IETF Logo Mail Archive

Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Tom Herbert <tom@herbertland.com> Mon, 21 October 2019 14:31 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D7A120870 for <tsvwg@ietfa.amsl.com>; Mon, 21 Oct 2019 07:31:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sc2wbqqcqHS6 for <tsvwg@ietfa.amsl.com>; Mon, 21 Oct 2019 07:31:37 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF13D120857 for <tsvwg@ietf.org>; Mon, 21 Oct 2019 07:31:36 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id l21so10179652edr.5 for <tsvwg@ietf.org>; Mon, 21 Oct 2019 07:31:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uJ98eBp2qNVMvtwc5jxWXbm47aX4ZnIfvHcmQgzL4ZE=; b=JNNroOcYhYN3BzWLLDaizK4uXPqlDlncQgVgvJFAyZW2awwJNxongUysZt90yQO4Xl xSb5iIQ79oqb/rWyacML8Q7PcSqyvPUcavbf/Sn3My3O5kgrEXBEZ4odNPJ2MruCTiUm m4myF50uRO5bgWJQTKqnW2F7jX4lLGYqtBn4RwgGxfofhxyNlcJJ+yPbDpAZ4XS/H0Mn RD2XoqYhctZpFPlSxNHSfN6MhfEpkdAs6OVTU2AgxA8TSXvP8GfXa5MimIy3/WjZel23 PmconBPSUDbywmNiUybCu9/HlyZMPuApNDFceFO2wqZgVytTF6XekCzd3TJJFAafQ82W 3S/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uJ98eBp2qNVMvtwc5jxWXbm47aX4ZnIfvHcmQgzL4ZE=; b=CqtuG2hW3Ijtwqx0MmEMSikn5LdvwlCHbHAx+RIPgQM308WqFDDcvTpgILybzvgQxx 70ntabNUg8FcXoyq82TZbVLLKHQrFtDavl58QQPKUCohb/qbXAEMeCh36gkRd+HbUoVm mM8i02gCvXXD3TTUD9sidF5+chUnTVaSs3XGsMjPkfHEyFttnavW9QAkn0PRW3gpXr4x sN1UM+fMfGjEZT7re2xF1JGXdqCWONWJ+bIzHLNRyaPcQdjh/p8YLdz9BmjQj1ujXUJJ D+825YAt4Zffo/cZO77Z8j4mxzRsVWYL7b/8S8q0X+kWBzoWsXKVgGGYh48+uiuwrV/f HsWA==
X-Gm-Message-State: APjAAAXNiIE2SjaRv5jZbQFSdbt5NPa+5titilwuyqXyfM2tsHUmSph7 q8uEi5K86DSBZwxkLPfXst8TFp6tAcIwWNlMJpK31uVa
X-Google-Smtp-Source: APXvYqxayQyv7OMYkwrT7kZhEr+XWJag3JODbZFzXcRNfDl948dXOUlhIEFDjkTEn5IMXacMArRb/93xkG1+Pg9xbGo=
X-Received: by 2002:a17:906:418:: with SMTP id d24mr22495583eja.305.1571668294972; Mon, 21 Oct 2019 07:31:34 -0700 (PDT)
MIME-Version: 1.0
References: <CE03DB3D7B45C245BCA0D2432779493630766752@MX307CL04.corp.emc.com> <e8c30f3f-606f-0c0d-a7dd-b2bb6f31a9fd@huitema.net> <A2F184BB-E352-4AE6-B7A0-FDF6D8851DFB@strayalpha.com> <CALx6S36VYt+LVxWM_ZRos7VK6GArNbenpFD3yaPdqedvkoHpoQ@mail.gmail.com> <9c7df6fe717c43739454a91f8080cffa@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S361-wmgGWcTQHNsXnJEPkdCbvOhSCGwd5a9R0RQ_E=CCg@mail.gmail.com> <8543343a39a04d5baca64ce2a3085ac9@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S36FonVeU25YJEq_7PaNrfvX4ABLFv5VLbb6QKE==G5Xfg@mail.gmail.com> <00cf55e3462e44be8bcb908c453c3eef@ustx2ex-dag1mb5.msg.corp.akamai.com>
In-Reply-To: <00cf55e3462e44be8bcb908c453c3eef@ustx2ex-dag1mb5.msg.corp.akamai.com>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 21 Oct 2019 07:31:21 -0700
Message-ID: <CALx6S34aQOUwqd5a2EJK10noUwW4qJQaEfsL4i-2VFpUU5=ytA@mail.gmail.com>
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Joe Touch <touch@strayalpha.com>, Christian Huitema <huitema@huitema.net>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d4b6805956c8aa6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/l7Xv16EaT61TsPt-Hz9ZXB-XB3g>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 14:31:41 -0000

On Sun, Oct 20, 2019, 9:04 PM Lubashev, Igor <ilubashe@akamai.com> wrote:

> > On Wed, Oct 16, 2019 at 6:25 PM Tom Herbert <tom@herbertland.com> wrote:
> >
> > On Wed, Oct 16, 2019 at 2:49 PM Lubashev, Igor <ilubashe@akamai.com>
> > wrote:
> > >
> > > > On Tue, Oct 15, 2019 at 7:22 PM From: Tom Herbert
> > <tom@herbertland.com> wrote:
> > > >
> > > > On Tue, Oct 15, 2019 at 2:32 PM Lubashev, Igor <ilubashe@akamai.com>
> > > > wrote:
> > > > >
> > > > > > On Sat, Oct 12, 2019 at 12:02 PM Tom Herbert
> > > > > > <tom@herbertland.com>
> > > > wrote:
> > > > > >
> > > > > > I do believe that there will be valid use cases for hosts to
> > > > > > signal the network for services. There is a least one robust,
> > > > > > explicit, and transport agnostic method to allow hosts to signal
> > > > > > the network with transport related information and even
> > > > > > application layer
> > > > > > information-- that's Hop-by-Hop Options extension header. A
> > > > > > critical difference with parsing transport layers, is that the
> > > > > > end host is in control of what information is exposed in HBH
> > > > > > options. As I've said several times, I believe this draft is
> > > > > > missing on the opportunity to propose this as the "solution" to
> > > > > > middleboxes losing visibility because of
> > > > encryption.
> > > > >
> > > > > +1
> > > > > An explicit signal-to-network, such as IPv6 HBH option, is
> > > > > architecturally far
> > > > superior to a hotch-podge of protocol-specific signals.  I think it
> > > > would be great for this draft to encourage design and
> > > > standardization of such explicit signal.
> > > > >
> > > > > We know too well, unfortunately, that such signal, IPv6 HBH
> > > > > option, will
> > > > not work for most of Internet traffic today (IPv4 traffic and IPv6
> > > > traffic flowing over links blocking IPv6 HBH option). The speed with
> > > > which we can deploy encrypted-header protocols (i.e. QIUC) and a
> > > > reliable explicit-signal- to-network HBH option differ greatly. What
> are we
> > to do in the interim?
> > > > >
> > > > Hi Igor,
> > > >
> > > > The statement that IPv6 HBH will not work for most of the Internet
> > > > traffic today is a rather broad generalization. In a sense, we could
> > > > also that IPv6 doesn't work for most of the Internet traffic. I will
> > > > accept that there is not ubiquitous support for HBH EH in all
> > > > networks, but in the same way that IPv6 can be deployed before
> > > > there's 100% support we need to be able to deploy things like HBH
> > options.
> > >
> > > I am NOT saying "don't define an IPv6 HBH EH that would solve this
> > problem, because it would not work everywhere".  Quite the opposite -- we
> > should do something like IPv6 HBH EH, because all traffic should be IPv6
> w/
> > HBH EH working in the future.
> > >
> > > The argument is that we should _also_ do something, possibly
> > > temporary, to take care of the very significant portion of the network
> > > where IPv6 w/ HBH EH does not work today.  (I know that temporary
> > > things have a tendency to last forever, and it stinks, but we are
> > > talking about a very large portion of the traffic today.)
> > >
> > > <snip>
> > >
> > > > So to me the fundamental question is more about how do we deploy new
> > > > protocols or existing protocols that are hard to deploy because of
> > > > ossification. The answer lies in answering these two questions: 1)
> > > > how do we work around the existing brokenness 2) how do we motivate
> > > > fixing the brokenness.
> > > >
> > > > For the workaround, we can apply the philosophy of IPv6 "happy
> > eyeballs"
> > > > which is essentially using probing or external information to
> > > > determine if the path to the destination supports a certain protocol
> > > > (e.g. IPv6, HBH EH, UDP, etc.).
> > >
> > > The "brokenness" this draft points to is the lack of network signals.
> IPv6
> > HBH workaround is good, but it would not help for the majority of
> > connections today.  So the workaround is incomplete.
> > >
> > > <snip>
> > >
> > > > For motivation, this seems to be a matter of demonstrating incentive
> > > > for middlebox vendors to fix their solutions. Network signaling
> > > > should be a good incentive.
> > >
> > > Yes, complete agreement here. A useful signal that cannot be received
> by a
> > device is a good incentive for the operators to fix the device or to buy
> a
> > different one. But while filtering IPv6 HBH EH is up to the operators,
> the use
> > of IPv4 instead of IPv6 on a dual-protocol network is out of operators'
> > control, so operator incentives are not a complete solution,
> unfortunately.
> > >
> >
> > That's why we're looking at HBH options for IPv4 also
> (draft-herbert-ipv4-
> > hbh-destopt-00).
>
> The concern expressed here is the encryption of usable signals and the
> lack of alternatives deployed within the same timeframe.  The language in
> draft-herbert-ipv4-hbh-destopt-00 states that "it is unlikely that packets
> with IPv4 Hop-by-Hop Options or Destination Options extension headers can
> be ubiquitously deployed over the Internet".
>

Igor,

>
That misses the point of the statement. There are many protocols that don't
have ubiquitous support over the Internet-- EH, IP fragmentation, any
transport protocol other than TCP and sometimes UDP, and even IPv6. If
"ubiquitous support" is required for deployment then we can never deploy
new protocols or any protocol that is atypical to intermediate devices. So,
unless we're planning on never doing anything new on the Internet, we need
to address this.


> The goal of any "for the network" signal is improved QoS.  Hence, if there
> is a non-trivial chance that inclusion of such signal will actually degrade
> QoS (by causing packets with the signal to be dropped), no sender will
> include such signals (and "happy eyeballs" style code is too complex and
> risky for the benefit).
>
> As architecturally "ugly" as it sounds, I can only see the QUIC header and
> the most significant TTL bits as viable alternatives to be deployable
> widely on the Internet for IPv4.  For IPv6, even HBH and Dest Options are
> still too "risky" for packets, but that is likely to be improving.
>

You forgot to mention efforts to encode information in IP addresses,
overload bits in the flow label, or other DPI parsing of UDP payload (like
tunnels over UDP), and other creative ways to "find" bits that can be
repuposed. There're all hacks! IP is designed to be an extensible protocol
without the need for these. Pursuing such hacks, instead of using the
defined mechanisms of extensibility, ostensibly solves some short term
problems, but in the long run perpetuates protocol ossification and stifles
evolution of the Internet.

Tom

>
> (Tom, are you interested in something like ConEx RFC 7837, except with HBH
> Options instead of Destination Options?)
>
> - Igor
>
> > Tom
>

v2.23.0 | Report a Bug | By Email