Re: [tsvwg] [saag] Comments on draft-ietf-tsvwg-transport-encrypt-08.txt

Bernard Aboba <bernard.aboba@gmail.com> Mon, 04 November 2019 17:05 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F3A4120AB8; Mon, 4 Nov 2019 09:05:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HcwACM8UBg_A; Mon, 4 Nov 2019 09:05:37 -0800 (PST)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FDAA120B0C; Mon, 4 Nov 2019 09:05:36 -0800 (PST)
Received: by mail-lf1-x134.google.com with SMTP id 195so12792899lfj.6; Mon, 04 Nov 2019 09:05:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=O5dFTh2vdcAfmP2Jccfmj7BZSHYc4DpnWpV5kTSvW84=; b=AqL7RZTMLcwyCaA7lyFb65IN3RzX+NnYVxMwwvxO6WvcS07PVxScKRBDgfEgojjD6g p4CLYAXrnk/be+V6Q2M1cRgoI7gpVFNXrOR/spKW84flFdh8uQDSRIY5pKv8NPX4VZmJ 0qs+lnFuUAbOaKU8c17ufJSfDNna1juQLBravdHwu6wb23NgTIKdD6U9TPc0frgS0jwA inx+tqfqu2kE/wW3PvK0eU1Aryi3hbhEHc24NnLJQ8uz6AJn71EGqduhswkk9nO33qDd 9VRkmdh/jsCkEC2yRyJReyrB/q8YAzyesuWYwQq1Np9sYTPMhbRC2mVBslw0TK9qm4Vr jWUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=O5dFTh2vdcAfmP2Jccfmj7BZSHYc4DpnWpV5kTSvW84=; b=lpicZhJkDxKm4eTxEKOyboTvNjqnL5VjUF8w1PPWgTLjvapG+d4skPKRnZSutrpSEG hFAJtNcxUsWfse82ieRawAQ8dde5+P71wcfJY6qZNFEh3b+0+s3o181HGWa30CPuOGIx GpaYH0mm7ZAe6pCH7Av7Hfg3eUIQ3eYVnDc4bW2c4+e2oGUe2DBbI0rzr8uffcgxihcQ TzWVsjUwza2K3lII1Th2Itk9oMgGzaLwzKqIlYq4K5HqbiOBooN1IA7/9xYFA+eaWUd4 lyU4uXVHnc0j5LVzGvTbthGdFw8hClIoBBKY3nJJZkYOBOmqIulfvqenYn44p6wVrb6M 3wJg==
X-Gm-Message-State: APjAAAXHj3JEq1GQsfxs/HHel6HmvF/8Z5cINTUCGPcAJPwx7ZRqxGio B6nIPYpAkXAB0Ypc4vzSiuP6fk1JTPzxY5mw0ss=
X-Google-Smtp-Source: APXvYqw8aylXA/Th3zj6aXPnVsZbkTujS3/6npehal9N7jJknTpi934X6TVuOwJfidciHh52mLBpzJC0rSY7CudHnPw=
X-Received: by 2002:ac2:4856:: with SMTP id 22mr16446807lfy.131.1572887134135; Mon, 04 Nov 2019 09:05:34 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBPajzuEdw8=M1g1i-TAniJ9O+H5dEMxv8c6N3tD=7mSvw@mail.gmail.com> <6E8A313A-2A3B-45D1-813C-029F90BA624B@gmail.com> <FB244C01-0695-4C6F-8EB5-95D1CD78E971@ericsson.com>
In-Reply-To: <FB244C01-0695-4C6F-8EB5-95D1CD78E971@ericsson.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 4 Nov 2019 09:05:23 -0800
Message-ID: <CAOW+2dt4C5knrZPV-5ETnOChwWKw81kof=UsuvZ1bDQ0F6r+oQ@mail.gmail.com>
To: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
Cc: Eric Rescorla <ekr@rtfm.com>, tsvwg IETF list <tsvwg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6e9950596885280"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/hETGhT7cefr0wqXEuzvNnN4_5PM>
Subject: Re: [tsvwg] [saag] Comments on draft-ietf-tsvwg-transport-encrypt-08.txt
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 17:05:42 -0000

[MK] Yes, these issues are not new but that makes it even more important to
document them in a well written RFC, so we have a common basis for any
further discussion. RFC8404 touches these points but also others. This
document has a more narrow focus and gives more detail which I think is
valuable for future discussion and therefore I support publication of this
document.

[BA] I would argue that this work item, even when combined with
draft-ietf-quic-manageability, does not document the current state of
operations and regulation nor the potential solutions in a comprehensive
way. Over the last decade, with the revolution in "big data" and machine
learning, there has been a sea change in the way performance data is
collected, analyzed and regulated.  The move to "cloud services" has
resulted in applications developers (who also represent large consumers and
sometimes operators of network services) routinely collecting large amounts
of performance data (e.g. see:  https://w3c.github.io/webrtc-stats/ ) so as
to support performance analysis and capacity planning. At the same time,
the collection, use and retention of performance data is increasingly
subject to regulation (e.g. GDPR and "network neutrality" regulations,
among others).  Today, to accommodate the increasing concerns by regulators
and civil society, SDOs such as W3C  are conducting increasingly detailed
privacy reviews of their specifications.

This situation is quite different from the  that which existed a decade
ago, when application deployment and monitoring was often a customer
responsibility delegated to network operators, network operations
management techniques were unregulated and operators routinely built
network management systems relying upon Deep Packet Inspection (DPI) and
other snooping techniques.   Given these major changes, documents such as
this one need to acknowledge the changes in operational practice and
broaden their definition of "manageability".

[MK] The issue here IS loss of visibility.

[BA] If appropriate manageability standards are developed, it should still
be possible for applications developers to manage applications and network
performance.  The extent to which this is possible is a good question for
the document to answer - but it does not attempt to answer that question
because it is stuck in a decade-old mindset.

Nothing prevents applications developers from sharing appropriately
aggregated and anonymized data with network operators. What IS lost is the
ability of third parties to collect performance information without
authorization or regulatory scrutiny - but in many parts of the world, that
door closed quite a while ago.

On Mon, Nov 4, 2019 at 1:26 AM Mirja Kuehlewind <
mirja.kuehlewind@ericsson.com> wrote:

> Hi Bernard, hi all,
>
> please see below, marked with [MK].
>
> Mirja
>
> On 04.11.19, 01:11, "tsvwg on behalf of Bernard Aboba" <
> tsvwg-bounces@ietf.org on behalf of bernard.aboba@gmail.com> wrote:
>
>     This document appears to have a *lot* of overlap with RFC 8404. So
> given that the basic point has already been made, it seems to me that this
> document needs to focus on new points and/or practical recommendations to
> make its publication worthwhile.
>
>     The issues raised here are by no means new - they first arose with the
> introduction of IPsec. Endpoint monitoring makes it possible for endpoint
> owners to collect information on performance that they can choose to share
> with operators.
>
> [MK] Yes, these issues are not new but that makes it even more important
> to document them in a well written RFC, so we have a common basis for any
> further discussion. RFC8404 touches these points but also others. This
> document has a more narrow focus and gives more detail which I think is
> valuable for future discussion and therefore I support publication of this
> document.
>
>     Thus the issue here is not really the loss of transport performance
> information since that remains available if consent can be obtained, but
> rather the collection of that information by unauthorized third parties.
>
> [MK] The issue here IS loss of visibly. Yes it's not great that we have
> all the mechanisms in the network now that use the information that were
> not supposed to be used by the network. However, we can't deny that if we
> change the end-to-end protocol that this will have an impact on the network
> and how we mange networks today. In some cases we can be happy that some of
> the boxes will just go away but in other case this can cause problems and
> can noticeably impact end-to-end performance, e.g. when an operator is not
> able to quickly locate the root cause of a problem anymore.
>
> [MK] Providing equivalent information based on consent is the solution to
> the problem described in this draft and something we should be working on
> but is not there yet.
>
> [MK] Collection of information by unauthorized third party is another
> problem which still exists and is now just shifted to another layer but
> would for sure need another draft (or multiple ones).
>
>
>     > On Nov 3, 2019, at 2:20 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>     >
>     >
>     > After reviewing this document, I share Christian Huitema's concern
>     > about the tone and perspective of this document, which, while saying
>     > that encryption is good, then proceeds to mostly lament how difficult
>     > it makes life for various entities other than the endpoints. It seems
>     > to me rather problematic to publish this document as an RFC for
>     > several reasons:
>     >
>     > - Yes, it's true that the trend towards encrypting everything has
>     >   and continues to make a number of entities sad, but that's a point
>     >   which is already made in RFC 8404. How does all of the additional
>     >   detail here help?
>     >
>     > - The community of people designing new transport protocols has
>     >   already weighed all the considerations here and come down pretty
>     >   decisively on the side of "encrypt all the things". Given that
>     >   both SCTP-over-DTLS and QUIC do this, it seems pretty unlikely
>     >   we're going to design a new transport protocol that doesn't.
>     >
>     > - Having an IETF Consensus RFC that is so heavily weighted on the
> side
>     >   of "this is how encryption inconveniences us" and so light on
> "these
>     >   are the attacks we are preventing" gives a misleading picture of
> the
>     >   IETF community's view of the relative priority of these
>     >   concerns. ISTM that RFC 8558 -- though perhaps imperfect -- far
> more
>     >   closely reflects that consensus.
>     >
>     > In short, I do not think this draft should be published as an RFC.
>     >
>     > I have appended a number of detailed comments which IMO need to be
>     > addressed in any case, but even if they were resolved, that would not
>     > address my primary concern.
>     >
>     >
>     > COMMENTS
>     > S 2.1.
>     > >   2.1.  Use of Transport Header Information in the Network
>     > >
>     > >      In-network measurement of transport flow characteristics can
> be used
>     > >      to enhance performance, and control cost and service
> reliability.
>     > >      Some operators have deployed functionality in middleboxes to
> both
>     > >      support network operations and enhance performance.  This
> reliance on
>     >
>     > This seems like a contested point. My understanding is that while
>     > these middleboxes are *intended* to enhance performance that there is
>     > doubt that they actually do.
>     >
>     >
>     > S 2.1.
>     > >      to enhance performance, and control cost and service
> reliability.
>     > >      Some operators have deployed functionality in middleboxes to
> both
>     > >      support network operations and enhance performance.  This
> reliance on
>     > >      the presence and semantics of specific header information
> leads to
>     > >      ossification, where an endpoint could be required to supply a
>     > >      specific header to receive the network service that it
> desires.  In
>     >
>     > Well, not just the network service it desires but *any* service.
>     >
>     >
>     > S 2.1.
>     > >      specific header to receive the network service that it
> desires.  In
>     > >      some cases, this could be benign or advantageous to the
> protocol
>     > >      (e.g., recognising the start of a connection, or explicitly
> exposing
>     > >      protocol information can be expected to provide more
> consistent
>     > >      decisions by on-path devices than the use of diverse methods
> to infer
>     > >      semantics from other flow properties).  In other cases, the
>     >
>     > Is there evidence of this?
>     >
>     >
>     > S 2.1.
>     > >
>     > >      As an example of ossification, consider the experience of
> developing
>     > >      Transport Layer Security (TLS) 1.3 [RFC8446].  This required
> a design
>     > >      that recognised that deployed middleboxes relied on the
> presence of
>     > >      certain header filed exposed in TLS 1.2, and failed if those
> headers
>     > >      were changed.  Other examples of the impact of ossification
> can be
>     >
>     > I think you mean "fields" and it wasn't headers so much as handshake
>     > data.
>     >
>     >
>     > S 2.2.
>     > >      This supports use of this information by on-path devices, but
> at the
>     > >      same time can be expected to lead to ossification of the
> transport
>     > >      header, because network forwarding could evolve to depend on
> the
>     > >      presence and/or value of these fields.  To avoid unwanted
> inspection,
>     > >      a protocol could intentionally vary the format or value of
> exposed
>     > >      header fields [I-D.ietf-tls-grease].
>     >
>     > It's not just a matter of unwanted inspection. There's a real
> question
>     > about whether we want these on-path devices to have this information
>     > at all, as it is potentially used for surveillance, traffic
>     > analysis, etc.
>     >
>     >
>     >
>     > S 2..2.
>     > >
>     > >      While encryption can hide transport header information, it
> does not
>     > >      prevent ossification of the network service.  People seeking
> to
>     > >      understand network traffic could come to rely on pattern
> inferences
>     > >      and other heuristics as the basis for network decision and to
> derive
>     > >      measurement data.  This can create new dependencies on the
> transport
>     >
>     > This also seems quite contested. Do you have any evidence of such a
>     > thing happening?
>     >
>     >
>     > S 2.3.
>     > >         anomalies, and failure pathologies at any point along the
> Internet
>     > >         path.  In many cases, it is important to relate
> observations to
>     > >         specific equipment/configurations or network segments.
>     > >
>     > >         Concealing transport header information makes performance/
>     > >         behaviour unavailable to passive observers along the path,
>     >
>     > While also making traffic analysis more difficult.
>     >
>     >
>     > S 2.3.
>     > >         applications it is important to relate observations to
> specific
>     > >         equipment/configurations or particular network segments.
>     > >
>     > >         Concealing transport header information can make analysis
> harder
>     > >         or impossible.  This could impact the ability for an
> operator to
>     > >         anticipate the need for network upgrades and roll-out.  It
> can
>     >
>     > Or to reduce the opportunities for traffic discrimination.
>     >
>     >
>     > S 2.3.
>     > >
>     > >      Different parties will view the relative importance of these
> issues
>     > >      differently.  For some, the benefits of encrypting some, or
> all, of
>     > >      the transport headers may outweigh the impact of doing so;
> others
>     > >      might make a different trade-off.  The purpose of
> highlighting the
>     > >      trade-offs is to make such analysis possible.
>     >
>     > This whole section seems to really just ignore the fact that many of
>     > these practices are unwanted.
>     >
>     >
>     > S 3.1.
>     > >      Firewalls).  Common issues concerning IP address sharing are
>     > >      described in [RFC6269].
>     > >
>     > >   3.1.  Observing Transport Information in the Network
>     > >
>     > >      If in-network observation of transport protocol headers is
> needed,
>     >
>     > Why is this needed? I know some people might want it.
>     >
>     >
>     > S 3.1.1.
>     > >   3.1.1.  Flow Identification Using Transport Layer Headers
>     > >
>     > >      Flow identification is a common function.  For example,
> performed by
>     > >      measurement activities, QoS classification, firewalls, Denial
> of
>     > >      Service, DOS, prevention.  This becomes more complex and less
> easily
>     > >      achieved when multiplexing is used at or above the transport
> layer.
>     >
>     > Also traffic discrimination and blocking.
>     >
>     >
>     > S 3.1.1.
>     > >      use heuristics to infer that short UDP packets with regular
> spacing
>     > >      carry audio traffic.  Operational practices aimed at inferring
>     > >      transport parameters are out of scope for this document, and
> are only
>     > >      mentioned here to recognize that encryption does not prevent
>     > >      operators from attempting to apply practices that were used
> with
>     > >      unencrypted transport headers.
>     >
>     > This has a really threatening tone. If you don't give us what we
> want,
>     > look what could happen.
>     >
>     >
>     > S 3.1.2.
>     > >
>     > >      This information can support network operations, inform
> capacity
>     > >      planning, and assist in determining the need for equipment
> and/or
>     > >      configuration changes by network operators.  It can also
> inform
>     > >      Internet engineering activities by informing the development
> of new
>     > >      protocols, methodologies, and procedures.
>     >
>     > What is the point of this exhaustive list?
>     >
>     >
>     > S 3.1.3.
>     > >
>     > >         AQM and ECN offer a range of algorithms and configuration
> options.
>     > >         Tools therefore need to be available to network operators
> and
>     > >         researchers to understand the implication of configuration
> choices
>     > >         and transport behaviour as the use of ECN increases and new
>     > >         methods emerge [RFC7567].
>     >
>     > QUIC sort of hides ECN feedback but not ECN marking.
>     >
>     >
>     > S 3.2.4.
>     > >
>     > >         A network operator needs tools to understand if datagram
> flows
>     > >         (e.g., using UDP) comply with congestion control
> expectations and
>     > >         therefore whether there is a need to deploy methods such
> as rate-
>     > >         limiters, transport circuit breakers, or other methods to
> enforce
>     > >         acceptable usage for the offered service.
>     >
>     > Does it *need* it or does it just want it. Note that we have had
> DTLS-
>     > SCTP with WebRTC without this property for some time now. Can you
> provide
>     > some evidence that operators have been inconvenienced by not having
> it.
>     >
>     >
>     > S 3.3.
>     > >      operators bring together heterogeneous types of network
> equipment and
>     > >      seek to deploy opportunistic methods to access radio spectrum.
>     > >
>     > >      A flow that conceals its transport header information could
> imply
>     > >      "don't touch" to some operators.  This could limit a
> trouble-shooting
>     > >      response to "can't help, no trouble found".
>     >
>     > We have quite a bit of QUIC traffic now. I'd be interested in hearing
>     > from the gQUIC team whether they have seen anything like this.
>     >
>     >
>     > S 4.
>     > >
>     > >      There are several motivations for encryption:
>     > >
>     > >      o  One motive to use encryption is a response to perceptions
> that the
>     > >         network has become ossified by over-reliance on
> middleboxes that
>     > >         prevent new protocols and mechanisms from being deployed.
> This
>     >
>     > This isn't just a perception, it's a demonstrable reality.
>     >
>     >
>     > S 4.
>     > >
>     > >      o  One motive to use encryption is a response to perceptions
> that the
>     > >         network has become ossified by over-reliance on
> middleboxes that
>     > >         prevent new protocols and mechanisms from being deployed.
> This
>     > >         has lead to a perception that there is too much
> "manipulation" of
>     > >         protocol headers within the network, and that designing to
> deploy
>     >
>     > Not just manipulation, also inspection.
>     >
>     >
>     > S 4.
>     > >
>     > >         One example of encryption at the network layer is the use
> of IPsec
>     > >         Encapsulating Security Payload (ESP) [RFC4303] in tunnel
> mode.
>     > >         This encrypts and authenticates all transport headers,
> preventing
>     > >         visibility of the transport headers by in-network
> devices.  Some
>     > >         VPN methods also encrypt these headers.
>     >
>     > This seems like a bad example as part of the point of a VPN is to
>     > conceal the headers form the network.
>     >
>     >
>     > S 6.1.
>     > >
>     > >   6.1.  Independent Measurement
>     > >
>     > >      Independent observation by multiple actors is important if the
>     > >      transport community is to maintain an accurate understanding
> of the
>     > >      network.  Encrypting transport header encryption changes the
> ability
>     >
>     > This is ironic because QUIC is much better for endpoint measurement
>     > than TCP because the details are accessible at the application layer.
>     >
>     >
>     > S 8.
>     > >      example, an attacker could construct a DOS attack by sending
> packets
>     > >      with a sequence number that falls within the currently
> accepted range
>     > >      of sequence numbers at the receiving endpoint, this would then
>     > >      introduce additional work at the receiving endpoint, even
> though the
>     > >      data in the attacking packet may not finally be delivered by
> the
>     > >      transport layer.  This is sometimes known as a "shadowing
> attack".
>     >
>     > This doesn't seem to be an issue with protocols that authenticate
> the SN.
>     >
>     >
>     > S 8.
>     > >
>     > >      An attack can, for example, disrupt receiver processing,
> trigger loss
>     > >      and retransmission, or make a receiving endpoint perform
> unproductive
>     > >      decryption of packets that cannot be successfully decrypted
> (forcing
>     > >      a receiver to commit decryption resources, or to update and
> then
>     > >      restore protocol state).
>     >
>     > This is not a real issue for QUIC or similar protocols
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     >
>     > _______________________________________________
>     > saag mailing list
>     > saag@ietf.org
>     > https://www.ietf.org/mailman/listinfo/saag
>
>
>
>