Re: [multipathtcp] FW: New Version Notification for draft-ford-mptcp-multiaddressed-02
"Ford, Alan" <alan.ford@roke.co.uk> Fri, 06 November 2009 14:34 UTC
Return-Path: <alan.ford@roke.co.uk>
X-Original-To: multipathtcp@core3.amsl.com
Delivered-To: multipathtcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BDF003A69CD for <multipathtcp@core3.amsl.com>; Fri, 6 Nov 2009 06:34:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.448
X-Spam-Level:
X-Spam-Status: No, score=-3.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LyJR7MMXl+Hc for <multipathtcp@core3.amsl.com>; Fri, 6 Nov 2009 06:34:23 -0800 (PST)
Received: from rsys001x.roke.co.uk (rsys001x.roke.co.uk [193.118.201.108]) by core3.amsl.com (Postfix) with ESMTP id 53E133A69AF for <multipathtcp@ietf.org>; Fri, 6 Nov 2009 06:34:22 -0800 (PST)
Received: from rsys005a.comm.ad.roke.co.uk ([193.118.193.85]) by rsys001x.roke.co.uk (8.13.1/8.13.1) with ESMTP id nA6FYXt6024629; Fri, 6 Nov 2009 15:34:33 GMT
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 06 Nov 2009 14:34:44 -0000
Message-ID: <2181C5F19DD0254692452BFF3EAF1D6808C85816@rsys005a.comm.ad.roke.co.uk>
In-Reply-To: <4AF38B0F.4070106@gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [multipathtcp] FW: New Version Notification for draft-ford-mptcp-multiaddressed-02
Thread-Index: Acpe2jTizxdDKiYzRdaMo3FOMIT0aAACAIdw
References: <2181C5F19DD0254692452BFF3EAF1D6808B826E2@rsys005a.comm.ad.roke.co.uk> <4AF38B0F.4070106@gmail.com>
From: "Ford, Alan" <alan.ford@roke.co.uk>
To: Scott Brim <scott.brim@gmail.com>
X-roke-co-uk-MailScanner: Found to be clean
X-roke-co-uk-MailScanner-SpamCheck:
X-roke-co-uk-MailScanner-From: alan.ford@roke.co.uk
Cc: multipathtcp@ietf.org
Subject: Re: [multipathtcp] FW: New Version Notification for draft-ford-mptcp-multiaddressed-02
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/multipathtcp>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Nov 2009 14:34:24 -0000
Hi Scott, > Ford, Alan allegedly wrote on 10/27/2009 10:03 AM: > > We now have a new version of the MPTCP protocol draft available, > > which will be presented in Hiroshima. > > > > Questions and discussion very much welcome beforehand too! > > > o Do we want a connection identifier in every packet? E.g. would > > make implementation of IDS much easier? > > I think so. What are the arguments against it? It deterministically > avoids the kind of cases that Joe was concerned about. Well the key argument against it would be the overhead it would create, and also any issues with option space limits. How would such an identifier really benefit these systems, in practice? In a way that could not be achieved by caching connection id/5-tuple mappings on initialisation? > > 4.1 Session Initiation > > Why is there a "multipath capable" option exchange at all? The question > is implicit in a "join" option. If the receiver does not understand the > "join", it is not multipath-capable, and you fall back. "Multipath Capable" is maybe a poor name for it. In reality, it is a "MPTCP Connection Initialization" option. It is, in effect, the source's definition of the MPTCP analogue of the source port. Remote hosts can then connect towards that. Without this, the initiator would not be able to pick a token that was unique to both the sender and the receiver. > > If these packets are unacknowledged, it is up to local policy to > > decide how to respond. It is expected that a sender will eventually > > fall back to single-path TCP (i.e. without the Multipath Capable > > Option), in order to work around middleboxes that may drop packets > > work _through_ them, rather :-) > > > If an endpoint is known to be multiaddressed (e.g. through multiple > > addresses returned in a DNS lookup), alternative destination > > addresses SHOULD be tried first, before falling back to regular TCP. > > You might want to note this is no different from some TCP behaviors > today, if a connection cannot be established to the first address attempted. Good point. > > The "Join" option includes an "Address ID". This is an identifier, > > locally unique to the sender of this option, and with only per- > > connection relevance, which identifies the source address of this > > packet. This serves two purposes. Firstly, if an address becomes > > unexpectedly unavailable on the sender, it can signal this to the > > receiver via a remove address option (Section 4.3.2) without needing > > to know what the source address actually is (thus allowing the use of > > NATs). > > This is good but ... > > > Secondly, it allows correlation between new connection > > attempts and address signalling (Section 4.3.1), to prevent duplicate > > subflow initiation. > > ... I have some problems with address "exchange". See below. > > > TBD: Instead of an Address ID, are there any cases where a Subflow ID > > (i.e. unique to the subflow) would be useful instead? For example, > > two addresses which become NATted to the same address? > > "Remove" is important but there are corner cases under all options I can > think of. I'm in favor of just documenting possible rare unintended > disruptions, and then just specifying "remove". For example, I could > see a scenario where A and B are communicating, and A is using address > 1.1.1.1 which is NATted to 3.3.3.3 by the time a packet reaches B. A > loses 1.1.1.1 and switches to 2.2.2.2, but an upstream network helpfully > NATs to the the same external address, 3.3.3.3, to be helpful to A. So > if A loses 1.1.1.1 and sends a "remove" for its ID, unintended > disruption will occur. Hmm, true, although it should open a new subflow from 2.2.2.2 and this should be able to reliably take over with no great interruption to the user. > > 4.3.1. Adding Addresses > > re "Add Address", I wouldn't bother. A source cannot know what its > addresses will look like to a destination, and NATs are here to stay. A > NAT on a particular path cannot know what a NAT on a different path will > do. Under no conditions should an address for one path be carried as > payload on another path. It's important to get layer violations out of > the control plane. Instead of promoting a mechanism that _might_ work > occasionally (and might open security holes??), let's focus on making > the data plane mechanisms work really well. Hmm. There are at least two strong use cases for signalling addresses, which cannot be achieved through an implicit join. 1. Firewalls/NATs in the way. Consider: Host A Host B ---------- ------------------------ Address A1 Address B1 Address B2 ---------- ---------- ---------- | | | | (initial setup) | | |--------------------->| | |<---------------------| | | | | | ###<--------------------------| | | | | (signal address) | | |<---------------------| | | | | | (additional subflow setup) | |----------------------------------->| |<-----------------------------------| | | Here, the multihomed endpoint cannot connect back to host A due to a firewall in the way (marked as ###), so instead the explicitly signalled address is used, and Host A can connect out to it to create the second subflow. 2. IPv6 and IPv4 - in this case, where there is an existing IPv4 subflow, it is not possible for one endpoint to implicitly use another of its addresses to the same endpoint, since both ends need to know about IPv6 addresses. So a second subflow should be initiated by an endpoint signalling its IPv6 address to the other endpoint, who is then able to use its IPv6 address in an implicit connection. (This kind of scenario may also apply to other cases). There is also the undecided security element, where signalling on an existing subflow is less open to exploits than entirely new TCP sessions. Regards, Alan
- [multipathtcp] FW: New Version Notification for d… Ford, Alan
- Re: [multipathtcp] FW: New Version Notification f… John Leslie
- Re: [multipathtcp] FW: New Version Notification f… Scott Brim
- Re: [multipathtcp] FW: New Version Notification f… Scott Brim
- Re: [multipathtcp] FW: New Version Notification f… John Leslie
- Re: [multipathtcp] FW: New Version Notification f… Ford, Alan
- Re: [multipathtcp] FW: New Version Notification f… Rémi Després