Re: [multipathtcp] Two proxy scenario (network proxy off path)

<mohamed.boucadair@orange.com> Wed, 29 March 2017 15:32 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D37CD129613 for <multipathtcp@ietfa.amsl.com>; Wed, 29 Mar 2017 08:32:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oiv9yfP70nyi for <multipathtcp@ietfa.amsl.com>; Wed, 29 Mar 2017 08:32:01 -0700 (PDT)
Received: from relais-inet.orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 668F91296E1 for <multipathtcp@ietf.org>; Wed, 29 Mar 2017 08:32:01 -0700 (PDT)
Received: from opfedar04.francetelecom.fr (unknown [xx.xx.xx.6]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id 90299606EB for <multipathtcp@ietf.org>; Wed, 29 Mar 2017 17:31:59 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.17]) by opfedar04.francetelecom.fr (ESMTP service) with ESMTP id 6B21540067; Wed, 29 Mar 2017 17:31:59 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM24.corporate.adroot.infra.ftgroup ([fe80::a1e6:3e6a:1f68:5f7e%18]) with mapi id 14.03.0319.002; Wed, 29 Mar 2017 17:31:59 +0200
From: <mohamed.boucadair@orange.com>
To: "philip.eardley@bt.com" <philip.eardley@bt.com>, "multipathtcp@ietf.org" <multipathtcp@ietf.org>
Thread-Topic: Two proxy scenario (network proxy off path)
Thread-Index: AdKoJ5zQqp6DxGj1TeSb3FIu9At16gADSQSAABpPv9AAAF1KAA==
Date: Wed, 29 Mar 2017 15:31:58 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933009E42E79@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <6284b86cf96445548c88452da0daf225@rew09926dag03b.domain1.systemhost.net> <787AE7BB302AE849A7480A190F8B933009E42A2F@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <3439e96f9db74300bcfda44c8b7af09d@rew09926dag03b.domain1.systemhost.net>
In-Reply-To: <3439e96f9db74300bcfda44c8b7af09d@rew09926dag03b.domain1.systemhost.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.5]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/MJhNV6F2koJxcgs7Yjh_RrEG0_0>
Subject: Re: [multipathtcp] Two proxy scenario (network proxy off path)
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 15:32:04 -0000

Re-,

Thank you for the clarification. There is no such standard non-chatty SOCKS specifications. 

You are completely right that authorization is not needed for every connection coming from the same CPE. But SOCKSv5 does not allow for relaxing that. 

As discussed in the nam-deployment draft, there are alternate approaches to achieve authorization without even implying an explicit exchange between the CPE and the MCP. 

Cheers,
Med

> -----Message d'origine-----
> De : philip.eardley@bt.com [mailto:philip.eardley@bt.com]
> Envoyé : mercredi 29 mars 2017 10:13
> À : BOUCADAIR Mohamed IMT/OLN; multipathtcp@ietf.org
> Objet : RE: Two proxy scenario (network proxy off path)
> 
> By non-chatty, I meant a version that didn't do all the authentication
> messages. After all, the home gateway and network proxy can be expected to
> know about each other already - at least don't need to do for every new
> TCP connection from devices behind home gateway
> 
> -----Original Message-----
> From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
> Sent: 29 March 2017 06:30
> To: Eardley,PL,Philip,TUB8 R <philip.eardley@bt.com>om>;
> multipathtcp@ietf.org
> Subject: RE: Two proxy scenario (network proxy off path)
> 
> Hi Phil,
> 
> Can you please clarify what you mean by a "non-chatty version"? version of
> what?
> 
> You can refer to Section 3 of RFC1928 to have an idea about the number of
> messages that are required before sending actual traffic when SOCKSv5 is
> used.
> 
> Below an excerpt of signaling messages observed to create an initial
> subflow using SOCKSv5:
> 
> ==============
> (MP Client) ->    TCP SYN    ->  (MCP)
>                    <- TCP SYN/ACK <-
>                    ->    TCP ACK    ->
>                    -> SOCKS Method Request (1)(a) ->
>                    <-    TCP ACK (b)   <-
>                     <- SOCKS Method Response (2)(c) <-
>                     ->   TCP ACK (d)   ->
>                     -> SOCKS Authentication Request (3)(e) ->
>                     <-    TCP ACK (f)    <-
>                     <- SOCKS Auth. Response (4)(g) <-
>                     ->   TCP ACK (h)   ->
>                     -> SOCKS Connection Request (5)(i) -> (MCP)
>                     <-   TCP ACK (j)                   <- (MCP)
>                                                           (MCP)  -> TCP
> SYN (k) -> (Server)
>                                                           (MCP)  <-
> SYN/ACK (l) <- (Server)
>                     <- SOCKS Connection Response (n) (6) <-(MCP) -> TCP
> ACK (m) -> (Server)
>                     ->   TCP ACK (o)  ->
> =================
> 
> I let you compare it with the 0-RTT and 0-extra signaling approach with
> MP_CONVERT IE.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : multipathtcp [mailto:multipathtcp-bounces@ietf.org] De la part de
> > philip.eardley@bt.com Envoyé : mardi 28 mars 2017 20:24 À :
> > multipathtcp@ietf.org Objet : [multipathtcp] Two proxy scenario
> > (network proxy off path)
> >
> > Hi,
> >
> > I'm now thinking about the scenario where there are two proxies, one
> > in the home gateway or Customer Premises Equipment and one in the
> > network, both under the control of the operator. And looking at the
> 'explicit mode'
> > scenario, which - if I get it right - means that the network proxy is
> > not on the default path. (It's safe to assume that the home gateway
> > proxy is on the default path)
> >
> > Thinking about the use of SOCKS in this context.
> >
> > Earlier Olivier said (in the context of the smartphone scenario -
> > sorry if your comments don't apply to this scenario and I'm just
> > creating
> > confusion) that there are different variants of SOCKS that can be
> > used, which mainly depend on the number of messages that are used to
> > authenticate.
> > In the two proxy scenario, it's probably reasonable to assume that the
> > home gateway and network proxy are already authenticated. So a
> > non-chatty version would be ok.
> >
> > Is that right?
> >
> > Thanks
> > phil
> >
> > _______________________________________________
> > multipathtcp mailing list
> > multipathtcp@ietf.org
> > https://www.ietf.org/mailman/listinfo/multipathtcp