Re: [tsvwg] New Version Notification for draft-fairhurst-tsvwg-transport-encrypt-07.txt
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Tue, 22 May 2018 08:30 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A84F512EACD for <tsvwg@ietfa.amsl.com>; Tue, 22 May 2018 01:30:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p8h2OCLsUkuU for <tsvwg@ietfa.amsl.com>; Tue, 22 May 2018 01:30:51 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [139.133.204.173]) by ietfa.amsl.com (Postfix) with ESMTP id 863A712E76A for <tsvwg@ietf.org>; Tue, 22 May 2018 01:30:51 -0700 (PDT)
Received: from Gs-MacBook-Pro.local (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPA id 31AC81B001AA; Tue, 22 May 2018 09:30:17 +0100 (BST)
Message-ID: <5B03D519.9050709@erg.abdn.ac.uk>
Date: Tue, 22 May 2018 09:30:17 +0100
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Reply-To: gorry@erg.abdn.ac.uk
Organization: University of Aberdeen
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: tsvwg@ietf.org, Joe Touch <touch@strayalpha.com>
References: <152334654802.13452.17469061242049682843.idtracker@ietfa.amsl.com> <5ACC6E04.8070107@erg.abdn.ac.uk> <BB4499D9-4E55-4666-83B4-367B5EFC4369@strayalpha.com>
In-Reply-To: <BB4499D9-4E55-4666-83B4-367B5EFC4369@strayalpha.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/39dHJS70wKJPhFBxFZogqHAJmKQ>
Subject: Re: [tsvwg] New Version Notification for draft-fairhurst-tsvwg-transport-encrypt-07.txt
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 May 2018 08:31:08 -0000
Thanks Joe for your comments. See our editorial notes below, but please have a look at our revised ID. New text introduced, this was a mistake in revising the abstract, we think it is in scope to discuss the benefits/drawbacks of integrity protection also: the title and abstract focus on transport header confidentiality; this begs the need for sections 3.1, 3.2, and parts of 3.4 which have nothing to do with *transport header* confidentiality -- the doc reports in other ways to address transport encryption in general; that’s a much larger issue to include, with entirely different implications Para rephrased. We do agree with this statement and have stated this publically when presenting this draft -- the doc speaks of ossification as if it is only harmful; that same ossification provides the stability on which other upper layer protocols often rely, so having a “stable” (ossified) protocol could be considered an advantage too (beyond merely allowing in-network devices to predict their location) I agree with your disagreement -- I disagree that encryption of transport headers would prevent ossification; they could similarly be ossified by being the only ones supported using encryption at the endpoints This is true, I'd love to find text we can all agree upon that says how we should do things in the future: but I am also aware of a wide range of intense feelings and operational practice in our community ... from those who have reacted to privacy concerns, some countries push for net neutrality, others on a digital divide with concerns over cost; etc etc. I think an important outcome of the document is to capture what is being done, wording has been updated -- the doc focuses on the impact of transport header encryption on a number of “features” that have emerged, but fails to address whether those “features” are desirable (i.e., just because we CAN do certain things, and HAVE DONE certain things, is independent of whether we should continue to design protocols to support those things) It states: "Using encryption to provide confidentiality of the transport layer brings some well-known privacy and security benefits and can therefore help reduce ossification of the transport layer.", we also added text -- the intro fails to address the valid privacy motivations for obscuring transport information, esp. given transport protocols are themselves meaningful ONLY at the endpoints e.g., I could easily modify two hosts to exchange packets that look like UDP but are actually TCP this is akin to port renumbering at the endpoints fundamentally, in the Internet, transport headers have meaning ONLY at the two endpoints engaging in a given communication, so we really are “living on borrowed time” to assume that in-network devices can - or should - be able to interpret them at all, even when they appear not to be encrypted. I do NOT agree of nearly anything in section 2.1, especially as it is then used to justify the remainder of section 2 this entire section reads a lot like “the government needs to track your every move so we can build better roads for you”; it’s quite creepy. Text was updated-- section 3 omits discussions of encrypted tunnels (IPsec or otherwise), all of which obscure access to transport headers As far as I know TCP-AO-ENC is still an individual submission, I don't know of operational use. -- sec 3.2 (if retained, and I hope it is not), should include tcp-ao-enc (yes, still a draft, but relevant to the discussion if retained) Added reference to TCPcrypt: draft-ietf-tcpinc-tcpcryp -- sec 3 omits TCPcrypt too (not sure where to put it because I haven’t cared to track how it has (d)evolved). Changed the wording introducing transport to "The transport layer provides end-to-end interactions between endpoints (processes) using an Internet path." -- not sure I agree that the transport layer is the first end-to-end interaction across the Internet; the same is true for the IP layer (esp, e.g., IPv6 Destination Options, among other things). This was not an intention -- finally, this doc seems oblivious to the reality that encryption is coming, like it or not - esp across the backbone, and that this has been the case for a while now (with VPNs). Best wishes, Colin and Gorry On 11/05/2018, 05:20, Joe Touch wrote: > Hi, Gorry, et al., > > I disagree with the tone and focus of this document. > > It appears to give many reasons why hiding transport info from on-path observers is bad - bad for the network, bad for operators, and bad for everyone. > > It reads like an Orwellian propaganda brochure on how Big Brother is only here to help - won’t you leave the cameras on? > > The doc fails to recognize: > - the fact that encryption (via tunneling, esp) is already undermining a lot of this sort of “help” > - the fact that users can - and should - find a lot of what passes for “help” quite a bit creepy > - the fact that transport protocols were never intended to have any meaning anywhere but the endpoints > and that, in fact, that’s the only place where they do have meaning anyway > > If this doc goes forward, I sincerely hope there will be a more balanced presentation of the CONS of the kind of on-path snooping of traffic that this document largely presents as beneficial. > > Joe > > ——— > > Some details follow: > > - the title and abstract focus on transport header confidentiality; this begs the need for sections 3.1, 3.2, and parts of 3.4 - which have nothing to do with *transport header* confidentiality > - the doc reports in other ways to address transport encryption in general; that’s a much larger issue to include, with entirely different implications > > - the doc speaks of ossification as if it is only harmful; that same ossification provides the stability on which other upper layer protocols often rely, so having a “stable” (ossified) protocol could be considered an advantage too (beyond merely allowing in-network devices to predict their location) > - I disagree that encryption of transport headers would prevent ossification; they could similarly be ossified by being the only ones supported using encryption at the endpoints > > - the doc focuses on the impact of transport header encryption on a number of “features” that have emerged, but fails to address whether those “features” are desirable (i.e., just because we CAN do certain things, and HAVE DONE certain things, is independent of whether we should continue to design protocols to support those things) > > - the intro fails to address the valid privacy motivations for obscuring transport information, esp. given transport protocols are themselves meaningful ONLY at the endpoints > e.g., I could easily modify two hosts to exchange packets that look like UDP but are actually TCP > this is akin to port renumbering at the endpoints > fundamentally, in the Internet, transport headers have meaning ONLY at the two endpoints engaging in a given communication, so we really are “living on borrowed time” to assume that in-network devices can - or should - be able to interpret them at all, even when they appear not to be encrypted > > - I do NOT agree of nearly anything in section 2.1, especially as it is then used to justify the remainder of section 2 > this entire section reads a lot like “the government needs to track your every move so we can build better roads for you”; it’s quite creepy. > > - section 3 omits discussions of encrypted tunnels (IPsec or otherwise), all of which obscure access to transport headers > > - sec 3.2 (if retained, and I hope it is not), should include tcp-ao-enc (yes, still a draft, but relevant to the discussion if retained) > > - sec 3 omits TCPcrypt too (not sure where to put it because I haven’t cared to track how it has (d)evolved). > > - not sure I agree that the transport layer is the first end-to-end interaction across the Internet; the same is true for the IP layer (esp, e.g., IPv6 Destination Options, among other things). > > - finally, this doc seems oblivious to the reality that encryption is coming, like it or not - esp across the backbone, and that this has been the case for a while now (with VPNs) > > ---- > >
- [tsvwg] Fwd: New Version Notification for draft-f… Gorry Fairhurst
- Re: [tsvwg] New Version Notification for draft-fa… Joe Touch
- Re: [tsvwg] New Version Notification for draft-fa… Gorry Fairhurst