[tsvwg] draft-ietf-tsvwg-transport-encrypt-13.txt - concern summaries

"Black, David" <David.Black@dell.com> Mon, 23 March 2020 13:12 UTC

From: "Black, David" <David.Black@dell.com>
To: David Schinazi <dschinazi.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>
CC: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg IETF list <tsvwg@ietf.org>, "Black, David" <David.Black@dell.com>
Thread-Topic: draft-ietf-tsvwg-transport-encrypt-13.txt - concern summaries
Date: Mon, 23 Mar 2020 13:12:08 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/HQp4DYEokMDARpQDYTam3wM-vvY>
Subject: [tsvwg] draft-ietf-tsvwg-transport-encrypt-13.txt - concern summaries

David (S) and Ekr,

The prompt reviews are appreciated, thank you.  I first want to make sure that there’s a clear understanding of the concerns.

Looking at the email that David Schinazi referenced, this appears to be a good summary of his concerns:

As such, I'm now more confused than I was before reading the draft, as it doesn't help me answer the question of "when designing a new transport protocol, should I be encrypting my transport headers or not?".

I personally oppose publication of the document as it stands, because I find it confusing and non-actionable. I would like to see this useful content in a BCP document once we have enough information to actually recommend something.

I’m having more difficulty in finding a good summary of Ekr’s concerns.   Going back to his comments on the -08 version during the first WGLC, I found this:

Having an IETF Consensus RFC that is so heavily weighted on the side of "this is how encryption inconveniences us" and so light on "these are the attacks we are preventing" gives a misleading picture of the IETF community's view of the relative priority of these concerns.  ISTM that RFC 8558 -- though perhaps imperfect -- far more closely reflects that consensus.

So, are those reasonable summaries of each of your concerns?  If not, please revise and send to the list, making an effort to avoid significant extensions (so that the results are still summaries).

Thanks, --David (as draft shepherd)

From: tsvwg <tsvwg-bounces@ietf.org> On Behalf Of David Schinazi
Sent: Sunday, March 22, 2020 7:56 PM
To: Eric Rescorla
Cc: Gorry Fairhurst; tsvwg IETF list
Subject: Re: [tsvwg] Rev 13 of : draft-ietf-tsvwg-transport-encrypt-13.txt


I went through the diff from -12 and -13 and didn't see that addressing my concerns [1].

I still personally oppose publication of the document as-is.

[1] https://mailarchive.ietf.org/arch/msg/tsvwg/nnSr8_nrw7YepWFWA7tLc1k3Nv0/

Thanks,
David

On Sat, Mar 21, 2020 at 6:40 AM Eric Rescorla <ekr@rtfm.com> wrote:
I do not believe that this version of the document addresses my concerns. The overall tonal issues remain unchanged.

-Ekr


On Sat, Mar 21, 2020 at 5:18 AM Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
Thanks to all who provided comments on and off list, this document was improved by understanding the feedback. We worked with the document shepherd (David) to address the issues, and expect this revision is now in good shape to proceed.

Gorry (as Co-Editor)

Sent from my iPad

> On 21 Mar 2020, at 10:07, internet-drafts@ietf.org wrote:
>
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Transport Area Working Group WG of the IETF.
>
>        Title           : Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols
>        Authors         : Godred Fairhurst
>                          Colin Perkins
>        Filename        : draft-ietf-tsvwg-transport-encrypt-13.txt
>        Pages           : 50
>        Date            : 2020-03-21
>
> Abstract:
>   To protect user data and privacy, Internet transport protocols have
>   supported payload encryption and authentication for some time.  Such
>   encryption and authentication is now also starting to be applied to
>   the transport protocol headers.  This helps avoid transport protocol
>   ossification by middleboxes, while also protecting metadata about the
>   communication.  Current operational practice in some networks inspects
>   transport header information within the network, but this is no
>   longer possible when those transport headers are encrypted...  This
>   document discusses the possible impact when network traffic uses a
>   protocol with an encrypted transport header.  It suggests issues to
>   consider when designing new transport protocols or features.  These
>   considerations arise from concerns such as network operations,
>   prevention of network ossification, enabling transport protocol
>   evolution and respect for user privacy.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-transport-encrypt/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-tsvwg-transport-encrypt-13
> https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-transport-encrypt-13
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-tsvwg-transport-encrypt-13
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>