Re: [hackathon] [Ext] IETF 118 Hackathon: Are long-lived TCP sessions a problem for (DNS) statistics?
Roy Arends <roy.arends@icann.org> Wed, 01 November 2023 16:00 UTC
Return-Path: <roy.arends@icann.org>
X-Original-To: hackathon@ietfa.amsl.com
Delivered-To: hackathon@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEFEFC14F721 for <hackathon@ietfa.amsl.com>; Wed, 1 Nov 2023 09:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.907
X-Spam-Level:
X-Spam-Status: No, score=-0.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PDS_BAD_THREAD_QP_64=0.999, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hICKdAYpiPgE for <hackathon@ietfa.amsl.com>; Wed, 1 Nov 2023 09:00:10 -0700 (PDT)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FB69C14CF15 for <hackathon@ietf.org>; Wed, 1 Nov 2023 09:00:10 -0700 (PDT)
Received: from MBX112-W2-VA-1.pexch112.icann.org (out.mail.icann.org [64.78.48.207]) by ppa2.lax.icann.org (8.17.1.24/8.17.1.24) with ESMTPS id 3A1G00sM024929 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 1 Nov 2023 16:00:00 GMT
Received: from MBX112-E2-VA-2.pexch112.icann.org (10.217.41.130) by MBX112-E2-VA-2.pexch112.icann.org (10.217.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.27; Wed, 1 Nov 2023 11:59:58 -0400
Received: from MBX112-E2-VA-2.pexch112.icann.org ([10.217.41.130]) by MBX112-E2-VA-2.pexch112.icann.org ([10.217.41.130]) with mapi id 15.02.1258.027; Wed, 1 Nov 2023 11:59:58 -0400
From: Roy Arends <roy.arends@icann.org>
To: John Scudder <jgs=40juniper.net@dmarc.ietf.org>
CC: "jerry@dns-oarc.net" <jerry@dns-oarc.net>, "rs.ietf@gmx.at" <rs.ietf@gmx.at>, "hackathon@ietf.org" <hackathon@ietf.org>, Warren Kumari <warren@kumari.net>
Thread-Topic: [Ext] [hackathon] IETF 118 Hackathon: Are long-lived TCP sessions a problem for (DNS) statistics?
Thread-Index: AQHaDNgg7Dk7N0KCXESGTrmTGt/fw7Bl4j4A
Date: Wed, 01 Nov 2023 15:59:58 +0000
Message-ID: <053EE2DE-6547-455C-B9C0-99C22AEA98BC@icann.org>
References: <622eef00-5802-437c-bf6e-26b523bf5df5@dns-oarc.net> <abf0f8b0-76eb-4b06-9faf-6c8119f1405e@gmx.at> <CAHw9_iJifEf8J+7mg0xh6WYnF11jeTRS-ow9JTRgzVuswt7bCA@mail.gmail.com> <CE588850-5D7E-4CD0-9EA3-DE245AA7FCC6@juniper.net>
In-Reply-To: <CE588850-5D7E-4CD0-9EA3-DE245AA7FCC6@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.47.234]
x-source-routing-agent: True
Content-Type: multipart/signed; boundary="Apple-Mail=_507C30B6-CBF9-4CAC-B2CE-E794D2D25185"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-01_14,2023-11-01_02,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/hackathon/hZxsEXZXRIe2XTvESVfmgo8zzqM>
Subject: Re: [hackathon] [Ext] IETF 118 Hackathon: Are long-lived TCP sessions a problem for (DNS) statistics?
X-BeenThere: hackathon@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion regarding past, present, and future IETF hackathons." <hackathon.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hackathon>, <mailto:hackathon-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hackathon/>
List-Post: <mailto:hackathon@ietf.org>
List-Help: <mailto:hackathon-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hackathon>, <mailto:hackathon-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2023 16:00:15 -0000
Hi, Thanks for jumping in! We are well aware of long term TCP sessions that carry other protocol traffic. However, for DNS over TCP, at least at some the root-server instance traffic DITL data, it seems that the bulk of TCP sessions are short lived, where the lifetime lasts mostly a single query/response pair. We even see multiple (parallel) TCP sessions occur from a single client to a single server. Some tools that monitor DNS traffic, that include traffic over TCP derived from 5 minute PCAP files, need to observe a syn/ack first before including DNS traffic within that session. Additionally, some tools do not expect a second query in the same session. This leads to a potential under-reporting of DNS-over-TCP traffic. We’d like to analyse a bit more DITL traffic to look for TCP sessions that lasts longer than a query/response exchange, and see for how long it lasts, etc. We could then feed that traffic into monitoring tools to look for accurate reporting. Hope this helps to understand the premise for the proposed hackathon work. Warmly, Roy Arends > On 1 Nov 2023, at 15:27, John Scudder <jgs=40juniper.net@dmarc.ietf.org> wrote: > > And for that matter, BGP runs over TCP and it’s not unusual to see BGP sessions that are up for months. I wouldn’t be surprised if there were ones that stayed up for more than a year. I didn’t reply earlier because the question seemed to be specific to DNS/TCP, but since someone else jumped first… :-) > > I regret to say I don’t have hard data to offer, just anecdote. > > —John > >> On Oct 6, 2023, at 11:56 AM, Warren Kumari <warren@kumari.net> wrote: >> >> >> On Fri, Oct 06, 2023 at 4:30 AM, <rs.ietf@gmx.at> wrote: >> I don't have data ready to share, but i want to point out that in the storage space (NFS; SMB; iSCSI; NVMe/TCP; iWARP) - which is not necessarily on the public internet though, it is the norm rather then the exception to have TCP sessions being active for days and weeks at a time - typcially only reestablished after some more or less severe disruption (hosts rebooting, ports failing, excessive packet discards...). >> >> >> >> I think that this is also true for a bunch of VPN / tunneling technologies. >> >> For example, I've had a number of enterprise site-to-site "SSL Tunnels" which have been up for many many months, as well as a bunch of SSH tunnels (and just sessions) for similar times. In fact, I recently stumbled across an SSH connection to a terminal server which had been up for a few years — someone had SSHed from a console server to a termserver, and then disconnected, leaving the session up indefinitely. >> >> W >> >> >> >> I can not comment on DNS/TCP sessions though. >> >> Best regards, >> Richard >> >> Am 06.10.2023 um 09:27 schrieb Jerry Lundström: >> >> Hi all, >> >> Some tools uses packet capturing to do statistics for DNS and some of them needs to see the beginning of the TCP sessions. If resolver systems out there start keeping TCP session against authorities open for a very long time (days or weeks) then it might become a problem for these tools. >> >> We would like to look at two things; >> 1) First to poke at data to see if there are very long-lived TCP sessions out there today, or not(!) which is equally interesting to know. >> 2) Second to survey DNS statistics tools out there to see how they handle long-lived TCP sessions to understand how wide a problem this might be, if any. And maybe fix some of them if issues are spotted when doing this. >> >> Sounds interesting? Do you have data to poke at? Hope to see you at the hackathon then! :) >> >> Cheers, >> Jerry Lundström & Roy Arends >> >> _______________________________________________ >> hackathon mailing list >> hackathon@ietf.org >> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/hackathon__;!!PtGJab4!_o8pfsPaVtEEUhH2sPdKH0avw6EFzPZbyuztEVDO8XodqCqHOFRdQBUEZPN3Tzl9tQ7zm9Wlyec-0LG7Xe6I5td-La9273RwbiBS6A$ [ietf[.]org] >> Unsubscribe: mailto:hackathon-request@ietf.org?subject=unsubscribe >> >> _______________________________________________ >> hackathon mailing list >> hackathon@ietf.org >> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/hackathon__;!!PtGJab4!_o8pfsPaVtEEUhH2sPdKH0avw6EFzPZbyuztEVDO8XodqCqHOFRdQBUEZPN3Tzl9tQ7zm9Wlyec-0LG7Xe6I5td-La9273RwbiBS6A$ [ietf[.]org] >> Unsubscribe: mailto:hackathon-request@ietf.org?subject=unsubscribe >> >> >> _______________________________________________ >> hackathon mailing list >> hackathon@ietf.org >> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/hackathon__;!!NEt6yMaO-gk!C5cszFscM6tI6kNzCMFJW1rcvh82rEQl7j3LVB-rfHmJJP3x7tUqWs5hshga0Pie03Z6-fSDa-OK$ >> Unsubscribe: mailto:hackathon-request@ietf.org?subject=unsubscribe > > _______________________________________________ > hackathon mailing list > hackathon@ietf.org > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/hackathon__;!!PtGJab4!_o8pfsPaVtEEUhH2sPdKH0avw6EFzPZbyuztEVDO8XodqCqHOFRdQBUEZPN3Tzl9tQ7zm9Wlyec-0LG7Xe6I5td-La9273RwbiBS6A$ [ietf[.]org] > Unsubscribe: mailto:hackathon-request@ietf.org?subject=unsubscribe
- [hackathon] IETF 118 Hackathon: Are long-lived TC… Jerry Lundström
- Re: [hackathon] IETF 118 Hackathon: Are long-live… rs.ietf
- Re: [hackathon] IETF 118 Hackathon: Are long-live… Warren Kumari
- Re: [hackathon] IETF 118 Hackathon: Are long-live… guest271314
- Re: [hackathon] IETF 118 Hackathon: Are long-live… Jerry Lundström
- Re: [hackathon] IETF 118 Hackathon: Are long-live… John Scudder
- Re: [hackathon] [Ext] IETF 118 Hackathon: Are lon… Roy Arends
- Re: [hackathon] IETF 118 Hackathon: Are long-live… Houda CHIHI
- Re: [hackathon] IETF 118 Hackathon: Are long-live… Benno Overeinder
- Re: [hackathon] IETF 118 Hackathon: Are long-live… Houda CHIHI