Just before IETF 101 in London in March, the MAMI project hosted an invitation-only MAMI Management and Measurement Summit (M3S), bringing together researchers, engineers, and vendors for a focused discussion on how to meet the challenges posed to network measurement and network management by the increasing deployment of strong encryption and the extension of encryption down the stack. Today, we release “Challenges in Network Management of Encrypted Traffic”, a white paper covering the discussions and distilling the recommendations that came out of the meeting.
This discussion has played out in multiple forums, including the IETF, for some time, underpinning debates ranging from the (failed) proposal to include static keys in TLS, so as to continue to provide for “business as usual” monitoring, to the spin bit proposal in QUIC, which replaces implicit passive measurability of RTT with an explicit signal. Recognizing that neither business as usual nor forging ahead with the deployment of strong crypto down the stack, invalidating most current network management practice, is a tenable position, the attendees converged on a set of recommendations for future protocol design and network architecture that partially meet these challenges:
- Protocols and networks must provide for independent measurability of important metrics when these measurements may be contested: one outcome of increasing encryption is that existing independent passive measurement techniques will become less effective.
- Future secure protocols should support different security associations at different layers: approaches that integrate transport and application-layer security (such as QUIC) make limited or no provision for network management functions that need to interact with the transport protocol without breaking application-layer security, in contrast to the TLS-over-TCP status quo.
- Transparent middleboxes should be replaced with middlebox transparency: the dominant architectural pattern for in-network functions today is that of the “transparent middlebox”, which attempts to the extent possible to be undetectable to the endpoint(s). While this has benefits for initial deployment, it makes it impossible to build cooperative protocols, where the middlebox and its functions are visible to the endpoints, and the endpoints have some control over how their traffic is treated by the network (in the last instance, by detecting a middlebox with which they do not wish to cooperate and ceasing to use the path).
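The first recommendation, and the spin bit mentioned above, are easiest to see with a worked example of what an explicit signal gives an on-path observer that encryption would otherwise take away. The following simulation is an added illustration and not code from the white paper or from the MAMI project. It follows the QUIC spin bit rules from RFC 9000 (the client starts at 0 and sets its value to the opposite of the latest server value it receives; the server echoes the latest client value) but assumes a deliberately simplified model: fixed one-way delays, no loss or reordering, endpoints that emit one packet per interval, and an observer whose position on the path is expressed as its delay from the client. The names `simulate`, `edge_times`, `rtt_estimates` and `segment_estimates` are mine. The observer never needs keys: it uses only packet direction and the single cleartext bit.

```python
"""Passive RTT estimation by an on-path observer from a spin bit.

Constructed scenario (added example, not project code). Times are integer
milliseconds. The observer logs (time, direction, spin) and nothing else.
"""
import heapq


def simulate(d_cs, d_sc, obs_delay, interval, duration):
    """Run the exchange and return the observer's log of (time, direction, spin).

    d_cs, d_sc : one-way delays client->server and server->client
    obs_delay  : delay from the client to the observer, which sits on the path
    interval   : packet spacing for each endpoint
    duration   : simulated time to cover
    """
    assert 0 < obs_delay < min(d_cs, d_sc)
    client_spin = 0        # RFC 9000: the client initialises the spin bit to 0
    server_spin = None     # the server has nothing to echo until it hears the client
    observed = []
    events = []            # heap of (time, priority, seq, kind, direction, spin)
    seq = 0

    def push(t, prio, kind, direction, spin=None):
        nonlocal seq
        # priority 0 = arrivals/observations, 1 = sends, so a packet that lands
        # at time t updates the endpoint before the packet it emits at time t
        heapq.heappush(events, (t, prio, seq, kind, direction, spin))
        seq += 1

    push(0, 1, "send", "c2s")
    while events:
        t, _, _, kind, direction, spin = heapq.heappop(events)
        if t > duration:
            break
        if kind == "send" and direction == "c2s":
            # the bit travels with the packet: record it at send time
            push(t + obs_delay, 0, "observe", "c2s", client_spin)
            push(t + d_cs, 0, "arrive", "c2s", client_spin)
            push(t + interval, 1, "send", "c2s")
        elif kind == "send" and direction == "s2c":
            push(t + d_sc - obs_delay, 0, "observe", "s2c", server_spin)
            push(t + d_sc, 0, "arrive", "s2c", server_spin)
            push(t + interval, 1, "send", "s2c")
        elif kind == "observe":
            observed.append((t, direction, spin))
        elif kind == "arrive" and direction == "c2s":
            # server rule: copy the spin value of the latest client packet
            first_contact = server_spin is None
            server_spin = spin
            if first_contact:
                push(t, 1, "send", "s2c")   # server starts its own packet stream
        elif kind == "arrive" and direction == "s2c":
            # client rule: take the opposite of the latest server value
            client_spin = 1 - spin
    return observed


def edge_times(observed, direction):
    """Times at which the observer saw the bit change value in one direction."""
    times, last = [], None
    for t, d, spin in observed:
        if d != direction:
            continue
        if last is not None and spin != last:
            times.append(t)
        last = spin
    return times


def rtt_estimates(observed):
    """Spacing between consecutive client->server edges approximates the full RTT."""
    e = edge_times(observed, "c2s")
    return [b - a for a, b in zip(e, e[1:])]


def segment_estimates(observed):
    """Split the RTT at the observer.

    A client->server edge followed by the next server->client edge measures the
    observer<->server segment; a server->client edge followed by the next
    client->server edge measures the observer<->client segment.
    Returns (server_side, client_side) lists of estimates.
    """
    c2s, s2c = edge_times(observed, "c2s"), edge_times(observed, "s2c")
    server_side = [next(s for s in s2c if s > c) - c for c in c2s if any(s > c for s in s2c)]
    client_side = [next(c for c in c2s if c > s) - s for s in s2c if any(c > s for c in c2s)]
    return server_side, client_side


if __name__ == "__main__":
    # constructed scenario: 20 ms out, 30 ms back, observer 5 ms from the client
    log = simulate(d_cs=20, d_sc=30, obs_delay=5, interval=1, duration=400)
    print("RTT estimates (ms):", rtt_estimates(log))
    srv, cli = segment_estimates(log)
    print("observer<->server (ms):", srv)
    print("observer<->client (ms):", cli)
```

With the constructed delays the observer reports 50 ms for the full RTT, 40 ms for the observer-to-server segment and 10 ms for the observer-to-client segment, each quantised to the packet interval. Note what the signal does and does not reveal: an observer can localise latency to one side of its vantage point, but cannot separate the two one-way delays, and the measurement exists only because the endpoints chose to expose it, which is the sense in which the metric becomes independently measurable by design rather than by accident of cleartext headers.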