Re: [Spud] SPUD Scope?
Ken Calvert <calvert@netlab.uky.edu> Sat, 06 June 2015 17:44 UTC
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/zbGFk7W4ej7Q7KvLUPdbX5j57BE>
Cc: "spud@ietf.org" <spud@ietf.org>

> You know why we can't innovate in transport protocol development, right?
> Because too many middleboxes like to block traffic that they find
> surprising. If they were to stop blocking much of that traffic, we
> could run things like SCTP or TCPCrypt reliably on the open Internet
> instead of everyone pretending to be TLS-on-port-443, without the need
> of anything like SPUD.

Some middleboxes are paranoid for good (or at least understandable) reason: they are there to implement trust domain boundaries. Because those boundaries don't exist in the original architecture, firewalls work by overloading mechanisms that are poorly suited for the job.

A well-designed mechanism that enables a packet to certify policy-compliance in-band, without DPI, would at least help with firewalls. It seems to be a necessary condition for reducing the need to force everything through the TLS-over-443 tube, while still allowing end-to-end encryption.

Yes, the path is fraught with challenges; I don't disagree with most of your points. On the other hand, call me an optimist, but I believe such a mechanism could not only help break the "ossification" logjam, but perhaps eventually shift the balance of power back toward the end users by giving them more choices w.r.t. network services.

Ken Calvert