IETF Logo Mail Archive

Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, -> logging

Tom Herbert <tom@herbertland.com> Wed, 16 October 2019 01:10 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 085F5120843 for <tsvwg@ietfa.amsl.com>; Tue, 15 Oct 2019 18:10:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id inAVh80du4BS for <tsvwg@ietfa.amsl.com>; Tue, 15 Oct 2019 18:10:00 -0700 (PDT)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CCCC120830 for <tsvwg@ietf.org>; Tue, 15 Oct 2019 18:10:00 -0700 (PDT)
Received: by mail-ed1-x535.google.com with SMTP id v38so19887579edm.7 for <tsvwg@ietf.org>; Tue, 15 Oct 2019 18:10:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=TjF2/DNcsCn/qRI5OUcHhRP9Mc5Zy1gAn5r14TUfKY4=; b=PUVrhWuK5i9LxFCRDr3skjCv62FW0wVFPHcQY91pJhtC0KVumtHDxzuj7OD66mw7ym TOq4HVozwvvkwG0zm3nV+lbRC83nCBKh75O8fywxTx0EqI2FViPImPiJg/5SCFdY5+qW 4ujan4sQldXeE7VLufBy/ypMC+jYg/d/VNJfkJZJZD+4g2G9z1Cg5jABrYodZAnyDTyN o/SaHHgRvVhVJq//BdM8YGJMNwt1vhTb6ritNd0RysG6WlIY8QLddbcYyhGl68F3Fx1F oDOIcE2ljuZ+XJGm7BSIEP1F/KWMbrewwxueiju+YGglqF9gf5O9zEVxc4aNwdnKGV3r fujQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=TjF2/DNcsCn/qRI5OUcHhRP9Mc5Zy1gAn5r14TUfKY4=; b=idfH+yahjyrIh16PpRHMkxqznpq7CAWmZLIhNWgyYbxJQczVta/O/hE/kjGhHsVPnK G7wA+Z0NHFEO9xKNWof/7Kd4LabYOW9kLPUJMie54vctqde1+xCYhvXgWSNfl72KyNon o928ls6/QXvSgjGoRSXnVYC99H83lHEF56lPDEBdQR2zEk6K3aQJ4hO9DYVktS5bu2dk M2EKrD8cI0hqysjojlavGyk7AV9mdEqZCxgObOKjyOy9SsT8c4B27TNDpoy4DBQYuGby ubMXWN2MKRyLhTxCzKiLUVGjFVoQSH85dAM0q1kJ+THl5q3DJkUlvbiRtsCB2Qww8XLJ 8m3Q==
X-Gm-Message-State: APjAAAU8cjgEI9N4wxrVq9tMg2ghA25KKV9iiyTXZy2D3V5tW3ZQj9TA 0Ca1lh9geicojM74zzZs6LH7Qvclf8ugWNnEs0D/yA==
X-Google-Smtp-Source: APXvYqwrlxm1h5MJ5MRIRG8+vsDkAnQ6NG0AE/WkgIimT0vbS9NZB7r0Gc1myi2pam+B9zFwbxRV6juMI9PvOqU/DoU=
X-Received: by 2002:a17:906:c49:: with SMTP id t9mr37399252ejf.267.1571188198394; Tue, 15 Oct 2019 18:09:58 -0700 (PDT)
MIME-Version: 1.0
References: <CE03DB3D7B45C245BCA0D2432779493630766752@MX307CL04.corp.emc.com> <e8c30f3f-606f-0c0d-a7dd-b2bb6f31a9fd@huitema.net> <5DA18567.9060400@erg.abdn.ac.uk> <31A50740-E9D4-4BC2-BAED-1D979C76F16D@strayalpha.com> <f81b200a24e64fb0abc04b922d458f08@ustx2ex-dag1mb6.msg.corp.akamai.com>
In-Reply-To: <f81b200a24e64fb0abc04b922d458f08@ustx2ex-dag1mb6.msg.corp.akamai.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 15 Oct 2019 18:09:46 -0700
Message-ID: <CALx6S3502v=MEFo3mU1ukGcsaM1nuZB8uWGKcNT9GVtMB1LqJQ@mail.gmail.com>
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Joe Touch <touch@strayalpha.com>, "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>, Christian Huitema <huitema@huitema.net>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/FKIR-lkKEfASof09HZp9LTrdCMg>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, -> logging
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 01:10:03 -0000

On Tue, Oct 15, 2019 at 2:11 PM Lubashev, Igor <ilubashe@akamai.com> wrote:
>
> > From: Joe Touch <touch@strayalpha.com> on Sunday, October 13, 2019 12:00 AM
> >
>
> > Hi, Gorry,
>
> >
> >> On Oct 12, 2019, at 12:48 AM, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
>
> >>
>
> >> I'm intrigued by how far we can understand opportunities for open client logs to replace pcap dumps, and would like to delve a little deeper into what we understand - there seem many possible actors and that may be interesting to look at a few viewpoints:
>
> >>
>
> >> * a user of a transport protocol (e.g., understanding cost/benefit of feature choices);
>
> >
>
> > There’s only one viewpoint that drives this conversation. It’s the user’s.
>
> >
>
> > If the user wants to encrypt, that’s their prerogative. We should not be recommending or assuming otherwise,
>
>
>
> Most users would likely say that they want Internet that is as fast as possible (low latency/high throughput), very reliable, secure (passwords and emails are safe from peeping toms) and reasonably private. Different people will make different trade-offs between the above, especially about the degree of privacy vs performance and reliability.
>
Sure, but who are the "people" making the tradeoff? If the tradeoff of
what information to expose is left up to the user then that is
reasonable. But if network operators or IETF are arbitrarily making
this tradeoff for the user that's a problem. As Joe stated, the only
viewpoint that really matters is that of the user; their needs and
wishes come first. So if a user wants strong security and privacy,
then that's their prerogative-- in no way should they be penalized for
that.

>
>
> I see this draft to be about the trade-off between benefits of an attempts at extreme privacy at a single layer and the effects of these design choices on performance and reliability of the Internet.
>
>
>
> >> * a service provider (e.g., trying to understand performance impairments in the network);
>
> >
>
> > They should never need to look at others’ transport headers to do this.
>
>
>
> What else should they look at?  They have to look at packets flowing via their networks and make sense of what’s going – both proactively in terms of monitoring QoS that their customers are getting and reactively in terms of troubleshooting specific issues.  AOM only works within a single network (when it works) and does not help at all with identifying problems and narrowing down responsibility for a problem upstream or downstream from own network.

As  mentioned several times, the arguments the network providers are
making against header encryption are nearly identical to the ones made
when payload encryption was being turned. This conversation is almost
an exact replay of those discussions! I'm still finding it hard to
believe the outcome will be any different, like it or not any new
transport protocols are likely to encrypt as much as possible. This
shouldn't surprise anyone, it's been known for years that encryption
resolves the tussle that lead to protocol ossification. So the open
question still seems to be what is the path forward to allow strong
user privacy and yet give the network the necessary visibility above
the network layer in a secure and robust fashion.

>
>
> <snip>
>
>
>
> >> * researchers/equipment developers seeking to correlate/tune transport timing with network policies (e.g., interactions between congestion control and link scheduling);
>
> >
>
> > And if we’re part of their experiment, it needs to be by opt-in and with full understanding of what data they use and how they use it.
>
>
>
> We should add “network operators” to the list of entities trying to tune network policies.  Users expect their ISPs (and their upstreams) to do traffic engineering (including running experiments) to improve their network performance/reliability. Browser vendors and server operators do the same all the time.  No opt-in expected/required.  As Christian points out elsewhere, it is no easy task in the face of diverse and sometimes selfish players, but that’s the Internet we have. Everyone has to be able to keep optimizing their part of the Internet ecosystem or users’ experience will suffer.
>
>
> <snip>
>
>
>
> > The doc currently states, in that area (sec 6) largely as somewhat of a conclusion:
>
> >
>
> >   The choice of whether future transport protocols encrypt their
>
> >   protocol headers needs to be taken based not solely on security and
>
> >   privacy considerations, but also taking into account the impact on
>
> >   operations, standards and research.
>
> >
>
> > That, in a nutshell, is the problem.
>
> >
>
> > NO. Security does NOT need to “take into account” the impact on the supposed “rights” of others to make our traffic part of an experiment.
>
>
>
> It is, indeed, very hard to compromise on security “a little bit” and still have much of any security left.  There are many aspects to privacy (which sites you visit, when you go online, where you are located – geo-location/ISP/city/country, which devices you use, who else uses your devices, what bandwidth cap you have, are you on a lan or wifi, how many devices you have at home, etc).  It is reasonable to discuss a balance of performance/reliability and degrees of privacy afforded by a general-purpose transport. Users who need extreme privacy already know to use specialized transports like TOR/VPNs/etc (and use specialized measures to protect their privacy on other layers).
>
>
>
> I think it is unfortunate that security is even mentioned in this draft. Header encryption is not about security; it is about privacy and protocol ossification resistance.
>
>From draft-ietf-quic-transport-23:

"QUIC authenticates all of its headers and encrypts most of the data
it exchanges, including its signaling, to avoid incurring a dependency
on middleboxes."

In other words to prevent middleboxes from ossifying the QUIC protocol.

>
>
> Igor
>
>
>
> > Joe
>
> >>Gorry
>
>
> On 09/10/2019, 15:32, Christian Huitema wrote:
>
>
> As the draft mentions:
>
>    The use of transport layer authentication and encryption exposes a
>    tussle between middlebox vendors, operators, applications developers
>    and users
>
> Much of the draft reads like a lamentation of the horrible consequences of encrypting transport headers, which looks very much like embracing the point of view of the middlebox vendors. Expressing that point of view is of course fine, and it might be enough to change the title, abstract and introduction to reflect that this is an opinion piece. But as a transport working group document I would like something a bit more balanced. It should spend more time acknowledging the ossification and privacy issues. It should ideally lay the ground work for alternative management solutions, such as controlled exposure like the spin bit in QUIC, IP header information, or standardized logs like the QLOG effort.
>
> -- Christian Huitema
>
>
> On 10/8/2019 2:08 PM, Black, David wrote:
>
>
> FYI – some OPS area and SEC area eyes on this TSVWG draft now (during WGLC) would be a good thing ;-).
>
> Thanks, --David (TSVWG co-chair)
>
> *From:* Black, David <david.black@emc.com>
> *Sent:* Tuesday, October 8, 2019 5:06 PM
> *To:* tsvwg@ietf.org
> *Cc:* Black, David
> *Subject:* WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
>
> This email announces a TSVWG Working Group Last Call (WGLC) on:
>
> The Impact of Transport Header Confidentiality on Network Operation and
>
>                       Evolution of the Internet
>
>                 draft-ietf-tsvwg-transport-encrypt-08
>
> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-transport-encrypt/
>
> This draft is intended to become an Informational RFC.
>
> This WGLC will run through the end of the day on Wednesday, October 23.
>
> That should allow time before the Singapore draft submission cutoff for
>
> the authors to revise the draft with any changes that result from WGLC.
>
> Comments should be sent to the tsvwg@ietf.org <mailto:tsvwg@ietf.org> list, although purely
>
> editorial comments may be sent directly to the authors. Please cc: the
>
> WG chairs at tsvwg-chairs@ietf.org <mailto:tsvwg-chairs@ietf.org>  if you would like the chairs to
>
> track such editorial comments as part of the WGLC process.
>
> No IPR disclosures have been submitted directly on this draft.
>
> Thanks,
>
> David, Gorry and Wes
>
> (TSVWG Co-Chairs)
>
>

v2.23.0 | Report a Bug | By Email