IETF Logo Mail Archive

Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Christian Huitema <huitema@huitema.net> Mon, 21 October 2019 18:20 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A953B12010D for <tsvwg@ietfa.amsl.com>; Mon, 21 Oct 2019 11:20:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMS4XDdKKVfA for <tsvwg@ietfa.amsl.com>; Mon, 21 Oct 2019 11:20:03 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8ECD120108 for <tsvwg@ietf.org>; Mon, 21 Oct 2019 11:20:02 -0700 (PDT)
Received: from xse232.mail2web.com ([66.113.196.232] helo=xse.mail2web.com) by mx148.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1iMcHf-000uJO-EI for tsvwg@ietf.org; Mon, 21 Oct 2019 20:20:00 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 46xlKn130fzLjV for <tsvwg@ietf.org>; Mon, 21 Oct 2019 11:19:57 -0700 (PDT)
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1iMcHd-0001Rb-1J for tsvwg@ietf.org; Mon, 21 Oct 2019 11:19:57 -0700
Received: (qmail 25375 invoked from network); 21 Oct 2019 18:19:56 -0000
Received: from unknown (HELO [192.168.1.101]) (Authenticated-user:_huitema@huitema.net@[172.58.43.199]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tsvwg@ietf.org>; 21 Oct 2019 18:19:56 -0000
To: Tom Herbert <tom@herbertland.com>, "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Joe Touch <touch@strayalpha.com>, "tsvwg@ietf.org" <tsvwg@ietf.org>
References: <CE03DB3D7B45C245BCA0D2432779493630766752@MX307CL04.corp.emc.com> <e8c30f3f-606f-0c0d-a7dd-b2bb6f31a9fd@huitema.net> <A2F184BB-E352-4AE6-B7A0-FDF6D8851DFB@strayalpha.com> <CALx6S36VYt+LVxWM_ZRos7VK6GArNbenpFD3yaPdqedvkoHpoQ@mail.gmail.com> <9c7df6fe717c43739454a91f8080cffa@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S361-wmgGWcTQHNsXnJEPkdCbvOhSCGwd5a9R0RQ_E=CCg@mail.gmail.com> <8543343a39a04d5baca64ce2a3085ac9@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S36FonVeU25YJEq_7PaNrfvX4ABLFv5VLbb6QKE==G5Xfg@mail.gmail.com> <00cf55e3462e44be8bcb908c453c3eef@ustx2ex-dag1mb5.msg.corp.akamai.com> <CALx6S34aQOUwqd5a2EJK10noUwW4qJQaEfsL4i-2VFpUU5=ytA@mail.gmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <e5679768-6d59-8c5e-3f96-1f89fd8a21af@huitema.net>
Date: Mon, 21 Oct 2019 11:19:57 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
MIME-Version: 1.0
In-Reply-To: <CALx6S34aQOUwqd5a2EJK10noUwW4qJQaEfsL4i-2VFpUU5=ytA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------FDF92664AFC5EFEED1FB13AC"
Content-Language: en-US
X-Originating-IP: 66.113.196.232
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.232/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.232/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.51)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0QRKNbAP+Q7R/EWH3Kru/cipSDasLI4SayDByyq9LIhV0mlX/ZTmgjxV 0gysleUXxkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDAxcDYLQWPWOwvKJpm+ErX5j9 EvBvwu01uVCaGVBWGqsa24uItZzLxlr2fkJJv4QX2rBNMmEsKEibQwSU1xBeOHButNDpi1WUXRkr He1vFsZaZad0VL/QynhFAlbT36L8uVc/BdU0fNdSBkjWwnzvewZ6weYgSzquK2hxskqXvy8woCTx LKweTbuJ+19zsyHVGVmhMAaQ/AfCRwRe7yHm5oY+NYmsSGn+svMubxnbgm1cr18FZBEPC2/c16Xd 7sC9aC4xteE1WLqGS9YoqrsZ2DyteN0e+ECCv9/f+GPymkgDVo7QBKA4MctKq4ifYPcXFRL2K3LA EfDXVOdt7wDbuhdxf5Dwg9wMBX5ckCo48ayVGvgdM/14NhEhsQ0jllqEE9ykbJ7I9co1MAEE3ruN Xsm8UJsAPvDcVSKtDCYkioPY5Qx4fJOk03R5fJtf/Dv/dkIzS7m4GUpXCY1Y3j3ileOfMnQTuxRu w7b3K/aRb5jEMDQiNsTxs76hah9Uw3RGtZPen4xxnM/sEP8BQbZFG+f4MG1fWx9wgPursioG1YNk DBiQWxoMMt9CeSOhI+q17GKYkJq+Ghv6kNwpH0NiKBg66gs5OuzYxJgw5atIxeNDvjI/CYe5WPy0 +t1RP0aztuXmTqcfSesh2DeIYFN+dpxMPnetLBJMh51NiRRoHIBWVoRJXVJo1x3SaTk4BfW0miK7 x42VjdzChZMe6O/Did+/hGXTmfhE+Dx2/NyzMXpHhDZ0i9C670xO2QLIVE0uvOnCUbNPgcPcQwzM gKHyQxUo+ql2ySTkvEFH/23XMww2BnTTFGX5/yI4Ky+1ZJcbGqc5H4PEZHeoI/d6LWFf332z7LMw LGdoi9FMQ5j9dQUvMi1YKAun15JQSJLyCT5k+MTObVKxHy/dols381l9r9ft9daDonlwd6LnuX+J u10=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/GMYiVyaAVknSSoebYjxYs7sMP9M>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 18:20:06 -0000

On 10/21/2019 7:31 AM, Tom Herbert wrote:
> Igor,
>
> That misses the point of the statement. There are many protocols that
> don't have ubiquitous support over the Internet-- EH, IP
> fragmentation, any transport protocol other than TCP and sometimes
> UDP, and even IPv6. If "ubiquitous support" is required for deployment
> then we can never deploy new protocols or any protocol that is
> atypical to intermediate devices. So, unless we're planning on never
> doing anything new on the Internet, we need to address this.
>
>
>     The goal of any "for the network" signal is improved QoS.  Hence,
>     if there is a non-trivial chance that inclusion of such signal
>     will actually degrade QoS (by causing packets with the signal to
>     be dropped), no sender will include such signals (and "happy
>     eyeballs" style code is too complex and risky for the benefit).
>
>     As architecturally "ugly" as it sounds, I can only see the QUIC
>     header and the most significant TTL bits as viable alternatives to
>     be deployable widely on the Internet for IPv4.  For IPv6, even HBH
>     and Dest Options are still too "risky" for packets, but that is
>     likely to be improving.
>
>
> You forgot to mention efforts to encode information in IP addresses,
> overload bits in the flow label, or other DPI parsing of UDP payload
> (like tunnels over UDP), and other creative ways to "find" bits that
> can be repuposed. There're all hacks! IP is designed to be an
> extensible protocol without the need for these. Pursuing such hacks,
> instead of using the defined mechanisms of extensibility, ostensibly
> solves some short term problems, but in the long run perpetuates
> protocol ossification and stifles evolution of the Internet.


If we want to not rely on hacks, I believe that we have to somehow
change the network protocol. I have followed the development of the spin
bit in QUIC, and the attempts to use more bits and provide for example
indications of packet losses. There are typically two issues: privacy
and practicality. Let's not discuss privacy here, except by assuming
that privacy-sensitive deployments will find a need to "bleach" the
signals. The signals are still useful for connection management as long
as a large enough fraction of the connections are not bleached.

I think that solving the "practicality" issue requires moving the signal
to the IP layer. The experiments by Orange show that you only need a
small number of bits to monitor latency and loss rate from within the
network - 2 or maybe 3 bits would do. If these bits are in the transport
header, the network monitor has first to find out what transport
protocol is in use, and possibly what version. With encrypted
transports, that could soon become a daunting task. On the other hand,
if the bits are at some fixed position in the IP header, monitoring
becomes much simpler.

My personal preference would be to associate these bits with an IPv6
"flow" label, or for IPv4 the five-tuple. Latency is associated with
routing and with applications, and in theory all packets in a flow share
the same routing and the same kind of end-to-end processing. Of course,
there are deployment issues, bleaching issues, etc. But the logic
remains: associating latency and loss measurement with a packet flow
makes the most sense. Moving that to the IP header also makes sense --
after all, it is very similar to ECN signals. The broad line of the
solution would thus be:

1) Steal a couple of end to end bits, or maybe just 4 to 8 Diffserv code
points

2) Use these bits to encode the "spin" and "loss" indications, and
distinguish them from the "bleached" signal

3) Compute the "spin" and "loss" indications per end-to-end flow, and
make that part of the spec.

There are obvious deployment issue, bleaching paths and all that. But at
the same time, the information is meant to benefit network management,
so there will be a strong incentive for network managers to ensure that
it flows freely. Thus, it is not hopeless.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email