Re: [DNSOP] Eric Rescorla's No Objection on draft-ietf-dnsop-session-signal-12: (with COMMENT)
Eric Rescorla <ekr@rtfm.com> Wed, 01 August 2018 03:39 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 929A8130E96 for <dnsop@ietfa.amsl.com>; Tue, 31 Jul 2018 20:39:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.008
X-Spam-Level:
X-Spam-Status: No, score=-0.008 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TrkUO4xbOQHa for <dnsop@ietfa.amsl.com>; Tue, 31 Jul 2018 20:39:39 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2C38130E1D for <dnsop@ietf.org>; Tue, 31 Jul 2018 20:39:36 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id f8-v6so15586667ljk.1 for <dnsop@ietf.org>; Tue, 31 Jul 2018 20:39:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tunX4sZfE4R1bqnXA6YX4Z/rixMouq20i0IGJqqHcdo=; b=gAN5C30QV4eFAeycbHntE0D/xIEwQjTtJ999qiTaR0xnJ5PldIkKToZaDg8rZfuJ/y Hj8NLQyuFQitN+9EjGMYyRQXEXGtFw1ATYeaWXdU1+z6gvrhnUWzY7KUXJd0g5pKkTjq C9+lAskafq4WCC1LSD+ie5Qyix/iHziZzQGgpvGcdyQTwTGE2sckQ43FLObJwaEsDXMP HkHeoQKe2D7TeP1R4BbRXl0W+0XSkokwvPkJ6wGUEtDY+oecxJUKsKjDsK6uaBNty57/ ld/vM3toUzwTB/ddgGtMOS8TjVRN/WqK+NgRABQIJ3+7JqGAgA7glnqVgb2m82fgIiDU afGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tunX4sZfE4R1bqnXA6YX4Z/rixMouq20i0IGJqqHcdo=; b=ZXlQusL7jUERjpAGbUl0kcnr3awU7ijX6GOA9zRHlrpDErXw3ELpp2b2TKBBMo40Ur Zd4CmRbBDKxQ5CT0CrBosITatqMEjmGvI/ycUahpqWfhxA9dodDE7vKm7ww9z8fMzQJ4 5WU+VTBowveVTuwTZjHyJDQVlAMwhBZSG5dOU9wQIMvvUh6O/JxBoojRBov4plr0Pul3 GnDTsb3HVPEBwr2RNQ83iKf4Hk5jIGNSrqv7ZXkkbWH1yxKH97rWzRA2vIezNs48zvfE S3kVx5XQH3wNdLjnlSJfvDo1WSktfvh4sGBZibDwqEKmv7E1+AK/AYqZv8X0Ek3wrFSY 9RAg==
X-Gm-Message-State: AOUpUlEt5KPvi4klYB7uLMhG3254pPMLIMi/LjiCsMaq3NCB9i6QDB4d OjAgDbY/xjjx3MoD19a3jyw9pefnbMJlASIdpGj+Nw==
X-Google-Smtp-Source: AAOMgpd+hwlOtE+fBVSXo/dVVwwDapPu0rBIuoSk/mtI0Aole4+tw+5m+LnQG/Q5yG8FYiaEFSs//Al2Cg0h1BhNaak=
X-Received: by 2002:a2e:9c4d:: with SMTP id t13-v6mr17202965ljj.153.1533094775032; Tue, 31 Jul 2018 20:39:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Tue, 31 Jul 2018 20:38:54 -0700 (PDT)
In-Reply-To: <CAPt1N1=z7bjXT9+xAwupr+gttY-L6d4UnP_01iJeawKAUJGOgg@mail.gmail.com>
References: <153307610896.3243.16744625445592133652.idtracker@ietfa.amsl.com> <CAPt1N1m_LP2ZcG9yR1DggwRg7KOeuRwTzrsX67iBxkpXekjxUw@mail.gmail.com> <CABcZeBO+5Nxv88HW6xVkDtru5DUnCHxeytX1gdRAc4Z3S7K+Jg@mail.gmail.com> <CAPt1N1=z7bjXT9+xAwupr+gttY-L6d4UnP_01iJeawKAUJGOgg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 31 Jul 2018 20:38:54 -0700
Message-ID: <CABcZeBMdQkR6qB_eCzk2N7GYCj7pEhfryrotACcrPDdfdJQXjg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: The IESG <iesg@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop WG <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>, draft-ietf-dnsop-session-signal@ietf.org
Content-Type: multipart/alternative; boundary="00000000000079225b05725771ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HbOM8hzISwdvMQrmS2ajW46c7X0>
Subject: Re: [DNSOP] Eric Rescorla's No Objection on draft-ietf-dnsop-session-signal-12: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2018 03:39:42 -0000
On Tue, Jul 31, 2018 at 8:21 PM, Ted Lemon <mellon@fugue.com> wrote: > > Sorry, has this been changed in a new version? >> > > The text you commented on is the new version, with some additional text to > address a point raised in the gen-art review. We gamed this out pretty > thoroughly—I don't think there's an actual problem here, although I > understand why it looks that way. The worst case scenario here is that a > middlebox breaks the session signaling, which just looks like "the server > doesn't support session signaling," which is fine. > I think I'm just confused about the meaning of this text. Is it an analysis or a recommendation? > >> >>> S 5.4. >>>> > generate a response, the application-layer software informs >>>> the >>>> > TCP implementation that it should go ahead and send the TCP >>>> ACK >>>> > and window update immediately, without waiting for the >>>> Delayed ACK >>>> > timer. Unfortunately it is not known at this time which (if >>>> any) >>>> > of the widely-available networking APIs currently include this >>>> > capability. >>>> >>>> Are you going to make a recommendation here? >>>> >>> >>> Out of scope for DNSOP to update TCP stack APIs. >>> >> >> Sorry, it wasn't clear from context what I was referring to here. You >> discuss a number >> of strategies and then say they are all bad. Do you had a recommendation >> for what >> people ought to do? >> > > We don't. This is text that was heavily touched by Mirja's DISCUSS, so I > suspect that by the time Stuart is done addressing her DISCUSS, this will > have been fixed. However, I will try to remember to check just to be > sure. :) > OK. S 6.6.1.2. >>>> > client a Retry Delay message, or by forcibly aborting the >>>> underlying >>>> > transport connection) the client SHOULD try to reconnect, to that >>>> > service instance, or to another suitable service instance, if >>>> more >>>> > than one is available. If reconnecting to the same service >>>> instance, >>>> > the client MUST respect the indicated delay, if available, before >>>> > attempting to reconnect. >>>> >>>> Do you want to recommend some sort of randomness around this value to >>>> avoid avalanche? >>>> >>> >>> The server is specifying the retry delay, so if the client adds >>> randomness, that could result in more collisions rather than fewer. >>> >> >> Sure, if the server actually randomizes it itself. Perhaps that's worth >> recommending? >> > > Yeah, I was dragging my feet on this, but inclined the same way. > > diff --git a/draft-ietf-dnsop-session-signal.md > b/draft-ietf-dnsop-session-signal.md > index a9037e0..85bc28d 100644 > --- a/draft-ietf-dnsop-session-signal.md > +++ b/draft-ietf-dnsop-session-signal.md > @@ -1463,6 +1463,12 @@ are described in {{delay}}. > After sending a Retry Delay message, > the server MUST NOT send any further messages on that DSO Session. > > +The server MAY randomize retry delays in situations where many retry > delays are sent > +in quick succession, so as to avoid all the clients attempting to > reconnect at once. > +In general, implementations should avoid using the Retry Delay message in > a way that > +would result in many clients reconnecting at the same time, if every > client attempts > +to reconnect at the exact time specified. > + > Upon receipt of a Retry Delay message from the server, > the client MUST make note of the reconnect delay for this server, > and then immediately close the connection gracefully. > @@ -1520,7 +1526,9 @@ or by forcibly aborting the underlying transport > connection) > the client SHOULD try to reconnect, > to that service instance, or to another suitable service instance, if > more than one is available. > If reconnecting to the same service instance, the client MUST respect the > indicated delay, > -if available, before attempting to reconnect. > +if available, before attempting to reconnect. Clients should not > attempt to randomize the delay; > +the server will randomly jitter the retry delay values it sends to client > if this behavior is > +desired. > LGTM. > If the service instance will only be out of service for a short > maintenance period, > it should use a value a little longer that the expected maintenance > window. > > >> Mostly I just missed this. With that said, generally we are discouraging >> compression in cryptographic protocols. >> OTOH, I'm not that worried about the covert-channel either, so it's kind >> of a tossup >> > > OK. I'm going to call it done then, at least until we hear back from > Stuart and Mirja. > WFM.
- [DNSOP] Eric Rescorla's No Objection on draft-iet… Eric Rescorla
- Re: [DNSOP] Eric Rescorla's No Objection on draft… Eric Rescorla
- Re: [DNSOP] Eric Rescorla's No Objection on draft… Ted Lemon
- Re: [DNSOP] Eric Rescorla's No Objection on draft… Ted Lemon
- Re: [DNSOP] Eric Rescorla's No Objection on draft… Eric Rescorla
- Re: [DNSOP] Eric Rescorla's No Objection on draft… Ted Lemon