Re: [DNSOP] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
Mirja Kuehlewind <ietf@kuehlewind.net> Tue, 07 September 2021 16:43 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489DB3A1390; Tue, 7 Sep 2021 09:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L0I-Sm0XCBRY; Tue, 7 Sep 2021 09:43:03 -0700 (PDT)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 780B53A1392; Tue, 7 Sep 2021 09:43:03 -0700 (PDT)
Received: from p200300dee7444400786b7913b3071882.dip0.t-ipconnect.de ([2003:de:e744:4400:786b:7913:b307:1882]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1mNeBX-0006CX-IV; Tue, 07 Sep 2021 18:42:59 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <79387CF2-2A23-4B04-BCAC-53ECD85447A4@verisign.com>
Date: Tue, 07 Sep 2021 18:42:58 +0200
Cc: "tsv-art@ietf.org" <tsv-art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9B3DDFF6-B5BA-4F96-B853-C1A3D8E9E532@kuehlewind.net>
References: <162990671395.10583.8870779506155492851@ietfa.amsl.com> <79387CF2-2A23-4B04-BCAC-53ECD85447A4@verisign.com>
To: "Wessels, Duane" <dwessels@verisign.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1631032983;1f5dcdb4;
X-HE-SMSGID: 1mNeBX-0006CX-IV
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AehLFWh1SRoqZuCyIU9zRhWLtTQ>
Subject: Re: [DNSOP] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 16:43:09 -0000
Thanks for the updates! One quick comment below. > On 7. Sep 2021, at 18:23, Wessels, Duane <dwessels@verisign.com> wrote: > > > >> On Aug 25, 2021, at 8:51 AM, Mirja Kühlewind via Datatracker <noreply@ietf.org> wrote: >> >> >> >> First a minor comment here: >> "TCP connection timeout, which is often around 60-120 seconds." >> I guess this value relates to an RTO of 1s and 6 SYN retries which is the >> default in Linux. Maybe say that...? I also recommend to add a link to RFC6298. > > I've made this addition to the paragraph in section 4.1: > > ... rather than > rely on the host operating system's TCP connection timeout, which is > often around 60-120 seconds (i.e., due to an initial retransmission > timeout of 1 second, the exponential back off rules of [RFC6298], and > a limit of six retries as is the default in Linux). > > >> >> And a more general comment on section 4.2: this section takes about various >> limits but doesn't recommend any values. I understand that there is not a >> one-fits-all solution here but not knowing how to set these values correctly >> might scared people aways from supporting TCP. So I think having a discussion >> either of default values or how to derives these values based on a certain >> configuration would be a very valuable contribution in this document. > > I've added some recommendations to the paragraphs in section 4.2. > > For the limit on total number of connections: "Absent any other information, > 150 is a reasonable value for this limit in most cases." > > For the limit on connections per source address: "Absent any other > information, 25 is a reasonable value for this limit in most cases." > > For the timeout on idle connections: "Absent any other information, 10 > seconds is a reasonable value for this timeout in most cases." I think it would also make sense to explain a bit more why these values were taken and what considerations/“other information" can be used to make a different decisions. I know that might not be fully straight-forward but just providing “random” numbers might also only provide limited value. Mirja > > >> >> Similarly section 4.3 talks about tuning net.ipv4.tcp_fin_timeout, however, it >> doesn't provide any guidance on how to tune it; Linux recommend a value of >> 15-30 seconds. Also setting net.ipv4.tcp_fin_timeout to a too low value and >> net.ipv4.tcp_tw_reuse to 1 can cause trouble and should not be done for the >> general case. So I don't think that guidance is appropriate without further >> discussion of the risks. Please reconsider this part of the document! > > This paragraph in section 4.3 has been rewritten: > > On systems where large numbers of sockets in TIME_WAIT are observed > (either as client or server), and are affecting an application's > performance, it may be tempting to tune local TCP parameters. For > example, the Linux kernel has a "sysctl" parameter named > net.ipv4.tcp_tw_reuse which allows connections in the TIME_WAIT state > to be reused in specific circumstances. Note, however, this affects > only outgoing (client) connections and has no impact on servers. In > most cases it is NOT RECOMMENDED to change parameters related to the > TIME_WAIT state. It should only be done by those with detailed > knowledge of both TCP and the affected application. > > > >> On section 4.4, maybe mention TCP fast open here again as well? >> > > It now reads: > > Unoptimized connection > setup takes two additional round-trips compared to TCP, but can be > reduced with TCP Fast Open, TLS session resumption [RFC8446] and TLS > False Start [RFC7918]. > > > > FYI We're tracking these changes in github at https://github.com/jtkristoff/draft-ietf-dnsop-dns-tcp-requirements/pull/5 if that is helpful. > > DW >
- [DNSOP] Tsvart last call review of draft-ietf-dns… Mirja Kühlewind via Datatracker
- Re: [DNSOP] Tsvart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] [Tsv-art] Tsvart last call review of … Mirja Kuehlewind
- Re: [DNSOP] Tsvart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] Tsvart last call review of draft-ietf… Mirja Kuehlewind
- Re: [DNSOP] Tsvart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] Tsvart last call review of draft-ietf… Qin Wu