IETF Logo Mail Archive

Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tuning for HTTP

Patrick McManus <mcmanus@ducksong.com> Thu, 03 March 2016 20:49 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D88351B43C8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Mar 2016 12:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.285
X-Spam-Level:
X-Spam-Status: No, score=-6.285 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fH84vldDi3tC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 3 Mar 2016 12:49:09 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CB601B43CA for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 3 Mar 2016 12:49:09 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aba6T-0002Pb-CT for ietf-http-wg-dist@listhub.w3.org; Thu, 03 Mar 2016 20:44:09 +0000
Resent-Date: Thu, 03 Mar 2016 20:44:09 +0000
Resent-Message-Id: <E1aba6T-0002Pb-CT@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mcmanus@ducksong.com>) id 1aba6N-0002Nk-6W for ietf-http-wg@listhub.w3.org; Thu, 03 Mar 2016 20:44:03 +0000
Received: from www.ducksong.com ([192.155.95.102] helo=linode64.ducksong.com) by lisa.w3.org with esmtp (Exim 4.80) (envelope-from <mcmanus@ducksong.com>) id 1aba6L-0004Y7-HL for ietf-http-wg@w3.org; Thu, 03 Mar 2016 20:44:02 +0000
Received: from mail-vk0-f47.google.com (mail-vk0-f47.google.com [209.85.213.47]) by linode64.ducksong.com (Postfix) with ESMTPSA id 129CC3A01B for <ietf-http-wg@w3.org>; Thu, 3 Mar 2016 15:43:39 -0500 (EST)
Received: by mail-vk0-f47.google.com with SMTP id e6so34191684vkh.2 for <ietf-http-wg@w3.org>; Thu, 03 Mar 2016 12:43:39 -0800 (PST)
X-Gm-Message-State: AD7BkJIlb8tVWRHWM/IZpOYiLVubfSnOCj9Whyik70behuSWh3phxrGrHaHsu7B93ZgI3CGWxfPb29zA/ZVvjA==
MIME-Version: 1.0
X-Received: by 10.31.135.79 with SMTP id j76mr3123484vkd.91.1457037818783; Thu, 03 Mar 2016 12:43:38 -0800 (PST)
Received: by 10.176.64.72 with HTTP; Thu, 3 Mar 2016 12:43:38 -0800 (PST)
In-Reply-To: <20160303184418.GA18774@1wt.eu>
References: <56D74C23.5010705@isi.edu> <56D76A7E.7090507@isi.edu> <20160302232125.GA18275@1wt.eu> <56D77892.2000308@isi.edu> <20160303065545.GA18412@1wt.eu> <56D87BAC.4060204@isi.edu> <20160303184418.GA18774@1wt.eu>
Date: Thu, 03 Mar 2016 15:43:38 -0500
X-Gmail-Original-Message-ID: <CAOdDvNokUDxmfy87VrQNLoQvQknP6L3h6fLbuFeVpOiDN4szAQ@mail.gmail.com>
Message-ID: <CAOdDvNokUDxmfy87VrQNLoQvQknP6L3h6fLbuFeVpOiDN4szAQ@mail.gmail.com>
From: Patrick McManus <mcmanus@ducksong.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Joe Touch <touch@isi.edu>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a114592e49d359d052d2b0d4a"
Received-SPF: pass client-ip=192.155.95.102; envelope-from=mcmanus@ducksong.com; helo=linode64.ducksong.com
X-W3C-Hub-Spam-Status: No, score=-5.6
X-W3C-Hub-Spam-Report: AWL=-0.707, BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aba6L-0004Y7-HL 32f259f86b49007b1daa7cfca2bb225e
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Fwd: Re: [tcpm] FW: Call for Adoption: TCP Tuning for HTTP
Archived-At: <http://www.w3.org/mid/CAOdDvNokUDxmfy87VrQNLoQvQknP6L3h6fLbuFeVpOiDN4szAQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31169
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Wily, Joe,

This message is a bit of a diversion from the discussion so far. sorry bout
that.

On Thu, Mar 3, 2016 at 1:44 PM, Willy Tarreau <w@1wt.eu> wrote:

> I've seen people
> patch their kernels to lower the TIME_WAIT down to 2 seconds to address
> such shortcomings! Quite frankly, this workaround *is* causing trouble!
>

really? That's fascinating to me. Can you provide background or citations
on what kind of trouble has been attributed to this and the scenario where
it was done?

You don't need to go through the theoretical - I know what TW could
conceptually catch - but the assertion about the shorter timeout causing
field problems is something I'd love to understand better.

For TW to be useful protection it also has to be paired with
re-transmission and some application states that will be impacted by the
screwup which reduces its utility, particularly for HTTP. I read the above
statement as saying that TW is indeed useful in the field at the
application layer - but maybe it is referencing some side effect I'm not
thinking of rather than the vulnerability of not using it.

Those kinds of post mortem war stories where it is seen in the field are
pretty interesting and help inform the discussion about whether the cure is
worse than the disease. My inclination has generally been that TW doesn't
help a lot in practice and has some limitations and causes pain (as well
documented in this thread.). So it would be interesting to look at the
fallout of a situation it could have helped with.

This feels a bit like the musing over the subpar utility of the tcp
checksum on high bandwidth networks. For that one, the answer at least in
the http space is 'use https for integrity and sort out the rare error at
the application level'. I'm wondering if that's the right advice in the
time_wait space for http as well.. we're really still talking about
integrity. Go ahead and turn it off - just make sure you're running a
higher level protocol that won't confuse old data with new data.

(Fun paper: http://conferences2.sigcomm.org/imc/2015/papers/p303.pdf showed
that at the tail of a ping survey, 1 % of replies from 1% of addresses
needed >= 145 seconds to arrive. And that's just delay - not
retransmission. A truly protective TW is a very large number.)

v2.23.0 | Report a Bug | By Email