
I'm not sure what "path layer" is. Yes every packet takes some path,
but the Internet is packet-switched not circuit-switched, so not all
packets for a flow are required to always take the same path.
Maintaining flow state in intermediate nodes is only best effort. In
the presence of multi-homing and mobility intermediate devices that
track flow state will inevitably have it wrong. Anyone who has ever
tried to build a front-end L4 load balancer understands this problem
all too well :-)

>> Given
>> that they've been around for many years but have never been widely
>> deployed on the Internet
>
> DCSP was defined in such a way that it makes little sense in an interdomain context, and its widespread intradomain deployment means that it will never deploy across domains in the general case.
>
Sure, but can you give a specific example of information exposure that
is useful in interdomain context, does not diminish end user security,
and does have any detrimental effects if the information is
fabricated?

> I still hold out a (potentially irrational) hope for ECN's deployment.
>
>> makes me wonder if any in-band signaling
>> mechanism will ever catch on. The use of out of band signaling should
>> be considered, especially considered that in many cases like NAT and
>> firewall the network elements that need signaling are likely in local
>> networks of one side of the connection.
>
> As noted, out of band signaling is not explicitly out of scope in the current
>
Great.

>> I have a similar concern about the statement that IP options/EH and
>> extension headers are being left off the table as part of a solution.
>
> I don't think they are off the table; a protocol such as what we propose to develop in PLUS could certainly use IPv6 extension headers, provided they can be implemented such that applications actually get access to those headers. IPv4 options are more of a stretch, simply due to questions about how well the path treats them.
>
Considering that there's already talk of sunsetting IPv4 I think it's
less of a concern-- IPv6 is the future of the Internet. In fact,
optimizing SPUD for IPv6 seems perfectly inline with encouraging
adoption wider adoption of IPv6.

>> The fact that neither have these caught on in the Internet and that
>> tells me two things 1) No IP option is needed for the Internet to
>> operate and be successful which makes me wonder if signaling between
>> network and hosts is even required 2) If the extensibility mechanisms
>> of IP are chronically not deployable, I wonder why any alternative
>> that does not yet exist but intends to solve the same problem would be
>> any more deployable.
>
> I'd assert that encapsulating things in UDP is certainly much more deployable *at the endpoints*. The open question is about adoption by on-path devices.
>
I'm not sure in this specific case that UDP necessarily make things
more deployable. For instance, there's the pesky problem of
fragmentation. If L3 information is put into UDP and that packet is
fragmented, only the first fragment contains the L3 information the
others don't. Either the application needs to pick some minimal MTU
and hope that packets make it through, or needs to implement PMTU
discovery (rather or not ICMP PTB is delivered to the application is
another story, in Linux it is at least). IPv6 nicely great here since
minimum MTU is 1280, IPv4 might be harder to nail down.

Tom

> Cheers,
>
> Brian
>
>>
>> Tom
>>
>>> Michael
>>>
>>>
>>> -----Original Message-----
>>> From: Stackevo-discuss [mailto:stackevo-discuss-bounces@iab.org] On Behalf Of Brian Trammell
>>> Sent: Thursday, May 19, 2016 5:07 PM
>>> To: stackevo-discuss@iab.org
>>> Subject: [Stackevo-discuss] Fwd: Possible WG-forming follow-on to SPUD BoF
>>>
>>> Greetings, all,
>>>
>>> Forwarding this to the correct address for this mailing list (oops). Please discuss at spud@ietf.org.
>>>
>>> Thanks, cheers,
>>>
>>> Brian
>>>
>>>> Begin forwarded message:
>>>>
>>>> From: Brian Trammell <ietf@trammell.ch>
>>>> Subject: Possible WG-forming follow-on to SPUD BoF
>>>> Date: 19 May 2016 at 17:04:50 GMT+2
>>>> To: spud@ietf.org
>>>> Cc: stackevo-discuss@ietf.org, tsv-area@ietf.org, "Mirja Kuehlewind
>>>> (IETF)" <ietf@kuehlewind.net>, Spencer Dawkins at IETF
>>>> <spencerdawkins.ietf@gmail.com>
>>>>
>>>> Greetings, all,
>>>>
>>>> We propose to hold a working-group forming BoF in Berlin as a follow-on to the SPUD work, to define a common substrate protocol for encrypted transports based on the requirements derived from experimentation with the SPUD prototype.
>>>>
>>>> First, note that since the acronym "SPUD" refers primarily to the prototype itself, any follow-on working group should have a different name. We're using the derived requirements, not starting for the prototype. The name is a subject for discussion, and suggestions are welcome. To have something to put in the proposed charter, we'd propose "Path Layer UDP Substrate" (PLUS) as a starting point.
>>>>
>>>> The proposed charter appears below. We're interested in hearing initial feedback on the proposed charter in preparation for a BoF proposal (the cutoff date is two weeks from tomorrow, on Friday 3 June). Is there work to do here within the IETF? Is the scope of the proposed charter appropriate? Is there energy to do this work?
>>>>
>>>> Thanks, cheers,
>>>>
>>>> Brian and Mirja
>>>>
>>>>
>>>> Path Layer UDP Substrate (PLUS)
>>>> ===============================
>>>>
>>>> The PLUS working group’s goal is to enable the deployment of new,
>>>> encrypted transport protocols, while providing a transport-independent
>>>> method to signal flow semantics under transport and application control.
>>>>
>>>> The current Internet protocol stack has no layer for explicit
>>>> signaling of flow semantics and characteristics to network elements,
>>>> nor an integrated signaling mechanism from network elements to back to
>>>> endpoints and applications. This layer never evolved within the stack,
>>>> because middleboxes and other devices on path could simply inspect and
>>>> modify headers and payload of unencrypted traffic at every layer. This
>>>> implicit use of information from the transport and application layers
>>>> is a key origin of the ossification that makes it hard or impossible to deploy new protocols.
>>>>
>>>> In order to support more ubiquitous deployment of encryption, explicit
>>>> signaling must be added to the stack, and it must be transport
>>>> protocol independent. While IP would seem to be the natural home for
>>>> this facility, both IPv4 and IPv6 options and extensions have
>>>> deployment problems on their own, which makes it hard to include any
>>>> additional information in these protocols.  Additionally, a feedback
>>>> channel that provides information from on-path devices back to
>>>> endpoints and applications, e.g. for error handling, is essential for
>>>> the deployment and success of an explicit cooperation approach.
>>>>
>>>> The PLUS working group will specify a new protocol as a Path Layer
>>>> User Substrate (PLUS), to support experimental deployment of explicit
>>>> cooperation between endpoints and devices on path, with the following goals:
>>>>
>>>> - enable ubiquitous deployment of encrypted higher layer protocols by
>>>> providing exposure of similar semantics to existing protocols (e.g.
>>>> TCP) to devices on path (e.g. NATs and firewalls)
>>>>
>>>> - allow applications and transport protocols to explicitly provide
>>>> limited information to devices on path
>>>>
>>>> - allow devices on path to provide feedback and information about the
>>>> path to sending endpoints, under sending endpoint control
>>>>
>>>> - allow devices on path to provide information about the path to
>>>> receiving endpoints, with feedback to the sending endpoint, under
>>>> sending endpoint control
>>>>
>>>> Note that this approach explicitly gives the control of information
>>>> exposure back the application and/or transport layer protocol on the
>>>> end host. It is the goal of PLUS to minimize the information exposed
>>>> at the level of detail that is useful for the network, while
>>>> encrypting everything else. This is important to avoid future implicit
>>>> treatment and the resulting ossification, as well as to leverage the
>>>> principle of least exposure to minimize privacy risks presented by explicit cooperation.
>>>>
>>>> Given that the primary goal of PLUS is to enable the deployment of
>>>> arbitrary, fully encrypted transport protocols, we assume that the
>>>> higher layer protocol can provide an encryption context that can be
>>>> used by PLUS to provide authentication, integrity, and encryption
>>>> where needed. The primary threat model to defend against will be
>>>> modification or deletion of exposed information by middleboxes and
>>>> other devices on path, by allowing a remote endpoint to detect modifications.
>>>>
>>>> The working group will start with an initial set of use cases (see
>>>> draft-kuehlewind-spud-use-cases) and requirements (see
>>>> draft-trammell-spud-req), taken from experience with the Substrate Protocol for User Datagrams prototype.
>>>> The working group's main output will be an experimental protocol
>>>> specification, together with an initial registry of types of
>>>> information that can be exposed using PLUS, clearly aligned to these
>>>> use cases and requirements. The working group will close if it is not
>>>> able to come to consensus on a protocol design to meet these requirements.
>>>>
>>>> The working group will additionally aim to identify other working
>>>> groups that could or should address parts of these requirements within
>>>> existing protocols, e.g. by specifying new protocol extensions or as
>>>> input for on-going standardization work. It will aim to work with
>>>> working groups defining encryption protocols (e.g. TLS) which could be
>>>> used for encryption of transport protocols running over PLUS.
>>>>
>>>
>>> _______________________________________________
>>> Spud mailing list
>>> Spud@ietf.org
>>> https://www.ietf.org/mailman/listinfo/spud
>
>
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud
>

v2.23.0 | Report a Bug | By Email