Re: [multipathtcp] TR: I-D Action: draft-boucadair-mptcp-plain-mode-08.txt
"PEIRENS Bart (TSI/MST)" <bart.peirens@proximus.com> Thu, 14 July 2016 17:04 UTC
Return-Path: <bart.peirens@proximus.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39F212D09A for <multipathtcp@ietfa.amsl.com>; Thu, 14 Jul 2016 10:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0pviGRW4G5X for <multipathtcp@ietfa.amsl.com>; Thu, 14 Jul 2016 10:04:52 -0700 (PDT)
Received: from mx18.belgacom.be (mx18.belgacom.be [195.13.15.238]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8AC12D7A4 for <multipathtcp@ietf.org>; Thu, 14 Jul 2016 10:04:50 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.28,363,1464645600"; d="scan'208";a="3524179"
Received: from a05193.bgc.net ([10.121.129.141]) by mx18.belgacom.be with ESMTP; 14 Jul 2016 19:04:49 +0200
X-TM-IMSS-Message-ID: <6bf194b7000f1f7e@proximus.com>
Received: from A04023.BGC.NET ([10.120.135.24]) by proximus.com ([10.121.129.141]) with ESMTP (TREND IMSS SMTP Service 7.5) id 6bf194b7000f1f7e ; Thu, 14 Jul 2016 19:04:48 +0200
Received: from A04086.BGC.NET ([169.254.2.167]) by A04023.BGC.NET ([10.120.135.24]) with mapi id 14.03.0266.001; Thu, 14 Jul 2016 19:04:48 +0200
From: "PEIRENS Bart (TSI/MST)" <bart.peirens@proximus.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "multipathtcp@ietf.org" <multipathtcp@ietf.org>
Thread-Topic: Re: [multipathtcp] TR: I-D Action: draft-boucadair-mptcp-plain-mode-08.txt
Thread-Index: AdHc425rg3vMOxmqTYixnk9DQIRiUA==
Date: Thu, 14 Jul 2016 17:04:47 +0000
Message-ID: <FBDC7DA3C88E6D418CD2F6178D25AC227883521B@A04086.BGC.NET>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.12.97]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/ipWa-nMR-jityEkzl1K2qzrKlEo>
Subject: Re: [multipathtcp] TR: I-D Action: draft-boucadair-mptcp-plain-mode-08.txt
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2016 17:04:55 -0000
Dear Med,
Thanks for the update of this draft
My understanding is that the plain-mode draft is:
It's inspired to have a deployment model that allows an 'off-path' concentrator/mptcp-proxy in the backbone network without requiring additional traffic steering techniques or tunnelling done in the network towards it.
(E.g. it's 'network assisted mptcp deployment, within an operator controlled environment, but avoiding impact/configuration changes on other existing network elements in the operator network)
It allows either implicit or explicit deployment modes (using e.g. I-D.boucadair-mptcp-dhc for discovery of the concentrator nodes)
Furthermore it allows different modes in which the original CPE WAN or Host LAN (IPv6) address is either preserved or mapped to the local pool on the proxy node.
Some questions arise while reviewing the draft:
* Is the option preservation or the original source address on the concentrator not in direct contradiction with the goals of the draft, as the network in such mode will have to implement traffic steering policies for Internet originated or return packets back to the concentrator, even more problematic if only selected flows/protocols originating from the CPE should benefit from the network assisted mptcp? An 'on-path' model of the mptcp proxy in the forwarding path in the network could resolve this, but then rewriting the addresses and embedding original ones in the PM option would no longer be a requirement as well for deployment.
* The draft does not seem to address the requirement for validation of the embedded address in the PM option by the concentrator, especially with the D bit set. The updated -08 version addresses the concern with multicast/broadcast/host loopback addresses however. Such validation for packets with the D-bit set should be done to implement BCP 38 on the concentrator. The network elements of an operator at the network boundary can no longer do this now the address is embedded (we consider the CPE function outside of the network boundary and untrusted). When the PM option with D bit set to preserve original LAN address (e.g. IPv6 default case) the concentrator in addition needs to have knowledge of the delegated addresses behind the CPE and keep state of this? This would likely require some extra out of band synchronisation and complexity in the overall solution.
* Even without source address preservation at the concentrator node, the lack of validation of an embedded address in a PM option with D bit set by the CPE is problematic. As mentioned in section 7.3 such a deployment that involves global (ipv4) address mapping/sharing will typically require a logging function for the operator for traceback of abuse or lawful purposes. Such logging can only be relied on if the embedded source address received by the CPE has been validated by some means to be effectively being assigned to it.
* The effects of a rogue 'on-path' concentrator are described and illegitimate access to a concentrator node is described in section 7.1. My understanding of the workings of plain-mode is however that if any (e.g. including illegitimate off-path) concentrator can direct traffic to the CPE WAN address it allows source address spoofing for incoming connections towards the customer LAN or CPE itself. I believe restricting the sources that a CPE does accept packets with PM option set would be a requirement to resolve this and as such ruling out the option of an implicit configuration model currently left open in the draft?
I believe if the above points are left unaddressed the benefits of the 'off-path' deployment model do not outweighs the new issues it creates for an operator and doubt if addressing them will not bring the solution to at least the same or even higher complexity than an on-path model for an operator.
In response we submitted a new ID (draft-peirens-mptcp-transparent-00) where a more 'transparent' mode deployment is documented, preserving original customer addressing without embedding those within a new option field, as an alternate deployment model. It would however require placing the concentrator 'on-path', or using network assisted steering of the traffic towards the concentrator/proxy. Today an operator has already has multiple options available today to archive this, not necessary requiring encapsulation, and a more generic framework is being addresses as well in sfc wg. We would welcome discussion on this topic and benefits of either deployment model and will present the draft in the Wednesday slot next week.
While in favour of a MPTCP proxy model for accelerated deployment and resource pooling between access networks, I'm currently not convinced that embedding a specific traffic steering using a new MPTCP option is the best approach forward.
Regards
Bart
> Dear all,
>
> A new version that integrates the comments received from the list is available online:
> * clarify that the solution applies for both CPEs and hosts directly connected to operator networks.
> * clarify how fragmentation is managed for UDP.
> * clarify that one MPTCP connection is bound to one UDP flow
> * precise the behavior when a plain mode option includes multicast and broadcast addresses
> * call out that CGN optimization are inherited (e.g., optimize logging files, address pooling, port randomization, port set assuagement, etc.).
> * add a new section to explicit the target deployment and middlebox interference
> * add some text about checksum adjustment
>
> Reviews are more than welcome.
>
> Cheers,
> Med
________________________________
***** Disclaimer *****
http://www.proximus.be/maildisclaimer
- [multipathtcp] TR: I-D Action: draft-boucadair-mp… mohamed.boucadair
- Re: [multipathtcp] TR: I-D Action: draft-boucadai… mohamed.boucadair
- Re: [multipathtcp] TR: I-D Action: draft-boucadai… PEIRENS Bart (TSI/MST)