IETF Logo Mail Archive

Re: [tsvwg] [saag] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC

Tom Herbert <tom@herbertland.com> Thu, 11 February 2021 19:43 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E07BF3A18B3 for <tsvwg@ietfa.amsl.com>; Thu, 11 Feb 2021 11:43:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8EDw6gxZ3zA1 for <tsvwg@ietfa.amsl.com>; Thu, 11 Feb 2021 11:43:32 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B02A3A18B0 for <tsvwg@ietf.org>; Thu, 11 Feb 2021 11:43:32 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id df22so8233006edb.1 for <tsvwg@ietf.org>; Thu, 11 Feb 2021 11:43:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0jygqf0GD78AcMehZjtbZQJoMxcDzKe6UAGycWDfsV4=; b=rhR+I3A119NXhIL0H1Qkh9Jo33wFMjycmSS5fwUfxEYqgj8w4mLVJobLC6ZmbW65HZ /ZwciTG0r+pL3/J9slwPLjHC9a0KSg9FCJcSy6sI5Jd1H8BHwWUwLqA/camiYJ/CQYwW 02mEhiqrkEZRLk2DmFyYLeldaLMMNboMJt/NeuBnQTBYSNoiNsxKmAd4W93Jlio2/Zrj z58jFhuGa1zgfzPjXcJCZYSW5O4PQAn4c1VM+kBUkaVDufMbQ8cMWUdTw6d0tXgu/6zT LQEEUr42VhHgBKVgBs5enepoxSafd2+t4SD9TVuk6Ee9BlqapAwdam4OyHYcoDk34kO9 wg5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0jygqf0GD78AcMehZjtbZQJoMxcDzKe6UAGycWDfsV4=; b=JU1y+0nPpX740SmQaBt6rlkNTZLohv1AhGUGAcAQM7B0yURvt3gafPSxW5LaeyCNqq Aonb2a5AZ9oSJxCCTo55zJVn6rM7S05f6NaCSfg+4kULTenabJcG8Uz2puZEIZ4tzgx2 Epgjs1ARB9V2y/3NbNzkTS/gRLK88QeL/B0kKZh7TJXCKZrEF+YKpHgKZyI22rEgTfVJ 94lqVFrvXcJHTmfIy6aPoldrgFy6P4tc3w4N/oYSA1W2hFBpUn+c1LpS+2I4kgVqn0jG 84IwR6qj5oNDylOrZdtjkMYmjFJ3SgS1otco+rZrovfGQXEC/g0XZflBQE+ysEAvEh0j pdgg==
X-Gm-Message-State: AOAM5333wBI/JmooIZkHosyAue+uusbRYe6FvruILnVhWzWgZltvJPDe UsxdYZOLwcpi4i0PEg4eFxWXra3lxPk2bX/0RJTGDA==
X-Google-Smtp-Source: ABdhPJzz0r1/KipVW/Q5Atc/z6X+vDHk8cCZkSf+G9p4meI2pRDt+DXXRIlB0ol51zeYvDCLD6WmcjEzDJl1yxz90DI=
X-Received: by 2002:aa7:c418:: with SMTP id j24mr9982019edq.293.1613072610635; Thu, 11 Feb 2021 11:43:30 -0800 (PST)
MIME-Version: 1.0
References: <161257199785.16601.5458969087152796022@ietfa.amsl.com> <20210210062551.GI21@kduck.mit.edu> <f1a1aaef-5400-89ca-fe26-786686800036@gont.com.ar> <MN2PR19MB4045B25A78B3C0841CC8EAFE838D9@MN2PR19MB4045.namprd19.prod.outlook.com> <2fb9d724-7f8a-93cd-9045-eb3852345a9e@erg.abdn.ac.uk> <1416490d-6532-59ce-e09f-388db716af8f@si6networks.com> <CALx6S35_Rb_vUyDddaiJtt2iT2Gvev=bLs7Rip8TQ8yZppMLDQ@mail.gmail.com> <1005a57d-d24b-a71e-e977-2be84ad63695@si6networks.com> <CALx6S35U_Re0T5f9m4AbNyvv7Gk6s9UoN1wdo7_j_phSMm+2gg@mail.gmail.com> <1dcb48f6-f621-11f8-9e9a-067b65c44818@si6networks.com>
In-Reply-To: <1dcb48f6-f621-11f8-9e9a-067b65c44818@si6networks.com>
From: Tom Herbert <tom@herbertland.com>
Date: Thu, 11 Feb 2021 12:43:19 -0700
Message-ID: <CALx6S351GUy=FJAZ1h6YYfmvJv2yGVVDma26r=Fu56bgzwhFpQ@mail.gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, "Black, David" <David.Black@dell.com>, Fernando Gont <fernando@gont.com.ar>, Benjamin Kaduk <kaduk@mit.edu>, "saag@ietf.org" <saag@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/zCuOeJWQvpeczgV4NOX59_f_rZM>
Subject: Re: [tsvwg] [saag] Fwd: Last Call: <draft-ietf-tsvwg-transport-encrypt-19.txt> (Considerations around Transport Header Confidentiality, Network Operations, and the Evolution of Internet Transport Protocols) to Informational RFC
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 19:43:34 -0000

On Thu, Feb 11, 2021 at 12:28 PM Fernando Gont <fgont@si6networks.com> wrote:
>
> On 11/2/21 16:11, Tom Herbert wrote:
> > On Thu, Feb 11, 2021 at 11:40 AM Fernando Gont <fgont@si6networks.com> wrote:
> >>
> >> On 11/2/21 15:18, Tom Herbert wrote:
> >> [...]
> >>>
> >>> When the transport layer is encrypted, network devices would only see
> >>> the plaintext EH and that is only what that is what they can act on.
> >>> At the destination, we could try to rectify transport information in
> >>> HBH with decrypted plaintext transport headers, but I suspect that
> >>> wouldn't typically be done. The HBH information is only operationally
> >>> useful to the network, not the transport endpoints that have access to
> >>> the transport header.
> >>
> >> Then this is what an attacker would do:
> >> He/she would advertise on a HBH option something that looks sensible to
> >> the guy enforcing a network-based security policy, and then at transport
> >> would do what he/she needs to do. :-)
> >>
> >>
> >> e.g., HBH could advertise that my packets are directed to ports 80/443,
> >> while in transport they are actually directed to port, say, 22.
> >>
> > It's more likely that information in the HBH would be generic and
> > abstract, afterall the whole point of encrypting the transport header
> > is to hide information from the network that it doesn't require, not
> > to just blindly volunteer the same information somewhere else in the
> > packet. Port numbers, for instance, are not required for delivery and
> > in fact are prone to misinterpretation in the network (RFC7605)-- IMO
> > it makes no sense to put those in a HBH option.
> >
> > Regardless of HBH though, if the preponderence of transport headers
> > are encrytped then network security policiy that relies on the
> > information will need to change.
>
> The folks running networks might as well argue that if you want your
> protocol to be successfully deployed (or at all deployed), your protocol
> might need to change.
>
Perhaps, but in order to change the protocol to satisfy the
requirements of folks running networks, we'd need to know *what* the
requirements are. For instance, if someone were to say that networks
require more information than what is in the IP header to successfully
deliver packets, then I will immediately ask that they specify
*exactly* what information they need. Until/unless that is answered we
are left guessing as to what may or may not be acceptable in various
networks and the tussle continues.

> It's a tussle. ANd I see valid arguments on both sides.
>
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

v2.23.0 | Report a Bug | By Email