Internet Engineering Task Force (IETF) Phillip Hallam-Baker
Internet-Draft Comodo Group Inc.
Intended Status: Standards Track October 23, 2014
Expires: April 26, 2015
An Internet Presentation Level
draft-hallambaker-presentation-00
Abstract
Paper submitted to the IAB Middlebox workshop describing an Internet
architectural model.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Hallam-Baker April 26, 2015 [Page 1]
Internet-Draft An Internet Presentation Level October 2014
Table of Contents
1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Success has Consequences . . . . . . . . . . . . . . . . . . . 4
2.1. Middleboxes Emerge as Symptom, not Cause . . . . . . . . 6
2.2. The Deployment Challenge . . . . . . . . . . . . . . . . 7
2.3. Need for a Consistent Discovery Architecture . . . . . . 8
2.4. Limitations of the DNS Infrastructure . . . . . . . . . 9
2.5. Non DNS Discovery Infrastructure . . . . . . . . . . . . 10
2.6. Not Yet Existing Infrastructure . . . . . . . . . . . . 11
2.7. The Administration Gap . . . . . . . . . . . . . . . . . 11
3. An Internet Presentation Level . . . . . . . . . . . . . . . 12
3.1. Authoritative Infrastructures and Ground Truth . . . . . 14
3.2. Anti-Abuse Filtering . . . . . . . . . . . . . . . . . . 15
3.3. IPv6 Transition . . . . . . . . . . . . . . . . . . . . 15
3.4. DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.5. Naming Architecture . . . . . . . . . . . . . . . . . . 16
3.5.1. Account Names . . . . . . . . . . . . . . . . . . . 17
3.5.2. Strong Names . . . . . . . . . . . . . . . . . . . 18
3.6. Discovery Services . . . . . . . . . . . . . . . . . . . 19
3.6.1. Consistent Discovery API . . . . . . . . . . . . . 19
4. Implementation . . . . . . . . . . . . . . . . . . . . . . . 20
4.1. Connection Broker . . . . . . . . . . . . . . . . . . . 20
4.2. Private DNS - Eliminating Legacy DNS restrictions . . . 21
4.3. OmniQuery - A Presentation Level Discovery Service . . . 22
4.4. OmniPublish - A Presentation Level Provisioning Service 23
5. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 23
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.1. Normative References . . . . . . . . . . . . . . . . . . 24
6.2. Informative References . . . . . . . . . . . . . . . . . 24
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Overview
The IETF process traditionally favors incremental change over radical
change. But this approach fails when the problem to be solved is
itself caused by divergent incremental change. Every one of the
problems described in this document has been solved, not once but
multiple times. And it is the proliferation and inconsistency of
those solutions that is now the problem.
The first section of this paper surveys the key problems arising
from the current Internet discovery architecture and the constraints
within which any proposed solution must work. It is the view of the
author that the proliferation of middleboxes is a symptom rather than
the cause of these problems. Middleboxes do, however, represent a
constraint within which any solution must work.
The second section argues that the areas in which the original
Internet architecture now falls short do not properly belong
exclusively to either the transport layer or the application layer.
The need for middle boxes arises because the Internet model lacks a
level of abstraction between the transport and application layers.
The name 'Presentation Level' is used for this new interface because
'Presentation Layer' is firmly established as the term of art for
what lies between OSI layers 5 and 7.
While the idea that the DNS represents an Internet presentation layer
has been advanced on previous occasions, this paper takes the concept
further using the term presentation level to include host and service
discovery, account presence protocols, Kerberos like key services and
PKI.
The final section describes a realization of the architecture
described in the previous section through a compact set of simple Web
Services that are individually of limited scope. Each of these
proposals has been tested in an open source implementation and has
been described previously in a separate draft. These are:
* Omni-Query [I-D.hallambaker-omnibroker]
* Omni-Publish [I-D.hallambaker-omnipublish]
* Private-DNS [I-D.hallambaker-privatedns]
* SXS-Connect [I-D.hallambaker-wsconnect]
Each of the first three proposals has its own independent value
proposition that makes it a candidate for deployment even if neither
of the other two ever advances. The last provides common
infrastructure that supports the first three.
2. Success has Consequences
While the IAB call for papers suggests that the need for change
arises from the deployment of middleboxes in the otherwise perfect
Internet architecture, it is the opinion of the author that
middleboxes are just one of the symptoms of the failure of the
Internet architecture to keep pace with Internet growth.
The fact that the Internet architecture has survived with little
major modification in the quarter century since deployment of DNS is
testament to both the foresight of the original architects and the
immense difficulty of making changes to an infrastructure on which
over two billion people and the majority of global commerce depend.
Denying outright the possibility that the Internet architecture model
devised in the 1980s might fall short of current needs is the mindset
that ossified the telephone network. The Internet was developed by
people who had the skill and the vision to question the status quo.
At the time the foundation of the Internet was laid, computers were
expensive and typically singular. The conception of the Inter-network
as a network of networks was radical at a time when computer
networking at most University campuses referred to the means by which
dumb terminals connected to the central mainframe.
The modern Internet is a very different place. [RFC0801], describing
the plan for the 'flag day' transition to TCP, gives the number of
NCP hosts in January 1982 as 200. This is roughly the number of
networked devices I currently have in my house. And while my present
residential computing configuration is an outlier today, such
configurations will become typical in only a few years' time.
The modern Internet connects between two and twenty billion hosts,
the difference reflecting the difficulty of agreeing on a definition
of a host as much as uncertainty in the count. What is a host? A CPU?
A CPU core? A virtual machine running on a CPU? But regardless of
whether the Internet has grown by seven or eight orders of magnitude,
the notion that every aspect of the original architecture should be
maintained unchanged is ideology, not respect.
Further, current estimates suggest that the global population will
ultimately peak at between 8 and 10 billion. Extrapolating from
current trends we should expect that every household item that
currently uses electricity will eventually connect to the network. We
should therefore adopt as a planning estimate that the Internet will
eventually expand to at least ten trillion connected devices.
One architectural consequence of the growth of the Internet is that
the Internet is no longer a network of hosts, it is a network of
services. The so-called cloud is after all merely a name we give to
the place Internet services reside because we no longer consider
their physical location to be important. The core principle that
underpins the cloud is that what matters is whether a function can be
trusted, not where it takes place. So why get excited over whether
functions happen in a middlebox or an endpoint if place does not
matter?
Another significant architectural consequence is that the Internet is
no longer a network of networks. It is a network of networks of
networks and it is possible there are further levels of recursion.
Middlebox appliances owe their existence in part to the fact that the
interests of the user are not always the same as those of the local
area network manager, whose interests may in turn diverge from those
of the Internet access provider, whose interests are almost certainly
divergent from those of their carrier.
Yet another difference resulting from scale is the need for security.
When the Internet was a purely academic infrastructure and the users
were members of academic institutions, there were few assets worth
attacking and abuse was effectively controlled by an accountability
model. As a result, the Internet culture many of us grew up with is
profoundly maladapted to life in an Internet of 2 billion users. Even
if only 1% of them were malicious (the usual expectation for a
population is 10%) that would be 20 million malicious actors.
We need to recognize that while everyone has the right to connect to
the Internet, there is no general right to connect to my part of it.
In particular:
* The fact that it is possible to initiate an SMTP session with a
mail server does not entail a guarantee that the server will
accept an email for delivery
* The fact that an email is delivered does not mean it must be
read
* The fact that a DNS name is registered with ICANN by a
notorious Internet crime ring does not mean that my local DNS
service must resolve it
* The fact that an IP address is assigned does not mean that I
must allow my hosts or services to connect to it.
The received Internet security model is profoundly maladapted through
its insistence on a single-failure security model. This leads to the
two arguments that are invariably made against any proposal for a new
security control: that the new control is 'unnecessary' because
another existing control is sufficient, or that it will be
ineffective because it does not cover every conceivable corner case.
An architecture that allows a breach to occur as a result of the
failure of a single system is a bad architecture. Thus arguments of
the form 'we don't need firewalls because systems should not be
vulnerable to malware' are profoundly wrong because they assert that
if the breach could have been prevented by control X then it is
somehow bad architecture to insist on also deploying control Y. The
correct security approach is to deploy both controls X and Y and a
further infrastructure Z to provide feedback by reporting on breaches
that should have been caught by one control but were not.
The biggest and most concerning consequence of Internet growth is the
difficulty of changing the Internet infrastructures. IPv6, IPSEC and
DNSSEC were all proposed over two decades ago. All were intended to
become ubiquitous within a few years, no more than five at most. None
has succeeded in becoming ubiquitous, nor is there any reason to
expect this to change until the reasons for the lack of deployment
are addressed.
2.1. Middleboxes Emerge as Symptom, not Cause
The term middlebox is a generic term for any network infrastructure
that breaks the pure end-to-end IP architecture. As such, middleboxes
have generally been regarded as the result of ignorance or malice
rather than a response to real-world requirements. Only rarely has
the question been asked whether the end-to-end principle might not be
universal in scope.
As previously mentioned, I have 200 network-enabled devices in my
residence. Ideally these devices would all be IP enabled, but many of
them currently are not, precisely because while it makes perfect
sense for a light switch to communicate using the IP protocol, it
does not make sense for a light switch to be running an email server.
The principle of least privilege should be given at least the same
respect as the end-to-end principle. And the least privilege
principle states that my light switch does not need to be able to
send email. Nor does my light switch need to be able to perform any
form of communication that is not essential to its purpose.
Set out in these terms, the role and justification for Internet
firewalls becomes obvious. As does the fact that firewalls are
woefully inadequate for their intended purpose. While my firewalls
could in theory prevent an attacker outside my network mounting an
attack on my toaster oven, if the toaster oven is compromised, they
cannot stop it conspiring with the refrigerator. And that is a
serious concern.
The real problem with firewalls is not that they do not have a useful
purpose but that they are unable to fulfill the purposes they are
designed for. The main consequence of Internet firewall port blocking
is that all new Internet services are layered on port 80 and port 443
rather than protocol specific ports, precisely to avoid 'problems
caused by' middleboxes.
A realistic Internet architecture should respect the fact that the
Internet is a network of networks and a network has a natural and
legitimate interest in patrolling its border. The network perimeter
is after all the point where responsibility for packets being emitted
passes from one party to another. For the same reason, perimeter
security will always have an important place in any serious security
architecture. But that does not mean it should be the only place
where filtering should occur.
In a default deny network, no network communication should take place
that is not expressly permitted by network security policy. The
network communications that are permitted for a light switch would
not normally be as broad as those permitted to a desktop computer.
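Such a default-deny policy amounts to a lookup keyed on device class:
anything not expressly allowed is refused. The sketch below is
illustrative only; the device classes and port sets are assumptions,
not part of any standard:

```python
# Illustrative default-deny policy: communication is permitted only
# if the device class has an explicit allow entry for the
# (protocol, port) pair. Classes and port sets are assumed examples.
ALLOWED = {
    "light-switch": {("udp", 5683)},                 # CoAP control only
    "desktop":      {("tcp", 80), ("tcp", 443),
                     ("tcp", 25), ("udp", 53)},
}

def permitted(device_class: str, protocol: str, port: int) -> bool:
    """Default deny: anything not expressly allowed is refused."""
    return (protocol, port) in ALLOWED.get(device_class, set())

# The light switch cannot send email (SMTP, port 25); the desktop can.
print(permitted("light-switch", "tcp", 25))  # False
print(permitted("desktop", "tcp", 25))       # True
```

An unknown device class falls through to an empty allow set, so the
default for anything unrecognized is also deny.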
The idea that the local network is separate from the larger Internet
is not new. It is in fact the origin of the Inter-Network itself. My
private machines and my private network are my private domain. While
the impact of cloud computing means that the precise physical
boundaries are no longer clear, the Domain Name System provides the
infrastructure that denotes the logical boundaries between domains.
2.2. The Deployment Challenge
Changing an infrastructure with ten billion moving parts is
inevitably difficult and slow. But one aspect that makes the Internet
particularly difficult to change is the rigidity of the Internet
application interface.
When the Internet was first developed it was only one of many
networking standards, so there was no 'Internet' API; there was a
network API which supported the Internet as one option. A client
application using one of the standard network stacks of the day would
connect to an Internet host by means of a gethostbyname() system
call to obtain the network address(es) of the host and then perform
whatever platform-specific call was required to establish a socket
(or mailbox) connected to the specified address.
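The classic sequence survives almost verbatim in Python's socket
module, which mirrors the BSD calls described above. The sketch
resolves 'localhost' only so that it remains self-contained; the
connect call is commented out since no server is assumed:

```python
import socket

# Step 1: resolve the host name to a network address -- the modern
# equivalent of the gethostbyname() system call.
addr = socket.gethostbyname("localhost")

# Step 2: create a socket and connect to the resolved address on a
# well-known port. Note that everything beyond name-to-address
# resolution -- choice of port, transport and security -- is left
# entirely to the application.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# sock.connect((addr, 80))  # would attempt a real connection

print(addr)  # e.g. 127.0.0.1
sock.close()
```

The point of the sketch is how little the interface conveys: a name
goes in, an address comes out, and the rest is the caller's problem.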
A quarter century later, the application interface is essentially
unchanged; the only difference is that on some object-oriented
platforms a socket is now known as a 'stream'. Meanwhile a large
number of changes have taken place in the Internet infrastructure and
the way it is used:
* The hosts.txt file was replaced by the DNS
* DNS names are typically names of services rather than hosts, and
clients are typically attempting to connect to services.
* There is no standard approach to support establishment of peer
to peer connections.
* DNS has been extended to support records that advertise
services, but these records are not visible to application
clients unless they make use of their own DNS libraries.
Further, the decision to make use of SRV or NAPTR records is
left to the application protocol designer.
* DNS has been extended to support authentication of
authoritative DNS Resource Records but this information is not
typically available to the application programmer.
* Many applications make use of TLS over TCP transport in place
of TCP but it is left to the application protocol designer and
implementer to manage this and make security sensitive
decisions on the user's behalf by deciding the PKI
configuration to use.
* IPSEC transport may be available but there is no infrastructure
for delivery of keys.
* Even though IP is designed to support many end-to-end
protocols, the only protocols for which platform support is
ubiquitously available are TCP and UDP.
* Middleboxes of various types intercept and frequently transform
IP and DNS communications for purposes that are rarely
documented and frequently irrational.
* Many network applications, in particular, all successful peer-
to-peer applications employ a variety of techniques to
circumvent the limitations imposed by middleboxes.
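The SRV point above can be illustrated without a DNS library: RFC
2782 requires the client itself to construct the owner name it
queries, and that convention leaks into every application that wants
service discovery. A minimal sketch:

```python
def srv_owner_name(service: str, proto: str, domain: str) -> str:
    """Build the owner name for an SRV lookup per RFC 2782:
    _Service._Proto.Name. The application, not the platform,
    has to know and apply this convention."""
    return f"_{service}._{proto}.{domain}"

# An XMPP client looking for its server must query:
print(srv_owner_name("xmpp-client", "tcp", "example.com"))
# _xmpp-client._tcp.example.com
```

Whether to perform this lookup at all, and what to do with the
priority and weight fields in the answer, is likewise left to each
application protocol designer.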
One of the problems that has prevented progress in this area is that
the application programmer's desire for a new API that gives them the
advantages of the modern Internet is frequently mistaken for a desire
for an API that exposes more of the underlying complexity of the
Internet and the DNS.
2.3. Need for a Consistent Discovery Architecture
What many of these defects have in common is that the Internet lacks
a standard architecture for discovery and negotiation of Internet
connections. While this problem has been solved on many occasions in
many different ways there is no single coherent solution to the
connection discovery problem.
The mechanism used for host discovery was not a choice for
application protocol designers in the days of [RFC0801]. The
mechanism used for establishment of peer-to-peer or service
connections should
not be a choice for application protocol designers today. The IETF
should have one mechanism that is consistently implemented and
applied. And this mechanism should provide for all the needs of the
modern Internet and anticipate future needs:
* Internet Protocol version, address and port number.
* Choice of transport protocol: e.g. TCP, UDP, Multicast or new
transports to be developed
* Choice of security enhancement: e.g. None, TLS, DTLS or new
enhancements to be developed.
* Authentication credentials to be verified
* Authentication credentials to be supplied
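The requirements above suggest the shape of the result such a unified
discovery mechanism would hand back to an application. The sketch
below is an illustration only; the type and field names are
assumptions of this example, not a proposed wire format or API:

```python
from dataclasses import dataclass, field

@dataclass
class ConnectionCandidate:
    """One way of reaching a service, as a unified discovery
    service might describe it. All names here are illustrative."""
    ip_version: int                 # 4 or 6
    address: str                    # IP address
    port: int                       # port number
    transport: str                  # e.g. "tcp", "udp", "multicast"
    security: str                   # e.g. "none", "tls", "dtls"
    verify_credentials: list = field(default_factory=list)
    supply_credentials: list = field(default_factory=list)

candidate = ConnectionCandidate(
    ip_version=4, address="192.0.2.1", port=443,
    transport="tcp", security="tls",
    verify_credentials=["pkix:example.com"])
print(candidate.security)  # tls
```

The application asks for a service by name and receives candidates of
this shape; it never chooses the discovery mechanism itself.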
It is a truth universally acknowledged that gethostbyname is not a
suitable application layer interface to the DNS. But the truth that
is rather too frequently ignored is that application programmers
really don't want to have to deal with anything more complex. While
new APIs that expose the internals of DNS and PKI and directory
infrastructures are highly desirable in their own right, these are
not and should not be considered tools for use by the application
protocol designer or implementer.
Application protocol designers are very fond of explaining that the
discovery process is not a one-size-fits-all proposition, that there
are subtleties and complications that mean that it is not possible
for one particular discovery approach to meet every need. And these
reasons are sound and correct and are also the reason why such
decisions should not be taken by the application protocol designer at
all. Such considerations are properly the concern of the network
administrators and users and should be presented in a fashion that
puts those parties in direct control.
2.4. Limitations of the DNS Infrastructure
Another common source of deficiency is the limitations of the DNS
protocol and the DNS infrastructure. While the two are frequently
considered to be equivalent they are in fact very different: it is
far easier to change the former than the latter. Adding a Resource
Record type to DNS requires no more than the publication of an RFC.
Changing the DNS infrastructure is much more challenging.
The DNS was originally designed as a mechanism to replace the
hosts.txt file mapping Internet host names to addresses and early use
was largely limited to this requirement. By the time more advanced
uses came to be considered, the vast majority of the deployed DNS
infrastructure imposed a 512 byte limit on DNS messages and
each request packet could only specify one domain and one record type
at a time.
Although the DNS protocol has been updated to remove the 512 byte
limit and every major DNS server implementation was updated a decade
or more ago, many deployed residential network gateway boxes truncate
messages to conform to the long-obsolete requirement. Another, rather
more insidious, limitation is that some middleboxes and platforms
impose tight limits on the number of outstanding DNS requests that
have not received responses.
While residential customers of an ISP can usually (but by no means
always) overcome such limitations by providing their own network
gateway box, this is by no means the only middlebox attack performed
on DNS. Whoever controls the DNS controls the Internet, a fact not
lost on most ISPs.
It is now routine for DNS resolution services provided by ISPs to
return a redirect to a Web site with an advertising page rather than
the NXDOMAIN response code that should be returned when a domain name
is not found. Some ISPs hijack NXDOMAIN responses from third party
open resolvers to ensure that customers cannot avoid their unwanted
intrusions.
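NXDOMAIN rewriting of this kind is detectable: query a name that
cannot exist and see whether the resolver admits it. The sketch below
separates probe construction from classification so the logic is
testable offline; the probe uses the reserved 'invalid' TLD, and the
classification thresholds are an illustrative assumption:

```python
import secrets

def probe_label(suffix: str = "invalid") -> str:
    """A random name under a reserved TLD; an honest resolver must
    answer NXDOMAIN for it (RFC 6761 reserves 'invalid')."""
    return f"{secrets.token_hex(8)}.{suffix}"

def classify_resolver(rcode: int, answers: int) -> str:
    """Classify a resolver from its response to a nonexistent name.
    rcode 3 is NXDOMAIN (RFC 1035); a resolver returning answer
    records for a name that cannot exist is rewriting responses."""
    if rcode == 3 and answers == 0:
        return "honest"
    if rcode == 0 and answers > 0:
        return "rewriting"        # e.g. redirect to an ad server
    return "inconclusive"

print(classify_resolver(rcode=3, answers=0))  # honest
print(classify_resolver(rcode=0, answers=1))  # rewriting
```

Detection, of course, does not help the client obtain the honest
answer, which is exactly the gap the text identifies.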
DNS is a trusted infrastructure but the mechanism by which clients
discover DNS resolvers is inherently untrustworthy. Internet clients
depend on the DNS resolver returning trustworthy information. It is
utterly ludicrous and unacceptable that the default DNS service be
chosen by network proximity without regard for trustworthiness.
DNSSEC can alert the user to the fact that perfidy has occurred but
does not provide a means of obtaining the correct, unadulterated
result. While government agencies in most liberal democracies are
anxious to conceal the fact that they are censoring and/or
intercepting network traffic, this constraint does not apply to
authoritarian regimes where the purpose of these practices is to
deter rather than prevent expression of dissent. And there is no
reason to believe that ISPs that have already decided to replace
NXDOMAIN responses from external DNS services that compromise their
commercial interests will not also attempt to strip out DNSSEC data
if they choose.
2.5. Non DNS Discovery Infrastructure
The DNS is the discovery infrastructure of the Internet and the
authoritative infrastructure that maps Internet domain names to
assertions about those names. It is not however the only
infrastructure that applications make use of during service discovery
and connection establishment. Nor should it be.
Modern email infrastructures make extensive use of various types of
blocklist. Although these blocklists are frequently distributed using
the DNS protocol they are by no means authoritative DNS responses. On
the contrary, the value of these assertions lies in the very fact
that they are provided by a third party and not by the holder of the
IP address.
Email was the first Internet infrastructure to make use of account
identifiers of the form <username>@<domain>. Such identifiers are now
used in a wide range of peer to service and peer to peer applications
including authentication, instant messaging, voice and video.
Despite the ubiquity of such applications, no consistent presence
infrastructure has emerged. Depending on the application designer's
whim, names may be resolved by means of a variety of presence
services including LDAP, OpenID, SAML, WebFinger or XMPP and while
the DNS infrastructure is sometimes used as the means of resolving
the <domain> component of the account identifier, this rather obvious
approach is by no means universal or even the most common.
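The obvious approach mentioned above starts by splitting the account
identifier into its two components; the <domain> half is then the
natural handle for DNS-based discovery. A minimal sketch (the quoting
example is an assumption about how an '@' might appear inside a
username, not a claim about any particular protocol's syntax):

```python
def split_account(identifier: str) -> tuple:
    """Split a <username>@<domain> account identifier. The domain
    component is the obvious handle for DNS-based discovery, though
    as noted above deployed protocols often use something else."""
    username, sep, domain = identifier.rpartition("@")
    if not sep or not username or not domain:
        raise ValueError(f"not an account identifier: {identifier!r}")
    return username, domain.lower()

# rpartition splits on the LAST '@', tolerating one inside the
# username part; the domain is case-insensitive, the username is not.
print(split_account("alice@example.com"))   # ('alice', 'example.com')
print(split_account('"a@b"@Example.COM'))   # ('"a@b"', 'example.com')
```

Everything after this split -- which presence service to consult for
the domain -- is precisely what no consistent infrastructure defines.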
On many occasions, researchers have attempted to employ the DNS
infrastructure itself as a presence infrastructure. There are
structural factors that make this approach unlikely to succeed. In
most medium or larger enterprises the DNS infrastructure is managed
by a network administration team which is quite separate from the
system administrators and IT support staff who issue user accounts.
At any rate, the fact that, despite repeated attempts over the course
of three decades, such approaches have invariably remained 'research'
suggests that the approach is not ideal.
2.6. Not Yet Existing Infrastructure
The most important gap in the Internet discovery architecture is the
lack of a coherent security policy infrastructure to tell
applications which security enhancements are supported by an Internet
service and what credentials will be supplied. The lack of such
infrastructure is the reason that twenty years after the deployment
of practical PKI, security remains the exception on the Internet
rather than the norm.
This shortcoming has of course been recognized in recent work and
proposals such as certificate pinning and 'strict security' provide
valuable benefits. But the approach in such proposals is necessarily
tactical rather than strategic, designed to provide the best security
in the difficult circumstances of the legacy Internet rather than a
principled architecture.
2.7. The Administration Gap
There has never been a shortage of proposals for ingenious mechanisms
for extracting important and useful information from the DNS. The
problem that has received far less attention is how to ensure that
important, useful and accurate information is inserted into the DNS
in the first place and how to keep that information up to date.
In the early Internet, DNS configuration was essentially static.
Modern network configurations require a more dynamic approach. One of
the more problematic consequences of middlebox proliferation is that
they typically introduce a veto point into the network that must be
configured to allow Internet services and peer to peer applications
to receive inbound connections. This is also one of the main reasons
that the deployers consider them to be attractive. Rather than
attempting to prevent the network administrators from deploying
devices that provide control through ad-hoc heuristics we should
attempt to design a system that gives them the control they seek.
Deployment in the cloud and PKI-based security both introduce a whole
additional dimension of dynamic discovery and administration
challenges. A node in a cloud computing service might support an
Internet service for only a few hours.
3. An Internet Presentation Level
According to Wikipedia, the Internet Application layer includes BGP,
DHCP and RIP. While these are certainly not transport layer protocols
it is hard to argue that they sit any better in the application
layer. If a new model for describing the Internet architecture were
to be developed, these would surely sit in a quite separate
compartment from protocols such as Telnet, SMTP, IMAP, POP, NNTP and
FTP that support applications.
The OSI layered model is a poor abstraction for the Internet
architecture because it describes what takes place in the layers
rather than the interfaces between the layers.
It is the interfaces between the levels that are the essential part
of the model. We can replace the data link layer with messages
strapped to pigeons provided that the interface to the Network layer
is maintained.
Every level in the model carries the same data content in different
representations. It is the identifiers used between the levels that
change.
* Application - Presentation: Domain Name, Service Identifier
* Presentation - Transport: IP Address and Port Number
* Transport - Network: Packet Header
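The three interfaces can be pictured as successive rewrites of the
same request, each narrowing the identifier space. All concrete
values below are illustrative, and the packet header is sketched as a
dict rather than any wire format:

```python
# Application -> Presentation: the application names what it wants
# by (domain name, service identifier).
request = ("example.com", "_http._tcp")

# Presentation -> Transport: discovery has rewritten the request as
# an (IP address, port number) endpoint. Values are illustrative.
endpoint = ("192.0.2.1", 80)

# Transport -> Network: the endpoint plus transport state becomes a
# packet header; same request, a third identifier representation.
packet_header = {"dst_addr": endpoint[0], "dst_port": endpoint[1],
                 "protocol": "tcp", "seq": 0}

print(packet_header["dst_addr"])  # 192.0.2.1
```

The content being carried never changes; only the identifiers used at
each interface do, which is the point the list above makes.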
We note in passing, though we do not have space to treat the topic in
detail, that understanding the model in terms of interfaces rather
than layers is also key to establishing the proper place for Virtual
Private Networks (VPNs) and Software Defined Networking (SDN). A VPN
is not a 'layer'; it is an object that sits above the Network level
and presents the Network/Transport interface to both the Network and
Transport levels. SDN performs the same role at the Data-Link/Network
interface.
In the now defunct OSI model, the Presentation layer was an
intermediary through which all communications between the Transport
and Application layers passed, being transformed in the process.
What is proposed instead is that the discovery, performance and
security features that mediate between the Transport and Application
layers reside in a compartment labelled 'Presentation Service' that
does not necessarily fully extend between the two:
+------------------------------------------+
| Application Layer |
+------------------------------------------+
| | |
+--------------+ +--------------+ |
| Presentation | | Presentation | |
| Services | | Layer | |
+--------------+ +--------------+ |
| | |
+------------------------------------------+
| Transport Layer |
+------------------------------------------+
DNS is a Presentation Service. Following the traditional approach, an
application first discovers the IP address using the DNS and then
establishes a direct connection. Once discovery is completed, the DNS
plays no further role in mediating the connection. Kerberos and PKI
are likewise Presentation Services and follow the same use pattern.
In contrast, TLS is a Presentation Layer since all communications
between the application and transport layers are transformed.
One important protocol that does not fit within this architectural
model is HTTP and this is precisely because HTTP was originally
conceived as an application protocol but is now commonly employed as
a presentation layer. One visible consequence of this inconsistency
is the conflict between the requirements of the Web browser and Web
services communities in the design of HTTP/2.0.
Although HTTP/2 eliminates some of the inefficiency arising from the
use of RFC822 style text headers in the HTTP/1.1 protocol design, it
does not provide the features that one would expect or require from a
fully featured multimedia delivery protocol with multiple content
streams being delivered at individually negotiated Packet layer
Quality of Service. Nor does the traditional Internet architecture
suggest such an approach is even possible.
While the realization of such a presentation layer would likely
require innovation at both the Presentation and Transport layers and
is therefore outside the scope of this document, it should be the
function of the Presentation layer to inform an application that
such a capability is available and thus enable a graceful transition
between the current protocol and the new. Thus a browser attempting
to connect to http://example.com/ in a 2020 Internet might discover
that the HTTP/1.1 and HTTP/2 protocols are supported over a TCP
transport and that in addition HTTP/3 is supported over an as-yet-
undefined 'Extended' ETCP transport.
3.1. Authoritative Infrastructures and Ground Truth
The DNS infrastructure is regarded as holding a privileged position
in the Internet architecture as it is the authoritative
infrastructure for resolving DNS names. But what does the term
'authoritative' mean, and is a result from an authoritative
infrastructure necessarily better than a result that is not
authoritative?
In considering the issue of naming we distinguish an authoritative
infrastructure from a service protocol. What makes a naming
infrastructure authoritative is that it serves as the 'ground truth'
for a set of names. Thus when in the early 1990s a Sun workstation
used the yellow pages protocol to resolve DNS names, the application
clients did not use the DNS protocol to resolve DNS names, but they were
still logically connected to the Internet since the DNS
infrastructure provided the ground truth for the name resolution
process.
The DNS infrastructure is, was and will always be the authoritative
infrastructure for resolving Internet names. The DNS protocol is
merely a protocol that supports access to the DNS infrastructure and
can change if necessary to meet changing constraints and
requirements.
While results from the DNS infrastructure are authoritative, they do
not necessarily represent an objective ground truth that is
guaranteed to be the same regardless of who is asking the question
and when the question is being asked. Only cryptography can provide
ground truth in a communication infrastructure and then only with
respect to a key and not to facts.
3.2. Anti-Abuse Filtering
Consider the case in which a DNS registration is known to be used by
organized crime. This situation has occurred on numerous occasions
and is unavoidable in any system that is designed to provide no
obstacles to legitimate registrations. There have even been cases in
which DNS registrars have existed for the sole purpose of
facilitating criminal activity. The mere fact that a DNS name is
registered does not oblige a discovery service to resolve it.
There is a clear need for a curated discovery service, even though
enabling such a service presents a clear threat of abuse. Curated
discovery introduces a new control point, and some see a slippery
slope that begins with filtering out criminal activity, expands to
blocking access to pornography, and eventually ends in government
censorship of political speech.
But slippery slope or not, relying on unfiltered authoritative
services replaces the possibility of abuse with the certainty of attack.
The real question should be not whether curated discovery is possible
but who is in control. An infrastructure that puts the end user in
direct control of the choice of discovery service can be used as a
mechanism to evade government censorship rather than enforce it.
3.3. IPv6 Transition
The DNS infrastructure provides us with authoritative answers to
questions about DNS names but not necessarily answers to the
questions that a particular application needs.
An A record binding the name ipv4.example.com to the address 10.1.2.3
does not answer the question a network host that can only speak IPv6
needs to ask.
In the traditional approach to IPv6 transition we introduce some form
of middlebox performing v4-v6 address translation, some form of
discovery mechanism by which the network host can discover the
translation middlebox and some form of addressing convention allowing
the host to direct an IPv6 packet to an IPv4 endpoint. While this
gets the job done, it requires the IPv6 network host to continue to
support IPv4 for as long as there are any IPv4 hosts remaining in the
network which for practical purposes means forever.
In a simpler approach the network host implements a pure IPv6 stack
with no support for legacy IPv4 or any transition mechanism. When the
host attempts to connect to an Internet service that is only
available in the IPv4 network, it would rely on its DNS resolver to
return a non-authoritative AAAA record giving the IPv6 address of a
translation service.
The second approach makes the DNS resolver the mediator of the
IPv4-to-IPv6 transition process. If a legacy IPv4 network sets up a local
translation gateway, a single change to the resolver configuration
allows every host using that resolver to take advantage of it.
Centralizing the configuration provides the necessary agility.
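This is essentially the DNS64 pattern. A minimal sketch of the
synthesis step, assuming the well-known 64:ff9b::/96 translation
prefix (a site deploying its own gateway could substitute its own
prefix):

```python
import ipaddress

# Prefix used by the (assumed) translation gateway. 64:ff9b::/96 is
# the well-known NAT64 prefix; a local deployment may use another.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

def synthesize_aaaa(ipv4: str) -> str:
    """Sketch: synthesize the AAAA answer for a name that has only an
    A record, by embedding the IPv4 address in the translator prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) + int(v4))
    return str(v6)
```

A pure-IPv6 host asking about ipv4.example.com would then receive,
for example, 64:ff9b::a01:203 in place of 10.1.2.3, and route its
packets through the translation gateway without knowing IPv4 exists.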
3.4. DNSSEC
As we have seen, the authoritative response is not necessarily the
one that answers the right question. Where does this leave DNSSEC
which is designed to allow verification of signatures on
authoritative responses?
While some DNSSEC supporters will no doubt argue that allowing a
client to act on non-authoritative DNS information opens up a
Pandora's box of horrors, the true situation is far less worrisome.
Using DNSSEC to sign A and AAAA records is like using an armored
delivery truck for delivering packages to a person living on a park
bench. An IP address is a means and only sometimes an end-point in an
Internet conversation. Resolver modification of A and AAAA records
should not therefore be cause for panic. But what should?
The Presentation service model offers a useful framework for
resolving this question. The interfaces between layers are
characterized by a particular type of identifier. The IP address and
protocol type characterize the interface between the Internet and
Transport layer. The IP address and port number characterize the
interface between the Transport layer and the presentation layer. The
interface between the presentation layer and the Application layer is
characterized by DNS names and cryptographic credentials.
It is appropriate therefore to perform end-to-end validation of
signatures on records that bind cryptographic credentials to a DNS
name and to limit other DNSSEC validation to the DNS resolution
service.
3.5. Naming Architecture
Discovery is the process of resolving names to services and names to
accounts. In order to establish a solid basis for a Discovery
architecture we must first establish a consistent approach to naming.
While Uniform Resource Identifiers are commonly considered to be an
'Internet' naming architecture, the scope of URIs is universal and
not limited to the Internet. URIs therefore represent a naming
infrastructure layer above the Internet rather than a part of the
Internet itself.
In practice the Internet has three naming/addressing infrastructures
that are established with clarity:
* Autonomous System numbers
* Internet Protocol addresses
* Domain Name System labels.
Of these naming conventions, only the last two are visible to
Internet endpoints in normal circumstances. At a pragmatic level, an
IP address is defined by where packets sent to that address go,
and a DNS label is defined by the responses returned by the DNS
infrastructure.
The interpretation of Internet account identifiers is not established
with similar clarity. While SMTP and XMPP both adopt a reasonable and
consistent approach to interpretation of RFC822 account names, the
lack of a coherent discovery architecture has led to what is at best
an unhelpful divergence of approaches and at worst a demonstration of
the fact that a hundred intelligent and accomplished Internet
protocol developers and a dozen major companies can commit resources
to the notion that users will understand a URI is their account name.
3.5.1. Account Names
Internet account names take the form introduced in RFC822, i.e.
<username>@<domain>.
The authoritative source for resolution of an Internet account name
is an Internet service that is advertised in the DNS by the holder of
the corresponding <domain>.
At present there are application protocols, notably SMTP and XMPP,
that follow this model, but the authoritative resolution of the
account is limited to the application. There is no authoritative
Internet service resolving Internet accounts in the general case.
The problem here is not the lack of a protocol. It would be easy
enough to specify a subset of the OpenID protocol that excluded URIs,
XRIs and other identifiers that are not Internet accounts. The
problem is that the service has to be recognized as authoritative.
And this cannot happen when OpenID is still architected as a vehicle
for establishing a new Internet naming infrastructure for accounts
with all the commercial advantages that would imply for the parties
who control the institutions controlling the alleged IPR.
From a practical point of view, the authoritative infrastructure for
Internet accounts is email. Established practice is that when a user
forgets their account identifier or password they are asked to
respond to a message sent to their Internet account address using the
SMTP protocol. While this approach is expedient, the user experience
is awful and so Web site designers avoid consulting the authoritative
service wherever possible. The user experience and the security of
this infrastructure could be greatly improved if a protocol were
designed to meet this specific purpose.
3.5.2. Strong Names
The Personal Privacy Environment introduced the concept of Strong
Email Addresses. A strong email address is of the form
<fingerprint>?<username>@<domain> where the <username> and <domain>
portions have the usual meaning and <fingerprint> is a cryptographic
digest identifying a public key which represents the root of trust
for establishing communication with the specified Internet account.
In the simplest form of strong email address <fingerprint> is a PGP
public key fingerprint associated with the address. In a more general
approach, <fingerprint> is the fingerprint of a public key that is a
root of trust for a PKI. This may be a formal PKI hierarchy
established by a CA, a lightweight personal hierarchy or a Web of
Trust.
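As a sketch, the three components of a strong email address can be
separated mechanically. The parsing code below is illustrative only;
the draft specifies the <fingerprint>?<username>@<domain> syntax but
not an API.

```python
def parse_strong_address(address: str):
    """Split <fingerprint>?<username>@<domain> into its three parts.
    Illustrative sketch following the syntax described above."""
    fingerprint, sep, rest = address.partition("?")
    if not sep:
        raise ValueError("not a strong address: missing '?' separator")
    username, sep, domain = rest.rpartition("@")
    if not sep:
        raise ValueError("not an account address: missing '@'")
    return fingerprint, username, domain
```

A client that receives such an address can thus recover both the
conventional RFC822 account name and the root of trust against which
any credentials for that account must chain.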
In this paper we extend this approach to DNS labels to establish
ground truth for DNS names. Following the convention established by
punycode domain names, a strong domain name label has the form "xx--"
+ <fingerprint> where <fingerprint> is a cryptographic digest
identifying a public key which represents the root of trust for
authenticating the domain name.
Thus if we wish to describe a domain 'example.com' to be interpreted
with respect to the ICANN DNSSEC root of trust we would write:
example.com.xx--49AAC1-1D7B6-F6446-702E5-4A1607-3716
49AAC11.. being the fingerprint of the ICANN DNSSEC root.
Representing the ICANN DNSSEC root in this way is not particularly
interesting as it is the implicit root of trust for all DNSSEC names
(although it could be very useful in the case of a root roll over).
The strong name representation becomes much more interesting when a
third party trust provider is involved such as a CA:
example.com.xx--cd9b97-e67b74-99a33f-59128e-f2cd46-3156e5-f6bd
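Label construction can be sketched as follows, assuming SHA-256 as the
digest algorithm and a six-group truncation matching the examples
above; the draft itself specifies only 'a cryptographic digest' and
leaves algorithm and length open.

```python
import hashlib

def strong_label(public_key: bytes, groups: int = 6) -> str:
    """Sketch: derive an 'xx--' strong label from a public key.
    Digest choice and truncation are assumptions, not specified here."""
    digest = hashlib.sha256(public_key).hexdigest()
    # Group the hex digits for readability, as in the examples above.
    parts = [digest[i:i + 6] for i in range(0, groups * 6, 6)]
    return "xx--" + "-".join(parts)
```

The "xx--" prefix follows the punycode convention of reserving a
two-letter-plus-double-hyphen namespace, so strong labels can coexist
with ordinary DNS labels without ambiguity.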
The advantage of using a strong email address is that it provides a
layer of abstraction that conceals the complexity of the trust
infrastructure that lies beneath it in the same way that IP addresses
provide a layer of abstraction above the routing infrastructure and
URIs provide a layer above the application protocol stack. This has a
profound impact on how we address the problem.
In the traditional approach to Internet PKI (including SAML and
DNSSEC) we obtain signed assertions relevant to the proposition at
issue from trusted sources, verify the
provenance of the assertions received by attempting to validate the
signatures and decide if the assertions are valid. In this model an
assertion is either valid or invalid. So when a party is acting as an
intermediary on behalf of another they are forced to respond as if
their answer is based on ground truth when it almost certainly is
not.
Simple Distributed Security Infrastructure (SDSI) by Rivest and
Lampson attempted to resolve this dilemma by introducing a key
centric PKI in which the namespace is intrinsically relative. Thus in
SDSI we talk about 'Bob's Alice' rather than a global 'Alice'. Ground truth is
introduced into the SDSI scheme by giving a small circle of
privileged parties reserved names (the paper suggests verisign!!,
dns!!, usps!!). This approach left SDSI deferring rather than
resolving the ground truth problem.
Using a fingerprint of a public key provides a ground truth that is
objective and unambiguous. We now have a vocabulary in which Web
Service A can describe to B the trust assertion it has received that
is grounded by trust provider C. And that allows us to be explicit as
to whether B is relying on A or C as the trust provider.
3.6. Discovery Services
The traditional IETF approach to the discovery and maintenance
problems has been piecemeal. Instead of calling gethostbyname and
opening up a socket, the application programmer is expected to
interact with the half dozen components of a disparate discovery and
network configuration infrastructure, hoping that the network
administrators at the service to which the connection is to be
established have done their part correctly. While these piecemeal
approaches generally anticipate a gradual migration of the relevant
functions to the DNS, the only process by which the DNS
infrastructure is expected to improve is through the gradual
attrition of non-conformant systems.
In this paper we take a different approach. Rather than burden the
application programmer with new chores, we reduce the effort expected
of them by providing a new Presentation API that provides an
abstraction layer above all the Presentation services that might be
used to establish a connection.
3.6.1. Consistent Discovery API
To establish a connection to an Internet service, the application
programmer need specify only the domain name of the service to
connect to and the service protocol identifier. The implementation
library then returns either a stream (or socket) connection to the
requested service with the best available security and performance
characteristics as specified by the service security policy or an
error report explaining why a connection was not established.
For example, if a Web browser were to attempt to resolve the URL
http://example.com/ the browser client would call the discovery API
specifying "example.com" as the domain name and "_http._tcp" as the
service protocol identifier. The implementation library finds the
service is supported by five points of presence and determines that
the example.com service security policy is to always offer TLS. A TLS
connection is established to an appropriately selected point of
presence consistent with the security credentials specified in the
security policy and delivered to the application programmer.
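The calling convention this implies might look like the sketch below.
The function name, the inline policy table and the TLS rule are all
invented for illustration; a real implementation would consult SRV
records and the service security policy rather than a hard-coded map.

```python
import socket
import ssl

# Stand-in for policy discovery; a real library would look this up.
_WELL_KNOWN = {"_http._tcp": 80, "_https._tcp": 443}

def discover_connect(domain: str, service: str):
    """Hypothetical consistent discovery API: one call returns a
    connected stream with the best available security, or raises."""
    port = _WELL_KNOWN.get(service)
    if port is None:
        raise ValueError(f"unknown service identifier: {service}")
    sock = socket.create_connection((domain, port))
    if port == 443:  # stand-in for 'policy says always offer TLS'
        sock = ssl.create_default_context().wrap_socket(
            sock, server_hostname=domain)
    return sock

# Caller's view: one call, no transport details.
# conn = discover_connect("example.com", "_http._tcp")
```

The point is the interface, not the body: everything below the call
boundary can change without touching the application.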
Offloading the work of establishing the Internet connection from the
application programmer to the implementation library offers agility
as well as simplicity. If a new high performance transport layer
protocol were devised that replaced TCP, every application using the
high level discovery API running on a platform that supported the new
transport layer protocol can make use of it immediately with no
application update required.
The same API would support peer to peer connections in the same
fashion but specifying the account identifiers of the parties
attempting to connect in place of the domain name.
The only precondition for implementing a consistent discovery API is
that the rules of discovery be clearly and precisely specified. The
discovery process might be uniform across all application protocols
or allow for variations to support legacy approaches, for example the
use of MX records rather than SRV records for SMTP service discovery.
It is not even necessary that all the required information be
provided through the DNS, so long as the rules for using
information from other sources are precisely specified.
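The per-protocol variation mentioned above could be encoded as a small
rules table. This sketch is an assumption about how such rules might
be written down, not a specification; it reflects only the established
convention that SMTP uses MX records while most other services use the
generic _service._proto SRV convention.

```python
def discovery_query(domain: str, service: str) -> tuple:
    """Sketch: return the (qname, rrtype) a discovery library should
    ask for. SMTP keeps its legacy MX lookup; everything else uses
    the generic SRV naming convention."""
    if service == "_smtp._tcp":
        return (domain, "MX")
    return (f"{service}.{domain}", "SRV")
```

Because the rule lives in the library rather than in each
application, a future change of rule (say, SMTP migrating to SRV)
needs no application updates.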
4. Implementation
While this paper proposes a major change to the Internet
architecture, the implementation of this change is surprisingly
simple. This is because the principal change proposed is to recognize
approaches that have been longstanding practice.
The implementation of the Presentation services follows a modular
approach. Each service is implemented as a JSON/REST style Web
service using either HTTPS or a lightweight UDP transport as the
base.
4.1. Connection Broker
SXS-Connect is a JSON-REST Web Service that is used to establish a
connection to a Web Service. As with a DNS SRV record, a service
connection is a logical connection that may comprise connections to
multiple physical hosts. Unlike an SRV connection, the physical hosts
may advertise services that differ in the protocol versions,
features, transport, syntax etc.
Authentication of client and server is supported by means of public
key or one-time-use credentials. Regardless of whether the original
connection to the SXS-Connect service was authenticated,
communication between the client and the Web service is typically
secured by means of a shared secret that is used to protect the
confidentiality and integrity of every transaction message.
In normal operation a client discovers the SXS-Connect service
through a 'bootstrap discovery' mechanism based on either DHCP or the
DNS. Depending on the type of service provided, bootstrap discovery
might be repeated on a frequent basis (e.g. each time the bootstrap
DNS parameters expire), whenever the service signals a need for
reconfiguration or never.
4.2. Private DNS - Eliminating Legacy DNS restrictions
As shown earlier, one of the biggest obstacles to making effective
use of the DNS as a comprehensive discovery infrastructure is the
limitation of the legacy DNS client-resolver protocol: the demand
from application programmers for the lowest possible service latency
conflicts with the limits on message size and queries per request
imposed by the legacy middlebox infrastructure.
Attempting to sort out the mess on port 53 is pointless. Any proposal
that inherits the legacy DNS UDP port will inevitably inherit the
legacy DNS restrictions as well. But any solution that does not meet
the severe performance criteria demanded by the Web browser
providers, particularly with respect to latency, is doomed, as is any
proposal that does not guarantee compatibility with all legacy
network environments.
Private-DNS is a replacement transport for the DNS client-resolver
interface that offers two alternatives: a new UDP-based transport
designed to provide optimum performance while remaining compatible
with roughly 97% of legacy network configurations, and an HTTP
transport which is slow but provides the best practical guarantee of
network compatibility. In either case, every message is
encrypted and authenticated and responses securely bound to requests.
Unlike competing proposals based on DTLS, the Private-DNS transport
is designed to support DNS conversations rather than single
transactions. This permits lower latency and more comprehensive
results.
When connecting to a Web site www.example.com, a Web browser today
typically performs queries for A and AAAA records at www.example.com.
In theory the DNS protocol permits multiple queries per message; in
practice this capability is not viable, as a message can only return a
single response and much of the infrastructure does not support it.
The requirement that every query be performed in a separate query
transaction discourages speculative requests for SRV, DANE or other
DNS records that might contain useful information. This in turn
discourages definition of useful record types.
As in the traditional DNS UDP transport, the UDP transport employed
in Private-DNS requires that the request portion of a DNS
conversation fit within a single UDP packet but up to 16 packets may
be returned in a response.
The practical result of this change is that every reasonable DNS
conversation can be realized in a single Private-DNS interaction
without performance penalty. Instead of protocol designers and DNS
administrators constantly having to worry that an overambitious design
would lead to poor performance or protocol failure, it is quite
unlikely that the limits of the transport would be reached
inadvertently.
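The conversation model can be sketched as below. The wire format is
invented purely for illustration (Private-DNS defines its own
encrypted encoding); the sketch shows only the shape of the change:
every query for a name travels in one request that must fit a single
UDP packet, with the response free to span multiple packets.

```python
MAX_REQUEST = 1280  # assumed single-UDP-packet budget for the request

def build_conversation(domain: str, rrtypes: list) -> list:
    """Sketch: bundle every query for one name into one request and
    check it fits the single-packet constraint described above."""
    queries = [f"{domain} IN {t}" for t in rrtypes]
    request = "\n".join(queries).encode()
    if len(request) > MAX_REQUEST:
        raise ValueError("request exceeds one-packet budget")
    return queries
```

A browser's whole discovery conversation, e.g.
build_conversation("www.example.com", ["A", "AAAA", "SRV", "TLSA"]),
then costs a single round trip, which is what makes speculative
queries for SRV or DANE records cheap enough to be routine.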
4.3. OmniQuery - A Presentation Level Discovery Service
Private-DNS provides a low level interface to the DNS system allowing
a network client to implement a Presentation service on the local
machine. But the responses returned by Private-DNS are limited to
those provided by the DNS and as previously noted, the authoritative
answer is not always the one that is desired.
OmniQuery exposes the Presentation level discovery API as a Web
Service.
A client asks 'How can X connect to Y to perform protocol Z' where X
and Y may be Internet accounts or domain names and Z is the name of
an Internet service. The server then returns all the information that
the client might want to know to establish the best connection for
that purpose. In addition to the IP address and port number, a server
might specify the transport to be used (e.g. UDP, TCP, some new
transport), the cryptographic enhancements to be applied (e.g. TLS),
required credentials and any other information that might be needed.
Unlike the traditional DNS discovery infrastructure, OmniQuery allows
both ends of the communication to be specified. The mechanism by
which alice@example.com connects to example.com might be very
different to the mechanism by which other parties connect.
Connections may also be established between peers (e.g.
alice@example.com connects to bob@example.com).
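An exchange of this kind might look like the following. The field
names are invented to illustrate the 'How can X connect to Y for
protocol Z' question and are not taken from the OmniBroker
specification.

```python
import json

# Hypothetical OmniQuery request: X (source), Y (target), Z (service).
request = {
    "source": "alice@example.com",  # account or domain name
    "target": "example.com",        # account or domain name
    "service": "_http._tcp",        # service protocol identifier
}

# Hypothetical response: everything needed for the best connection.
response = {
    "address": "192.0.2.1",
    "port": 443,
    "transport": "TCP",
    "security": "TLS",
}

# Both sides of the exchange are ordinary JSON documents.
wire = json.dumps(request)
```

Because the source is part of the question, the answer can differ per
requester, which is exactly what the traditional DNS discovery model
cannot express.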
One consequence of this difference in approach is that rather than
accepting service from the closest discovery service, as is typically
the case with DNS, clients select a particular OmniQuery service
which is used regardless of client location.
4.4. OmniPublish - A Presentation Level Provisioning Service
One of the principal weaknesses of the current DNS infrastructure is
that while there is a well-developed, standards-based infrastructure
for extracting data from the DNS, there is no similar standards-based
infrastructure for entering information. Provisioning services for
other directory infrastructures and PKI are equally unsatisfactory.
OmniPublish provides a high level interface that allows an Internet
host to advertise an Internet Service and to obtain all the necessary
cryptographic credentials to act in that role. In a typical
deployment, an OmniPublish service is connected to the DNS service, PKI
and network firewall so that it can perform all the configuration
steps necessary to configure the network to bring up the service.
For example, consider the case in which an Internet host is to be
configured to establish a mail service. In the normal approach, the
network administrator would configure the server on the Internet
host, configure the firewall to permit delivery of mail and finally
configure the local DNS settings.
Not only is this approach complex, it is fragile. Any error in the
network configuration is likely to result in an inoperable service.
Network administrators are therefore understandably reluctant to make
unnecessary changes. DNS records and firewall configuration settings
that are not fully understood tend to be left untouched. This makes
manually configured DNS a rather unreliable source of security policy
records. While the records may be authoritative, they are frequently
out of date. Mail abuse filters do not make mail delivery decisions
on DKIM or SPF records without first applying heuristics designed to
limit the impact of stale records.
Generating the network configuration automatically allows the
OmniPublish service to ensure that it is both correct and up to date.
If a major change in network configuration is to be performed, the
OmniPublish service provides a single point of control through which
the change can be administered.
5. Conclusions
Middleboxes have emerged to meet a set of requirements that cannot be
achieved within the traditional Internet model. Middleboxes are
neither the result of ignorance, nor a 'necessary evil'. It is time
to accept that middleboxes serve functions in the Internet
infrastructure that are as important as those traditionally
recognized.
Describing the Internet model in terms of interfaces rather than
functions and adding a presentation level clarifies the functions of
middleboxes and how those functions might be achieved in ways that do
not compromise functionality in the ways that legacy middleboxes do.
A set of three JSON based Web services are proposed to properly
encapsulate the interaction between the Presentation layer and the
Applications and Transport layers. These are OmniPublish, OmniQuery
and Private DNS, each of which is built on the service connection
protocol SXS-Connect.
6. References
6.1. Normative References
[I-D.hallambaker-privatedns] Hallam-Baker, P, "Private-DNS",
Internet-Draft draft-hallambaker-privatedns-00, 9 May
2014.
[I-D.hallambaker-wsconnect] Hallam-Baker, P, "JSON Service Connect
(JCX) Protocol", Internet-Draft draft-hallambaker-
wsconnect-05, 21 January 2014.
[I-D.hallambaker-omnibroker] Hallam-Baker, P, "OmniBroker Protocol",
Internet-Draft draft-hallambaker-omnibroker-07, 21 January
2014.
[I-D.hallambaker-omnipublish] Hallam-Baker, P, "OmniBroker
Publication Protocol", Internet-Draft draft-hallambaker-
omnipublish-00, 22 May 2014.
6.2. Informative References
[RFC0801] Postel, J., "NCP/TCP transition plan", RFC 801, 1 November
1981.
Author's Address
Phillip Hallam-Baker
Comodo Group Inc.
philliph@comodo.com