IETF Logo Mail Archive

Re: [DNSOP] Spencer Dawkins' Discuss on draft-ietf-dnsop-session-signal-12: (with DISCUSS and COMMENT)

Ted Lemon <mellon@fugue.com> Thu, 02 August 2018 15:07 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03260130EBD for <dnsop@ietfa.amsl.com>; Thu, 2 Aug 2018 08:07:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Ba4stqkKwbG for <dnsop@ietfa.amsl.com>; Thu, 2 Aug 2018 08:07:49 -0700 (PDT)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CDE3130FC5 for <dnsop@ietf.org>; Thu, 2 Aug 2018 08:07:42 -0700 (PDT)
Received: by mail-io0-x22c.google.com with SMTP id q9-v6so2164998ioj.8 for <dnsop@ietf.org>; Thu, 02 Aug 2018 08:07:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SsI+DfvAczbtyfMrr75oJ/JOf9QLoRQgLIAo1FDkl8M=; b=iGa7cj/gp+xEvmvMpA+DrYvE1jQR4rAykZTZPvc190kW+k0BtXi2j88xb42EMKdhuS ySgdjJkpJNLcCytnu+WqgnISA7iOJ8okvCkAwS98sFQGvvSEpjB5HYESwpESZPyXKrZM HrIQrDWzLpLOju7MbkRnrLJ70AqYcvzahjCP4DUL1WaDXnE74VzXwmvWHwCve9AtpvJ6 d81IC0a/BoDH1MOsd9bPLJeOwuPr997AQ094HIJMUUxtuRUl3vxdcyF/Uzf0D6aORpVh aXBAPdQ5a5WjkmdUEDOKd4ySIP4GNoQU38stoxawIhuR5+cKqInPc8/NTNmtMuyrlNJU lWbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SsI+DfvAczbtyfMrr75oJ/JOf9QLoRQgLIAo1FDkl8M=; b=Cq5a75KoEe5tw8t5kcF7CTfm0QbfoENOH8n3Ciliv9ieQNRoE+E6koFWwEFVJNznHi c1fbenukAhtE2SqRF+VbgwAgxQtsgCwmFWZbBSL7AwGjZbfKfJ5UG8qsWLJyqruVQRqq m0cv5p0I2tCmx7ZOJlkF5MJT8gEkoC5y/3uDw9eI0t3lwlNb5JMRFbbDGI5l4ImXZ4HY 5KU75+ZureAGsSHC1d9COJ13gLhLvs5dhmrLju10US6Cn58mz8z4f5+2L7sVlXuXaq3x zXVSf9jIBYJ1YG0uD8dGZRaUw3NI6eNYGGl+5UBPX5e0bKhiIW/dtayoHASwOv7v+qHj URiQ==
X-Gm-Message-State: AOUpUlEhBbjJKJCTOpmBYv+sM1VNt192A9XflDzz17HOIlJzdFF7h+7W bUE+f1UAmO/FMjxWi4uqL5wX43d6GU8Mql1sy6hPGw==
X-Google-Smtp-Source: AA+uWPz7tywfoT9TtXJTbJbb2azeFVX+vVOUiZgYuLOiBWTtaXl6LDmNUzp/hKXVg0yFsGa9WF8p/Kj5iMwjw2LEiMA=
X-Received: by 2002:a6b:dd01:: with SMTP id f1-v6mr2649883ioc.45.1533222461703; Thu, 02 Aug 2018 08:07:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4f:b442:0:0:0:0:0 with HTTP; Thu, 2 Aug 2018 08:07:01 -0700 (PDT)
In-Reply-To: <CAKKJt-d+4TiO3f8YQrb4m1c_+a7ChJKmeQrwsxtbv1NrYucWMA@mail.gmail.com>
References: <153266600019.24802.9316144897968330271.idtracker@ietfa.amsl.com> <F1CE7C6A-DE44-45F4-8CF4-E49766CFCEA5@fugue.com> <CAKKJt-d+4TiO3f8YQrb4m1c_+a7ChJKmeQrwsxtbv1NrYucWMA@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 02 Aug 2018 11:07:01 -0400
Message-ID: <CAPt1N1mUy4raULr9yfHzuSQh5nYg14efza0seoniXnpTqrW4og@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: IESG <iesg@ietf.org>, draft-ietf-dnsop-session-signal@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dnsop-chairs <dnsop-chairs@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003127fc0572752cec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_3E7ivcCO6PssRdpnIEbHYrH3UU>
Subject: Re: [DNSOP] Spencer Dawkins' Discuss on draft-ietf-dnsop-session-signal-12: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2018 15:07:52 -0000

On Thu, Aug 2, 2018 at 9:39 AM, Spencer Dawkins at IETF <
spencerdawkins.ietf@gmail.com> wrote:

> Hi, Ted,
>
> Chopping down to clearing my Discuss, and one wording suggestion for new
> text ...
>
> On Tue, Jul 31, 2018 at 1:41 PM Ted Lemon <mellon@fugue.com> wrote:
>
>> On Jul 27, 2018, at 12:33 AM, Spencer Dawkins <
>> spencerdawkins.ietf@gmail.com> wrote:
>>
>> I really like this document, and think it's headed the right direction. Of
>> course I have four pages of comments, because reasons, but the only part
>> I'm
>> really confused about is this one ...
>>
>> I would have thought that if you end up with a different endpoint because
>> your
>> anycast address now resolves differently, the new endpoint would have to
>> have
>> shared a lot of state with the previous endpoint, for this to work:
>>
>>  When an anycast service is configured on a particular IP address and
>>   port, it must be the case that although there is more than one
>>   physical server responding on that IP address, each such server can
>>   be treated as equivalent.  If a change in network topology causes
>>   packets in a particular TCP connection to be sent to an anycast
>>   server instance that does not know about the connection, the normal
>>   keepalive and TCP connection timeout process will allow for recovery.
>>
>> What I would have expected to happen, is that the new endpoint sees a
>> packet
>> arrive that's not on a synchronized TCP connection, and immediately
>> responds
>> with a RST (reset), rather than the normal keepalive and TCP connection
>> timeout
>> process happening. That's also the way I'm reading
>> https://tools.ietf.org/html/rfc7828#section-3.6. Is that not the way it's
>> working for anycast these days?
>>
>>
>> I believe this is correct—thanks for pointing it out.   I think the fix
>> is straightforward:
>>
>>   When an anycast service is configured on a particular IP address and
>>   port, it must be the case that although there is more than one
>>   physical server responding on that IP address, each such server can
>>   be treated as equivalent.  If a change in network topology causes
>>   packets in a particular TCP connection to be sent to an anycast
>>   server instance that does not know about the connection, the new
>>   server will automatically terminate the connection with a TCP reset,
>>   since it will have no record of the connection, and then the client can
>>   reconnect or stop using the connection, as appropriate.
>>
>> Does that sound good?
>>
>
> I'll clear based on this text, but you might want to consider being a bit
> more precise about what you're thinking of, when you say "each such server
> can be treated as equivalent", which, IIRC, was what started my journey
> into the weeds on this paragraph.
>
> ISTM that there are two ways people could be using anycast
> (overgeneralizing wildly) -
>
>    - I have nine servers that are geographically close enough to maintain
>    TCP state across the set of servers and I'm using anycast for
>    loadbalancing, or
>    - I have nine servers that are geographically diverse, and I'm using
>    anycast to provide more robust service, and they're not close enough to
>    maintain TCP state across the set of servers.
>
> I think your point is that the first case is fine (a change in network
> topology means that the server now being used either knows or can figure
> out quickly that to do with the incoming packet), and the second case is
> not (a change in network topology means that the server being used has no
> idea what to do with the incoming packet, and has no way to figure that
> out).
>
> If I got that right (at a 50,000 foot level), you might think about how to
> say it more correctly, but I'm clearing now, so do the right thing.
>

 When an anycast service is configured on a particular IP address and port,
it
 must be the case that although there is more than one physical server
 responding on that IP address, each such server can be treated as
equivalent.
+What we mean by "equivalent" here is that both servers can provide the
+same service and, where appropriate, the same authentication information,
+such as PKI certificates, when establishing connections.
+
+In principle, anycast servers could maintain sufficient state that they
can both handle packets
+in the same TCP connection.  In order for this to work with DSO, they
would need to also share
+DSO state.  It is unlikely that this can be done successfully, however, so
we recommend that
+each anycast server instance maintain its own session state.
+
 If a change in network topology causes
 packets in a particular TCP connection to be sent to an anycast
 server instance that does not know about the connection, the new


>
> "in order to respond in order" is kind of clunky. Perhaps "SHOULD NOT
> delay sending responses so that they can be returned in the order the
> corresponding requests were received"?
>
> But do the right thing, of course.
>

How's this:

 This prevents TCP's delayed acknowledgement algorithm from forcing the
 client into a slow lock-step.
 The server MUST act on messages in the order they are transmitted, but
-when responses to those messages become available out of order, the server
-SHOULD NOT delay sending available responses to respond in order.
+SHOULD NOT delay sending responses to those messages as they become
available in
+order to return them in the order the requests were received.
 {{?RFC7766}} section 3.3 specifies this in more detail.



> I'll clear now.
>

Thanks, and thanks for the thoughtful review!

v2.23.0 | Report a Bug | By Email