Re: [Stackevo] draft-thomson-use-it-or-lose-it

Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> Mon, 06 August 2018 09:46 UTC

Return-Path: <mirja.kuehlewind@tik.ee.ethz.ch>
X-Original-To: stackevo@ietfa.amsl.com
Delivered-To: stackevo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 555CE130EB2 for <stackevo@ietfa.amsl.com>; Mon, 6 Aug 2018 02:46:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xR4G0cqnuMaQ for <stackevo@ietfa.amsl.com>; Mon, 6 Aug 2018 02:46:17 -0700 (PDT)
Received: from virgo01.ee.ethz.ch (virgo01.ee.ethz.ch [129.132.2.226]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A57A130EB7 for <stackevo@iab.org>; Mon, 6 Aug 2018 02:46:16 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by virgo01.ee.ethz.ch (Postfix) with ESMTP id 41kXpZ6pwpzMlm6; Mon, 6 Aug 2018 11:46:14 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at virgo01.ee.ethz.ch
Received: from virgo01.ee.ethz.ch ([127.0.0.1]) by localhost (virgo01.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MaNZwOlTCdZb; Mon, 6 Aug 2018 11:46:14 +0200 (CEST)
X-MtScore: NO score=0
Received: from [192.168.178.24] (mue-88-130-61-218.dsl.tropolys.de [88.130.61.218]) by virgo01.ee.ethz.ch (Postfix) with ESMTPSA; Mon, 6 Aug 2018 11:46:13 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
In-Reply-To: <CABkgnnXyNAHHTCx_pWtuNdQmFkSjt2b+ytGr7G636-_VtG6mTA@mail.gmail.com>
Date: Mon, 06 Aug 2018 11:46:12 +0200
Cc: Stackevo <stackevo@iab.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4FD6FAB0-8C32-4FB8-8836-3538A6B463BF@tik.ee.ethz.ch>
References: <991AD90C-A84A-4302-BB25-C5FAB33C8E80@trammell.ch> <3C07107C-D373-4E4B-ABBA-B025AC3A7B2A@tik.ee.ethz.ch> <CABkgnnXyNAHHTCx_pWtuNdQmFkSjt2b+ytGr7G636-_VtG6mTA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stackevo/y-s8raypbxTLgGBJeFQpJUujSkQ>
Subject: Re: [Stackevo] draft-thomson-use-it-or-lose-it
X-BeenThere: stackevo@iab.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IP Stack Evolution Program Mailing List <stackevo.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/stackevo>, <mailto:stackevo-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stackevo/>
List-Post: <mailto:stackevo@iab.org>
List-Help: <mailto:stackevo-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/stackevo>, <mailto:stackevo-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Aug 2018 09:46:19 -0000

Hi Martin, hi all,

I agree with the main point this document makes which is only using a versioning mechanism actively helps to avoid ossification. And reading through the doc, I also thought that maybe we should recommend to have a versioning plan while developing the protocol (as you say below is under discussion for TLS). However, thinking further about it and given were TLS is right now, I have the feeling that we really don’t have enough experience to make a recommendation here. So I wonder, should we maybe rather try to just document what we have experienced so far and not even try to give a recommendation, or it that not what we want in the StackEvo program?

Mirja



> Am 03.08.2018 um 10:03 schrieb Martin Thomson <martin.thomson@gmail.com>:
> 
> Thanks for reading Mirja,  Comments inline.
> 
> On Fri, Aug 3, 2018 at 12:42 AM Mirja Kühlewind
> <mirja.kuehlewind@tik.ee.ethz.ch> wrote:
>> 
>> Hi Martin,
>> 
>> I finally reviewed the doc completely and I really like the „use-it-or-lose-it“ message and the background explanations. However, I’m less sure about the migration techniques you propose (sec 4).
>> 
>> First section 4.1. (Active Use), I think, could be more concrete: does it make sense to specify two versions in parallel just to use this mechanism? Or just make sure you actually have a plan to specify a next version soon. And does it also mean that you should not have a versioning mechanism if you don’t plan to specify another version soon?
> 
> I don't think that we know the answer to this question just yet.  So
> I'm not confident in writing anything concrete.
> 
> I seriously doubt that deploying two versions from day 0 would be
> effective.  There were cases of TLS extension points that shipped with
> a small set of options, which ultimately ossified: though each of
> those values would work, new values couldn't be deployed.  That
> happened because the entire set remained unchanged over a fairly long
> period.  Greasing revealed and ultimately fixed those, hence some of
> the enthusiasm for that mechanism - but you might easily argue that
> this was something that could be found by other means (and I would
> agree with you).
> 
> TLS version negotiation is another example of this as well.  SSLv3,
> TLS 1.0 through 1.2 could all be negotiated, but even attempting to
> advertise TLS 1.3 caused enough things to break that deployment was
> untenable.  And TLS version negotiation couldn't be greased.  Moving
> to a new mechanism means that it can be greased now, but we don't know
> how effective that will be.
> 
> So my guess is that shipping with any small N isn't effective.  What
> we know is effective is continual addition of new values.  That plan
> you have for v2 isn't useful until you ship v2.  And you don't know
> that v3 can be shipped until you ship v3.  As long as N is small, I
> don't think that you can ever be confident that N+1 will work.  I
> don't know what the value of N is when you can be confident in the
> success of N+1 either.  Maybe the only measure of defense is velocity
> - any sufficiently stable target will be nailed down, but a moving
> target evades capture.
> 
> There is talk now about shipping new TLS versions every few months.
> Not major revisions, but revisions that rearrange the protocol in
> different ways that exercise various capabilities that we might like
> to preserve.  It's still essentially grease, so apply the same
> skepticism, but the idea is that you can't just say that x&0x0f0f ==
> 0x0a0a is safe to ignore because everything changes.  For instance,
> one change might add 13 to all extension codepoints, another might
> reorder the fields in some messages.
> 
>> Then I’m really not sure about section 4.2. Maybe I’m just not a full believer in greasing but I really think it worked „well" for TLS because you used it as a mechanism to detect deployed brokenness afterwards. I really don’t think you will have the same result if you reserve something for greasing at the time of the first specification, because then people will implement this as an extra case (even if it would be easier to just implement the versioning mechanism correctly, because this is just how people work).
> 
> I tried hard to capture some of this skepticism, because I share your
> view.  That it sort of worked for TLS isn't a great proof that the
> general technique is effective.  As it says "Incorrect implementations
> might still be able to correctly identify these code points and ignore
> them."  I've added some more negative language as well :)
> 
>> Also section 4.3: I have the feeling that the middlebox problem is a bit a different question. It’s a good note to spell out that middleboxes are protocol participants (as done in section 2.2), however, explicitly only exposing what should be expose is rather the message of the path-signals and wire-image drafts and I think I would rather refer to these drafts instead.
> 
> I will do that.  That document had rather uncertain status when this
> was first written.  That no longer true :)
> 
>> Not sure if section 4.4. should be rather an own section because it is something additional and not really a migration technique/design principle for protocols, is it?
> 
> It's a separate concept, but Section 4 is more broadly about
> strategies, and while Section 4.4 isn't a strategy on its own, it's
> complementary to the other strategies.  I've made this clearer in the
> lead-in to prevent there from being any misapprehension about why that
> section is there.  (I was originally going to put this with grease,
> because it's so essential there, but it's really a separate
> technique.)