Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Thu, 10 October 2019 08:45 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A7B12004A for <tsvwg@ietfa.amsl.com>; Thu, 10 Oct 2019 01:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHpXIsM6ON-M for <tsvwg@ietfa.amsl.com>; Thu, 10 Oct 2019 01:45:43 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:42:150::2]) by ietfa.amsl.com (Postfix) with ESMTP id 84D60120033 for <tsvwg@ietf.org>; Thu, 10 Oct 2019 01:45:43 -0700 (PDT)
Received: from Gs-MacBook-Pro.local (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id 206951B001C2; Thu, 10 Oct 2019 09:45:39 +0100 (BST)
Message-ID: <5D9EEFB2.9080209@erg.abdn.ac.uk>
Date: Thu, 10 Oct 2019 09:45:38 +0100
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Reply-To: gorry@erg.abdn.ac.uk
Organization: University of Aberdeen
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Joe Touch <touch@strayalpha.com>
CC: Christian Huitema <huitema@huitema.net>, "tsvwg@ietf.org" <tsvwg@ietf.org>
References: <CE03DB3D7B45C245BCA0D2432779493630766752@MX307CL04.corp.emc.com> <e8c30f3f-606f-0c0d-a7dd-b2bb6f31a9fd@huitema.net> <A2F184BB-E352-4AE6-B7A0-FDF6D8851DFB@strayalpha.com> <5D9DF8E3.3020200@erg.abdn.ac.uk> <2D74F74C-C785-4AED-8390-9102FEBCC9F7@strayalpha.com> <5D9DFE77.9010504@erg.abdn.ac.uk> <7D3A8C5A-4E14-4DC1-9202-3DF573B86E98@strayalpha.com>
In-Reply-To: <7D3A8C5A-4E14-4DC1-9202-3DF573B86E98@strayalpha.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/HK1iBgEcSlq5X__SILG6r9zXnPQ>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Oct 2019 08:45:46 -0000
Thanks Joe for this, I'm keen to see if any of your understanding can be translated into a change, so I'd liek to continue this thread a little... On 10/10/2019, 02:45, Joe Touch wrote: > > >> On Oct 9, 2019, at 8:36 AM, Gorry Fairhurst <gorry@erg.abdn.ac.uk >> <mailto:gorry@erg.abdn.ac.uk>> wrote: >> >> On 09/10/2019, 16:25, Joe Touch wrote: >>> >>>> On Oct 9, 2019, at 8:12 AM, Gorry Fairhurst<gorry@erg.abdn.ac.uk >>>> <mailto:gorry@erg.abdn.ac.uk>> wrote: >>>> >>>> On 09/10/2019, 15:38, Joe Touch wrote: >>>>> +1 >>>>> >>>>> IMO, this isn’t a “tussle” so much as “I really want to do >>>>> something I know I shouldn’t be doing”. >>>>> >>>>> A lot of what transport security prevents is - from the middlebox >>>>> view - a problem. >>>>> >>>>> For many of us users, preventing middleboxes from doing things >>>>> like hijacking web, email, and DNS is *exactly* the protection we >>>>> were seeking. >>>>> >>>> I do not understand this particular comment with respect to this >>>> document: How does "hijacking web, email, and DNS" relate to >>>> whether transport headers are encrypted or not? I would have >>>> expected a comment like this had the document been talking about >>>> transport payload (e.g. whether to use TLS). >>>> >>>> Could you point me at some text that leads you to think the >>>> transport header encryption impacts application hi-jacking ? >>> The doc mentions IPsec (encryption the transport headers and >>> payload), TCP AO (authenticating the header and contents), and >>> TLS/DTLS (authenticating contents based on headers). >>> >>> Any of these prevent HTTP from being hijacked and redirected, e.g., >>> as can occur on public WiFi. IMO, >> So, in this respect we agree - but where did the text say otherwise? > > It doesn’t quite, but... > >>> DTLS or DNS over TCP with TLS would protect against DNS hijacking. >> Again, we agree, which text do you think needs improved. > > I’m sorry to say it starts with the title - the impact of security on > network ops and the evolution of the Internet, which starts off on the > assumption that “security is getting in the way”, rather than > “exposure of TRANSPORT information to the network is a privilege”. > That was not intended. The scope we were given was not to describe what we think must be done, but to focus on what is currently being done with respect to how transport information is used. The first para explicitly says "this document strongly supports the increased use of encryption in transport protocols". This document is intended to explicitly NOT say "don't encrypt" "don't use IPsec", "don't use other encryption". - It should read more like if the majority of the traffic uses headers encryption, then there are some implications - (e.g. This news is not exactly new for those running networks that heavily use IPsec..) it this means some people need to think and do some things differently. > Throughout, the assumption is that the network should have access to > this information and/or be able to modify it, rather than that users > have the right to lNOT let the network have that info or change it. > Wait! Where does it say "should be able to modify it" ... that was also NOT intended as a part of this message, and if that can be read into what is said, then I'd like to re-address that. > Encryption and privacy are spoken of as “benefits” and of “interest”, > rather than as rights. Access to transport is spoken of necessary and > denial of that access a threat to providing services. > > IMO, this is both incorrect and inappropriate to promote as an IETF > position. It leads to the very behavior discussed - that development > of legitimate transport protocol mechanisms being hampered by > middleboxes that violate whatever standard or policy interferes with > their revenue model. > I suggest such "middlebox" issues are covered in RFC 8404, and this was not the scope of this document. I had hoped that was already clear, but will look again. The intended the focus is on providing transport and using network paths (which some SDO's also call "transport"). Examples of inputs received concern: how to debug router queuing; understand congestion/VoIP performance/QoS/QoE/etc; detect and predict traffic patterns; layer 2 interactions with radio; etc. > It’s disingenuous to present this problem as merely two competing > viewpoints, and it’s hard to find a single way to address this issue > the way the document has evolved. It reads more like a warning to the > rest of us not to interfere with whatever middleboxes or network > operators want to do. > > I don’t know how to fix it, but I can’t stand idly by and endorse it > either. > > Joe Sorry to hear that. We will take any comments and try to improve the words. Gorry
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Christian Huitema
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Gorry Fairhurst
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Gorry Fairhurst
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Gorry Fairhurst
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Gorry Fairhurst
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Tom Herbert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Tom Herbert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Scharf, Michael
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Scharf, Michael
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lars Eggert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Scharf, Michael
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Christian Huitema
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Joe Touch
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Scharf, Michael
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Gorry Fairhurst
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Christian Huitema
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lubashev, Igor
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lubashev, Igor
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Tom Herbert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Tom Herbert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lubashev, Igor
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lubashev, Igor
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Tom Herbert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Roni Even (A)
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lubashev, Igor
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Tom Herbert
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Christian Huitema
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Kuhn Nicolas
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… philip.eardley
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Mirja Kuehlewind
- Re: [tsvwg] TSVWG WGLC: draft-ietf-tsvwg-transpor… emile.stephan
- Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-t… Lubashev, Igor
- Re: [tsvwg] TSVWG WGLC: draft-ietf-tsvwg-transpor… Peter Gutmann
- Re: [tsvwg] TSVWG WGLC: draft-ietf-tsvwg-transpor… Eric Rescorla
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… Joel M. Halpern
- Re: [tsvwg] TSVWG WGLC: draft-ietf-tsvwg-transpor… Peter Gutmann
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… Joe Touch
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… Joel M. Halpern
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… Gorry Fairhurst
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… S Moonesamy
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… Colin Perkins
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… S Moonesamy
- Re: [tsvwg] [OPSAWG] TSVWG WGLC: draft-ietf-tsvwg… Ian Swett
- Re: [tsvwg] [ippm] [OPSAWG] TSVWG WGLC: draft-iet… MORTON, ALFRED C (AL)