Re: [multipathtcp] Progressing the MPTCP proxy work
Tom Herbert <tom@herbertland.com> Sat, 16 September 2017 18:54 UTC
Return-Path: <tom@herbertland.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6A81326F3 for <multipathtcp@ietfa.amsl.com>; Sat, 16 Sep 2017 11:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FaVwf7ZvSWP7 for <multipathtcp@ietfa.amsl.com>; Sat, 16 Sep 2017 11:54:15 -0700 (PDT)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 560E0133048 for <multipathtcp@ietf.org>; Sat, 16 Sep 2017 11:54:13 -0700 (PDT)
Received: by mail-qt0-x236.google.com with SMTP id m35so4664351qte.1 for <multipathtcp@ietf.org>; Sat, 16 Sep 2017 11:54:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=MiWA1Lpc4m3x7BWeskfkPqELF/c9Isl3YW+Qpq1wV+8=; b=bsDitQMQvtmFpY5rSGc0Sdta/PvoTLQagfTBuFfpZUfifcPtPyNrPVE8apjaUPMwNu EgBOtB3cTnoVm+zNabgpT7FZscQCjJdx9JjORR1IXsXJhxtBHVGV/vncCxDPsR678Ye8 RamXNMm/MQFXNbEGmETJEB5YtqmJW+IDA9MSIHYMIGmek8N550SGNUDM4eKLPaTK+hh1 d5KO7nDw8enkfPH0a2u37FFdHwLwHxepzo+X8cliAKosE2o4qaYiyUHMhgRIkB/iaCQM VLEIC81TG/qNe8JYAmlG/KYdH763G3iJLGncWn+LOU4EXrJoOP4uSHUUNg5CogO+GPX9 tmMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=MiWA1Lpc4m3x7BWeskfkPqELF/c9Isl3YW+Qpq1wV+8=; b=YtOPbX7KF5lQf6CCIiWyZQ/qFM3AlGDYzTz6hMmdVkNBO25Ewmi8Q3NQTvBY6nBOgI Llpq41MfBr/9Vq0VcWBnLGmgHRZR/WpltR2ybULq44B7vh/u8oQVJ09YAezA6slao0Zi Rkih84TnORRwp5Y1WSRMgVpa0a00p0gJ2Kq5RxsBLFUcDVdLdhis79ZLSiPdpfGZ6Vem bOow/yGSiwNwKucCubldOH0JIaGg39iwH0ow8MXqSwDVpB8xJD93BgKLhb5JBhq86Gnb XCXbdwL6NHgsAs0hPedBsJ+4Xte1YQ5fsmjOjIKFMUxfdwCYAft8dYdIfKITLN6bcc3Q Rgtg==
X-Gm-Message-State: AHPjjUi62Jy/HfcqrqzoMG+vllJmPicGFSa3iQjfd6JAin88aSSdT2I+ 7wxJQQQ37lAYXdsf2Rdk/ehSoSmxx9O4B3o+TcLIcg==
X-Google-Smtp-Source: AOwi7QB1KGyh98Y0rNEGVR+WVHKGYBKvSTje2B64qaHdcf2Ob2kJA3BSRUeJgFpAhoUMLX0g1P6UQSi8VOqJ4zb0DDU=
X-Received: by 10.200.43.140 with SMTP id m12mr23128316qtm.58.1505588052155; Sat, 16 Sep 2017 11:54:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.61.196 with HTTP; Sat, 16 Sep 2017 11:54:11 -0700 (PDT)
In-Reply-To: <2efd30edab0647dda78246734f89a3f1@rew09926dag03b.domain1.systemhost.net>
References: <2efd30edab0647dda78246734f89a3f1@rew09926dag03b.domain1.systemhost.net>
From: Tom Herbert <tom@herbertland.com>
Date: Sat, 16 Sep 2017 11:54:11 -0700
Message-ID: <CALx6S352Ez=ZusXhb71MZYCr_7O6TUiB+P7QKwzX4=7uAEVSrw@mail.gmail.com>
To: philip.eardley@bt.com
Cc: multipathtcp@ietf.org, tcpm@ietf.org, tsv-area@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/WoxAoxa59ecfl8fKeHnSjjXsjFE>
Subject: Re: [multipathtcp] Progressing the MPTCP proxy work
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Sep 2017 18:54:17 -0000
On Wed, Sep 13, 2017 at 8:01 AM, <philip.eardley@bt.com> wrote: > Hi, > > At the IETF we discussed (in MPTCP WG) a new proposal on MPTCP proxy, “0-RTT > TCP converters” > https://tools.ietf.org/html/draft-bonaventure-mptcp-converters This seemed > to get a good reception, and had taken on board the feedback about the > “plain mode” draft. > > We believe the next steps are: > > • WGs – TCPM & MPTCP - please send any further initial comments, > especially if you believe it hasn’t dealt with technical concerns that were > raised about the “plain mode” draft, or if you have fresh concerns > Hello, I have some concerns about both the motivation and solution described in the draft. The primary motivation stated for this protocol seems to be that "deploying those extensions on both a wide range of clients and servers remains difficult". That's a pretty general and subjective rationalization. The argument that things take too long to deploy can be applied to nearly any protocol; for instance, a similar argument was recently given in 6man to justify the need for IPv10 since IPv6 is taking too long to deploy. The typical problems with this argument are three fold: 1) it presumes that development and deployment of an interim solution will take less time than to deploy the protocol being fixed 2) it doesn't address the root cause of why a protocol is taking long to deploy in the first place 3) the interim solution likely creates new problems and incompatibilities that need to be dealt with. For this draft I think these should be considered in the specific context of MPTCP. For #1 the assumption, the key assertion in the draft is "There are some situations where the transport stack used on clients (resp. servers) can be upgraded at a faster pace than the transport stack running on servers (resp. clients)."-- I think the reality of this is quite debatable. Major content provider providers that make up the bulk Internet traffic, such as Google and Facebook, upgrade their front end web server software at a much faster rate than clients typically do. There a good examples, TFO for instance, where there was support for new TCP features on servers long before clients. The other part of this is that the solution assumes client support of MPTCP. AFAIK Android (which represents a huge number of clients) does not ship with an MPTCP implementation even though its been part of IOS since 2013. So, the real question that should be asked is why isn't MPTCP being deployed which leads to problem #2. I suspect a major reason that MPTCP is not deployed in Android or servers is that fact that upstream Linux has not adopted the implementation. There was an effort a while back to get it into the stack, however there was pushback because of the invasiveness of the code (it was 1000's of lines of core TCP code change). Unfortunately, the developers didn't followup and continue working on reducing the complexity of implementation. I think with enough persistence in addressing the feedback the code would eventually make it in. Even so, acceptance into Linux is not a requirement for deployment. Google and Facebook could be running MPTCP on their servers, and Android could shipped with MPTCP support. I suspect the reason they're not doing that is motivation. If they were convinced that MPTCP is a great value to users, they can make deployment happen quickly. For #3, the problems of the interim solution need to be elaborated. TCP is an end to end protocol, and we know that whenever a middlebox attempts to transparently process TCP some things will break. As section 5 states "The Converter protocol was designed to be used in networks that do not contain middleboxes that interfere with TCP." -- the irony of this statement is that the converter itself becomes a middlebox that interferes with TCP. The converter has many of the same issues of other middlebox solutions (proxies, firewalls) in the network that are invasive at the transport layer. For instance E2E security (e.g. TCP-AO) is likely broken. Also, I have to wonder about the case where the client and server support an option that is unknown to the converter-- say for instance that an experimental option is being used for a new feature such as we did with TFO. In this case I don't see how the converter can deal with the option, passing it through between MPTCP and non-MPTCP may or may not be correct. So probably the only reasonable behavior is to drop unknown options. But, then that means the endpoints would be bound to using only TCP options that the converter supports, so ultimately the converter is an obstacle not a facilitator for deploying new options. Perhaps the biggest irony of this proposal is that the converter is stateful for a connection, so all packets must flow through a single point in the network. Like stateful firewalls, this inevitably becomes a bottleneck and a single point of failure. I believe that is nearly the exact opposite of what MPTCP endeavors to provide. A few comments about the text: In several places the term "TCP extensions" is used, I think "TCP options" is the more correct term. In Section 2.1: The arguments that SOCKS can't be used are not entirely convincing to me. "the converter protocol leverages the TFO option [RFC7413] to place all its control information inside the SYN and SYN+ACK packets." I'm not sure what "control information" means here. Is this referring to TCP options, an inband control protocol, or something else? It seems to me that support for SOCKS to use TFO should be straightforward, in fact the draft even states that has been proposed for SOCKS. "A second difference is that the converter protocol takes the TCP extensions explicitly into account." Per #3 above, the converter can only take into account TCP options that it understands and it can't deal with options like TCP-AO that must be truly end to end. Given these limitations, and the fact that a SOCKS should be running on an modern TCP stack that supports all the common options, I'm not sure how much tangible value there is in this difference. The third argument may have merit, but I would point out that this difference applies to all proxies and they are ubiquitous in deployment. Also, we are adding kProxy (in kernel proxy) for the Linux stack which actually would allow SYN forwarding in proxies without finishing client side connection establishment to give the same effect of the solution in the draft. Tom
- [multipathtcp] Progressing the MPTCP proxy work philip.eardley
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Tom Herbert
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Olivier Bonaventure
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Tom Herbert
- Re: [multipathtcp] [tcpm] Progressing the MPTCP p… Joe Touch
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Olivier Bonaventure
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Tom Herbert
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Olivier Bonaventure
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Tom Herbert
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Yoshifumi Nishida
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Tom Herbert
- Re: [multipathtcp] [tcpm] Progressing the MPTCP p… Joe Touch
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Yoshifumi Nishida
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Olivier Bonaventure
- Re: [multipathtcp] Progressing the MPTCP proxy wo… Tom Herbert