Re: [tsvwg] Comments on draft-ietf-tsvwg-transport-encrypt-14

Tom Herbert <tom@herbertland.com> Tue, 07 April 2020 18:11 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1183A0BDF for <tsvwg@ietfa.amsl.com>; Tue, 7 Apr 2020 11:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kGOI-et0p7c6 for <tsvwg@ietfa.amsl.com>; Tue, 7 Apr 2020 11:11:46 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B2823A0BC6 for <tsvwg@ietf.org>; Tue, 7 Apr 2020 11:11:45 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id i16so5201101edy.11 for <tsvwg@ietf.org>; Tue, 07 Apr 2020 11:11:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=A8DSccbsKNbbWQ+7x+g2wojFnMp4WpsKogHaRf2iAXw=; b=jmQeGGTGiV7hPj4YqQ09HF+Cu6l0gp2TZvFABm79LQJqfePF/RBR7XXA2mIQ5yGkFh iacDOJaTSWBmcBHlkhgZRW3tQNCSvwE3fBexyhGJfjw9y0zh7FAW/xwZRyKo/9QQXUjS eLp+GhkJAuznXKfQZkfdogFn+1DinOllmrYWB/r5nPUBlEW6CWadL8vB9TlJIr5tB7Rt nhVD/qMG5nmmVdCkb+yRBCDuBjopjej46g3eFwUlJUxLMhRnuDvzNy1I6TZ4/6PNKeQp dAHs1/IWgmzQlr4Ft8g0CvfVG01RT5Ju91O3wFbfgq/HDhJGAi4Pgh7UCbU/auL4rEjP RuPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=A8DSccbsKNbbWQ+7x+g2wojFnMp4WpsKogHaRf2iAXw=; b=dO3557xVRajPPS8BnXhqPoI+fwJAIG6SELJhZigUvjxaq/cWObHDp12bVESYbV4epJ z0U2XJS63gNAFuPIQzdfiSMQ53KUUN4tRk4VtM5lBBLvohNeJxDkQzEWjYvluoUfOV1x CrfKFCj6lrwY0cVah6gBz2kffr8zxC6ZeFzw30CEIWOQSxigFEtRT1ptG9ELkNUP4Yov eZERUgHUY5FqVLlvJ7Dx67PuX4+00SvgmqXt/Y6vo7WmCF6Ov45cTP/ACTfmBgruOXWL XFnOLVHSHd0znwAJd0NDY84xixcFPcziK0qICG74VeBCB77B78/vpP58DzjY7dkOVtcI 7k+Q==
X-Gm-Message-State: AGi0Pua7LzSMMmydRc6+n8BDmx4e8JZFEeE7opGHFZs1JameIW2G0oWc tvvu7iSrrKQst56A+1Kg9Stq9OtmoYB08/NnAPoZ3Qdm
X-Google-Smtp-Source: APiQypI4YL6xoME2odOsik9rKOsEJ/PKJ8oYfuCFYClMEAa1mAiRsJXMl/xDcDr+oSfqc9HQ9V8idvanDNMir8SVKGM=
X-Received: by 2002:a17:906:7383:: with SMTP id f3mr3130835ejl.197.1586283104173; Tue, 07 Apr 2020 11:11:44 -0700 (PDT)
MIME-Version: 1.0
References: <CALx6S345Ta5LjSkZ+XmNmH8dxKnM++VRCej2iGxfdUqDc+M-Jw@mail.gmail.com> <MN2PR19MB4045652C80DB5348A5A3505F83C70@MN2PR19MB4045.namprd19.prod.outlook.com> <CALx6S36yzDTLaxUhWibZjmK5Cxu2zfzxiawFRCbVn9aPF4rs1A@mail.gmail.com> <MN2PR19MB4045E873D0908044343F8C2283C40@MN2PR19MB4045.namprd19.prod.outlook.com> <42914e6a-5602-7911-7447-e400d36eb0e6@erg.abdn.ac.uk> <MN2PR19MB404585DB4796DD1EF29FDF0C83C50@MN2PR19MB4045.namprd19.prod.outlook.com> <6CC67993-37FF-4B02-A45A-4F30E9D6686C@strayalpha.com> <fc94ff59-4972-3960-7c25-85f8953463f9@erg.abdn.ac.uk> <62B8E2A9-2347-44E2-8B14-DD3CD81937AB@strayalpha.com> <737cf948-065b-0702-ca15-6cc216d73bc9@erg.abdn.ac.uk> <10E067D5-0C17-400B-BA7F-3CB49C2C94B6@strayalpha.com> <CALx6S36_HGekVYSBTiP-=uDigk+nzf2Yw2AtqopPrK5Y1gozgQ@mail.gmail.com> <2856BD08-BFCD-476D-AD1E-FE1EA94C92C7@strayalpha.com> <CALx6S34vazUp+ttxqqJ2S6U_uN8oRNt-MATdGgKvbLRFz=BLsA@mail.gmail.com> <7CC3D01B-8E86-4898-BED4-A93149D13666@strayalpha.com> <MN2PR19MB404509A876B1A187755202AD83C30@MN2PR19MB4045.namprd19.prod.outlook.com>
In-Reply-To: <MN2PR19MB404509A876B1A187755202AD83C30@MN2PR19MB4045.namprd19.prod.outlook.com>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 7 Apr 2020 11:11:33 -0700
Message-ID: <CALx6S34B9+0OgSJnqazqK5K1BWAA-oXHPCn8C0PkQwa0O0RJng@mail.gmail.com>
To: "Black, David" <David.Black@dell.com>
Cc: Joseph Touch <touch@strayalpha.com>, Gorry Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/vw-V8ruAf_J4dqSDerodM2VsycQ>
Subject: Re: [tsvwg] Comments on draft-ietf-tsvwg-transport-encrypt-14
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 18:11:49 -0000

On Tue, Apr 7, 2020 at 9:20 AM Black, David <David.Black@dell.com> wrote:
>
> >> Also, a corollary should be the hard requirement:
>
> >> "Intermediate nodes MUST NOT ever modify transport payload”.
>
>
>
> > As a general principle, yes - agreed. There’s always the caveat that it’s always OK
>
> > *with the consent of the endpoints*, e.g., if an enterprise wants to set up the
>
> > network that way for their users. But in the arbitrary “middle” of the network, it
>
> > *should* IMO always be MUST NOT.
>
>
>
> As a general requirement, that’s fine, but it should be stated somewhere other than in this draft, e.g., as this draft is intended to become an Informational RFC.
>
David,

Changing transport layer header, e.g. for traffic flow optimization
such as those devices doing receive window modulation, might also be
another use of transport header information that could be included in
section 2.1. Currently, the draft only seems to consider uses based on
passive observation of transport headers.

Tom

>
>
> Thanks, --David (as draft shepherd)
>
>
>
> From: tsvwg <tsvwg-bounces@ietf.org> On Behalf Of Joseph Touch
> Sent: Tuesday, April 7, 2020 11:43 AM
> To: Tom Herbert
> Cc: Gorry Fairhurst; tsvwg
> Subject: Re: [tsvwg] Comments on draft-ietf-tsvwg-transport-encrypt-14
>
>
>
> [EXTERNAL EMAIL]
>
>
>
>
>
> On Apr 7, 2020, at 8:34 AM, Tom Herbert <tom@herbertland.com> wrote:
>
>
>
> On Tue, Apr 7, 2020 at 8:12 AM Joseph Touch <touch@strayalpha.com> wrote:
>
>
> Hi, Tom,
>
>
> On Apr 7, 2020, at 7:40 AM, Tom Herbert <tom@herbertland.com> wrote:
>
> On Mon, Apr 6, 2020 at 6:42 PM Joseph Touch <touch@strayalpha.com> wrote:
>
>
> Hi, Gorry,
>
> I’d suggest as follows (just to follow through on the changes):
>
>
> In some uses, an assigned transport port (e.g., 0..49151) can identify the protocol [RFC7605]. However, port information alone is not sufficient to guarantee identification. Applications can use arbitrary ports and do not need to use assigned port numbers. The use of an assigned port number is also not limited to the protocol for which the port is intended.
>
>
> Joe,
>
> RFC7605 acknowledges that port numbers are used to identify the
> application protocol, but clearly doesn't condone the practice. I
> suggest the text should just paraphrase RFC7605:’
>
>
> I don’t quite understand the above, esp. the use of “condone”. Port numbers are assigned *exactly* for endpoints to identify application protocols *in the absence of any other more explicit coordination* (the draft doesn’t say it so directly, but that’s the summary).
>
> Joe,
>
> I meant by using port numbers at intermediate nodes for identifying
> application protocols.
>
>
>
> Oh, sorry. I didn’t get that from the text, but agreed.
>
>
>
> For example, QUIC is assigned UDP port number
> 80 and the spinbit was created to be visible and processed by
> intermediate nodes. The only generic way intermediate nodes can
> identify QUIC is by matching the assigned UDP port number. RFC7605
> says that such matching may not be correct, so consideration needs to
> be taken what happens if things are misinterpreted (IIRC, processing
> of spinbit for a packet misinterpreted as being QUIC is considered
> innocuous).
>
>
>
> Agreed.
>
>
>
> Also, a corollary should be the hard requirement: "Intermediate nodes
> MUST NOT ever modify transport payload”.
>
>
>
> As a general principle, yes - agreed. There’s always the caveat that it’s always OK *with the consent of the endpoints*, e.g., if an enterprise wants to set up the network that way for their users. But in the arbitrary “middle” of the network, it *should* IMO always be MUST NOT.
>
>
>
> I don't believe this draft
> mentions the fact that some intermediate nodes modify unencrypted
> transport layer headers in flight, but this does happen. For instance,
> there are devices that will modify the TCP receive window to optimize
> traffic flow (I believe there are some routers for satellite links
> that do this).
>
>
>
> Yes, and they then complain that mechanisms like IPsec “interfere” with that “feature”. Some of what they do might be relatively innocuous, but some - esp. forging ACKs to reduce endpoint-perceived RTT - runs a significant risk of undermining TCP semantics of reliable delivery.
>
>
>
> If this technique were applied to QUIC where the
> network modified some "exposed" fields in the QUIC header then this
> would risk systematic data corruption for UDP packets misinterpreted
> as QUIC (putting the transport layer in a modifiable HBH option would
> not have this problem).
>
> Tom
>
>
>
> That said, I was OK with the resolved text I had suggested, with or without the text below - which is also fine.
>
> Joe
>
>
>
> "Port numbers are sometimes used by intermediate devices on a network
> path to interpret transport protocol payload, however any
> interpretation of port numbers -- except at the endpoints -- may be
> incorrect, because port numbers are
> meaningful only at the endpoints [RFC7605]."
>
> Tom
>
>
>
>
> Joe
>
>