Re: [tsvwg] transport-encrypt-14 review, pt 1

Tom Herbert <> Fri, 10 April 2020 15:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 548E23A02BD for <>; Fri, 10 Apr 2020 08:51:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7OZ-JshI8Zux for <>; Fri, 10 Apr 2020 08:50:59 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9505D3A02BC for <>; Fri, 10 Apr 2020 08:50:59 -0700 (PDT)
Received: by with SMTP id p6so2891418edu.10 for <>; Fri, 10 Apr 2020 08:50:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=dtwEksD4szmnUtooVd//w9Ba8X8fAMw2JCA/CSCtkEA=; b=yBwrJ8Bb/keQcjjvtr91qw04zkTnpChmv3O1CjYGJRbHju2ZdTdWCa7GslFSNbYgs2 StsVTngMBqR4ZBOwvzGnhjOmqJPx00Jn+84cr/ubHm6QbZt0BjoRxLDvA7mTmn8AKDow kKjTbFj2ShRi5oe/KZsdc1nJ+9yWDQs0tFlIfVlR0H+OTLHCnovZDeWGz9ei0s+HqMok mhXI0e93OHcEBHNomckuvv6wf9m3V3fYtfh5EvrJ3k44EgJFobN+tFxpiP/XiLDxAsUC uVTkur3zckaJ1DeDA/yxInXq9jwC2MedgnDvtppjqegfeRzP7UtVOqGeDE4wWE3P4wT2 c3SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=dtwEksD4szmnUtooVd//w9Ba8X8fAMw2JCA/CSCtkEA=; b=nrmU4F2qdyjUCzSSdmW6aDq5dZnQ/5lxkV6uepFBuk+5C9TshpybN8YPnp5HivLbxe zN6toyC/gYCIzUX+nktA5R4qJqeZHGkF4nf/8hwLDVa3aEXmzaXEQtfI3Z64XI4fbGrw +hE3M6qbfvypAQeaolMmf3LQlk/AWAQa4yA7Nixl9cqnDKL2YfYJqu01YhWAeW3yTZY4 YawDanj+2xps3Oqi+IRFK4PojUQ46X8CnDkXxjXLASN0HwpRX6yiJDSzzDTvc+aC/ZNS pIP8aF5q4secmBOonFkTdxuS3rNr8pWlFSy6rMZ57NBMz7PFnOZdSQom3EpsOTq/RcGV zY5w==
X-Gm-Message-State: AGi0PuZ7doqMuCXAtT8NBeN7djSfkrMNmBefYhZLb6iogSZEmOWepZb5 Jtx4pdNYaPOzieRWvWHPikkRYGe+sr8GULaA1H0nMA==
X-Google-Smtp-Source: APiQypIDYtwfJPL5BF0KEX0O8t9EP3PP/RgIan5+e4CSEcaXFlX7dcyMtmmkUmVybq4z5S0Gc1PldeDrfNBmCFEW674=
X-Received: by 2002:a50:d5c8:: with SMTP id g8mr5537138edj.370.1586533857773; Fri, 10 Apr 2020 08:50:57 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Tom Herbert <>
Date: Fri, 10 Apr 2020 08:50:46 -0700
Message-ID: <>
To: Gorry Fairhurst <>
Cc: Joseph Touch <>,, tsvwg <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [tsvwg] transport-encrypt-14 review, pt 1
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 10 Apr 2020 15:51:01 -0000

On Fri, Apr 10, 2020 at 8:24 AM Gorry Fairhurst <> wrote:
> On 10/04/2020 15:51, Tom Herbert wrote:
> On Fri, Apr 10, 2020 at 12:45 AM Gorry Fairhurst <> wrote:
> On 09/04/2020 21:20, Joseph Touch wrote:
> On Apr 9, 2020, at 12:44 PM, Martin Duke <> wrote:
> - Conversely, middlebox interference with headers does enable performance enhancing proxies for extraordinary link types like satellite.
> Those are only “extraordinary” only in the “been around for 50 years in the Arpanet/Internet”. That understanding goes back as far as RFC 346 and IEN 8.
> Additionally, ground nets often experience similar BW delay products, which can be the dominant driver.
> There are known ways to help TCP over such links that don’t involve these sort of steps, documented as far back as RFC 2488, some of which are now being incorporated (faster window growth and recovery, ala Hybla).
> I.e., just because a mechanism CAN rely on these headers doesn’t mean that’s the only - or even safe - way to do so.
> Joe
> I'm with Joe there are MANY ways that devices sitting in the network *do* presently change TCP headers. This is not at all restricted to specific technologies such as Satellite. TCP ACK filtering/decimation/etc is commonly used on a variety of paths to reduce return link traffic in WiFi, Docsis, LTE, etc. PEPs have split TCP in many ways where delay and/or loss is important, devices that track or change rwnd are out there, as are other devices that have modified other things for better or worese. However we already have RFC3135, RFC3449, a variety of header compression specs, and more recently RFC8404. All of which delve into these topics.
> In an earlier thread, I motivated restoring the focus on methods that observe headers and do not "manipulate" these. It's true that when the WG decided to add the "ossification" examples at the start iof the document, that these were nearly all related to changing headers, but still I think the focus of the remainder should be on methods that do not change headers - That also is the set of methods that could be compatible with end-to-end authentication.
> Gorry,
> I think the draft is trying to walk a fine line.
> Yes. That's a very useful observation. I'm hoping if I disect this reply, I'll be able to see exactly the part(s) you are talking to.
> The draft provides
> several examples of presumably benevolent instances of passive
> observation,
> I do *NOT* think the draft claims passive observation is benevolent, it may be, it may not be, that even might depend on usage.
> The draft explicitly says in section 2:
>    "This analysis does not judge
>    whether specific practises are necessary, or endorse the use of any
>    specific approach."
> however doesn't acknowledge there are deployed use cases
> of modification.
> It was *NOT* intended to ignore that, only to note that any modification can be detected by authentication, and to set the context section 2.1 did provide examples of this. There are other RFCs that talk more about that.
> There are people that would probably agree that maybe
> observation is okay but modification is detrimental. There are also
> those that might say any use of transport information by intermediate
> nodes is bad
> It should *NOT* be making that call.
> *EXCEPT* it should assert privacy concerns were appropriate.
> and leads to ossification,
> It *SHOULD* state that.
> so both observation and modification should be prevented.
> That's a judgement call this did *NOT* plan to make.
> A third camp might say we've been modifying TCP fields
> This modification is a (sometimes sad, sometime not sad) reality.
> and our users are seeing great benefits so it's
> okay.
> The intent is explicitly *NOT* to decide whether the spectrum of modifications are good or bad.
> I don't think there is consensus on which of these viewpoints is
> correct,
> So, I think we may agree?
> however I believe that the goal of the draft is trying to
> establish a balanced position without judgement,
> I agree.
> so not mentioning a
> known use case that would definitely be affected by transport layer
> encryption seems like an omission.
> ---
> If we happen to agree on scope, then I think your present comment relates to section 2.1 and I assume this is somewhere around the text that starts:
>    In-network measurement of transport flow characteristics can be used
>    to enhance performance, control cost and improve service reliability.
>    To support network operations and enhance performance, some operators
>    have deployed functionality that utilises on-path observations of the
>    transport headers of packets passing through their network.
> ... examples ...
>    When network devices rely on the presence of a header field or the
>    semantics of specific header information, this can lead to
>    ossification where an endpoint has to supply a specific header to
>    receive the network service that it desires.
>    In all these cases, middleboxes with a hard-coded, but incomplete,
>    understanding of transport behaviour, interacted poorly with
>    transport protocols after the transport behaviour was changed.
>    In contrast, transport header encryption prevents an on-path device
>    from observing the transport headers, and therefore stops mechanisms
>    being built that directly rely on or infer semantics of the transport
>    header information.
> Which sentences should be improved?
> I'd also point out that if a transport protocol developer makes a
> conscious decision to not encrypt some data in the transport layer for
> the benefit of observation at intermediate nodes, it's just as easy
> for them to also purposely not authenticate data so that intermediate
> nodes could modify it (again this is independent of any judgement as
> to whether intermediate nodes observing or modifying end-to-end data
> is a good thing).
> Agree (with the NiT that modification isn't necessarilly prevented by authentication: it's detected - that allows it to be prevented).
> Is that somehow made unclear by a sentence somewhere that should be fixed?


Here is the pertinent sentence from the draft:

"It is important to understand how transport header information is
used by networks, to allow future protocol designs to make an informed
choice on what, if any, transport layer information to expose to the

If this draft isn't going to dive into the uses of transport header
information being modified by the network then I suggest this sentence
should followed by a statement like:

"This document highlights uses of passive observation of transport
headers by network. Use cases where network nodes may modify transport
layer information are out of scope and described in [RFC...]."

Also, I'm not sure the term "expose" is well defined. Does this mean
to only make visible for observation, or to make it both visible and
modifiable? It might not matter here since there are no normative
requirements, but if the term were used elsewhere in a normative
context we may end up regretting any ambiguity.


> Gorry
> Gorry