[tcpinc] Benoit Claise's No Objection on draft-ietf-tcpinc-tcpeno-13: (with COMMENT)

Benoit Claise <bclaise@cisco.com> Fri, 10 November 2017 08:39 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: tcpinc@ietf.org
Delivered-To: tcpinc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A282A12EBF9; Fri, 10 Nov 2017 00:39:40 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benoit Claise <bclaise@cisco.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tcpinc-tcpeno@ietf.org, David Black <david.black@dell.com>, tcpinc-chairs@ietf.org, david.black@dell.com, tcpinc@ietf.org, evyncke@cisco.com
X-Test-IDTracker: no
X-IETF-IDTracker: 6.65.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151030318065.29910.2393429976619659592.idtracker@ietfa.amsl.com>
Date: Fri, 10 Nov 2017 00:39:40 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/qYvVpaaqSflyxXT3zvz1XYBAFNs>
Subject: [tcpinc] Benoit Claise's No Objection on draft-ietf-tcpinc-tcpeno-13: (with COMMENT)
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Nov 2017 08:39:41 -0000

Benoit Claise has entered the following ballot position for
draft-ietf-tcpinc-tcpeno-13: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpeno/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Nothing against the publication of this document but ... as for any
experimental RFCs, we must describe the criteria for a successful experiment
(evaluation)? Same remark for draft-ietf-tcpinc-tcpcrypt-09 I have seen section
9, which explains why this is experimental. It's only part of the info.

Note sure that everybody has seen Eric Vyncke's OPS DIR review:

The document describes an _experimental_ TCP option to negotiate at the TCP
layer the use of opportunistic encryption at layer-4 for the transparent
benefit of applications (which do not support TLS for example).

Section 4.2 describes an 'application-aware' bit which seems to tell the other
TCP party that the upper-layer are aware but to be honest the text describing
this bit could really be improved. Does it allow a responder to signal that it
supports TLS? Or something else? I like the idea of application giving hints to
the other TCP party to avoid useless double encryption but the description of
this bit is really unclear.

The specification takes really care of the TCP option size by compressing a lot
of the information pieces. I wonder whether allowing only 95 'TEP' (TCP
encryption protocols) is not a constraint... suggestion to allow a specific TEP
value signaling that the value is on 16 bits for example.

This is an experimental protocol, so, we can guess that the authors will
experiment around the following issues in order to improve the protocol:

-          Lack of authentication (and encryption without authentication has
little value) even if section 5 talks about it

-          No wording around MSS negotiation (as encryption could potentially
reduce the useful MSS)

-          The role of middle boxes will be important (see also section 8.1
where SLB proved to an annoyance), removing the ENO

-          Suggestion to also test NAT64 middle boxes
I hope this helps to improve this useful proposal