IETF Logo Mail Archive

Re: [DNSOP] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12

"Wessels, Duane" <dwessels@verisign.com> Tue, 07 September 2021 16:23 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0043A1290; Tue, 7 Sep 2021 09:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AKgznE2JoO_T; Tue, 7 Sep 2021 09:23:50 -0700 (PDT)
Received: from mail4.verisign.com (mail4.verisign.com [69.58.187.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F1E3A128E; Tue, 7 Sep 2021 09:23:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=9585; q=dns/txt; s=VRSN; t=1631031830; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=gtGBP5iXzTY3vLVPmtbUloaf7As2Cgcd3oYmdq18ndw=; b=PfQ8PB6/GXsTsGwPYgJ7pasyZKPhSCzkcH2FxJLqDgq0rRNVNVhX1das lQpMJiZvZxrR1gpL55ZaWBkNlxLF18XegiDvopRjrVmJTATt2Lhgt6J1/ +na45kKqitNTprURrmgPTLM3hMUZHh1yEBw9+WCjvSxB/GVg1FFXGj3gg v62OiYFzPSqUAj7mUiKZFE5roS1EkBL2xN330nxR4XRSwo3qyp0UcXZiq bjk0wKSSeiE2Kz05fULgNVQzyVanPP9t+yh3+5WvIBWcVEtgTJ9HuBMqR v7nKirbAnmsUTZbFlzf3gpTp3+vWkt0xnE/gJPtMt8HPGj/w5fY405o+H A==;
IronPort-SDR: 3gGhJZClcLYyiw3vfvJyKj0yc1S+G+wFL5pfJmacI5C0aswiW9Uj0gfP6SzhUFxdWhFlMgAdS+ K9tTuisLdXPn0yqo2bsb+lXSJ1x7BhwyrXixX5gowpOqoEeia1vPPWsppbchtlAMEDr+xAIdmT qdf7m/OOsA1LqMM8YOa95Lkz9eg6E9OBJkk7J3e9SPDjInYug8EdMIgAJyT7jv4lInwmv5o3ml gC82OPkGd4Kw7kJxHllWJ73CKDpvnHEdZiy62fJREjo+xxZtZubiI/tkm91Y615TRqs88KLeOo wOY=
IronPort-HdrOrdr: A9a23:8+FJP6oDCGBC01n58hs6rDwaV5r0eYIsimQD101hICG9vPbo8v xG785rqyMc6QxhIE3I/OrrBEDuewK6yXcY2/hzAV6CZnibhILKFvAa0WKB+UyHJ8SWzIc0vs ddmsBFaeEYZmIK6foSlTPIbOrIruP3kpxARt2z856ud2xXgm1bgDuRcDzraHGePDM2eKbRb6 DsnfavbgDPRUgq
X-IronPort-AV: E=Sophos; i="5.85,274,1624334400"; d="p7s'?scan'208"; a="9851353"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Tue, 7 Sep 2021 12:23:47 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2308.008; Tue, 7 Sep 2021 12:23:47 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>
CC: "tsv-art@ietf.org" <tsv-art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: [EXTERNAL] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
Thread-Index: AQHXmckisgvwJIb2nEKLSdGCcMl8yKuZGPIA
Date: Tue, 07 Sep 2021 16:23:47 +0000
Message-ID: <79387CF2-2A23-4B04-BCAC-53ECD85447A4@verisign.com>
References: <162990671395.10583.8870779506155492851@ietfa.amsl.com>
In-Reply-To: <162990671395.10583.8870779506155492851@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_CC550BDD-B3C3-40FD-9209-04E857C1559F"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EP1przH-WyDofIpMUIUb4l5ruHo>
Subject: Re: [DNSOP] Tsvart last call review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Sep 2021 16:23:55 -0000


> On Aug 25, 2021, at 8:51 AM, Mirja Kühlewind via Datatracker <noreply@ietf.org> wrote:
> 
> 
> 
> First a minor comment here:
> "TCP connection timeout, which is often around 60-120 seconds."
> I guess this value relates to an RTO of 1s and 6 SYN retries which is the
> default in Linux. Maybe say that...? I also recommend to add a link to RFC6298.

I've made this addition to the paragraph in section 4.1:

   ... rather than
   rely on the host operating system's TCP connection timeout, which is
   often around 60-120 seconds (i.e., due to an initial retransmission
   timeout of 1 second, the exponential back off rules of [RFC6298], and
   a limit of six retries as is the default in Linux).


> 
> And a more general comment on section 4.2: this section takes about various
> limits but doesn't recommend any values. I understand that there is not a
> one-fits-all solution here but not knowing how to set these values correctly
> might scared people aways from supporting TCP. So I think having a discussion
> either of default values or how to derives these values based on a certain
> configuration would be a very valuable contribution in this document.

I've added some recommendations to the paragraphs in section 4.2.

For the limit on total number of connections: "Absent any other information,
150 is a reasonable value for this limit in most cases."

For the limit on connections per source address: "Absent any other
information, 25 is a reasonable value for this limit in most cases."

For the timeout on idle connections: "Absent any other information, 10
seconds is a reasonable value for this timeout in most cases."


> 
> Similarly section 4.3 talks about tuning net.ipv4.tcp_fin_timeout, however, it
> doesn't provide any guidance on how to tune it; Linux recommend a value of
> 15-30 seconds. Also setting net.ipv4.tcp_fin_timeout to a too low value and
> net.ipv4.tcp_tw_reuse to 1 can cause trouble and should not be done for the
> general case. So I don't think that guidance is appropriate without further
> discussion of the risks. Please reconsider this part of the document!

This paragraph in section 4.3 has been rewritten:

   On systems where large numbers of sockets in TIME_WAIT are observed
   (either as client or server), and are affecting an application's
   performance, it may be tempting to tune local TCP parameters.  For
   example, the Linux kernel has a "sysctl" parameter named
   net.ipv4.tcp_tw_reuse which allows connections in the TIME_WAIT state
   to be reused in specific circumstances.  Note, however, this affects
   only outgoing (client) connections and has no impact on servers.  In
   most cases it is NOT RECOMMENDED to change parameters related to the
   TIME_WAIT state.  It should only be done by those with detailed
   knowledge of both TCP and the affected application.



> On section 4.4, maybe mention TCP fast open here again as well?
> 

It now reads:

   Unoptimized connection
   setup takes two additional round-trips compared to TCP, but can be
   reduced with TCP Fast Open, TLS session resumption [RFC8446] and TLS
   False Start [RFC7918].



FYI We're tracking these changes in github at https://github.com/jtkristoff/draft-ietf-dnsop-dns-tcp-requirements/pull/5 if that is helpful.

DW

v2.23.0 | Report a Bug | By Email