Re: [Stackevo] draft-thomson-use-it-or-lose-it

Brian Trammell (IETF) <ietf@trammell.ch> Mon, 06 August 2018 10:51 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: stackevo@ietfa.amsl.com
Delivered-To: stackevo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3676130DE2 for <stackevo@ietfa.amsl.com>; Mon, 6 Aug 2018 03:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aE_osu_hCvfu for <stackevo@ietfa.amsl.com>; Mon, 6 Aug 2018 03:51:57 -0700 (PDT)
Received: from gozo.iway.ch (gozo.iway.ch [212.25.24.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BD24130DDF for <stackevo@iab.org>; Mon, 6 Aug 2018 03:51:57 -0700 (PDT)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 5C7F0340D94; Mon, 6 Aug 2018 12:51:55 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/6030.5223); Mon, 6 Aug 2018 12:51:54 +0200 (CEST)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Mon, 6 Aug 2018 12:51:54 +0200 (CEST)
Received: from [195.176.111.11] (account ietf@trammell.ch HELO public-docking-cx-4089.ethz.ch) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 63334112; Mon, 06 Aug 2018 12:51:54 +0200
From: Brian Trammell <ietf@trammell.ch>
Message-Id: <5BDD973D-BEA3-41A8-8555-975143177415@trammell.ch>
Content-Type: multipart/signed; boundary="Apple-Mail=_045E95A8-03B7-41BE-9406-776F5570DEE4"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 06 Aug 2018 12:51:53 +0200
In-Reply-To: <CABkgnnXyNAHHTCx_pWtuNdQmFkSjt2b+ytGr7G636-_VtG6mTA@mail.gmail.com>
Cc: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>, Stackevo <stackevo@iab.org>
To: Martin Thomson <martin.thomson@gmail.com>
References: <991AD90C-A84A-4302-BB25-C5FAB33C8E80@trammell.ch> <3C07107C-D373-4E4B-ABBA-B025AC3A7B2A@tik.ee.ethz.ch> <CABkgnnXyNAHHTCx_pWtuNdQmFkSjt2b+ytGr7G636-_VtG6mTA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stackevo/-RBtAoJnu-KPCJ8kL0m7lrvi1o0>
Subject: Re: [Stackevo] draft-thomson-use-it-or-lose-it
X-BeenThere: stackevo@iab.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IP Stack Evolution Program Mailing List <stackevo.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/stackevo>, <mailto:stackevo-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stackevo/>
List-Post: <mailto:stackevo@iab.org>
List-Help: <mailto:stackevo-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/stackevo>, <mailto:stackevo-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2018 10:52:00 -0000

Back from holidays. Slowly digging out of the mailpile...

> On 3 Aug 2018, at 04:03, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
<snip>

> There is talk now about shipping new TLS versions every few months.
> Not major revisions, but revisions that rearrange the protocol in
> different ways that exercise various capabilities that we might like
> to preserve.  It's still essentially grease, so apply the same
> skepticism, but the idea is that you can't just say that x&0x0f0f ==
> 0x0a0a is safe to ignore because everything changes.  For instance,
> one change might add 13 to all extension codepoints, another might
> reorder the fields in some messages.

This reminds me a bit of some defensive computer architecture work done about a decade ago, that attempted to fix buffer overflow attacks by dynamically compiling executables to an encrypted instruction set, with the idea that the shell code would not decrypt to a valid instruction stream without a key. Applying this analogy to protocol design (where it seems to be a generalization of the TLS every six weeks approach), complicated sub-parts of the version number space would act in effect as encryption “keys” for the protocol’s codepoint and state transition space.

IMO the challenge here is to make sure that the cost of the complexity added is much less than the amortized cost of the complexity of dealing with ossification after the fact. The encrypted state/codepoint space idea is reductio ad absurdum: iirc the POC for the encrypted instruction set (basically valgrind-as-VM) made it into one of the top three security conferences because it only induced a four-order-of-magnitude performance penalty.

>> Then I’m really not sure about section 4.2. Maybe I’m just not a full believer in greasing but I really think it worked „well" for TLS because you used it as a mechanism to detect deployed brokenness afterwards. I really don’t think you will have the same result if you reserve something for greasing at the time of the first specification, because then people will implement this as an extra case (even if it would be easier to just implement the versioning mechanism correctly, because this is just how people work).
> 
> I tried hard to capture some of this skepticism, because I share your
> view.  That it sort of worked for TLS isn't a great proof that the
> general technique is effective.

This is the main reason I’d like to see the document expand beyond TLS/H2-derived experience: I'm mostly convinced that version-negotiation-agility is a desirable protocol feature in its own right, but evidence that greasing's effect isn't just a property of the vagaries of how TLS 1.2 negotiation was supposed to work would be nice to have.

Cheers,

Brian

> As it says "Incorrect implementations
> might still be able to correctly identify these code points and ignore
> them."  I've added some more negative language as well :)
> 
>> Also section 4.3: I have the feeling that the middlebox problem is a bit a different question. It’s a good note to spell out that middleboxes are protocol participants (as done in section 2.2), however, explicitly only exposing what should be expose is rather the message of the path-signals and wire-image drafts and I think I would rather refer to these drafts instead.
> 
> I will do that.  That document had rather uncertain status when this
> was first written.  That no longer true :)
> 
>> Not sure if section 4.4. should be rather an own section because it is something additional and not really a migration technique/design principle for protocols, is it?
> 
> It's a separate concept, but Section 4 is more broadly about
> strategies, and while Section 4.4 isn't a strategy on its own, it's
> complementary to the other strategies.  I've made this clearer in the
> lead-in to prevent there from being any misapprehension about why that
> section is there.  (I was originally going to put this with grease,
> because it's so essential there, but it's really a separate
> technique.)
> 
> _______________________________________________
> Stackevo mailing list
> Stackevo@iab.org
> https://www.iab.org/mailman/listinfo/stackevo