Re: Naive question on multiple TCP/IP channels
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 04 February 2015 21:23 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D89B01A88EF; Wed, 4 Feb 2015 13:23:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43g0BK6KJudY; Wed, 4 Feb 2015 13:23:46 -0800 (PST)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1BAC1A88C8; Wed, 4 Feb 2015 13:23:45 -0800 (PST)
Received: by mail-la0-f52.google.com with SMTP id gd6so2735303lab.11; Wed, 04 Feb 2015 13:23:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=jXfEw2RcjXDSCgOUkFjgxQxcCyjVSGt3EJpw3dA4SEE=; b=INni2HKXUrgDnaYumcjv4Kj8bHX5sSer6Wqcfr1EFs5rytboQ8pxaS6JRi3Hd/TIkK YglCZhrJZwQ2bqd/TUA+skAzd7F0hOh4AzvWvcvlpUVqb7rWpaJlDViE/RwTiUlZqy+P cIlWqEPuwEnPLRtVRNibPPeNIEBNvLfeKGe8bBs48/emU9ZIiaHEzdmKJSvnJ/xZja9U NmhVp3YRI6VrAXxOLtAxZyDinnI0ffMTbKtjgelGOIlMBmiGoQ76F+CHoxUoJElcKdps 0/i3s4r48EM11VJLeS7eAFs7PXhyneHdxZwS+1Ksf2mBtqUJXbUVkODON4++Z+aDQvG7 V6RA==
MIME-Version: 1.0
X-Received: by 10.112.12.71 with SMTP id w7mr252250lbb.99.1423085024210; Wed, 04 Feb 2015 13:23:44 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.147.193 with HTTP; Wed, 4 Feb 2015 13:23:43 -0800 (PST)
In-Reply-To: <CAL9jLaaxapXeCBE3cNJeO6b6RXHoc+RJdSLsb046qz+nvQk-3Q@mail.gmail.com>
References: <CAMm+Lwgb9L9bUG6ommBDYJzQTCU1cC_zLSEf_5JPeJ+c=yrYmA@mail.gmail.com> <5DF6DC77-E476-408F-9FA5-F107DDC9F857@netapp.com> <CAMm+LwjM412i4NbXhYajSKdrP2FTa7sBbu8Fca1yA9g6QWjYGQ@mail.gmail.com> <CAL9jLaaxapXeCBE3cNJeO6b6RXHoc+RJdSLsb046qz+nvQk-3Q@mail.gmail.com>
Date: Wed, 04 Feb 2015 16:23:43 -0500
X-Google-Sender-Auth: 5RSE4jP3KwNp5RB0LqixJpUZ1jU
Message-ID: <CAMm+LwhcQfbCjimzj59VYM1w1L6dNm8aKFbk4TOeeJv5u20NnQ@mail.gmail.com>
Subject: Re: Naive question on multiple TCP/IP channels
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c3e6065a78e3050e49cd5c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/5OlpXzjBtHuJ5eTc3P6BEWpafvY>
Cc: IETF Discussion Mailing List <ietf@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 21:23:48 -0000
On Wed, Feb 4, 2015 at 4:00 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote: > On Wed, Feb 4, 2015 at 3:47 PM, Phillip Hallam-Baker > <phill@hallambaker.com> wrote: > > > I know that traditionally we have considered congestion control to be a > per > > connection thing rather than per process or per user. Those don't exactly > > exist in the Internet model. But if we consider DDoS to be an extreme > form > > of congestion, we have to look at the O/S implementing broader rate > limiting > > anyway. > > I'm not sure this scales in a useful manner...especially if you want > (for instance) to be able to read from your cloud/nas/etc at 'line > rate' but then limit access rates to other places because of 'dos' > concerns. > No it is not simple at all! At a gut level, there is something wrong if a node is generating vast numbers of SYN messages and never doing anything more. But only looking for SYN floods at the network border means the attackers will attempt some Data as well. Working at the endpoint is a lot simpler but then we rely on the endpoint not being compromised which is a bad assumption for a machine doing DDoS attacks. The reason I am doing this work is to try to work out what controls to place where.Traditionally a firewall has been seen as a device that protects the local network from attacks coming in. But preventing outbound attacks is equally important. Nobody is going to bother attacking Comcast's customers if all their residential gateways have egress controls that make them useless as bots. Conversely nobody is going to pay for Comcast service if the egress controls makes it useless for browsing etc. > Policy for that is not going to be clear, or simple, or reasonable. > > > If the case for multiple streams is better performance based on > friendlier > > slow start parameters, maybe these should be allowed without the end > run. If > > the net is surviving with people starting five streams instead of one, > maybe > > the slow start parameters could start at five packets per destination > host > > instead of one per connection. It would be a little more code to > implement > > but speed is hardly an issue where its purpose is throttling anyway. > > More connections means you may avoid the 'random early drop' problem > for some of your connections, right? Presuming somewhere between > src/dest there's a thinner pipe (or more full pipe) and RED/etc is > employed (or just queue drops in general), putting all your eggs in > one connection basket is less helpful than 5 connection baskets. > Hmm, again sounds like gaming the congestion parameters rather than an argument for a particular approach. > One connection (one traditional http/tcp connection) also means object > serialization gets you as well. (I think roberto alludes to this > above) > There are several necessary functions. One of them is MUX and another of them is serializing data from API calls. The question being which function each belongs at which layer.
- Naive question on multiple TCP/IP channels Phillip Hallam-Baker
- Re: Naive question on multiple TCP/IP channels Roberto Peon
- Re: Naive question on multiple TCP/IP channels Donald Eastlake
- Re: Naive question on multiple TCP/IP channels David Morris
- Re: Naive question on multiple TCP/IP channels Eggert, Lars
- Re: Naive question on multiple TCP/IP channels Phillip Hallam-Baker
- Re: Naive question on multiple TCP/IP channels Christopher Morrow
- Re: Naive question on multiple TCP/IP channels Phillip Hallam-Baker
- Re: Naive question on multiple TCP/IP channels Christopher Morrow
- Re: Naive question on multiple TCP/IP channels Brian E Carpenter
- Re: Naive question on multiple TCP/IP channels Phillip Hallam-Baker
- Re: Naive question on multiple TCP/IP channels Martin Rex
- Re: Naive question on multiple TCP/IP channels Jim Gettys
- Re: Naive question on multiple TCP/IP channels Phillip Hallam-Baker
- Re: Naive question on multiple TCP/IP channels Jim Gettys
- Re: Naive question on multiple TCP/IP channels Phillip Hallam-Baker
- Re: [tsvwg] Naive question on multiple TCP/IP cha… Piers O'Hanlon
- Re: [tsvwg] Naive question on multiple TCP/IP cha… Jim Gettys
- Re: Naive question on multiple TCP/IP channels Wesley Eddy