Re: [TLS] TLS renegotiation issue
Hi,
I am one of the authors of RFC3411, and lead editor for the ISMS WG as
we added support for security protocols at lower layers. I was also
involved in the failed EOS WG (Evolution of SNMP) and SMING WG (next
generation SMI).
I was probably the strongest proponent of using abstract APIs
(actually ASIs - abstract service interfaces) to depict data flows
between parts of the system.
Let me observe that those ASIs have made it almost impossible to
update the pieces of SNMPv3, because the ASIs act as design
constraints. The strong architectural model made it very difficult to
update the SMI without forcing changes to the ASIs. The strong
architectural model made it very difficult to update the operations
set of the SNMP protocol. Both of these efforts resulted in failed
WGs. Adding support for existing SSH security infrastructure took
three documents because we had to modify the architecture, including
all the affected ASIs. What might have taken months to complete took
years - largely because of the use of ASIs in the architecture.
Many of the people who developed Netconf were involved in the
SNMPv3 architecture effort, and subsequent updates. Look at the
Netconf architectural model - it uses very simple, very nebulous
layering as the borders between portions, not ASIs. This is a
dramatically simpler and easier approach to work with.
I strongly advise you to be careful what you wish for.
> -----Original Message-----
> From: tls-bounces at ietf.org [mailto:tls-bounces at ietf.org] On
> Behalf Of Blumenthal, Uri - 0662 - MITLL
> Sent: Friday, November 06, 2009 11:24 PM
> To: Nicolas Williams; Marsh Ray
> Cc: tls at ietf.org
> Subject: Re: [TLS] TLS renegotiation issue
>
> There's an example of using such abstract API in SNMPv3.
> Where it was also
> debated ("IETF doesn't do API" :-), but the common sense prevailed.
>
>
> On 11/5/09 17:31 , "Nicolas Williams"
> <Nicolas.Williams at sun.com> wrote:
>
> > On Thu, Nov 05, 2009 at 04:28:57PM -0600, Marsh Ray wrote:
> >> Nicolas Williams wrote:
> >>> I don't think it was ever really true that "the IETF
> doesn't do APIs".
> >>
> >> I would add here that if the IETF had compared the way TLS
> looks on the
> >> wire with how it is presented by SSL APIs in practice,
> this defect could
> >> not have gone unnoticed.
> >
> > Indeed. Larry Zhu described to me how the SSPI models TLS
> just a few
> > days ago. I should have noticed immediately the lack of
> binding, but
> > because I wasn't also thinking of HTTPS, I didn't.
> >
> > I'd go far enough to say that we must consider at least
> abstract APIs to
> > protocols such as TLS.
> >
> > Nico
>
> --
> Regards,
> Uri uri at ll.mit.edu
> <Disclaimer>
>
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.