idnits 2.17.1 draft-trammell-wire-image-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (February 21, 2018) is 2250 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-25) exists of draft-mm-wg-effect-encrypt-21 == Outdated reference: A later version (-03) exists of draft-hardie-path-signals-02 == Outdated reference: A later version (-18) exists of draft-ietf-quic-manageability-01 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) == Outdated reference: A later version (-10) exists of draft-fairhurst-tsvwg-transport-encrypt-06 Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Trammell 3 Internet-Draft M. Kuehlewind 4 Intended status: Informational ETH Zurich 5 Expires: August 25, 2018 February 21, 2018 7 The Wire Image of a Network Protocol 8 draft-trammell-wire-image-02 10 Abstract 12 This document defines the wire image, an abstraction of the 13 information available to an on-path non-participant in a networking 14 protocol. This abstraction is intended to shed light on the 15 implications on increased encryption has for network functions that 16 use the wire image. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on August 25, 2018. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 1. Introduction 52 A protocol specification defines a set of behaviors for each 53 participant in the protocol: which lower-layer protocols are used for 54 which services, how messages are formatted and protected, which 55 participant sends which message when, how each participant should 56 respond to each message, and so on. 58 Implicit in a protocol specification is the information the protocol 59 radiates toward nonparticipant observers of the messages sent among 60 participants. Any information that has a clear definition in the 61 protocol's message format(s), or is implied by that definition, and 62 is not cryptographically confidentiality-protected can be 63 unambiguously interpreted by those observers. 65 This information comprises the protocol's wire image, which we define 66 and discuss in this document. It is the wire image, not the 67 protocol's specification, that determines how third parties on the 68 network paths among protocol participants will interact with that 69 protocol. 71 Several documents currently under discussion in IETF working groups 72 and the IETF in general, for example [QUIC-MANAGEABILITY], 73 [EFFECT-ENCRYPT], and [TRANSPORT-ENCRYPT], discuss in part impacts on 74 the third-party use of wire images caused by a migration from 75 protocols whose wire images are largely not confidentiality protected 76 (e.g. HTTP over TCP) to protocols whose wire images are 77 confidentiality protected (e.g. H2 over QUIC). 79 This document presents the wire image abstraction with the hope that 80 it can shed some light on these discussions. 82 2. Definition 84 More formally, the wire image of a protocol consists of the sequence 85 of messages sent by each participant in the protocol, each expressed 86 as a sequence of bits with an associated arbitrary-precision time at 87 which it was sent. 89 3. Discussion 91 This definition is so vague as to be difficult to apply to protocol 92 analysis, but it does illustrate some important properties of the 93 wire image. 95 Key is that the wire image is not limited to merely "the unencrypted 96 bits in the header". In particular, interpacket timing, packet size, 97 and message sequence information can be used to infer other 98 parameters of the behavior of the protocol, or to fingerprint 99 protocols and/or specific implementations of the protocol; see 100 Section 3.1. 102 An important implication of this property is that a protocol which 103 uses confidentiality protection for the headers it needs to operate 104 can be deliberately designed to have a specified wire image that is 105 separate from that machinery; see Section 3.3. Note that this is a 106 capability unique to encrypted protocols. Parts of a wire image may 107 also be made visible to devices on path, but immutable through end- 108 to-end integrity protection; see Section 3.2. 110 Portions of the wire image of a protocol that are neither 111 confidentiality-protected nor integrity-protected are writable by 112 devices on the path(s) between the endpoints using the protocol. A 113 protocol with a wire image that is largely writable operating over a 114 path with devices that understand the semantics of the protocol's 115 wire image can modify it, in order to induce behaviors at the 116 protocol's participants. This is the case with TCP in the current 117 Internet. 119 Note also that the wire image is multidimensional. This implies that 120 the name "image" is not merely metaphorical, and that general image 121 recognition techniques may be applicable to extracting patterns and 122 information from it. 124 3.1. Obscuring timing and sizing information 126 Cryptography can protect the confidentiality of a protocol's headers, 127 to the extent that forwarding devices do not need the 128 confidentiality-protected information for basic forwarding 129 operations. However, it cannot be applied to protecting non-header 130 information in the wire image. Of particular interest is the 131 sequence of packet sizes and the sequence of packet times. These are 132 characteristic of the operation of the protocol. While packets 133 cannot be made smaller than their information content, nor sent 134 faster than processing time requirements at the sender allow, a 135 sender may use padding to increase the size of packets, and add delay 136 to transmission scheduling in order to increase interpacket delay. 137 However, it does this as the expense of bandwidth efficiency and 138 latency, so this technique is limited to the application's tolerance 139 for latency and bandwidth inefficiency. 141 3.2. Integrity Protection of the Wire Image 143 Adding end-to-end integrity protection to portions of the wire image 144 makes it impossible for on-path devices to modify them without 145 detection by the endpoints, which can then take action in response to 146 those modifications, making these portions of the wire image 147 effectively immutable. However, they can still be observed by 148 devices on path. This allows the creation of signals intended by the 149 endpoints solely for the consumption of these on-path devices. 151 Integrity protection can only practically be applied to the sequence 152 of bits in each packet, which implies that a protocol's visible wire 153 image cannot be made completely immutable in a packet-switched 154 network. Interarrival timings, for instance, cannot be easily 155 protected, as the observable delay sequence is modified as packets 156 move through the network and experience different delays on different 157 links. Message sequences are also not practically protectable, as 158 packets may be dropped or reordered at any point in the network, as a 159 consequence of the network's operation. Intermediate systems with 160 knowledge of the protocol semantics in the readable portion of the 161 wire image can also purposely delay or drop packets in order to 162 affect the protocol's operation. 164 3.3. Engineering the Wire Image 166 Understanding the nature of a protocol's wire image allows it to be 167 engineered. The general principle at work here, observed through 168 experience with deployability and non-deployability of protocols at 169 the network and transport layers in the Internet, is that all 170 observable parts of a protocol's wire image will eventually be used 171 by devices on path; consequently, changes or future extensions that 172 affect the observable part of the wire image become difficult or 173 impossible to deploy. 175 A network function which serves a purpose useful to its deployer will 176 use the information it needs from the wire image, and will tend to 177 get that information from the wire image in the simplest way 178 possible. 180 For example, consider the case of the ubiquitous TCP [RFC0793] 181 transport protocol. As described in [PATH-SIGNALS], several key in- 182 network functions have evolved to take advantage of implicit signals 183 in TCP's wire image, which, as TCP provides neither integrity or 184 confidentiality protection for its headers, is inseparable from ints 185 internal operation. Some of these include: 187 o Determining return routability and consent: For example, TCP's 188 wire image contains both an implicit indication that the sender of 189 a packet is at least on the path toward its source address (in the 190 acknowledgement number during the handshake), as well as an 191 implicit indication that a receiving device consents to continue 192 communication. These are used by stateful network firewalls. 194 o Measuring loss and latency: For example, examining the sequence of 195 TCP's sequence and acknowledgement numbers, as well as the ECN 196 [RFC3168] control bits allows the inference of congestion, loss 197 and retransmission along the path. The sequence and 198 acknowledgement numbers together with the timestamp option 199 [RFC7323] allow the measurement of application-experienced 200 latency. 202 During the design of a protocol, the utility of features such as 203 these shoud be considered, and the protocol's wire image should 204 therefore be designed to explicitly expose information to those 205 network functions deemed important by the designers in an obvious 206 way. The wire image should expose as little other information as 207 possible. 209 However, even when information is explicitly provided to the network, 210 any information that is exposed by the wire image, even that 211 information not intended to be consumed by an observer, must be 212 designed carefully as it might ossify, making it immutable for future 213 versions of the protocol. For example, information needed to support 214 decryption by the receiving endpoint (cryptographic handshakes, 215 sequence numbers, and so on) may be used by devices along the path 216 for their own purposes. 218 Since they are separate from the signals that drive an encrypted 219 protocol's mechanisms, the veracity of integrity-protected signals in 220 an engineered wire image intended for consumption by the path may not 221 be verifiable by on-path devices; see [PATH-SIGNALS]. Indeed, any 222 two endpoints with a secret channel between them (in this case, the 223 encrypted protocol itself) may collude to change the semantics and 224 information content of these signals. This is an unavoidable 225 consequence of the separation of the wire image from the protocol's 226 operation afforded by confidentiality protection of the protocol's 227 headers. 229 4. Acknowledgments 231 Thanks to Martin Thomson, Thomas Fossati, and Ted Hardie for 232 discussions that have improved this document. 234 This work is partially supported by the European Commission under 235 Horizon 2020 grant agreement no. 688421 Measurement and Architecture 236 for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat 237 for Education, Research, and Innovation under contract no. 15.0268. 238 This support does not imply endorsement. 240 5. Informative References 242 [EFFECT-ENCRYPT] 243 Moriarty, K. and A. Morton, "Effects of Pervasive 244 Encryption on Operators", draft-mm-wg-effect-encrypt-21 245 (work in progress), February 2018. 247 [PATH-SIGNALS] 248 Hardie, T., "Path signals", draft-hardie-path-signals-02 249 (work in progress), November 2017. 251 [QUIC-MANAGEABILITY] 252 Kuehlewind, M. and B. Trammell, "Manageability of the QUIC 253 Transport Protocol", draft-ietf-quic-manageability-01 254 (work in progress), October 2017. 256 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 257 RFC 793, DOI 10.17487/RFC0793, September 1981, 258 . 260 [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 261 of Explicit Congestion Notification (ECN) to IP", 262 RFC 3168, DOI 10.17487/RFC3168, September 2001, 263 . 265 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 266 Scheffenegger, Ed., "TCP Extensions for High Performance", 267 RFC 7323, DOI 10.17487/RFC7323, September 2014, 268 . 270 [TRANSPORT-ENCRYPT] 271 Fairhurst, G. and C. Perkins, "The Impact of Transport 272 Header Confidentiality on Network Operation and Evolution 273 of the Internet", draft-fairhurst-tsvwg-transport- 274 encrypt-06 (work in progress), February 2018. 276 Authors' Addresses 278 Brian Trammell 279 ETH Zurich 280 Gloriastrasse 35 281 8092 Zurich 282 Switzerland 284 Email: ietf@trammell.ch 285 Mirja Kuehlewind 286 ETH Zurich 287 Gloriastrasse 35 288 8092 Zurich 289 Switzerland 291 Email: mirja.kuehlewind@tik.ee.ethz.ch