Network Working Group                                   B. Trammell, Ed.
Internet-Draft                                                ETH Zurich
Intended status: Informational                        September 23, 2015
Expires: March 26, 2016


Architectural Considerations for Transport Evolution with Explicit Path
                              Cooperation
                draft-trammell-stackevo-explicit-coop-00

Abstract

   The IAB Stack Evolution in a Middlebox Internet (SEMI) workshop in
   Zurich in January 2015 and the follow-up Substrate Protocol for User
   Datagrams (SPUD) BoF session at the IETF 92 meeting in Dallas in
   March 2015 identified the potential need for a UDP-based
   encapsulation to allow explicit cooperation with middleboxes while
   using encryption at the transport layer and above to protect user
   payload and metadata from inspection and interference.  This document
   proposes a set of architectural considerations for such approaches.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 26, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Trammell                 Expires March 26, 2016                 [Page 1]


Internet-Draft            Explicit Cooperation            September 2015


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

1.  Introduction and Motivation

   The IAB IP Stack Evolution Program aims to support the evolution of
   the Internet's transport layer and its interfaces to other layers in
   the Internet Protocol stack.  The need for this work is driven by two
   trends.  First is the development and increased deployment of
   cryptography in Internet protocols to protect against pervasive
   monitoring [RFC7258], which will break many middleboxes used in the
   operation and management of Internet-connected networks and which
   assume access to plaintext content.  An additional encapsulation
   layer to allow selective, explicit metadata exchange between the
   endpoints and devices on path to replace ad-hoc packet inspection is
   one approach to retain network manageability in an encrypted
   Internet.

   Second is the increased deployment of new applications (e.g.
   interactive media as in RTCWEB [I-D.ietf-rtcweb-overview]) for which
   the abstractions provided by today's transport protocols (i.e.,
   either a single reliable stream as in SOCK_STREAM over TCP, or an
   unreliable, unordered packet sequence as in SOCK_DGRAM over UDP) are
   inadequate.  This evolution is constrained by the presence of
   middleboxes which interfere with connectivity or packet invariability
   in the presence of new transport protocols or transport protocol
   extensions.

   The core issue is one of layer violation.  The boundary between the
   network and transport layers was originally defined to be the
   boundary between information used (and potentially modified) hop-by-
   hop, and that only used end-to-end.  The widespread deployment of
   network address and port translation (NAPT) in the Internet has
   eroded this boundary.  The first four bytes after the IP header or
   header chain - the source and destination ports - are now the de
   facto boundary between the layers.  This erosion has continued into
   the transport and application layer headers and down into content, as
   the capabilities of deployed middleboxes have increased over time.
   Evolution above the network layer is only possible if this layer
   boundary is reinforced.  Asking on-path devices nicely not to muck
   about in the transport layer and below - stating in an RFC that
   devices on path MUST NOT use or modify some header field - has not
   proven to be of much use here, so we need a new approach.

   This boundary can be reinforced by encapsulating new transport
   protocols in UDP and encrypting everything above the UDP header.



Trammell                 Expires March 26, 2016                 [Page 2]


Internet-Draft            Explicit Cooperation            September 2015


   However, this brings with it other problems.  First, middleboxes
   which maintain state must use timers to expire that state for UDP
   flows, since there is no exposure of flow lifetime and bidirectional
   establishment as with TCP's SYN, ACK, FIN, and RST flags.  These
   timers are often set fast enough to require a relatively high rate of
   heartbeat traffic to maintain this state.  A limited facility to
   expose basic semantics of the underlying transport protocol would
   allow these devices to keep state as they do with TCP, with no worse
   characteristics with respect to state management than those of TCP.

   This is a specific case of a more general issue: some of the
   inspection of traffic done by middleboxes above the network-transport
   boundary is operationally useful.  However, the use of transport
   layer and higher layer headers is an implicit feature of the
   architecture: middleboxes are exploiting the fact that these headers
   are transmitted in cleartext.  There is no explicit cooperation here:
   the endpoints have no control over the information exposed to the
   path, and the middleboxes no information about the intentions of the
   endpoint application other than that inferred from the inspected
   traffic.  We propose a change to the architecture to remedy this
   condition.

2.  Explicit Cooperation as Architectural Principle

   The principle behind this change is one of explicit cooperation.

   The present Internet architecture is rife with implicit cooperation
   between endpoints and devices on the path between them.  It is this
   implicit cooperation which has led to the ossification of the
   transport layer in the Internet.  Implicit cooperation requires
   devices along the path to make assumptions about the format of the
   packets and the nature of the traffic they are forwarding, which in
   turn leads to problems using protocols which don't meet these
   assumptions.  It also forces application and transport protocol
   developers to build protocols that operate in this presumed, least-
   common-denominator network environment.

   This situation can be improved by making this cooperation explicit.
   We first explore the properties of an ideal architecture for explicit
   cooperation, then consider the constraints imposed by the present
   configuration of the Internet which would make transition to this
   ideal architecture infeasible.  From this we derive a set of
   architectural principles and protocol design requirements which will
   support an incrementally deployable approach to explicit cooperation
   between applications on endpoints and middleboxes in the Internet.






Trammell                 Expires March 26, 2016                 [Page 3]


Internet-Draft            Explicit Cooperation            September 2015


2.1.  What does good look like?

   We can take some guidance for the future from the original Internet
   architecture.

   The original Internet architecture defined the split between TCP and
   IP by defining IP to contain those functions the gateways need to
   handle (and possibly de- and re-encapsulate, including
   fragmentation), while defining TCP to contain functions that can be
   handled by hosts end-to-end [RFC0791].  Gateways were essentially
   trusted not to meddle in TCP.

   As a first principle, a strict division between hop-to-hop and end-
   to-end functions is desirable to restore and maintain end-to-end
   service in the Internet.

   In the original architecture, there was no provision for "in-network
   functionality" beyond forwarding, fragmentation, and basic
   diagnostics.  Forwarding is inherently explicit: placing an address
   in the destination address field, the endpoint (and by extension, the
   application) indicates that a packet should be sent to a given
   address.  Fragmentation was implicit in IPv4, though in-network
   fragmentation was removed in IPv6 [RFC2460].  This was as much a
   function of adherence to the end-to-end-principle [Saltzer84] as it
   was an engineering reaction to limited computational and state
   capacity on the gateways.

   We note that layer boundaries can be enforced using sufficiently
   strong cryptography.

   As a second principle, in-network functionality along a path which
   results in the modification of packet streams received at the other
   end of a connection should be explicitly visible (and, where
   appropriate to the nature of the functionality, controllable) by the
   endpoints.

   This explicitness extends into the transport stack in the endpoint.
   When applications can clearly define transport requirements, instead
   of implicitly lensing them through known implementations of each
   socket type, these transport requirements can be exposed to and/or
   matched with properties of devices along the path, where that is
   useful.

2.2.  What keeps us from getting there?

   The clear separation of network and transport layer has been steadily
   eroded over the past twenty years or so.  Network address and port
   translation (NAPT) have effectively made the first four bytes of the



Trammell                 Expires March 26, 2016                 [Page 4]


Internet-Draft            Explicit Cooperation            September 2015


   transport header a de-facto part of the network layer, and have made
   it difficult to deploy protocols where NAPT devices don't know that
   the ports are safe to touch: anything other than UDP and TCP.
   Protocols to support NAT traversal (e.g.  Interactive Connectivity
   Establishment [RFC5245]) do not address this fundamental issue.

   Mechanisms that could be used to support explicit cooperation between
   applications and middleboxes could be supported within the network
   layer.  The IPv6 Hop-by-Hop Options Header is intended for this
   purpose, and a new hop-by-hop option could be defined.  However,
   there are some limitations to using this header: it is only supported
   by IPv6, it may itself cause packets to be dropped, it may not be
   handled efficiently (or indeed at all) by currently deployed routers
   and middleboxes [I-D.baker-6man-hbh-header-handling], and it requires
   changes to operating system stacks at the endpoints to allow
   applications to access these headers.

   One of the effects of the fact that cryptography enforces layer
   boundaries is that applications and transports run over HTTPS de
   facto [I-D.blanchet-iab-internetoverport443], since HTTPS is the most
   widely implemented, accessible, and deployable way for application
   developers to get this enforcement.

   However, the greatest barriers to explicit cooperation between
   applications and devices along the path is the lack of explicit trust
   among them.  While it is possible to assign trust within the "first
   hop" administrative domains, especially when the endpoint and network
   operator are the same entity, building and operating an
   infrastructure for assigning and maintaining these trust
   relationships within an Internet context is currently impractical.

   Finally, the erosion of the end-to-end principle has not occurred in
   a vacuum.  There are incentives to deploy in-network functions, and
   services that are impaired by them have already worked around these
   impairments.  For example, the present trend toward service
   recentralization can be seen in part as the market's response to the
   end of end-to-end.  If every application-layer transaction is
   mediated by services owned by the application's operator, two-end NAT
   traversal is no longer important.  This new architecture for services
   has additional implications for the types of interactions supported,
   and for the types of business models encouraged, which may in turn
   make some of the concerns about limited deployability of new
   transport protocols moot.








Trammell                 Expires March 26, 2016                 [Page 5]


Internet-Draft            Explicit Cooperation            September 2015


2.3.  What can we do?

   First we turn to the problem of re-separation of the network layer
   from the transport layer.  NAPT, as noted, has effectively made the
   ports part of the network layer, and this change is not easy to undo,
   so we can make this explicit.  In many NAPT environments only UDP and
   TCP traffic will be forwarded, and a packet with a TCP header may be
   assumed by middleboxes to have TCP semantics; therefore, the solution
   space is most probably constrained to putting the "new" separation
   between the network and transport layers within a UDP encapsulation.

   Since the relative delay in getting new transport protocols into
   widely deployed kernel implementations has historically been another
   impediment to deploying these new protocols in the Internet, a UDP
   encapsulation based approach has a further implication for
   incremental deployability: it is possible to implement UDP-based
   encapsulations in userspace.  While userspace implementations may
   lack some of the interfaces to lower layers available to kernelspace
   implementations necessary to build high-performance transport
   implementations, the ability to deploy widely and quickly may help
   break the chicken-and-egg problem of getting a transport protocol
   adopted into kernelspace.

   To support explicit cooperation in an environment where trust
   relationships are variable and there may be no context with which to
   authenticate every device along a path with which a

3.  Properties of encapsulation and signaling mechanisms

   We now turn to observations about and probable constraints on an
   encapsulation and signaling-based approaches to explicit cooperation.
   These thoughts are presently unordered, some having come from initial
   efforts at defining requirements for SPUD.

3.1.  The narrowness of encapsulation

   A good deal of experience with tunnels has shown that the per-stream
   overhead of a given encapsulation is generally less important than
   its impact on MTU.  For instance, the SPUD prototype as presently
   defined needs at least 20 additional bytes in the header per packet:
   2 each for source and destination UDP port, 2 for UDP length, 2 for
   UDP checksum, 8 to identify tubes, 1 for control bits for SPUD
   itself, and 3 for the smallest possible CBOR map containing a single
   opaque higher layer datagram.  For 1500-byte Ethernet frames, the
   marginal cost of SPUD before is therefore 1.33% in byte terms, but it
   does imply that 1450 byte application datagrams will no longer fit in
   a single SPUD-over-UDP-over-IPv4-over Ethernet packet.




Trammell                 Expires March 26, 2016                 [Page 6]


Internet-Draft            Explicit Cooperation            September 2015


   This fact has two implications for encapsulation design: First,
   maximum payload size per packet should be communicated up to the
   higher layer, as an explicit feature of the transport layer's
   interface.  Second, link-layer MTU is a fundamental property of each
   link along a path, so any signaling protocol allowing path elements
   to communicate to the endpoint should treat MTU as one of the most
   important properties along the path to explicitly signal.

3.2.  Implicit trust in endpoint-path signaling

   In a perfect world, the trust relationships among endpoints and
   elements on path would be precisely and explicitly defined: an
   endpoint would explicitly delegate some processing to a network
   element on its behalf, network elements would be able to trust any
   command from any endpoint, and the integrity and authenticity of
   signaling in both directions would be cryptographically protected.

   However, both the economic reality that the users at the endpoints
   and the operators of the network may not always have aligned
   interests, as well as the difficulty of universal key exchange and
   trust distribution among widely heterogeneous devices across
   administrative domain boundaries, require us to take a different
   approach toward building deployable, useful metadata signaling.

   We observe that imperative signaling approaches in the past have
   often failed in that they give each actor incentives to lie.
   Markings to ask the network to explicitly treat some packets as more
   important than others will see their value inflate away - i.e., most
   packets from most sources will be so marked - unless some mechanism
   is built to police those markings.  Reservation protocols suffer from
   the same problem: for example, if an endpoint really needs 1Mbps, but
   there is no penalty for reserving 1.5Mbps "just in case", a
   conservative strategy on the part of the endpoint leads to over-
   reservation.

3.3.  Declarative marking

   An alternate approach is to treat these markings as declarative and
   advisory, and to treat all markings on packets and flows as relative
   to other markings on packets and flows from the same sender.  In this
   case, where neither endpoints nor path elements can reliably predict
   the actions other elements in the network will take with respect to
   the marking, and where no endpoint can ask for special treatment at
   the expense of other endpoints, the incentives to marking inflation
   are greatly diminished.






Trammell                 Expires March 26, 2016                 [Page 7]


Internet-Draft            Explicit Cooperation            September 2015


3.4.  Verifiable marking

   Second, markings and declarations should be defined in such a way
   that they are verifiable, and verification built end to endpoints and
   middleboxes wherever practical.  Suppose for example an endpoint
   declares that it will send constant-bitrate, loss-insensitive traffic
   at 192kbps.  The average data rate for the given flow is trivially
   verifiable at any endpoint.  A firewall which uses this data for
   traffic classification and differential quality of service may spot-
   check the data rate for such flows, and penalize those flows and
   sources which are clearly mismarking their traffic.

   We note that it is optimistic to assume, especially in an environment
   with ubiquitous opportunistic encryption [RFC7435], that it is
   possible to define a useful marking vocabulary such that every
   marking will be so easily verifiable.  However, using verifiability
   as a design goal can lead to marking vocabularies which are less
   likely, on balance, to be be gameable and gamed.

3.5.  Privacy Tradeoffs in Metadata Signaling

   Protocol engineering experience has shown that extensibility is a key
   design goal for new protocols: especially in this case, an attempt to
   "de-ossify" the protocol stack is really an attempt to "re-ossify" it
   around new realities and requirements, so it makes sense to ensure
   this effort must not be repeated.  However, extensibility brings with
   it the potential for adding new metadata which can be used to
   increase linkability and surveillability of traffic.  Identifiers
   used internally by the signaling mechanism may also increase
   linkability.  Care must be taken when designing identifier spaces and
   extensibility mechanisms to minimize these risks.

3.6.  In-band, out-of-band, piggybacked, and interleaved signaling

   Signaling channels may be in-band (that is, using the same 5 tuple as
   the encapsulated traffic) or out-of-band (using another channel and
   different flows).  Here there are also many tradeoffs to consider.
   In-band signaling has the advantage that it does not require
   foreknowledge of the identity and addresses of devices along the path
   by endpoints and vice versa, but does add complexity to the signaling
   protocol.

   In-band signaling can be either piggybacked on the overlying
   transport or interleaved with it.  Piggybacked signaling uses some
   number of bits in each packet generated by the overlying transport to
   achieve signaling.  It requires either reducing the MTU available to
   the encapsulated transport and/or opportunistically using bits




Trammell                 Expires March 26, 2016                 [Page 8]


Internet-Draft            Explicit Cooperation            September 2015


   between the network-layer MTU and the bits actually used by the
   transport.

   This is even more complicated in the case of middleboxes that wish to
   add information to piggybacked-signaling packets, and may require the
   endpoints to introduce "scratch space" in the packets for potential
   middlebox signaling use, further increasing complexity and overhead.

   In contrast, interleaved signaling uses signaling packets on the same
   5-tuple.  This reduces complexity and sidesteps MTU problems, but is
   only applicable when the signaling can be considered valid for the
   entire flow or bound to some subset of packets in the flow via an
   identifier.

   Out-of-band signaling uses direct connections between endpoints and
   middleboxes, separate from the encapsulated transport - connections
   that are perhaps negotiated by in-band signaling.  A key disadvantage
   here is that out-of-band signaling packets may not take the same path
   as the packets in the encapsulated transport; therefore connectivity
   cannot be guaranteed.

   Signaling of path-to-endpoint information, in the case that a
   middlebox wants to signal something to the sender of the packet,
   raises the added problem of either (1) requiring the middlebox to
   send the information to the receiver for later reflection back to the
   sender, which has the disadvantage of complexity, or (2) requiring
   out-of-band direct signaling back to the sender, which in turn either
   requires the middlebox to spoof the source address and port of the
   receiver to ensure equivalent NAT treatment, or some other NAT-
   traversal approach.

   The tradeoffs here must be carefully weighed, and a comprehensive
   approach may use a mix of all these communication patterns.

3.7.  Reflection protection and return routability

   The ease of forging source addresses in UDP together with the only
   limited deployment of network egress filtering [RFC2827] means that
   UDP traffic presently lacks a return routability guarantee.  This
   leads to UDP being useful for reflection and amplification attacks,
   which in turn has led in part to the present situation wherein UDP
   traffic may be blocked by firewalls when not explicitly needed by an
   organization as part of its Internet connectivity.

   Return routability is therefore a minimal property of any transport
   that can be responsibly deployed at scale in the Internet.





Trammell                 Expires March 26, 2016                 [Page 9]


Internet-Draft            Explicit Cooperation            September 2015


4.  IANA Considerations

   This document has no actions for IANA.

5.  Security Considerations

   This revision of this document presents no security considerations.
   A more rigorous definition of the limits of declarative and
   verifiable marking would need to be evaluated against a specified
   threat model, but we leave this to future work.

6.  Acknowledgments

   Many thanks to the attendees of the IAB Workshop on Stack Evolution
   in a Middlebox Internet (SEMI) in Zurich, 26-27 January 2015; most of
   the thoughts in this document follow directly from discussions at
   SEMI and the subsequent SPUD BoF in Dallas in March 2015.  Some text
   for this revision of this document has been taken from
   [I-D.trammell-spud-req], written with Mirja Kuehlewind, David Black,
   Ken Calvert, Ted Hardie, Joe Hildebrand, Jana Iyengar, and Eric
   Rescorla.  This work is partially supported by the European
   Commission under Grant Agrement FP7-318627 mPlane; support does not
   imply endorsement by the Commission of the content of this work.

7.  Informative References

   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791, September
              1981.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC5245]  Rosenberg, J., "Interactive Connectivity Establishment
              (ICE): A Protocol for Network Address Translator (NAT)
              Traversal for Offer/Answer Protocols", RFC 5245, DOI
              10.17487/RFC5245, April 2010,
              <http://www.rfc-editor.org/info/rfc5245>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May
              2014, <http://www.rfc-editor.org/info/rfc7258>.

   [RFC7435]  Dukhovni, V., "Opportunistic Security: Some Protection
              Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
              December 2014, <http://www.rfc-editor.org/info/rfc7435>.



Trammell                 Expires March 26, 2016                [Page 10]


Internet-Draft            Explicit Cooperation            September 2015


   [I-D.ietf-rtcweb-overview]
              Alvestrand, H., "Overview: Real Time Protocols for
              Browser-based Applications", draft-ietf-rtcweb-overview-14
              (work in progress), June 2015.

   [I-D.ietf-taps-transports]
              Fairhurst, G., Trammell, B., and M. Kuehlewind, "Services
              provided by IETF transport protocols and congestion
              control mechanisms", draft-ietf-taps-transports-06 (work
              in progress), July 2015.

   [I-D.hildebrand-spud-prototype]
              Hildebrand, J. and B. Trammell, "Substrate Protocol for
              User Datagrams (SPUD) Prototype", draft-hildebrand-spud-
              prototype-03 (work in progress), March 2015.

   [I-D.huitema-tls-dtls-as-subtransport]
              Huitema, C., Rescorla, E., and J. Jana, "DTLS as
              Subtransport protocol", draft-huitema-tls-dtls-as-
              subtransport-00 (work in progress), March 2015.

   [I-D.blanchet-iab-internetoverport443]
              Blanchet, M., "Implications of Blocking Outgoing Ports
              Except Ports 80 and 443", draft-blanchet-iab-
              internetoverport443-02 (work in progress), July 2013.

   [I-D.baker-6man-hbh-header-handling]
              Baker, F., "IPv6 Hop-by-Hop Header Handling", draft-baker-
              6man-hbh-header-handling-02 (work in progress), July 2015.

   [I-D.trammell-spud-req]
              Trammell, B. and M. Kuehlewind, "Requirements for the
              design of a Substrate Protocol for User Datagrams (SPUD)",
              draft-trammell-spud-req-00 (work in progress), July 2015.

   [Saltzer84]
              Saltzer, J., Reed, D., and D. Clark, "End-to-End Arguments
              in System Design (ACM Trans. Comp. Sys.)", 1984.

   [RFC0792]  Postel, J., "Internet Control Message Protocol", STD 5,
              RFC 792, DOI 10.17487/RFC0792, September 1981,
              <http://www.rfc-editor.org/info/rfc792>.

   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
              Defeating Denial of Service Attacks which employ IP Source
              Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
              May 2000, <http://www.rfc-editor.org/info/rfc2827>.




Trammell                 Expires March 26, 2016                [Page 11]


Internet-Draft            Explicit Cooperation            September 2015


   [RFC4821]  Mathis, M. and J. Heffner, "Packetization Layer Path MTU
              Discovery", RFC 4821, March 2007.

   [RFC7510]  Xu, X., Sheth, N., Yong, L., Callon, R., and D. Black,
              "Encapsulating MPLS in UDP", RFC 7510, DOI 10.17487/
              RFC7510, April 2015,
              <http://www.rfc-editor.org/info/rfc7510>.

   [I-D.trammell-stackevo-newtea]
              Trammell, B., "Thoughts a New Transport Encapsulation
              Architecture", draft-trammell-stackevo-newtea-01 (work in
              progress), May 2015.

   [I-D.iab-semi-report]
              Trammell, B. and M. Kuehlewind, "IAB Workshop on Stack
              Evolution in a Middlebox Internet (SEMI) Report", draft-
              iab-semi-report-01 (work in progress), July 2015.

   [I-D.ietf-dart-dscp-rtp]
              Black, D. and P. Jones, "Differentiated Services
              (DiffServ) and Real-time Communication", draft-ietf-dart-
              dscp-rtp-10 (work in progress), November 2014.

Author's Address

   Brian Trammell (editor)
   ETH Zurich
   Gloriastrasse 35
   8092 Zurich
   Switzerland

   Email: ietf@trammell.ch



















Trammell                 Expires March 26, 2016                [Page 12]