Re: [multipathtcp] Consensus call on potential MPTCP proxy work

<mohamed.boucadair@orange.com> Wed, 26 April 2017 06:11 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 223F2129416 for <multipathtcp@ietfa.amsl.com>; Tue, 25 Apr 2017 23:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.4
X-Spam-Level:
X-Spam-Status: No, score=-5.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hr6ZGvlibhD5 for <multipathtcp@ietfa.amsl.com>; Tue, 25 Apr 2017 23:11:40 -0700 (PDT)
Received: from relais-inet.orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D11D126C25 for <multipathtcp@ietf.org>; Tue, 25 Apr 2017 23:11:40 -0700 (PDT)
Received: from opfednr07.francetelecom.fr (unknown [xx.xx.xx.71]) by opfednr20.francetelecom.fr (ESMTP service) with ESMTP id 7C1D84019F; Wed, 26 Apr 2017 08:11:38 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.27]) by opfednr07.francetelecom.fr (ESMTP service) with ESMTP id 4C1891C005D; Wed, 26 Apr 2017 08:11:38 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM7C.corporate.adroot.infra.ftgroup ([fe80::8007:17b:c3b4:d68b%19]) with mapi id 14.03.0319.002; Wed, 26 Apr 2017 08:11:37 +0200
From: <mohamed.boucadair@orange.com>
To: Joe Touch <touch@isi.edu>
CC: "philip.eardley@bt.com" <philip.eardley@bt.com>, "multipathtcp@ietf.org" <multipathtcp@ietf.org>
Thread-Topic: [multipathtcp] Consensus call on potential MPTCP proxy work
Thread-Index: AQHSvQneFYN3Pf6Ey0Kw29UUSw2QvaHUm0kQ///mkACAAqPNgA==
Date: Wed, 26 Apr 2017 06:11:36 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933009E5390A@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <8c5ffa879686472594bfd3db2fa06076@rew09926dag03b.domain1.systemhost.net> <99affa00-5118-1a0f-227a-b3f4b751ffd4@isi.edu> <787AE7BB302AE849A7480A190F8B933009E4FBB2@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <11026acd-8f91-ff42-299d-b646c19c953e@isi.edu> <787AE7BB302AE849A7480A190F8B933009E503BE@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <d53d6f13-f412-c42f-53a6-04637c7fef9b@isi.edu> <787AE7BB302AE849A7480A190F8B933009E50F91@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <5df14875-b0ec-1052-d3e9-bb7936d4429a@isi.edu> <787AE7BB302AE849A7480A190F8B933009E51CDF@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <9a803d8c-0c2a-9b5c-cd2a-fb4ce23ea3bd@isi.edu> <787AE7BB302AE849A7480A190F8B933009E52977@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <78A398AB-57BC-4CB2-BEE6-46704FA6E849@isi.edu> <787AE7BB302AE849A7480A190F8B933009E52E56@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <e96adf18-f116-f424-9067-74b38ced6eee@isi.edu>
In-Reply-To: <e96adf18-f116-f424-9067-74b38ced6eee@isi.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.1]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/fWktx-wcz7VCII7BveRIG-foK6s>
Subject: Re: [multipathtcp] Consensus call on potential MPTCP proxy work
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 06:11:42 -0000

Hi Touch, 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Joe Touch [mailto:touch@isi.edu]
> Envoyé : lundi 24 avril 2017 17:23
> À : BOUCADAIR Mohamed IMT/OLN
> Cc : philip.eardley@bt.com; multipathtcp@ietf.org
> Objet : Re: [multipathtcp] Consensus call on potential MPTCP proxy work
> 
> 
> 
> On 4/24/2017 8:03 AM, mohamed.boucadair@orange.com wrote:
> > Re-,
> >
> > Do you consider a NAT implementation as part of your first category or
> the second one?
> A NAT is part of the second one. You'll notice that there are no
> IETF-endorsed NAT solutions

[Med] I disagree, Joe. The IETF published "Standards Track" documents about NAT TCP state machines: https://tools.ietf.org/html/rfc7857#section-2, https://tools.ietf.org/html/rfc6146#section-3.5.2.2, and many other RFCs about NAT TCP behavior itself (RFC5382) or RFC6888. All these RFCs are implemented and deployed in real networks.

The IETF has also a "Standards Track" document called SOCKSv5 (RFC1928) that is splitting the TCP connection. We are adhering to the logic of that RFC but without the drawbacks of SOCKS.

Your initial argument, that is about "the IETF has never sanctioned..", is not acceptable.


 - only protocols to talk directly to NATs or
> methods to overcome what NATs do.

[Med] I disagree. See above. We are leveraging on existing IETF standard track documents. 

> 
> > BTW, the mptcp proxy documents do only describe the external behavior.
> No implementation-specific assumptions/details are included.
> When you require the MPTCP SYN to be issued before the SYN-ACK is sent
> to the originating client, that is specifying split-TCP behavior that
> the IETF has never endorsed.
> 
> The same is true when you try to reinvent ways to interpret SYN data
> before the MPTCP 3WHS completes - reinventing TFO without TFO's
> protections.

[Med] I don't accept this argument. The only protection in TFO is a server-supplied "cookie". The proxy work has sufficient protections to interpret data inserted in a SYN in a safe manner. 

- TFO cookie is “used by the server side to authenticate a client initiating a TFO connection”. We support a variety of authentication/authorization methods; Please refer to slide 29 of https://www.ietf.org/proceedings/98/slides/slides-98-mptcp-sessa-network-assisted-mptcp-03.pdf.

- TFO specification acknowledges the following: “COOKIES ARE NOT NECESSARY if the server has application-level protection or is immune to these attacks” (cookie-less Fast Open) and “the server may choose to generate a TRIVIAL or even a ZERO-LENGTH COOKIE to improve performance by avoiding the cookie generation and verification”. Cached cookies are not required to supply data in 3WHS if the server if protection is in place. This is the case for the MPTCP proxy target case.  

- TFO server-supplied cookies are used to prevent SYNs with spoofed IP addresses attacks: Providers' networks are enabled with anti-spoofing filters.  

In order to avoid any confusion: the data we are talking about is not user/application supplied data but a proxy-supplied data that won't never reach the ultimate destination. We are not cloning TFO functionality. 

> 
> Joe
> 
> >
> > Cheers,
> > Med
> >
> >> -----Message d'origine-----
> >> De : Joe Touch [mailto:touch@isi.edu]
> >> Envoyé : lundi 24 avril 2017 16:49
> >> À : BOUCADAIR Mohamed IMT/OLN
> >> Cc : philip.eardley@bt.com; multipathtcp@ietf.org
> >> Objet : Re: [multipathtcp] Consensus call on potential MPTCP proxy work
> >>
> >> Med,
> >>
> >> A proxy can operate at the conventional socket layer and would not have
> or
> >> need direct access to SYN segments. Any information needed to
> reconstitute
> >> the SYN at the upstream proxy could be retrieved in other ways.
> >>
> >> You're pushing a split-TCP solution, one that (again, I repeat) the
> IETF
> >> has never sanctioned and I do not agree with.
> >>
> >> Joe
> >>
> >>> On Apr 24, 2017, at 1:23 AM, <mohamed.boucadair@orange.com>;
> >> <mohamed.boucadair@orange.com>; wrote:
> >>> Joe,
> >>>
> >>> Transforming a TCP connection into MPTCP connection will obviously
> need
> >> to access to SYNs to insert MPTCP options.
> >>> This is the basic behavior of ** any ** MPTCP proxy.
> >>>
> >>> Cheers,
> >>> Med
> >>>
> >>>> -----Message d'origine-----
> >>>> De : Joe Touch [mailto:touch@isi.edu]
> >>>> Envoyé : vendredi 21 avril 2017 18:04
> >>>> À : BOUCADAIR Mohamed IMT/OLN; philip.eardley@bt.com;
> >>>> multipathtcp@ietf.org
> >>>> Objet : Re: [multipathtcp] Consensus call on potential MPTCP proxy
> work
> >>>>
> >>>> Med,
> >>>>
> >>>> I've made my position clear too.
> >>>>
> >>>> I do not support this doc as MPTCP work.
> >>>>
> >>>> I also call into question whether this is in-scope for MPTCP. MPTCP
> is
> >>>> chartered to work within MPTCP - but this solution requires access to
> >>>> raw incoming SYNs inside a different TCP connection, which is no
> longer
> >>>> in-scope IMO.
> >>>>
> >>>> Joe
> >>>>