Network Working Group J. Hildebrand
Internet-Draft Cisco Systems, Inc.
Intended status: Informational January 15, 2014
Expires: July 19, 2014
Erosion of the moral authority of middleboxes
draft-hildebrand-middlebox-erosion-00
Abstract
Many middleboxes on the Internet attempt to add value to the
connections that traverse that point on the network. Problems in
their implementations erode the moral authority that otherwise might
accrue to the legitimate value that they add.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 19, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Hildebrand Expires July 19, 2014 [Page 1]
Internet-Draft I-D January 2014
1. Introduction
There are several middlebox use cases that typically stand in the way
of better encryption helping to mitigate perpass-style attacks.
o Local caching
o Enterprise policy controls, including Data Loss Prevention (DLP)
and monitoring for acceptable use
o Service provider acceleration of mobile data
o Advertisement insertion for "free" networks
These use cases may cause third parties to an end-to-end conversation
to have legitimate legal and moral rights that grant them
participation in the conversation. This document discusses several
reasons why the legitimacy of these use cases is undermined in the
minds of some who build products for the Internet.
2. Similarity to attacks
Some middlebox capabilities are currently implemented using the same
mechanisms employed by attackers, including passive capturing of
plaintext data, active impersonation, and denial of service.
It is difficult to design protocols that simultaneously prevent a
given vulnerability and simultaneously selectively allow legitimate
access, and arguments that particular attacks cannot therefore be
mitigated are greeted by end-users with skepticism - particularly
when the benefit added by the middlebox does not accrue directly to
those users.
3. Unintentional breakage
The experiences of living with a wide variety of middleboxes in the
real world lead developers to realize that they all have defects that
go years without being addressed. Even when the vendor fixes a given
bug, software is updated so infrequently at this layer that often the
bug must just be worked around.
Developers that have to add multiple special cases to their products
as they discover every new way to incorrectly implement what they
previously thought were simple protocols often overreact by using
protocols that are harder to manage, have worse security properties,
or perform poorly.
Hildebrand Expires July 19, 2014 [Page 2]
Internet-Draft I-D January 2014
4. Support cost appropriation
When a middlebox subtly fails, end users never call the entity that
deployed the middlebox, much less the vendor that built that box.
Instead, they file a support request with the services that they are
trying to access. The team that developed that service typically
spends many hours finally tracking down the issue, only to finally
find the problem with the middlebox. The original end user never has
the authority to fix the middlebox, so they demand the service owner
work around the problem.
When the costs associated with broken behavior are not paid by the
developers of that behavior, it is easy for those developers to
assume that everyone is happy with their product.
5. Other monetary incentives
Developers of new services will often try to make their network
traffic as similar as possible to an existing essential service.
This approach maximizes the chances that they will be able to develop
a user base, however it can stress middleboxes beyond their design
constraints causing them to fail in new ways.
When middlebox developers bring about their own downfall by pushing
application providers outside of natural design patterns, they do not
impress the community with their desire to be trustable elements of
the Internet architecture.
6. Conclusions
When the moral authority of middleboxes is eroded, arguments by their
developers to allow unfettered access to the plaintext of traffic
that traverses those boxes may be called into question.
As an industry, we should look for other mechanisms to provide
legitimate third-party value.
7. References
Author's Address
Joe Hildebrand
Cisco Systems, Inc.
Email: jhildebr@cisco.com
Hildebrand Expires July 19, 2014 [Page 3]