Re: [tsvwg] New Version of draft-ietf-tsvwg-transport-encrypt (12)

[Tom Herbert <tom@herbertland.com>]

On Mon, Mar 16, 2020 at 7:52 AM Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
>
>
> On 16/03/2020 13:06, Eric Rescorla wrote:
>
>
>
> On Mon, Mar 16, 2020 at 2:36 AM Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
>>
>> Ekr,
>>
>> On 15/03/2020 13:19, Eric Rescorla wrote:
>>
>> Let me try to expand my point a bit.
>>
>> Longstanding practice is for entities in the middle of the network to
>> use signals that were intended for the endpoint for their own
>> purposes.  With QUIC (and a lesser extent SCTP/DTLS), those signals
>> are being encrypted and thus unavailable to those non-endpoint
>> entities; this draft is mostly devoted to documenting the negative
>> impact of that change on the operations of those entities.
>>
>> I disagree that this is "documenting the negative impact of that change".
>>
>> The draft is about how this protocol information has and is being used. As long as I can remember, there has been devices that utilise some of this information, at the edge of an enterprise there is often at least one device with this role; within a managed network there are devices; etc. If the trend to use encrypted methods continues, some of these practices need to be re-assessed, and the functions more widely understood than in an era when nearly everything was thought to be TCP or "multimedia".
>
>
> I'm not sure what you're arguing here. What I said above is that
> this draft was "mostly devoted to documenting the negative
> impact of that change on the operations of those entities."
> In other words, it lists a bunch of things that people do now
> that will stop working. Do you not think that much of the
> material in this draft is of that form?
>
> -Ekr
>
> So the conclusion, para 2 states:
>
> "   This document has described some current practises, and the
>    implications for some stakeholders, when transport layer header
>    encryption is used.  It does not judge whether these practises are
>    necessary, or endorse the use of any specific practise.
>
Gorry,

Section 5.2 states:

"Current measurement results suggest that it could currently be
undesirable to rely on methods requiring end-to-end support of network
options or extension headers across the Internet."

That _is_ a subjective judgment about a technique that is not
currently used with little discussion on why they're undesirable or
what needs to be done to make them desirable. As I've said before, I
think the document is too easily dismisses this alternative. If the
point of this document is to describe the implications of transport
header encryption without any diligent consideration of alternatives
to expose the necessary transport information to the network, then I
suggest that the discussion of extension headers and other
alternatives should be removed and deferred to other documents.

Tom


> I agree many existing tools would stop working if IPsec formed the majority of traffic, same for QUIC. I think when considering what to do next, it can be useful to work from the current position and understand the implications of changes that are being proposed/used/whatever.
>
> At least from my personal position, this document was providing some input to that thinking. So, I do not understand your issue.
>
> Gorry