Re: [tsvwg] Review of draft-fairhurst-tsvwg-transport-encrypt
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 17 May 2018 13:06 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C6012DA29 for <tsvwg@ietfa.amsl.com>; Thu, 17 May 2018 06:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3_OnyrDIPak for <tsvwg@ietfa.amsl.com>; Thu, 17 May 2018 06:06:03 -0700 (PDT)
Received: from mail-yb0-x235.google.com (mail-yb0-x235.google.com [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E037212DB6D for <tsvwg@ietf.org>; Thu, 17 May 2018 06:06:02 -0700 (PDT)
Received: by mail-yb0-x235.google.com with SMTP id 140-v6so1418102ybc.9 for <tsvwg@ietf.org>; Thu, 17 May 2018 06:06:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=szQvB25rWTfgKGVeuukV9DTCNKDDzXBprqDpXTvOqKQ=; b=Yr4+eTV0GOQ7WdDcPR6knyMs6g+ik7npcSLJvz3tvnUD4D6SuA8PvLK1F2AFx38gz5 GdoH7ggs/kCBZxVME+PtKjp9RoVcYqF0nwL9faRJdsXUH435DHCAXYlkpd7kh+VxxW5u tDP0wzXQZ4rJfAelpn7TyE7wbhVuIgq/OIk2WG7HhQsRn7/fk9GftRkKhQfCuFqmCjQ3 DNCFYUzoBbSgGHFG2AYa/SuN7IXfB6w6xdy843rlUBwCHsZz6FD9InbAGlv2qY1QFvzg CwKL8jmL5rnftlKVh73f0BBqY33/K4I3CapkoBnCdgIudoPr2vg5TMyW79YHQQHBpE2a 9TJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=szQvB25rWTfgKGVeuukV9DTCNKDDzXBprqDpXTvOqKQ=; b=TKJz00AtStVWIbniefRlmRhNyCrPLi0Z0EAJ6tzYmxVG5lxroGPan9u7BZWeKIct9C 8rQ8hPUKSFMohHG9cjSwXP8/5CKyL9XROXjI+TAj/SxH8BUeRyt0lM56Hyja8ilofg7S ZM1z7yObiyJuyM8WeevPQwfmoSg7A90t0CroeVyCsnp5OnrTJep181sCduRojZrzYzEh +g1jLNwePtaYc+wa2NHYR0Oc93YtZb01VK2XTR+96IIn9WcarlOIfkzD1gpHUv/ASkN4 FRNMZ7z4gPGgHAmV7Jx9yqtJKXmXLHs5JFOALRkYsJ1oH2lQ8Fqyph/GXVmEj5Lbg+yv S0KQ==
X-Gm-Message-State: ALKqPweQf5zoqf/c0t9m+qDltBAayPSLyquI7CbJYkhGpcv8XCw1IdZa PI3e0KD87V8lLzJU/vgaE1x306fYWzOU7I0bEZo=
X-Google-Smtp-Source: AB8JxZp8l44BDDMUysKmutS8lPxaguWLXKxZ+SK2er6ZNiaD5SBDepDx9PRuGEDb4/rPiFvr1YFNnrFqUjfB9KDNH2Y=
X-Received: by 2002:a25:6a55:: with SMTP id f82-v6mr2589964ybc.235.1526562361851; Thu, 17 May 2018 06:06:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH7DND0uz9bv9YSD_9BW02AfWB+YmONHMBMV+Xg7w-RDPw@mail.gmail.com> <5AFD188F.2050309@erg.abdn.ac.uk>
In-Reply-To: <5AFD188F.2050309@erg.abdn.ac.uk>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Thu, 17 May 2018 08:05:49 -0500
Message-ID: <CAKKJt-ch3KMERQpiJj7-GxYJ3UfpCBU16q8xGcHmECO06LiCPg@mail.gmail.com>
To: G Fairhurst <gorry@erg.abdn.ac.uk>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, tsvwg@ietf.org, Colin Perkins <csp@csperkins.org>
Content-Type: multipart/alternative; boundary="0000000000004e44b6056c667f6b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/zIkZCqkEcDJfEYkAklO7HJx-y4Y>
Subject: Re: [tsvwg] Review of draft-fairhurst-tsvwg-transport-encrypt
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 13:06:07 -0000
Hi, Kathleen, On Thu, May 17, 2018 at 12:53 AM Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote: > Thanks Kathleen, > > it really helps to receive reviews, My thanks for your review as well. One point for Gorry, which might or might not be helpful ... > I'll try to respond to each in turn. > > On 08/05/2018, 18:22, Kathleen Moriarty wrote: > > Hello Gorry& Colin, > > > > Thanks for your work on this draft. In my opinion, it is very > > important to dig through the implications of encrypting transport > > headers. The document is well written and easy to read, thanks for > > that as well. Al and I had a hard time with that since ours was > > contribution driven and controversial. > > > > Here's some feedback from my review that I hope you find helpful: > > > > General: > > If you added section references to mm-wg-encrypt where it is > > referenced, that may be helpful to the reader. > I have now tried to do this where I could. > > Specific feedback: > > The apps side will object to this phrasing as they don't see the need > > for any 'help'. I agree with your point, just warning of the obstacle > > in case you can reword it to prevent objections. > > Choosing to encrypt all information may reduce > > the ability for networks to "help" (e.g., in response to tracing > > issues, making appropriate QoS decisions). > We aded more clarity on the ability for networks to "help" users and > subscribers. > > Section 3 intro text > > > > Encrypted traffic can also be profiled to identify threat actors. > > This will continue to be important as threat actors may have advanced > > capabilities and may modify the encrypted streams in identifiable ways > > that can differentiate their traffic from others. > > > > I was expecting to see some text toward the end of 3 on adoption of > > these protocols. We can put out protocols, but it's up to industry to > > decide when and where to adopt protocols. > I'd be happy to improve this section, but at the moment I'm unsure what > you have in mind. > In discussions about https://datatracker.ietf.org/doc/draft-dawkins-panrg-what-not-to-do/, I've been reminded that the IAB RFC on "What Makes for a Successful Protocol?" would be a good thing for me to include as a reference ( https://datatracker.ietf.org/doc/rfc5218/). Perhaps that would be useful for this draft as well? Spencer > > From a few recent talks, > > what I saw from the audiences is that those aware of QUIC are outright > > blocking it. The business imperative is not there for the > > applications using QUIC to justify it's use within the business > > network, at least not yet. > Indeed. I have seen similar talks and discussions that take this view. > We are trying to the base the draft on what has been deployed and > approaches that have been used - do you think we could/should say more? > > Section 3.3 > > Do you want to make this specific to IPsec tunnel mode since that > > hides the true end points as well? Transport mode isn't well deployed > > because of interoperability issues and not current use case driving > > it's usage, but that does leave the true IP source and destination > > addresses exposed, more than what you see with tunnel mode. > Yes. I have done this. > > Section 5.3 > > This is starting to touch on NetNeutrality and if you are going to go > > there, you should state it explicitly. At the enterprise level (it > > doesn't seem like you are covering that in this draft), I am hearing > > QUIC is outright blocked by those that are aware of it on the network, > > so it's not just NetNeutrality that will impact it's deployment. > > Perhaps rephrasing may help? Here's the text I'm talking about: > > A lack of data reduces the level of precision with which mechanisms > > are applied, and this needs to be considered when evaluating the > > impact of designs for transport encryption. This could lead to > > increased use of rate limiting, circuit breaker techniques [RFC8084], > > or even blocking of uncharacterised traffic. This would hinder > > deployment of new mechanisms and/or protocols. > I would love a suggestion? > > Section 5.4 > > I think you have a typo here: > > Integrity checks can undetected modification of protocol fields by > > network devices, > Indeed, and now resolved. > Gorry > >
- [tsvwg] Review of draft-fairhurst-tsvwg-transport… Kathleen Moriarty
- Re: [tsvwg] Review of draft-fairhurst-tsvwg-trans… Gorry Fairhurst
- Re: [tsvwg] Review of draft-fairhurst-tsvwg-trans… Spencer Dawkins at IETF
- Re: [tsvwg] Review of draft-fairhurst-tsvwg-trans… Kathleen Moriarty