Re: Continuing to draft mux WG charter

From: Brian E Carpenter, by way of Henrik Frystyk Nielsen (brian@hursley.ibm.com)
Date: Fri, Feb 12 1999


Message-Id: <3.0.5.32.19990212063658.03eaadd0@localhost>
Date: Fri, 12 Feb 1999 06:36:58 -0500
To: ietf-http-ng@w3.org
From: Brian E Carpenter <brian@hursley.ibm.com> (by way of Henrik Frystyk Nielsen <frystyk@w3.org>)
Subject: Re: Continuing to draft mux WG charter

I agree with Chris re security, but I have another concern or possibly
a confusion. The draft is written very aggressively to assume TCP
as the substrate; IMHO this is wrong. If a new transport protocol
of the general flavour of T/TCP emerges, MEMUX must be able to use
it.

Another thing I would like to see is a clear goal of being
independent of IPv4 v IPv6, and able to function in a dynamic
address environment such as NAT. In fact this is key to success.

   Brian

Chris Newman wrote:
> 
> On Wed, 10 Feb 1999, Mike Spreitzer wrote:
> > OK, I've taken Chris Newman's hint and expanded a bit on security, and
> > also Jim Whitehead's hint to clarify the nature of the goals document.
> > You can view the latest draft at:
> > <http://www.w3.org/Protocols/HTTP-NG/1999/02/mux-Charter-210.html>
> 
> What I don't find acceptable is wording akin to "security's not our
> problem" which is basically what this proposed charter says.
> 
> Here is an example of wording I would find acceptable:
> 
> ----
>    The MEMUX WG will not design new security services.  The document will
>    describe how MEMUX interacts with existing security services (such as
>    IPsec, TLS and SASL) and what impact it will have on higher or
>    lower-level security services.
> ----
> 
> There are subtle issues which need to be dealt with:
> 
> * If user authentication is done below the MEMUX layer, how will
>   higher-level protocols "know" that?
> * If user authentication is done above the MEMUX layer, what
>   damage can passive or active attacks at the MEMUX layer cause?
> * What impact will MEMUX have on firewalls when used to multiplex
>   multiple services on the same port?
> 
> Security most definitely is part of the problem.
> 
>                 - Chris