IETF Logo Mail Archive

Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Tom Herbert <tom@herbertland.com> Wed, 16 October 2019 22:25 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F72A120052 for <tsvwg@ietfa.amsl.com>; Wed, 16 Oct 2019 15:25:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00Dc-frPzvDz for <tsvwg@ietfa.amsl.com>; Wed, 16 Oct 2019 15:24:58 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB9DA12004A for <tsvwg@ietf.org>; Wed, 16 Oct 2019 15:24:57 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id f20so53302edv.8 for <tsvwg@ietf.org>; Wed, 16 Oct 2019 15:24:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=FHq0pFvNdlkioPm9KJBgfi8MQhkqnA4x6k+lYO+X9VA=; b=Vy9F45zi1g2q3/AJQP3T63YELiwF8bBdrkuxE33YH/ydOObe4lfddOSm5WmJy3xkbQ YJJI/UtE8vRIrOvpL76oAaesm8GKsYGdG+zQcdDLpSq8f5s1MKWoLjvqY6I6fur1J72p 7V1Nxtwvp8UHL6ylXzhQ6l+aMRIrIKH/WLC8A9qVkwCWtn9XkH2NiWsKeB2BRlgaqe1M DPoXUCMc4ULCz4u6QUICsP/uYgR2OUlSFe+cBl7aVN6NSvATS+We/XE6by0EFNcUkrae jn/G+AjqkCkoxrDWJILFXBN7eK2vmxTKZrwFLxx8qAP5sfCm7eCUzS/+Oal4YRQaJvGk pftA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=FHq0pFvNdlkioPm9KJBgfi8MQhkqnA4x6k+lYO+X9VA=; b=Hw0CRgfiwVBEVrJRWZ+kQiverObRBS6OJ/+W05by91jTivsLN8oZutLQ+rZmBP+lY1 toDsELx1Fn4aK8eV04crwlZUjAI4MQls6UHnC8YABDSHhb999S4XNmMK6htt1OIbtSb7 XV/J/1+InzY70BySIazufPV1qOOSEQgU0h+IAIi4ApjzTjWm57FiNWGbZR9RsDB5Z6DC 9oZGOQVgxx6LXHbMZ6JdSYK1Mj52UAOV0vljMBadoniCd+9bzPNj32tihzQuFySRzStx MEaYT9U9xgMTRuZMmwymgTWEBQBMEYWqFQcSUqzkevI06ZVFFFcfT8ljlfQstS7gPBiB apmg==
X-Gm-Message-State: APjAAAU3Gq2V9eYLJ8asQQiIeFNKaArw1Nt90Fo4LtapRMq+QZRwmzTd HXS5cla8rXDIIxDJHs1dYXUlQgRBp9YSIgfh0mKc2A==
X-Google-Smtp-Source: APXvYqwyTeiT4faaQ8gcQf1s2bOArDSLtCq3nPZhB3kOlNo23Ehi5OYB7piC83tWrUe1wik4fBb82jnwOp4kIIgs8QE=
X-Received: by 2002:a17:906:2319:: with SMTP id l25mr579734eja.309.1571264696356; Wed, 16 Oct 2019 15:24:56 -0700 (PDT)
MIME-Version: 1.0
References: <CE03DB3D7B45C245BCA0D2432779493630766752@MX307CL04.corp.emc.com> <e8c30f3f-606f-0c0d-a7dd-b2bb6f31a9fd@huitema.net> <A2F184BB-E352-4AE6-B7A0-FDF6D8851DFB@strayalpha.com> <CALx6S36VYt+LVxWM_ZRos7VK6GArNbenpFD3yaPdqedvkoHpoQ@mail.gmail.com> <9c7df6fe717c43739454a91f8080cffa@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S361-wmgGWcTQHNsXnJEPkdCbvOhSCGwd5a9R0RQ_E=CCg@mail.gmail.com> <8543343a39a04d5baca64ce2a3085ac9@ustx2ex-dag1mb6.msg.corp.akamai.com>
In-Reply-To: <8543343a39a04d5baca64ce2a3085ac9@ustx2ex-dag1mb6.msg.corp.akamai.com>
From: Tom Herbert <tom@herbertland.com>
Date: Wed, 16 Oct 2019 15:24:45 -0700
Message-ID: <CALx6S36FonVeU25YJEq_7PaNrfvX4ABLFv5VLbb6QKE==G5Xfg@mail.gmail.com>
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Joe Touch <touch@strayalpha.com>, Christian Huitema <huitema@huitema.net>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/jr4HrleYYUZjT4smSHuDF4SQl14>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 22:25:01 -0000

On Wed, Oct 16, 2019 at 2:49 PM Lubashev, Igor <ilubashe@akamai.com> wrote:
>
> > On Tue, Oct 15, 2019 at 7:22 PM From: Tom Herbert <tom@herbertland.com> wrote:
> >
> > On Tue, Oct 15, 2019 at 2:32 PM Lubashev, Igor <ilubashe@akamai.com>
> > wrote:
> > >
> > > > On Sat, Oct 12, 2019 at 12:02 PM Tom Herbert <tom@herbertland.com>
> > wrote:
> > > >
> > > > I do believe that there will be valid use cases for hosts to signal
> > > > the network for services. There is a least one robust, explicit, and
> > > > transport agnostic method to allow hosts to signal the network with
> > > > transport related information and even application layer
> > > > information-- that's Hop-by-Hop Options extension header. A critical
> > > > difference with parsing transport layers, is that the end host is in
> > > > control of what information is exposed in HBH options. As I've said
> > > > several times, I believe this draft is missing on the opportunity to
> > > > propose this as the "solution" to middleboxes losing visibility because of
> > encryption.
> > >
> > > +1
> > > An explicit signal-to-network, such as IPv6 HBH option, is architecturally far
> > superior to a hotch-podge of protocol-specific signals.  I think it would be
> > great for this draft to encourage design and standardization of such explicit
> > signal.
> > >
> > > We know too well, unfortunately, that such signal, IPv6 HBH option, will
> > not work for most of Internet traffic today (IPv4 traffic and IPv6 traffic
> > flowing over links blocking IPv6 HBH option). The speed with which we can
> > deploy encrypted-header protocols (i.e. QIUC) and a reliable explicit-signal-
> > to-network HBH option differ greatly. What are we to do in the interim?
> > >
> > Hi Igor,
> >
> > The statement that IPv6 HBH will not work for most of the Internet traffic
> > today is a rather broad generalization. In a sense, we could also that IPv6
> > doesn't work for most of the Internet traffic. I will accept that there is not
> > ubiquitous support for HBH EH in all networks, but in the same way that IPv6
> > can be deployed before there's 100% support we need to be able to deploy
> > things like HBH options.
>
> I am NOT saying "don't define an IPv6 HBH EH that would solve this problem, because it would not work everywhere".  Quite the opposite -- we should do something like IPv6 HBH EH, because all traffic should be IPv6 w/ HBH EH working in the future.
>
> The argument is that we should _also_ do something, possibly temporary, to take care of the very significant portion of the network where IPv6 w/ HBH EH does not work today.  (I know that temporary things have a tendency to last forever, and it stinks, but we are talking about a very large portion of the traffic today.)
>
> <snip>
>
> > So to me the fundamental question is more about how do we deploy new
> > protocols or existing protocols that are hard to deploy because of
> > ossification. The answer lies in answering these two questions: 1) how do we
> > work around the existing brokenness 2) how do we motivate fixing the
> > brokenness.
> >
> > For the workaround, we can apply the philosophy of IPv6 "happy eyeballs"
> > which is essentially using probing or external information to determine if the
> > path to the destination supports a certain protocol (e.g. IPv6, HBH EH, UDP,
> > etc.).
>
> The "brokenness" this draft points to is the lack of network signals.  IPv6 HBH workaround is good, but it would not help for the majority of connections today.  So the workaround is incomplete.
>
> <snip>
>
> > For motivation, this seems to be a matter of demonstrating incentive for
> > middlebox vendors to fix their solutions. Network signaling should be a good
> > incentive.
>
> Yes, complete agreement here. A useful signal that cannot be received by a device is a good incentive for the operators to fix the device or to buy a different one. But while filtering IPv6 HBH EH is up to the operators, the use of IPv4 instead of IPv6 on a dual-protocol network is out of operators' control, so operator incentives are not a complete solution, unfortunately.
>

That's why we're looking at HBH options for IPv4 also
(draft-herbert-ipv4-hbh-destopt-00).

Tom

> > Tom
>
> - Igor

v2.23.0 | Report a Bug | By Email