idnits 2.17.1 draft-trammell-wire-image-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 03, 2018) is 2215 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-13) exists of draft-ietf-quic-invariants-01 == Outdated reference: A later version (-18) exists of draft-ietf-quic-manageability-01 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) == Outdated reference: A later version (-10) exists of draft-fairhurst-tsvwg-transport-encrypt-06 Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Trammell 3 Internet-Draft M. Kuehlewind 4 Intended status: Informational ETH Zurich 5 Expires: October 5, 2018 April 03, 2018 7 The Wire Image of a Network Protocol 8 draft-trammell-wire-image-03 10 Abstract 12 This document defines the wire image, an abstraction of the 13 information available to an on-path non-participant in a networking 14 protocol. This abstraction is intended to shed light on the 15 implications on increased encryption has for network functions that 16 use the wire image. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on October 5, 2018. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 1. Introduction 52 A protocol specification defines a set of behaviors for each 53 participant in the protocol: which lower-layer protocols are used for 54 which services, how messages are formatted and protected, which 55 participant sends which message when, how each participant should 56 respond to each message, and so on. 58 Implicit in a protocol specification is the information the protocol 59 radiates toward nonparticipant observers of the messages sent among 60 participants. Any information that has a clear definition in the 61 protocol's message format(s), or is implied by that definition, and 62 is not cryptographically confidentiality-protected can be 63 unambiguously interpreted by those observers. 65 This information comprises the protocol's wire image, which we define 66 and discuss in this document. It is the wire image, not the 67 protocol's specification, that determines how third parties on the 68 network paths among protocol participants will interact with that 69 protocol. 71 Several documents currently under discussion in IETF working groups 72 and the IETF in general, for example [QUIC-MANAGEABILITY], 73 [EFFECT-ENCRYPT], and [TRANSPORT-ENCRYPT], discuss in part impacts on 74 the third-party use of wire images caused by a migration from 75 protocols whose wire images are largely not confidentiality protected 76 (e.g. HTTP over TCP) to protocols whose wire images are 77 confidentiality protected (e.g. H2 over QUIC). 79 This document presents the wire image abstraction with the hope that 80 it can shed some light on these discussions. 82 2. Definition 84 More formally, the wire image of a protocol consists of the sequence 85 of messages sent by each participant in the protocol, each expressed 86 as a sequence of bits with an associated arbitrary-precision time at 87 which it was sent. 89 3. Discussion 91 This definition is so vague as to be difficult to apply to protocol 92 analysis, but it does illustrate some important properties of the 93 wire image. 95 Key is that the wire image is not limited to merely "the unencrypted 96 bits in the header". In particular, interpacket timing, packet size, 97 and message sequence information can be used to infer other 98 parameters of the behavior of the protocol, or to fingerprint 99 protocols and/or specific implementations of the protocol; see 100 Section 3.1. 102 An important implication of this property is that a protocol which 103 uses confidentiality protection for the headers it needs to operate 104 can be deliberately designed to have a specified wire image that is 105 separate from that machinery; see Section 3.3. Note that this is a 106 capability unique to encrypted protocols. Parts of a wire image may 107 also be made visible to devices on path, but immutable through end- 108 to-end integrity protection; see Section 3.2. 110 Portions of the wire image of a protocol that are neither 111 confidentiality-protected nor integrity-protected are writable by 112 devices on the path(s) between the endpoints using the protocol. A 113 protocol with a wire image that is largely writable operating over a 114 path with devices that understand the semantics of the protocol's 115 wire image can modify it, in order to induce behaviors at the 116 protocol's participants. This is the case with TCP in the current 117 Internet. 119 Note also that the wire image is multidimensional. This implies that 120 the name "image" is not merely metaphorical, and that general image 121 recognition techniques may be applicable to extracting patterns and 122 information from it. 124 From the point of view of a passive observer, the wire image of a 125 single protocol is rarely seen in isolation. The dynamics of the 126 application and network stacks on each endpoint use multiple 127 protocols for any higher level task. Most protocols involving user 128 content, for example, are often seen on the wire together with DNS 129 traffic; the information from these two wire images can be correlated 130 to infer information about the dynamics of the overlying application. 132 3.1. Obscuring timing and sizing information 134 Cryptography can protect the confidentiality of a protocol's headers, 135 to the extent that forwarding devices do not need the 136 confidentiality-protected information for basic forwarding 137 operations. However, it cannot be applied to protecting non-header 138 information in the wire image. Of particular interest is the 139 sequence of packet sizes and the sequence of packet times. These are 140 characteristic of the operation of the protocol. While packets 141 cannot be made smaller than their information content, nor sent 142 faster than processing time requirements at the sender allow, a 143 sender may use padding to increase the size of packets, and add delay 144 to transmission scheduling in order to increase interpacket delay. 145 However, it does this as the expense of bandwidth efficiency and 146 latency, so this technique is limited to the application's tolerance 147 for latency and bandwidth inefficiency. 149 3.2. Integrity Protection of the Wire Image 151 Adding end-to-end integrity protection to portions of the wire image 152 makes it impossible for on-path devices to modify them without 153 detection by the endpoints, which can then take action in response to 154 those modifications, making these portions of the wire image 155 effectively immutable. However, they can still be observed by 156 devices on path. This allows the creation of signals intended by the 157 endpoints solely for the consumption of these on-path devices. 159 Integrity protection can only practically be applied to the sequence 160 of bits in each packet, which implies that a protocol's visible wire 161 image cannot be made completely immutable in a packet-switched 162 network. Interarrival timings, for instance, cannot be easily 163 protected, as the observable delay sequence is modified as packets 164 move through the network and experience different delays on different 165 links. Message sequences are also not practically protectable, as 166 packets may be dropped or reordered at any point in the network, as a 167 consequence of the network's operation. Intermediate systems with 168 knowledge of the protocol semantics in the readable portion of the 169 wire image can also purposely delay or drop packets in order to 170 affect the protocol's operation. 172 3.3. Engineering the Wire Image 174 Understanding the nature of a protocol's wire image allows it to be 175 engineered. The general principle at work here, observed through 176 experience with deployability and non-deployability of protocols at 177 the network and transport layers in the Internet, is that all 178 observable parts of a protocol's wire image will eventually be used 179 by devices on path; consequently, changes or future extensions that 180 affect the observable part of the wire image become difficult or 181 impossible to deploy. 183 A network function which serves a purpose useful to its deployer will 184 use the information it needs from the wire image, and will tend to 185 get that information from the wire image in the simplest way 186 possible. 188 For example, consider the case of the ubiquitous TCP [RFC0793] 189 transport protocol. As described in [PATH-SIGNALS], several key in- 190 network functions have evolved to take advantage of implicit signals 191 in TCP's wire image, which, as TCP provides neither integrity or 192 confidentiality protection for its headers, is inseparable from its 193 internal operation. Some of these include: 195 o Determining return routability and consent: For example, TCP's 196 wire image contains both an implicit indication that the sender of 197 a packet is at least on the path toward its source address (in the 198 acknowledgement number during the handshake), as well as an 199 implicit indication that a receiving device consents to continue 200 communication. These are used by stateful network firewalls. 202 o Measuring loss and latency: For example, examining the sequence of 203 TCP's sequence and acknowledgement numbers, as well as the ECN 204 [RFC3168] control bits allows the inference of congestion, loss 205 and retransmission along the path. The sequence and 206 acknowledgement numbers together with the timestamp option 207 [RFC7323] allow the measurement of application-experienced 208 latency. 210 During the design of a protocol, the utility of features such as 211 these shoud be considered, and the protocol's wire image should 212 therefore be designed to explicitly expose information to those 213 network functions deemed important by the designers in an obvious 214 way. The wire image should expose as little other information as 215 possible. 217 However, even when information is explicitly provided to the network, 218 any information that is exposed by the wire image, even that 219 information not intended to be consumed by an observer, must be 220 designed carefully as it might ossify, making it immutable for future 221 versions of the protocol. For example, information needed to support 222 decryption by the receiving endpoint (cryptographic handshakes, 223 sequence numbers, and so on) may be used by devices along the path 224 for their own purposes. 226 3.3.1. Invariants 228 One approach to reduce the extent of the wire image that will be used 229 by devices on the path is to define a set of invariants for a 230 protocol during its development. Invariants are, in essence, a 231 promise made by the protocol's developers that certain bits in the 232 wire image, and behaviors observable in the wire image, will be 233 preserved through the specification of all future versions of the 234 protocol. QUIC's invariants [QUIC-INVARIANTS] are an initial attempt 235 to apply this approach to QUIC. 237 While static aspects of the wire image - bits with simple semantics 238 at fixed positions in protocol headers - can easily be made 239 invariant, different aspects of the wire image may be more or less 240 appropriate to define as invariants. For a protocol with a version 241 and/or extension negotiation mechanism, the bits in the header and 242 behaviors tied to those bits which implement version negotiation 243 should be made invariant. More fluid aspects of the wire image and 244 behaviors which are not necessary for interoperability are not 245 appropriate as invariants. 247 3.3.2. Trustworthiness of Engineered Signals 249 Since they are separate from the signals that drive an encrypted 250 protocol's mechanisms, the veracity of integrity-protected signals in 251 an engineered wire image intended for consumption by the path may not 252 be verifiable by on-path devices; see [PATH-SIGNALS]. Indeed, any 253 two endpoints with a secret channel between them (in this case, the 254 encrypted protocol itself) may collude to change the semantics and 255 information content of these signals. This is an unavoidable 256 consequence of the separation of the wire image from the protocol's 257 operation afforded by confidentiality protection of the protocol's 258 headers. 260 4. Acknowledgments 262 Thanks to Martin Thomson, Thomas Fossati, Ted Hardie, and the 263 membership of the IAB Stack Evolution Program, for discussions that 264 have improved this document. 266 This work is partially supported by the European Commission under 267 Horizon 2020 grant agreement no. 688421 Measurement and Architecture 268 for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat 269 for Education, Research, and Innovation under contract no. 15.0268. 270 This support does not imply endorsement. 272 5. Informative References 274 [EFFECT-ENCRYPT] 275 Moriarty, K. and A. Morton, "Effects of Pervasive 276 Encryption on Operators", draft-mm-wg-effect-encrypt-25 277 (work in progress), March 2018. 279 [PATH-SIGNALS] 280 Hardie, T., "Path Signals", draft-hardie-path-signals-03 281 (work in progress), April 2018. 283 [QUIC-INVARIANTS] 284 Thomson, M., "Version-Independent Properties of QUIC", 285 draft-ietf-quic-invariants-01 (work in progress), March 286 2018. 288 [QUIC-MANAGEABILITY] 289 Kuehlewind, M. and B. Trammell, "Manageability of the QUIC 290 Transport Protocol", draft-ietf-quic-manageability-01 291 (work in progress), October 2017. 293 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 294 RFC 793, DOI 10.17487/RFC0793, September 1981, 295 . 297 [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 298 of Explicit Congestion Notification (ECN) to IP", 299 RFC 3168, DOI 10.17487/RFC3168, September 2001, 300 . 302 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 303 Scheffenegger, Ed., "TCP Extensions for High Performance", 304 RFC 7323, DOI 10.17487/RFC7323, September 2014, 305 . 307 [TRANSPORT-ENCRYPT] 308 Fairhurst, G. and C. Perkins, "The Impact of Transport 309 Header Confidentiality on Network Operation and Evolution 310 of the Internet", draft-fairhurst-tsvwg-transport- 311 encrypt-06 (work in progress), February 2018. 313 Authors' Addresses 315 Brian Trammell 316 ETH Zurich 317 Gloriastrasse 35 318 8092 Zurich 319 Switzerland 321 Email: ietf@trammell.ch 323 Mirja Kuehlewind 324 ETH Zurich 325 Gloriastrasse 35 326 8092 Zurich 327 Switzerland 329 Email: mirja.kuehlewind@tik.ee.ethz.ch