IETF Logo Mail Archive

Re: TCPMUX (RFC 1078) status

Martin Sustrik <sustrik@250bpm.com> Fri, 16 August 2013 05:38 UTC

Return-Path: <sustrik@250bpm.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02D0C11E8113 for <ietf@ietfa.amsl.com>; Thu, 15 Aug 2013 22:38:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.694
X-Spam-Level:
X-Spam-Status: No, score=-0.694 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SK=1.35, HOST_EQ_SK=0.555]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UaFgQYNazsUi for <ietf@ietfa.amsl.com>; Thu, 15 Aug 2013 22:38:21 -0700 (PDT)
Received: from mail.moloch.sk (chrocht.moloch.sk [62.176.169.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7839111E811B for <ietf@ietf.org>; Thu, 15 Aug 2013 22:38:17 -0700 (PDT)
Received: from [192.168.1.134] (188-167-109-79.dynamic.chello.sk [188.167.109.79]) by mail.moloch.sk (Postfix) with ESMTPSA id 4E1B31803553; Fri, 16 Aug 2013 07:38:03 +0200 (CEST)
Message-ID: <520DBABA.2000506@250bpm.com>
Date: Fri, 16 Aug 2013 07:38:02 +0200
From: Martin Sustrik <sustrik@250bpm.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111109 Thunderbird/3.1.16
MIME-Version: 1.0
To: Wesley Eddy <wes@mti-systems.com>
Subject: Re: TCPMUX (RFC 1078) status
References: <5205D2FB.8010205@250bpm.com> <52069498.1000604@mti-systems.com> <520D3779.4050106@isi.edu> <520D7F0D.10905@mti-systems.com>
In-Reply-To: <520D7F0D.10905@mti-systems.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-tcpm-tcp-rfc4614bis@tools.ietf.org, IETF-Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 05:38:27 -0000

On 16/08/13 03:23, Wesley Eddy wrote:

>> There are semantics issues to; see draft-touch-tcp-portnames-00 for
>> information (this is being revised for resubmission shortly, FWIW).
>>
> I totally agree.  In fact, in the update to the TCP roadmap [1], we
> added TCPMUX to the section on "Historic and Undeployed Extensions",
> though it definitely bears further discussion than is currently in
> the roadmap.  I think we should add a reference to your portnames doc
> to explain why this should be Historic plus check a bit more to see if
> the code that's out there is really being used or whether it's just
> hanging out like a vestigal limb in the various inetd packages.
>
> If it's fair to ask Martin ... I'm kind of curious why you might want
> to be using it or think it sounds useful?  I think a lot of admins
> would be concerned that it could be used to get around port-based
> firewall rules, etc.

Ok, let me explain.

I am coming from enterprise messaging world (think of IBM MQ series, 
JMS, ActiveMQ, RabbitMQ et c.)

Once I was participating on AMQP protocol development (now at OASIS). 
So, what AMQP and other enterprise messaging products do is exposing a 
"message broker" on a single TCP port, which then forwards messages to 
any connected services. As can be seen, single open firewall port can be 
used to access any internal service.

That being obviously the *wrong* way to do things, I've written ZeroMQ 
later which takes the strict approach: If you want to expose a new 
service, you have to use a separate TCP port number.

Since then it turned out that this as a limitation that people are most 
complaining about.

Now, the reason seems to be that ZeroMQ requires you to use different 
TCP connections for doing different kinds of stuff to avoid head-of-line 
blocking et c. (think of SCTP channels simulated via TCP)

What that means is that you have a lot of fine-grained services and as 
the development of your application proceeds you add more of them, 
remove them and so on.

That in turn requires admins (and the corporate approval process!) to 
get into the deployment cycle and open the TCP ports as appropriate. The 
result is that the development basically grinds to halt.

The solution IMO is to preserve the port-based services functionality 
for those that truly care about security and -- optionally -- support 
some kind of multiplexer such as TCPMUX for those that care more about 
short deployment cycle.

That being said, IIRC, there's such functionality in WebSockets as well. 
Open a connection to fixed pot (80) and particular URL (string), then 
after the initial negotiation, switch to raw TCP mode and hand the 
connection to whatever application is suppose to handle it. The reason I 
don't like that solution is that you have to have web server installed 
to work as a multiplexer, which is kind of strange.

Martin

v2.23.0 | Report a Bug | By Email