idnits 2.17.1 draft-trammell-wire-image-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack a Security Considerations section. ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 10, 2018) is 2201 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-13) exists of draft-ietf-quic-invariants-01 == Outdated reference: A later version (-18) exists of draft-ietf-quic-manageability-01 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) == Outdated reference: A later version (-10) exists of draft-fairhurst-tsvwg-transport-encrypt-07 == Outdated reference: A later version (-04) exists of draft-thomson-use-it-or-lose-it-01 Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Trammell 3 Internet-Draft M. Kuehlewind 4 Intended status: Informational ETH Zurich 5 Expires: October 12, 2018 April 10, 2018 7 The Wire Image of a Network Protocol 8 draft-trammell-wire-image-04 10 Abstract 12 This document defines the wire image, an abstraction of the 13 information available to an on-path non-participant in a networking 14 protocol. This abstraction is intended to shed light on the 15 implications on increased encryption has for network functions that 16 use the wire image. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on October 12, 2018. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 1. Introduction 52 A protocol specification defines a set of behaviors for each 53 participant in the protocol: which lower-layer protocols are used for 54 which services, how messages are formatted and protected, which 55 participant sends which message when, how each participant should 56 respond to each message, and so on. 58 Implicit in a protocol specification is the information the protocol 59 radiates toward nonparticipant observers of the messages sent among 60 participants, often including participants in lower layer protocols. 61 Any information that has a clear definition in the protocol's message 62 format(s), or is implied by that definition, and is not 63 cryptographically confidentiality-protected can be unambiguously 64 interpreted by those observers. 66 This information comprises the protocol's wire image, which we define 67 and discuss in this document. It is the wire image, not the 68 protocol's specification, that determines how third parties on the 69 network paths among protocol participants will interact with that 70 protocol. 72 Several documents currently under discussion in IETF working groups 73 and the IETF in general, for example [QUIC-MANAGEABILITY], 74 [EFFECT-ENCRYPT], and [TRANSPORT-ENCRYPT], discuss in part impacts on 75 the third-party use of wire images caused by a migration from 76 protocols whose wire images are largely not confidentiality protected 77 (e.g. HTTP over TCP) to protocols whose wire images are 78 confidentiality protected (e.g. H2 over QUIC). 80 This document presents the wire image abstraction with the hope that 81 it can shed some light on these discussions. 83 2. Definition 85 More formally, the wire image of a protocol consists of the sequence 86 of messages sent by each participant in the protocol, each expressed 87 as a sequence of bits with an associated arbitrary-precision time at 88 which it was sent. 90 3. Discussion 92 This definition is so vague as to be difficult to apply to protocol 93 analysis, but it does illustrate some important properties of the 94 wire image. 96 Key is that the wire image is not limited to merely "the unencrypted 97 bits in the header". In particular, interpacket timing, packet size, 98 and message sequence information can be used to infer other 99 parameters of the behavior of the protocol, or to fingerprint 100 protocols and/or specific implementations of the protocol; see 101 Section 3.1. 103 An important implication of this property is that a protocol which 104 uses confidentiality protection for the headers it needs to operate 105 can be deliberately designed to have a specified wire image that is 106 separate from that machinery; see Section 3.3. Note that this is a 107 capability unique to encrypted protocols. Parts of a wire image may 108 also be made visible to devices on path, but immutable through end- 109 to-end integrity protection; see Section 3.2. 111 Portions of the wire image of a protocol that are neither 112 confidentiality-protected nor integrity-protected are writable by 113 devices on the path(s) between the endpoints using the protocol. A 114 protocol with a wire image that is largely writable operating over a 115 path with devices that understand the semantics of the protocol's 116 wire image can modify it, in order to induce behaviors at the 117 protocol's participants. This is the case with TCP in the current 118 Internet. 120 Note also that the wire image is multidimensional. This implies that 121 the name "image" is not merely metaphorical, and that general image 122 recognition techniques may be applicable to extracting patterns and 123 information from it. 125 From the point of view of a passive observer, the wire image of a 126 single protocol is rarely seen in isolation. The dynamics of the 127 application and network stacks on each endpoint use multiple 128 protocols for any higher level task. Most protocols involving user 129 content, for example, are often seen on the wire together with DNS 130 traffic; the information from these two wire images can be correlated 131 to infer information about the dynamics of the overlying application. 133 3.1. Obscuring timing and sizing information 135 Cryptography can protect the confidentiality of a protocol's headers, 136 to the extent that forwarding devices do not need the 137 confidentiality-protected information for basic forwarding 138 operations. However, it cannot be applied to protecting non-header 139 information in the wire image. Of particular interest is the 140 sequence of packet sizes and the sequence of packet times. These are 141 characteristic of the operation of the protocol. While packets 142 cannot be made smaller than their information content, nor sent 143 faster than processing time requirements at the sender allow, a 144 sender may use padding to increase the size of packets, and add delay 145 to transmission scheduling in order to increase interpacket delay. 147 However, it does this as the expense of bandwidth efficiency and 148 latency, so this technique is limited to the application's tolerance 149 for latency and bandwidth inefficiency. 151 3.2. Integrity Protection of the Wire Image 153 Adding end-to-end integrity protection to portions of the wire image 154 makes it impossible for on-path devices to modify them without 155 detection by the endpoints, which can then take action in response to 156 those modifications, making these portions of the wire image 157 effectively immutable. However, they can still be observed by 158 devices on path. This allows the creation of signals intended by the 159 endpoints solely for the consumption of these on-path devices. 161 Integrity protection can only practically be applied to the sequence 162 of bits in each packet, which implies that a protocol's visible wire 163 image cannot be made completely immutable in a packet-switched 164 network. Interarrival timings, for instance, cannot be easily 165 protected, as the observable delay sequence is modified as packets 166 move through the network and experience different delays on different 167 links. Message sequences are also not practically protectable, as 168 packets may be dropped or reordered at any point in the network, as a 169 consequence of the network's operation. Intermediate systems with 170 knowledge of the protocol semantics in the readable portion of the 171 wire image can also purposely delay or drop packets in order to 172 affect the protocol's operation. 174 3.3. Engineering the Wire Image 176 Understanding the nature of a protocol's wire image allows it to be 177 engineered. The general principle at work here, observed through 178 experience with deployability and non-deployability of protocols at 179 the network and transport layers in the Internet, is that all 180 observable parts of a protocol's wire image will eventually be used 181 by devices on path; consequently, changes or future extensions that 182 affect the observable part of the wire image become difficult or 183 impossible to deploy. 185 A network function which serves a purpose useful to its deployer will 186 use the information it needs from the wire image, and will tend to 187 get that information from the wire image in the simplest way 188 possible. 190 For example, consider the case of the ubiquitous TCP [RFC0793] 191 transport protocol. As described in [PATH-SIGNALS], several key in- 192 network functions have evolved to take advantage of implicit signals 193 in TCP's wire image, which, as TCP provides neither integrity or 194 confidentiality protection for its headers, is inseparable from its 195 internal operation. Some of these include: 197 o Determining return routability and consent: For example, TCP's 198 wire image contains both an implicit indication that the sender of 199 a packet is at least on the path toward its source address (in the 200 acknowledgement number during the handshake), as well as an 201 implicit indication that a receiving device consents to continue 202 communication. These are used by stateful network firewalls. 204 o Measuring loss and latency: For example, examining the sequence of 205 TCP's sequence and acknowledgement numbers, as well as the ECN 206 [RFC3168] control bits allows the inference of congestion, loss 207 and retransmission along the path. The sequence and 208 acknowledgement numbers together with the timestamp option 209 [RFC7323] allow the measurement of application-experienced 210 latency. 212 During the design of a protocol, the utility of features such as 213 these shoud be considered, and the protocol's wire image should 214 therefore be designed to explicitly expose information to those 215 network functions deemed important by the designers in an obvious 216 way. The wire image should expose as little other information as 217 possible. 219 However, even when information is explicitly provided to the network, 220 any information that is exposed by the wire image, even that 221 information not intended to be consumed by an observer, must be 222 designed carefully as it might ossify, making it immutable for future 223 versions of the protocol. For example, information needed to support 224 decryption by the receiving endpoint (cryptographic handshakes, 225 sequence numbers, and so on) may be used by devices along the path 226 for their own purposes. 228 3.3.1. Declaring Protocol Invariants 230 One approach to reduce the extent of the wire image that will be used 231 by devices on the path is to define a set of invariants for a 232 protocol during its development. Declaring a protocol's invariants 233 represents a promise made by the protocol's developers that certain 234 bits in the wire image, and behaviors observable in the wire image, 235 will be preserved through the specification of all future versions of 236 the protocol. QUIC's invariants [QUIC-INVARIANTS] are an initial 237 attempt to apply this approach to QUIC. 239 While static aspects of the wire image - bits with simple semantics 240 at fixed positions in protocol headers - can easily be made 241 invariant, different aspects of the wire image may be more or less 242 appropriate to define as invariants. For a protocol with a version 243 and/or extension negotiation mechanism, the bits in the header and 244 behaviors tied to those bits which implement version negotiation 245 should be made invariant. More fluid aspects of the wire image and 246 behaviors which are not necessary for interoperability are not 247 appropriate as invariants. 249 Parts of a protocol's wire image not declared invariant but intended 250 to be visible to devices on path should be protected against 251 "accidental invariance": the deployment of on-path devices over time 252 that make simplifying assumptions about the behavior of those parts 253 of the wire image, making new behaviors not meeting those assumptions 254 difficult to deploy. Integrity protection of the wire image may 255 itself help protect against accidental invariance, because read-only 256 wire images invite less meddling than path-writable wire images. The 257 techniques discussed in [USE-IT] may also be useful in further 258 preventing accidental invariance and ossification. 260 Likewise, parts of a protocol's wire image not declared invariant and 261 not intended to be visible to the path should be encrypted to protect 262 their confidentiality. When confidentiality protection is either not 263 possible or not practical, then, as above, the approaches discussed 264 in [USE-IT] may be useful in ossification prevention. 266 3.3.2. Trustworthiness of Engineered Signals 268 Since they are separate from the signals that drive an encrypted 269 protocol's mechanisms, the veracity of integrity-protected signals in 270 an engineered wire image intended for consumption by the path may not 271 be verifiable by on-path devices; see [PATH-SIGNALS]. Indeed, any 272 two endpoints with a secret channel between them (in this case, the 273 encrypted protocol itself) may collude to change the semantics and 274 information content of these signals. This is an unavoidable 275 consequence of the separation of the wire image from the protocol's 276 operation afforded by confidentiality protection of the protocol's 277 headers. 279 4. Acknowledgments 281 Thanks to Martin Thomson, Thomas Fossati, Ted Hardie, Mark 282 Nottingham, and the membership of the IAB Stack Evolution Program, 283 for text, feedback, and discussions that have improved this document. 285 This work is partially supported by the European Commission under 286 Horizon 2020 grant agreement no. 688421 Measurement and Architecture 287 for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat 288 for Education, Research, and Innovation under contract no. 15.0268. 289 This support does not imply endorsement. 291 5. Informative References 293 [EFFECT-ENCRYPT] 294 Moriarty, K. and A. Morton, "Effects of Pervasive 295 Encryption on Operators", draft-mm-wg-effect-encrypt-25 296 (work in progress), March 2018. 298 [PATH-SIGNALS] 299 Hardie, T., "Path Signals", draft-hardie-path-signals-03 300 (work in progress), April 2018. 302 [QUIC-INVARIANTS] 303 Thomson, M., "Version-Independent Properties of QUIC", 304 draft-ietf-quic-invariants-01 (work in progress), March 305 2018. 307 [QUIC-MANAGEABILITY] 308 Kuehlewind, M. and B. Trammell, "Manageability of the QUIC 309 Transport Protocol", draft-ietf-quic-manageability-01 310 (work in progress), October 2017. 312 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 313 RFC 793, DOI 10.17487/RFC0793, September 1981, 314 . 316 [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition 317 of Explicit Congestion Notification (ECN) to IP", 318 RFC 3168, DOI 10.17487/RFC3168, September 2001, 319 . 321 [RFC7323] Borman, D., Braden, B., Jacobson, V., and R. 322 Scheffenegger, Ed., "TCP Extensions for High Performance", 323 RFC 7323, DOI 10.17487/RFC7323, September 2014, 324 . 326 [TRANSPORT-ENCRYPT] 327 Fairhurst, G. and C. Perkins, "The Impact of Transport 328 Header Confidentiality on Network Operation and Evolution 329 of the Internet", draft-fairhurst-tsvwg-transport- 330 encrypt-07 (work in progress), April 2018. 332 [USE-IT] Thomson, M., "Long-term Viability of Protocol Extension 333 Mechanisms", draft-thomson-use-it-or-lose-it-01 (work in 334 progress), March 2018. 336 Authors' Addresses 338 Brian Trammell 339 ETH Zurich 340 Gloriastrasse 35 341 8092 Zurich 342 Switzerland 344 Email: ietf@trammell.ch 346 Mirja Kuehlewind 347 ETH Zurich 348 Gloriastrasse 35 349 8092 Zurich 350 Switzerland 352 Email: mirja.kuehlewind@tik.ee.ethz.ch