Re: [Spud] updated PLUS charter
Aaron Falk <aaron.falk@gmail.com> Wed, 25 May 2016 14:41 UTC
Return-Path: <aaron.falk@gmail.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E016A12D097 for <spud@ietfa.amsl.com>; Wed, 25 May 2016 07:41:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JaUSWhHnb9Mx for <spud@ietfa.amsl.com>; Wed, 25 May 2016 07:41:57 -0700 (PDT)
Received: from mail-vk0-x22c.google.com (mail-vk0-x22c.google.com [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D97C112D776 for <spud@ietf.org>; Wed, 25 May 2016 07:41:45 -0700 (PDT)
Received: by mail-vk0-x22c.google.com with SMTP id k1so11761458vka.3 for <spud@ietf.org>; Wed, 25 May 2016 07:41:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3L210ZbvHS9bvK2rZUIIB+cMrHQUSF9OS0iI+Klh0fo=; b=lA92J8K1jvzqjXTeUNbxzo2mWIjh1NMjxdRfLnOSPXuiIBVRuL95GOCmqYewgSD8Kf WKo3EWZW+9P1oqxP05UUWyiN/fj7swXdy8PMd06HE+IaLBOOmPxJEl9iOfDDfbzNpMgq dbxOqu9S+CybP2p+534pfAtwAPQ2q2azlIB2fPJKpfh0vir/g5THJXrjraWzQBMjffJi rx5H2fX2l16BT2WMK6XF9EBjZRu6lKIIDocavlwt/LtycBDCIFtylEeRrA/SNNjTdCKe SZxC+G6IXWftfhpAn3TdGuBlZwbM8FUoRg9eOvQR5Ppes3U5czvtknUs6c6fDIdXG3cW lPbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3L210ZbvHS9bvK2rZUIIB+cMrHQUSF9OS0iI+Klh0fo=; b=X0R3QS+8CQwvwcacbVyphLIb3OD2QzkdqYmKxThB0FCUUSheGd9OPKj21ef5Pj0Isd T3OqqWrJq34oNLinBF+EtmeElpnWEYc1MgnnacCCLtilatZrnNI6lmoQPYjYslrzmrj3 0ROJxWXWbUWsnkhtbaqXc4gFHgz8Z6nK5yYuAYRgelzGbPQnWuvua8b388u24B+N2m53 Q+XG7pf3xIQuPSVSoS70HBe4C1V8PZqaQDG8QjY4xO9nPBhmsTHzp8KYJTS9bKK0yaE3 R7ahWm2XEmNIRlI6TsXcz9FnsJCwH3vNZs5qDgRE3UchsDZ8bpWhCTM0ubJcz5wbagh3 krlw==
X-Gm-Message-State: ALyK8tLRRKltykAt41YgRuXErgsP8V3yKmrEOwvnabbcBMQqBb9QBZyxdZmgjcDz/mk+X8395+Vu5FoD0GbZFg==
X-Received: by 10.176.69.248 with SMTP id u111mr2566775uau.138.1464187304840; Wed, 25 May 2016 07:41:44 -0700 (PDT)
MIME-Version: 1.0
References: <D854766A-83D6-4605-8484-4ED06BB5F9CC@trammell.ch> <F7783B9F-8D1D-4251-8DAF-2E9A3EA4D9A7@netapp.com>
In-Reply-To: <F7783B9F-8D1D-4251-8DAF-2E9A3EA4D9A7@netapp.com>
From: Aaron Falk <aaron.falk@gmail.com>
Date: Wed, 25 May 2016 14:41:30 +0000
Message-ID: <CAD62q9VQD_TX0mSAZZHFD_70jtR7qLStyHxCWzNLseDU6sbKDA@mail.gmail.com>
To: "Eggert, Lars" <lars@netapp.com>, Brian Trammell <ietf@trammell.ch>
Content-Type: multipart/alternative; boundary="94eb2c0482b03094e30533abac2c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/p-zeiHyL1RidF_KFHprOHRt1ayw>
Cc: spud <spud@ietf.org>
Subject: Re: [Spud] updated PLUS charter
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2016 14:42:00 -0000
There's a fair bit of redundancy which encourages nitpicking. Suggest cutting the 1st three paragraphs. Start with "The PLUS working group will specify a new protocol as a Path Layer User Substrate (PLUS)..." --aaron On Wed, May 25, 2016 at 8:33 AM Eggert, Lars <lars@netapp.com> wrote: > Hi, > > a few comments: > > On 2016-05-24, at 12:08, Brian Trammell <ietf@trammell.ch> wrote: > > Path Layer UDP Substrate (PLUS) > > =============================== > > > > The PLUS working group's goal is to enable the deployment of new, > encrypted > > transport protocols, while providing a transport-independent method to > signal > > flow semantics under transport and application control. > > Using the plural here ("new, encrypted transport protocols") sounds > awfully broad. At the end of the charter, the text says "an experimental > protocol specification" is the deliverable, which is much more constrained. > Suggest to use similar wording here also. > > > The approach from > > which the working group will start is a shim layer based on the User > Datagram > > Protocol (UDP), which provides compatibility with existing middleboxes > in the > > Internet as well as ubiquitous support in endpoints, and provides for > > userspace implementation. > > > > The current Internet protocol stack does not provide explicit, transport- > > independent signaling of flow characteristics to on-path network devices. > > I think it's been pointed out that this broad statement is incorrect in > several ways, since we have many explicit, transport-independent signaling > protocols (RSVP, NSIS, etc.) They are neither in-band (which I think you > want here) nor are they generally deployed or deployable (which is also > what I think you want here), so I suggest that this text be tightened, so > that folks like me don't overreact :-) > > > This > > has led to the deployment of devices which perform implicit discovery of > these > > characteristics, through inspection of protocol headers all they way up > to the > > application layer, a practice made possible because these headers are > sent in > > the clear. > > Another reason for DPI is that the network can't really in general trust > what is signaled by the end points, and so it is attractive to try and > obtain "the truth" by DPI (whether that is possible or not in all cases.) > I'd like to raise that any new endpoint signaling method - i.e., the work > proposed here - will have similar issues. It would be good to have some > argument as to why PLUS will be different. > > > Inspection and modification of unencrypted protocol headers is a > > key cause of the ossification that makes it hard or impossible to deploy > new > > protocols. > > > > In order to support more ubiquitous deployment of encryption, and the > > encryption of transport headers to allow deployment of new transport > > protocols, explicit signaling must be added to the stack, and it must be > > transport protocol independent. > > I again think you mean "in-band" signaling, since we have out-of-band > signaling - well, at least many specs for it :-) > > > While IP would seem to be the natural home for > > this facility, both IPv4 and IPv6 options and extensions have deployment > > problems on their own, which makes it hard to include any additional > > information in these protocols. Additionally, a feedback channel that > provides > > information from on-path devices back to endpoints and applications, > e.g. for > > error handling, is essential for the deployment and success of an > explicit > > cooperation approach. > > > > The PLUS working group will specify a new protocol as a Path Layer > > User Substrate (PLUS), to support experimental deployment of > > explicit cooperation between endpoints and devices on path, with the > following goals: > > > > - enable ubiquitous deployment of encrypted higher layer protocols > > by providing exposure of basic TCP-like semantics (e.g. SYN, FIN, > > RST flags) to devices on path (e.g. NATs and firewalls). > > > > - allow applications and transport protocols to explicitly provide > > limited information in cleartext to devices on path > > > > - allow devices on path to provide feedback and information about > > the path in cleartext to sending endpoints, under sending endpoint > > control > > > > - allow devices on path to provide information about the path in > cleartext > > to receiving endpoints, with feedback to the sending endpoint, under > > sending endpoint control > > Can we find a better word than "cleartext"? At least my mind immediately > jumps to think about unstructured ASCII data in protocol headers. Maybe > "unencrypted" or "not integrity-protected"? > > > Note that this approach explicitly gives the control of information > > exposure back the application and/or transport layer protocol on > > the end host. It is the goal of PLUS to minimize the information > > exposed at the level of detail that is useful for the network, > > while encrypting everything else. > > It would be good to add a half-sentence on how PLUS can achieve that goal > (i.e., how can it limit what an app decides to signal)... > > > This is important to avoid future > > implicit treatment and the resulting ossification, as well as to > > leverage the principle of least exposure to minimize privacy risks > > presented by explicit cooperation. > > ...because as you say that is important. > > > Given that the primary goal of PLUS is to enable the deployment of > arbitrary > > transport protocols, encrypting transport protocol headers, we assume > that > > the higher-layer protocol can provide an encryption context that can be > used by > > PLUS to provide authentication, integrity, and encryption where needed. > The > > primary threat model to defend against will be modification or deletion > of > > exposed information by middleboxes and other devices on path, by > allowing a > > remote endpoint to detect modifications. > > > > The working group will start with an initial set of use cases (see > > draft-kuehlewind-spud-use-cases) and requirements (see > > draft-trammell-spud-req), taken from experience with the Substrate > > Protocol for User Datagrams (SPUD) prototype. > > The working group's main output will be an experimental protocol > > specification, together with an initial registry of types of > > information that can be exposed using PLUS, clearly aligned to > > these use cases and requirements. The working group will close if > > it is not able to come to consensus on a protocol design to meet > > these requirements. > > > > The working group will additionally aim to identify other working > > groups that could or should address parts of these requirements > > within existing protocols, e.g. by specifying new protocol > > extensions or as input for on-going standardization work. It will > > aim to work with working groups defining encryption protocols (e.g. > > TLS) which could be used for encryption of transport protocols > > running over PLUS. > > Lars > _______________________________________________ > Spud mailing list > Spud@ietf.org > https://www.ietf.org/mailman/listinfo/spud >
- [Spud] updated PLUS charter Brian Trammell
- Re: [Spud] updated PLUS charter Eggert, Lars
- Re: [Spud] updated PLUS charter Aaron Falk
- Re: [Spud] Lars: updated PLUS charter Toerless Eckert
- Re: [Spud] updated PLUS charter Brian Trammell