idnits 2.17.1 draft-iab-wire-image-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 10, 2018) is 2024 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-18) exists of draft-ietf-quic-manageability-02 == Outdated reference: A later version (-34) exists of draft-ietf-quic-transport-15 == Outdated reference: A later version (-21) exists of draft-ietf-tsvwg-transport-encrypt-00 == Outdated reference: A later version (-13) exists of draft-ietf-quic-invariants-03 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) == Outdated reference: A later version (-04) exists of draft-thomson-use-it-or-lose-it-02 Summary: 2 errors (**), 0 flaws (~~), 6 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Trammell 3 Internet-Draft M. Kuehlewind 4 Intended status: Informational ETH Zurich 5 Expires: April 13, 2019 October 10, 2018 7 The Wire Image of a Network Protocol 8 draft-iab-wire-image-00 10 Abstract 12 This document defines the wire image, an abstraction of the 13 information available to an on-path non-participant in a networking 14 protocol. This abstraction is intended to shed light on the 15 implications on increased encryption has for network functions that 16 use the wire image. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on April 13, 2019. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 1. Introduction 52 A protocol specification defines a set of behaviors for each 53 participant in the protocol: which lower-layer protocols are used for 54 which services, how messages are formatted and protected, which 55 participant sends which message when, how each participant should 56 respond to each message, and so on. 58 Implicit in a protocol specification is the information the protocol 59 radiates toward nonparticipant observers of the messages sent among 60 participants, often including participants in lower layer protocols. 61 Any information that has a clear definition in the protocol's message 62 format(s), or is implied by that definition, and is not 63 cryptographically confidentiality-protected can be unambiguously 64 interpreted by those observers. 66 This information comprises the protocol's wire image, which we define 67 and discuss in this document. It is the wire image, not the 68 protocol's specification, that determines how third parties on the 69 network paths among protocol participants will interact with that 70 protocol. 72 The increasing deployment of transport-layer security [RFC8226] to 73 protect application-layer headers and payload, as well as the 74 definition and deployment of QUIC [I-D.ietf-quic-transport], a 75 transport protocol which encrypts most of its own control 76 information, bring new relevance to this question. QUIC is, in 77 effect, the first IETF-defined transport protocol to take care of the 78 minimization of its own wire image, to prevent ossification and 79 improve end-to-end privacy by reducing information radiation. 81 The flipside of this trend is the impact of a less visible wire image 82 on various functions driven by third-party observation of the wire 83 image. [RFC8404] examines this issue from a network operator's 84 viewpoint, and [I-D.ietf-tsvwg-transport-encrypt] focuses on 85 transport-layer implications of increasing encryption. 86 [I-D.ietf-quic-manageability] is, in part, a third-party user's guide 87 to the QUIC wire image. In contrast to those documents, this draft 88 treats the wire image as a pure abstraction, with the hope that it 89 can shed some light on these discussions. 91 2. Definition 93 More formally, the wire image of the set of protocols in use for a 94 communication observed at a given point in the network consists of 95 the sequence of packets sent by each participant in the 96 communication, each expressed as a sequence of bits with the 97 associated arbitrary-precision time at which the packet was observed. 99 3. Discussion 101 This definition appears at first glance to be so impractically formal 102 as to be difficult to apply to protocol analysis, but it does 103 illustrate some important properties of the wire image. 105 Key is that the wire image is not limited to merely "the unencrypted 106 bits in the header". In particular, the sequences of interpacket 107 timing and packet sizes can also be used to infer other parameters of 108 the behavior of the protocols in use, or to fingerprint protocols 109 and/or specific implementations of those protocols; see Section 3.2. 111 An important implication of this property is that a protocol which 112 uses confidentiality protection for the headers it needs to operate 113 can be deliberately designed to have a specified wire image that is 114 separate from that machinery; see Section 4. Note that this is a 115 capability unique to encrypted protocols. Parts of a wire image may 116 also be made visible to devices on path, but immutable through end- 117 to-end integrity protection; see Section 3.3. 119 Portions of the wire image of a protocol stack that are neither 120 confidentiality-protected nor integrity-protected are writable by 121 devices on the path(s) between the endpoints using the protocols. A 122 protocol with a wire image that is largely writable operating over a 123 path with devices that understand the semantics of the protocol's 124 wire image can modify it, in order to induce behaviors at the 125 protocol's participants. This is the case with TCP in the current 126 Internet. 128 The term "wire image" can be applied in different scopes: the wire 129 image of a single packet refers to the information derivable from 130 observing that one packet in isolation; the wire image of a single 131 protocol refers to the information derivable from observing only the 132 headers belonging to that protocol on a sequence of packets, in 133 isolation from other protocols in use for a communication. In 134 general, it refers to everything observable about a communication at 135 a given vantage point; see Section 3.1 for more. 137 For a given packet observed at a given point in the network, the wire 138 image contains information from the entire stack of protocols in use 139 at that observation point. Confidentiality and integrity protection 140 may be added at multiple layers in the stack. However, information 141 at the transport layer and above is presumed to be delivered end-to- 142 end in the the Internet architecture. For example, MAC-layer 143 integrity and confidentiality protection do not prevent modification 144 by the devices terminating those security associations, or by devices 145 on different segments of the path. This document therefore does not 146 concern itself directly with portions of the wire image below the 147 network layer. 149 3.1. The Extent of the Wire Image 151 While we begin this definition as the properties of a sequence of 152 packets in isolation, this is not how wire images are typically used 153 by passive observers. A passive observer will generally consider the 154 union of all the information in the wire image in all the packets 155 generated by a given conversation. 157 Similarly, the wire image of a single protocol is rarely seen in 158 isolation. The dynamics of the application and network stacks on 159 each endpoint use multiple protocols for any higher level task. Most 160 protocols involving user content, for example, are often seen on the 161 wire together with DNS traffic; the information from the wire image 162 from each protocol in use for a given communication can be correlated 163 to infer information about the dynamics of the overlying application. 165 Information from protocol wire images is also not generally used on 166 its own, but is rather additionally correlated with other context 167 information available to the observer: e.g. information about other 168 communications engaged in by each endpoint, information about the 169 implementations of the protocols at each endpoint, information about 170 the network and internetwork topology near those endpoints, and so 171 on. This context can be used together with information from the wire 172 image to reach more detailed inferences about endpoint and end-user 173 behavior. 175 Note also that the wire image is multidimensional. This implies that 176 the name "image" is not merely metaphorical, and that general image 177 recognition techniques may be applicable to extracting patterns and 178 information from it. 180 3.2. Obscuring timing and sizing information 182 Cryptography can protect the confidentiality of a protocol's headers, 183 to the extent that forwarding devices do not need the 184 confidentiality-protected information for basic forwarding 185 operations. However, it cannot be applied to protecting non-header 186 information in the wire image. Of particular interest is the 187 sequence of packet sizes and the sequence of packet times. These are 188 characteristic of the operation of the protocol. While packets 189 cannot be made smaller than their information content, nor sent 190 faster than processing time requirements at the sender allow, a 191 sender may use padding to increase the size of packets, and add delay 192 to transmission scheduling in order to increase interpacket delay. 193 However, it does this as the expense of bandwidth efficiency and 194 latency, so this technique is limited to the application's tolerance 195 for latency and bandwidth inefficiency. 197 3.3. Integrity Protection of the Wire Image 199 Adding end-to-end integrity protection to portions of the wire image 200 makes it impossible for on-path devices to modify them without 201 detection by the endpoints, which can then take action in response to 202 those modifications, making these portions of the wire image 203 effectively immutable. However, they can still be observed by 204 devices on path. This allows the creation of signals intended by the 205 endpoints solely for the consumption of these on-path devices. 207 Integrity protection can only practically be applied to the sequence 208 of bits in each packet, which implies that a protocol's visible wire 209 image cannot be made completely immutable in a packet-switched 210 network. Interarrival timings, for instance, cannot be easily 211 protected, as the observable delay sequence is modified as packets 212 move through the network and experience different delays on different 213 links. Message sequences are also not practically protectable, as 214 packets may be dropped or reordered at any point in the network, as a 215 consequence of the network's operation. Intermediate systems with 216 knowledge of the protocol semantics in the readable portion of the 217 wire image can also purposely delay or drop packets in order to 218 affect the protocol's operation. 220 4. Engineering the Wire Image 222 Understanding the nature of a protocol's wire image allows it to be 223 engineered. The general principle at work here, observed through 224 experience with deployability and non-deployability of protocols at 225 the network and transport layers in the Internet, is that all 226 observable parts of a protocol's wire image will eventually be used 227 by devices on path; consequently, changes or future extensions that 228 affect the observable part of the wire image become difficult or 229 impossible to deploy. 231 A network function which serves a purpose useful to its deployer will 232 use the information it needs from the wire image, and will tend to 233 get that information from the wire image in the simplest way 234 possible. 236 For example, consider the case of the ubiquitous TCP [RFC0793] 237 transport protocol. As described in [PATH-SIGNALS], several key in- 238 network functions have evolved to take advantage of implicit signals 239 in TCP's wire image, which, as TCP provides neither integrity or 240 confidentiality protection for its headers, is inseparable from its 241 internal operation. Some of these include: 243 o Determining return routability and consent: For example, TCP's 244 wire image contains both an implicit indication that the sender of 245 a packet is at least on the path toward its source address (in the 246 acknowledgement number during the handshake), as well as an 247 implicit indication that a receiving device consents to continue 248 communication. These are used by stateful network firewalls. 250 o Measuring loss and latency: For example, examining the sequence of 251 TCP's sequence and acknowledgement numbers, as well as the ECN 252 [RFC3168] control bits allows the inference of congestion, loss 253 and retransmission along the path. The sequence and 254 acknowledgement numbers together with the timestamp option 255 [RFC7323] allow the measurement of application-experienced 256 latency. 258 During the design of a protocol, the utility of features such as 259 these shoud be considered, and the protocol's wire image should 260 therefore be designed to explicitly expose information to those 261 network functions deemed important by the designers in an obvious 262 way. The wire image should expose as little other information as 263 possible. 265 However, even when information is explicitly provided to the network, 266 any information that is exposed by the wire image, even that 267 information not intended to be consumed by an observer, must be 268 designed carefully as it might ossify, making it immutable for future 269 versions of the protocol. For example, information needed to support 270 decryption by the receiving endpoint (cryptographic handshakes, 271 sequence numbers, and so on) may be used by devices along the path 272 for their own purposes. 274 4.1. Declaring Protocol Invariants 276 One potential approach to reduce the extent of the wire image that 277 will be used by devices on the path is to define a set of invariants 278 for a protocol during its development. Declaring a protocol's 279 invariants represents a promise made by the protocol's developers 280 that certain bits in the wire image, and behaviors observable in the 281 wire image, will be preserved through the specification of all future 282 versions of the protocol. QUIC's invariants [QUIC-INVARIANTS] are an 283 initial attempt to apply this approach to QUIC. 285 While static aspects of the wire image - bits with simple semantics 286 at fixed positions in protocol headers - can easily be made 287 invariant, different aspects of the wire image may be more or less 288 appropriate to define as invariants. For a protocol with a version 289 and/or extension negotiation mechanism, the bits in the header and 290 behaviors tied to those bits which implement version negotiation 291 should be made invariant. More fluid aspects of the wire image and 292 behaviors which are not necessary for interoperability are not 293 appropriate as invariants. 295 Parts of a protocol's wire image not declared invariant but intended 296 to be visible to devices on path should be protected against 297 "accidental invariance": the deployment of on-path devices over time 298 that make simplifying assumptions about the behavior of those parts 299 of the wire image, making new behaviors not meeting those assumptions 300 difficult to deploy. Integrity protection of the wire image may 301 itself help protect against accidental invariance, because read-only 302 wire images invite less meddling than path-writable wire images. The 303 techniques discussed in [USE-IT] may also be useful in further 304 preventing accidental invariance and ossification. 306 Likewise, parts of a protocol's wire image not declared invariant and 307 not intended to be visible to the path should be encrypted to protect 308 their confidentiality. When confidentiality protection is either not 309 possible or not practical, then, as above, the approaches discussed 310 in [USE-IT] may be useful in ossification prevention. 312 4.2. Trustworthiness of Engineered Signals 314 Since they are separate from the signals that drive an encrypted 315 protocol's mechanisms, the accuracy of integrity-protected signals in 316 an engineered wire image intended for consumption by the path may not 317 be verifiable by on-path devices; see [PATH-SIGNALS]. Indeed, any 318 two endpoints with a secret channel between them (in this case, the 319 encrypted protocol itself) may collude to change the semantics and 320 information content of these signals. This is an unavoidable 321 consequence of the separation of the wire image from the protocol's 322 operation afforded by confidentiality protection of the protocol's 323 headers. 325 5. Acknowledgments 327 Thanks to Martin Thomson, Stephen Farrell, Thomas Fossati, Ted 328 Hardie, Mark Nottingham, Tommy Pauly, and the membership of the IAB 329 Stack Evolution Program, for text, feedback, and discussions that 330 have improved this document. 332 This work is partially supported by the European Commission under 333 Horizon 2020 grant agreement no. 688421 Measurement and Architecture 334 for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat 335 for Education, Research, and Innovation under contract no. 15.0268. 336 This support does not imply endorsement. 338 6. Informative References 340 [I-D.ietf-quic-manageability] 341 Kuehlewind, M. and B. Trammell, "Manageability of the QUIC 342 Transport Protocol", draft-ietf-quic-manageability-02 343 (work in progress), July 2018. 345 [I-D.ietf-quic-transport] 346 Iyengar, J. and M. Thomson, "QUIC: A UDP-Based Multiplexed 347 and Secure Transport", draft-ietf-quic-transport-15 (work 348 in progress), October 2018. 350 [I-D.ietf-tsvwg-transport-encrypt] 351 Fairhurst, G. and C. Perkins, "The Impact of Transport 352 Header Confidentiality on Network Operation and Evolution 353 of the Internet", draft-ietf-tsvwg-transport-encrypt-00 354 (work in progress), September 2018. 356 [PATH-SIGNALS] 357 Hardie, T., "Path Signals", draft-hardie-path-signals-03 358 (work in progress), April 2018. 360 [QUIC-INVARIANTS] 361 Thomson, M., "Version-Independent Properties of QUIC", 362 draft-ietf-quic-invariants-03 (work in progress), October 363 2018. 365 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 366 RFC 793, DOI 10.17487/RFC0793, September 1981, 367 . 369 [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 370 of Explicit Congestion Notification (ECN) to IP", 371 RFC 3168, DOI 10.17487/RFC3168, September 2001, 372 . 374 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 375 Scheffenegger, Ed., "TCP Extensions for High Performance", 376 RFC 7323, DOI 10.17487/RFC7323, September 2014, 377 . 379 [RFC8226] Peterson, J. and S. Turner, "Secure Telephone Identity 380 Credentials: Certificates", RFC 8226, 381 DOI 10.17487/RFC8226, February 2018, 382 . 384 [RFC8404] Moriarty, K., Ed. and A. Morton, Ed., "Effects of 385 Pervasive Encryption on Operators", RFC 8404, 386 DOI 10.17487/RFC8404, July 2018, 387 . 389 [USE-IT] Thomson, M., "Long-term Viability of Protocol Extension 390 Mechanisms", draft-thomson-use-it-or-lose-it-02 (work in 391 progress), June 2018. 393 Authors' Addresses 395 Brian Trammell 396 ETH Zurich 397 Gloriastrasse 35 398 8092 Zurich 399 Switzerland 401 Email: ietf@trammell.ch 403 Mirja Kuehlewind 404 ETH Zurich 405 Gloriastrasse 35 406 8092 Zurich 407 Switzerland 409 Email: mirja.kuehlewind@tik.ee.ethz.ch