idnits 2.17.1 draft-smith-encrypted-traffic-management-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (November 13, 2015) is 3087 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- ** Obsolete normative reference: RFC 2818 (Obsoleted by RFC 9110) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group K. Smith 3 Internet-Draft Vodafone Group 4 Intended status: Informational November 13, 2015 5 Expires: May 16, 2016 7 Network management of encrypted traffic 8 draft-smith-encrypted-traffic-management-04 10 Abstract 12 Encrypted Internet traffic may pose traffic management challenges to 13 network operators. This document recommends approaches to help 14 manage encrypted traffic, without breaching user privacy or security. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at http://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on May 16, 2016. 33 Copyright Notice 35 Copyright (c) 2015 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (http://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 1.1. Document structure . . . . . . . . . . . . . . . . . . . 3 52 2. Network management functions . . . . . . . . . . . . . . . . 3 53 3. Persisting traffic management without breaching encryption . 3 54 3.1. Providing hints to and from the network . . . . . . . . . 3 55 3.1.1. DiffServ Code Points (DSCP) . . . . . . . . . . . . . 3 56 3.1.2. Explicit Congestion Notification (ECN) . . . . . . . 4 57 3.1.3. Multiprotocol Label Switching (MPLS) . . . . . . . . 4 58 3.1.4. Substrate Protocol for User Datagrams (SPUD) . . . . 5 59 3.1.5. Mobile throughput Guidance . . . . . . . . . . . . . 5 60 3.1.6. Port Control Protocol Flowdata options . . . . . . . 5 61 3.1.7. IPv6 Flow label . . . . . . . . . . . . . . . . . . . 5 62 3.1.8. DISCUSS . . . . . . . . . . . . . . . . . . . . . . . 6 63 3.2. Inferred flow information . . . . . . . . . . . . . . . . 6 64 3.2.1. Heuristics . . . . . . . . . . . . . . . . . . . . . 6 65 3.3. Co-operation on congestion control . . . . . . . . . . . 6 66 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 67 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 68 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 69 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 70 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 71 7.2. Informative References . . . . . . . . . . . . . . . . . 8 72 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 74 1. Introduction 76 Networks utilise various management techniques to ensure efficient 77 throughput, congestion management, anti-SPAM and security measures. 78 Historically these functions have utilised visibility of the Internet 79 application layer. 81 This visibility is rapidly diminishing - encrypted Internet traffic 82 is expected to continue its upward trend, driven by increased privacy 83 awareness, uptake by popular services, and advocacy from the [IAB], 84 [RFC7258] and W3C [TAG] . 86 [IAB], [RFC7258] and [mm-effect-encrypt] recognise that network 87 management functions may be impacted by encryption, and that 88 solutions to persist these management functions must not threaten 89 user security or privacy. Such solutions can ensure the benefits of 90 encryption do not degrade network efficiency. 92 This document lists such solutions, and points to evolving IETF work 93 addressing the problem. 95 1.1. Document structure 97 This document refers to network management functions that may be 98 hindered by traffic encryption, as described in [mm-effect-encrypt] 100 It then describes the technical details of existing options to fully 101 or partially persist these functions under encryption. The guidance 102 includes existing techniques as well as ongoing IETF work in this 103 area.'Encryption' in this document typically refers to HTTP over TLS 104 [RFC2818]; other forms of encryption are noted where applicable. 106 Finally, a summary is provided of ongoing IETF work which is 107 investigating how network operators, origin servers and clients may 108 co-operate in efficient traffic delivery without the need for 109 pervasive network monitoring. 111 The legal, political and commercial aspects of network management are 112 recgnised but not covered in this technical document. 114 2. Network management functions 116 Please refer to 'Network Service Provider Monitoring' in 117 [mm-effect-encrypt] 119 3. Persisting traffic management without breaching encryption 121 This section involves utilisation of 'Application-based Flow 122 Information Visible to a Network', [mm-effect-encrypt]. 124 3.1. Providing hints to and from the network 126 The following protocols aim to support a secure and privacy-aware 127 dialogue between client, server and the network elements. These 128 hints can allow information item exchange between the endpoints and 129 the network, to assist queuing mechanisms and traffic pacing that 130 accounts for network congestion and variable connection strength. 131 These relate to the cooperative path to endpoint signalling as 132 discussed at the IAB SEMI [SEMI] and MaRNEW [MaRNEW] workshops, with 133 the network following a more clearly-defined role in encrypted 134 traffic delivery. 136 3.1.1. DiffServ Code Points (DSCP) 138 Data packets may be flagged with a traffic class (class of service). 139 Network operators may honour a DiffServ classification [RFC2474] 140 entering their network, or may choose to override it (since it is 141 potentially open to abuse by a service provider that classifies all 142 its content as high priority). The purpose is to help manage traffic 143 and congestion in the network. 145 This requires the content provider to flag data packets. This is 146 extra work for the provider, and it has potential for abuse if a 147 content provider simply flags all packets with high priorities. The 148 network would need to know which flags to trust and which to 149 override. The use of DiffServ within the operator network is 150 beneficial where the operator determines the class of service itself; 151 but where content is encrypted then heuristics would be needed to 152 predict the traffic type entering the network. HTTP/2 allows several 153 streams to be multiplexed over a single TCP connection. This means 154 that if a provider decides to send Web pages, videos, chat etc. as 155 individual streams over the same connection, then DiffServ would be 156 useless as it would apply to the TCP/IP connection as a whole. 157 However it may be more efficient for such Web providers to serve each 158 content type from separate, dedicated servers - this will become 159 clearer as HTTP/2 deployments are tuned for optimal delivery. 161 3.1.2. Explicit Congestion Notification (ECN) 163 Explicit Congestion Notification [RFC6138] routers can exchange 164 congestion notification headers to ECN compliant endpoints. This is 165 in preference to inferring congestion from dropped packets (e.g. in 166 TCP). The purpose is to help manage traffic and congestion in the 167 network. 169 This solution is required to be implemented at network and service 170 provider. The service provider will utilise the ECN to reduce 171 throughput until it is notified that congestion has eased. 173 As with DiffServ, operators may not trust an external entity to mark 174 packets in a fair/consistent manner. 176 3.1.3. Multiprotocol Label Switching (MPLS) 178 On entering an MPLS-compliant network [RFC3031], IP packets are 179 flagged with a 'Forward Equivalence Class' (FEC). This allows the 180 network to make packet-forwarding decisions according to their 181 latency requirements. MPLS routers within the network parse and act 182 upon the FEC value. The FEC is set according to the source IP 183 address and port. The purpose is to help managing traffic and 184 congestion in the network. This requires deployment of an MPLS 185 'backbone' with label-aware switches/ routers. 187 An up-to-date correspondence table between Websites (or service sites 188 in general) and server IP address must be created. Then, the 189 category(s) of traffic have to be consistently mapped to a set of 190 MPLS labels ,which entails a significant effort to setup and 191 maintain. 193 Note: MPLS can specify how OSI Layer 3 (IP layer) traffic can be 194 routed over Layer 2 (Data Link); DiffServ only operates over Layer 3. 195 DiffServ is potentially a less complex integration as it is applied 196 at the network edge servers only. 198 3.1.4. Substrate Protocol for User Datagrams (SPUD) 200 SPUD [SPUD] is a prototype to research how network devices on the 201 path between endpoints can share information to improve a flow. The 202 network involvement is outside of the end-to-end context, to minimise 203 any privacy or security breach. The initial prototype involves 204 grouping UDP packets into an explicit 'tube', however support of 205 additional transport layers (such as TCP) will also be investigated. 207 3.1.5. Mobile throughput Guidance 209 Mobile Throughput Guidance In-band Signalling [MTG] is a draft 210 proposal to allows the network to inform the server endpoint as to 211 what bandwidth the TCP connection can reasonably expect. This allows 212 the server to adapt their throughput pacing based on dynamic network 213 conditions, which can assist mechanisms such as Adaptive Bitrate 214 Streaming and TCP congestion control. 216 3.1.6. Port Control Protocol Flowdata options 218 PCP Flowdata options [PCPFD] defines a mechanism for a host to signal 219 flow characteristics to the network, and the network to signal its 220 ability to accommodate that flow back to the host. This allows 221 certain network flows to receive service that is differentiated from 222 other network flows, and may be used to establish flow priority 223 before connection establishment. PCP Flowdata operates at IPv4/IPv6 224 level. 226 3.1.7. IPv6 Flow label 228 IPv6 includes a flow label header field. [RFC6438] details how this 229 may be used to identify flows for load balancing and multipath 230 routing, which may be of particular use for application-layer 231 encrypted traffic. The flow label field is part of the main header, 232 which means it is not subject to the disadvantages of extension 233 headers (namely their risk of being dropped by intermediary routers). 234 The flow label may also be exposed as part of the outer IP packet in 235 an IP tunnel, thus providing network flow information without 236 compromising the payload. 238 3.1.8. DISCUSS 240 Differentiated prIorities and Status Code-points Using Stun 241 Signalling [DISCUSS] describes a mechanism for information exchange 242 between an application and the network, viable only for UDP. As such 243 it can be considered in the same bracket as SPUD 245 3.2. Inferred flow information 247 3.2.1. Heuristics 249 Heuristics can be used to map given input data to particular 250 conclusions via some heuristic reasoning. Examples of input data to 251 this reasoning include IP destination address, TCP destination port, 252 server name from SNI, and typical traffic patterns (e.g. occurrence 253 of IP packets and TCP segments over time). The accuracy of 254 heuristics depends on whether the observed traffic originates from a 255 source delivering a single service, or a blend of services. In many 256 scenarios, this makes it possible to directly classify the traffic 257 related to a specific server/service even when the traffic is fully 258 encrypted. 260 If the server/service is co-located on an infrastructure with other 261 services that shares the same IP-address, the encrypted traffic 262 cannot be directly classified. However, commercial traffic 263 classifiers today typically apply heuristic methods, using traffic 264 pattern matching algorithms to be able to identify the traffic. As 265 an example, classifier products are able to identify popular VoIP 266 services using heuristic methods although the traffic is encrypted 267 and mostly peer-to-peer. 269 3.3. Co-operation on congestion control 271 One idea from the IAB 'Managing Radio Networks in an Encrypted World' 272 workshop [MaRNEW] was that of better co-operation between 3GPP mobile 273 networks and Internet services on congestion management. . 3GPP 274 networks are concerned with ensuring that all devices attached to a 275 particular cell receive a fair share of radio resources. This is 276 critical, since these resources are constrained to various licenced 277 spectrum bands, and volatile due to signal strength variation/cell 278 handover/interference etc. The resource sharing process occurs 279 independently to TCP congestion management performed between the 280 client and server connected via the mobile network: the result is 281 that TCP may wrongly infer congestion and react accordingly, or 282 attempt to accelerate throughput without consideration of the 283 available radio resources. Therefore the notion is to investigate 284 co-operation between radio and TCP congestion controls to better 285 manage connection throughput. 287 4. Acknowledgements 289 The editor would like to thank the GSMA Web Working Group for their 290 contributions, in particular to the technical solutions and network 291 management functions; the contributions via the SAAG mailing list 292 (Panos Kampanakis, Brian Carpenter); and Kathleen Moriarty and Al 293 Morton for their guidance in aligning this draft with 294 [mm-effect-encrypt] 296 5. IANA Considerations 298 There are no IANA considerations. 300 6. Security Considerations 302 The intention of this document is to consider how to persist network 303 management of encrypted traffic, without breaching user privacy or 304 end-to-end security. In particular this document does not recommend 305 any approach that intercepts or modifies client-server Transport 306 Layer Security. 308 7. References 310 7.1. Normative References 312 [RFC2474] Nichols, K., "Definition of the Differentiated Services 313 Field (DS Field) in the IPv4 and IPv6 Headers", RFC 2474, 314 Dec 1998. 316 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. 318 [RFC3031] Rosen, E., "Multiprotocol Label Switching Architecture", 319 RFC 3031, Jan 2001. 321 [RFC6138] Ramakrishnan, K., "The Addition of Explicit Congestion 322 Notification (ECN) to IP", RFC 6138, Sep 2001. 324 [RFC6438] Carpenter, B. and S. Amante, "Using the IPv6 Flow Label 325 for Equal Cost Multipath Routing and Link Aggregation in 326 Tunnels", RFC 6438, 2011. 328 [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an 329 Attack", BCP 188, RFC 7258, May 2014. 331 7.2. Informative References 333 [DISCUSS] Cisco, "Differentiated prIorities and Status Code-points 334 Using Stun Signalling", 2015, 335 . 338 [IAB] IAB, "IAB statement on Internet confidentiality", n.d., 339 . 342 [MaRNEW] IAB and GSMA, "Managing Radio Networks in an Encrypted 343 World (MaRNEW)", 2015, 344 . 346 [mm-effect-encrypt] 347 IETF, "Effect of Ubiquitous Encryption", n.d., 348 . 351 [MTG] IETF, "Mobile Throughput Guidance Inband Signaling 352 Protocol", n.d., . 355 [PCPFD] Cisco, "PCP Flowdata option", 2013, 356 . 358 [SEMI] IAB, "IAB workshop, 'Stack Evolution in a Middlebox 359 Internet'", n.d., 360 . 362 [SPUD] IETF, "Substrate Protocol for User Datagrams", n.d., 363 . 366 [TAG] W3C, "Securing the Web", n.d., . 369 Author's Address 371 Kevin Smith 372 Vodafone Group 374 Email: kevin.smith@vodafone.com