Surfin' the Internet Wave

or - what happened at the March 1996 IETF?

To me, it's actually more amazing for the things that didn't happen.
Consider:

Dave Perkins didn't get mad when the IAB laid the last bone to rest on the grave of SNMPv2
The IP Security chair didn't get mad enough to actually attempt to physically remove Bill Simpson from the discussion
The HTML working group didn't insist that they were the One True Definers of what should be used in the Web
The sky didn't fall.

More on these topics, and others, later.

One reason for the relative peace and quiet of this session may be the short time since the last meeting: Only 3 months, with a large hole in the middle labelled "holiday season"; the number of groups that didn't have all the intended drafts out before the meeting probably exceeded those that did, and the last-minute flurry of I-Ds was even more dense than usual.

This was also the "changing of the guard meeting"; 6 members of the IESG and 6 members of the IAB had terms that were running out, and new candidates were being placed in the slots, including the IESG chair, by the Nominating Comittee.

More of this later.

Of princes and knights errant

As I mentioned, the spring IETF is the time of the changing of the guard.

Some claim that anyone wanting to be renominated for the IESG is a raving lunatic, but still, a fair number do.

The following replacements were made:

IETF Chair: Fred Baker took over from Paul Mockapetris
Internet AD (1 of 2): Jeffrey Burgan took over from Sue Thompson
Applications AD (1 of 2): Keith Moore took over from John Klensin

In the IAB, the leavetakers were Steve Crocker, Phil Gross, Christian Huitema and Lixia Zhang; new people were Steve Bellovin, Jon Crowcroft, John Klensin and Radia Perlman.

Terms run for 2 years, so only half the team of each comittee was up for possible renomination.
All others continued as before.

SNMP: Last ripples from the wave

Somehow, we survived the SNMPv2 battles of Dallas. Somehow, life has gone on.
The last outstanding item was the complaint by Dave Perkins that there were fundamental flaws in the ASN.1 used to define the SNMPv2 macros, and that it was therefore wrong to let the thing go to Draft Standard.
The IAB held a ruling on this on Wednesday night, and came to a multipont conclusion, the high points of which were:

YES, the ASN.1 is not like ISO's ASN.1, and it isn't documented how they differ. This should be done ASAP.
NO, the differences don't matter to many, and SNMPv2 won't be changed because of this. The documents stay at Draft Standard.

The other item of note in the SNMPv2 camp was that Marshall Rose (who was seen wearing a nametag saying "fnord") has gotten an Experimental framework for SNMPv2 security published, and that his competitors seem to be hard on his heels with their own RFC publication. As planned, no meeting on SNMP security was held in LA.

Now that the storm is over, the rest of the network management area seems to be waking up; multiple sessions were held, including beginning work related to application management; the "applmib" WG, the "madman" WG and the "httpmib" BOF relate strongly to "upper layer stuff".

However, there is another movement in the shipment of products to disregard SNMP altogether for application management and just ship equipment with builtin HTTP servers; what could be simpler than finding the status of a printer's paper trays in a Web form? (Well, if you had 1000 of them to manage, life might not be so simple....) Anyway, it's time and beyond time to get the issues surrounding application management out on the table.

The Mail Must Go On (securely)

Secure E-mail is The Rage these days. Everyone "knows" how to do it, with or without the help of the ever-confusing RSA Data Security patent-holding company (which has now started granting "fair and equitable licensing" at $25.000 per year and up).

However, getting from knowing how to do it to the point of getting everyone to agree that it should be done that way is proving a hard, hard struggle; PEM, MOSS, S/MIME and MSP are just a few of the acronyms being hurled like hand grenades across the battlefield, together with ElGamal, RSA, IDEA, RC4, Triple-DES and the NSA bogeyman, with the export control rules being everyone's favourite target for throwing ripe tomatoes.
It's a mess, and shows little sign of growing cleaner.

However, a few bright lights in the wilderness:

A workshop convened by startup "Internet Messaging Consortium" seemed to get all parties into more-or-less supporting a single type, multipart/signed, for carrying signed E-mail.
The strong industrial backing behind the technically worst standard, S/MIME, seems to have all the solidity of well-chewed gum; movement is not only possible, it's the default.
"Everyone" seems eager to get to a single standard (provided it's compatible with their own, of course).

Unfortunately, cryptography has the nasty habit of making things black and white in a grey world; there's no such thing as a "slightly damaged" signed message - one estimate was that 20% of all current signed mail (mostly PGP) couldn't be verified because of "slight damage" in E-mail transit. And interworking between signature/encryption systems isn't just hard; it's flat out impossible without creating Manhattan-sized security holes in the "security armor plate".

Go figure.

I know that you know that I know.....

IP security, however, seems to be moving forward after a period whose details are best cloaked in obscurity; everyone seems to agree that Bill Simpson is a brilliant engineer with a very problematic interpretation of the word "cooperation".

The net result of some rather incredible verbal exchanges seems to be that the IPSEC WG now has no document edited by anyone called Simpson.
The basic property that they have two competing proposals (SKIP and the Diffie-Hellman based model, now called "Oakley") hasn't changed, however.

In this case, 2 may be less than one.

The good thing is that the stuff is implemented, and seems to work: Given two entities that have never cooperated before, they can now set up a secure channel that cannot be tapped, and that can then be used to exchange information needing this protection.

The IP security framework hasn't solved the basic question of WHY you should trust this random stranger, of course; that is left to other parts of the puzzle.

These other parts include the DNS Security (storing key information for hosts, signing zones and lots of other stuff), certificate formats (SPKI - the Simple Public Key Infrastructure - is now an official competitor to the X.509-based PKIX effort) and trust webs.

This ain't easy, and it's only getting worse. AND - "everyone" agrees that this is "critical to getting commerce on the Web", which translates to "everyone with a patent in the area is making maximum trouble" - to make a bad situation worse, add money.

Lost in a Web of Deception

One of the bizarre facts of the standardization game is that the face that major players show to the media and to the standards organizations often bear little or no resembleance to each other.

Consider the World Wide Web Consortium, which is not a standards organization, and wholeheartedly supports the IETF standardization efforts, but nonetheless insists on finishing its proposals for standards and asking their members to implement them before suggesting that they should be discussed in the IETF.

Or consider Microsoft and Netscape, who will both claim support for HTTP/1.1 and HTML/3.0, even before the IETF has reached closure on what is going to be in that standards, but with only a few people, if any, in the Web groups.

Or consider the rising star of the Web firmament, Sun's Java, which was literally nowhere to be seen in the standardization activities, including the "agents BOF", but nonetheless claims that its product will be an "Internet standard", whatever they mean by that.

But a good many people were there, and with lots of proposals for further work. And perhaps we even got some progress made....

Anyway, the promises made by the main Web groups were:

HTTP will have a new, standards-track HTTP protocol out by May.
HTML will abandon "strict versions", and have a discussion on how to accomodate browsers with differing capabilities. Resolution must be soon!

And time is of the essence; Web traffic is already the biggest consumer of bandwidth on the Internet, with the special properties of Web traffic (short connections, many destinations) making life for Internet routers even harder than it was before.
Caching may help, perhaps by a factor of 2, but some people estimate that the Web traffic will increase at least by a factor of 1000 before starting to level off - this is a LOT.
And one newspaper mentioned dialup IP users growing at 30% a month - that, if it is maintained for one year, means an increase of 1500%. That's a lot too.

I am not terribly optimistic about standardization in such a field. Standards take months to make, may take years to get agreement on, and even then may fail in the marketplace, while products that are 6 months old on the Web are regarded as "hopelessly old-fashioned". Go figure.

But we're working on it, and we're making progress. That's the optimistic view of things.

See you on the front lines....

Harald.T.Alvestrand@uninett.no

Last modified: Tue Apr 16 09:32:25 1996