Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno

"Holland, Jake" <jholland@akamai.com> Thu, 02 February 2017 22:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/tlB5zOVj71Bem_Bi0Q9kAMjNRmA>

Hello tcpinc members,

I’m new to the group, and joined at Kyle and David’s invitation to give a review of this draft before the WGLC expires:
"TCP-ENO: Encryption Negotiation Option"
https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpeno/


The doc mostly looks pretty good to me. I couldn’t find anything that would make it impossible to transport data and opportunistically encrypt it with ENO where available, nor anything inherently dangerous for an app that doesn’t use any ENO-specific API extensions, but which is running on a network stack that silently turns on ENO underneath.

A few suggestions that I think might improve the doc:

1. There should be a MUST for an API that an application can use to discover whether a connection ended up encrypted, unless it’s there and I missed it. I couldn’t find one in the doc, but it seems a likely vital point for anything that satisfies the application-aware definition.

2. I’d like to see a section that lists a use case or 2 that can be solved by knowing the remote host’s a-bit (or with the mandatory application-aware mode), and how the a-bit solves them. I assume I’m missing something obvious, but I haven’t been able to come up with a use case that does anything useful with the remote a-bit.
(An example guess: is the whole point so that you can avoid sending sensitive data if the remote app itself hasn’t done anything to become secure? And if so, is there some reason the application-layer protocol shouldn’t be in charge of determining that?)

3. All 3 instances of “manual(ly)” in the doc seem better if changed to “explicit(ly)” (sections 4.2 and 7.4).

4. In section 7.1, the hopes of increasing TCP’s SYN option space seem exaggerated. EDO does not apply to SYN, and of the other 2 cited drafts, one expired over a year ago and the other looks, I guess I’d call it "tricky", in addition to being experimental. It might be better to remove the second and third paragraphs of section 7.1, or at least reduce them to just the one example of a live and applicable draft (and maybe note that it’s experimental).

I hope that helps.

- Jake