Re: [multipathtcp] Two proxy scenario (network proxy off path)

<mohamed.boucadair@orange.com> Wed, 29 March 2017 16:32 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48959129672 for <multipathtcp@ietfa.amsl.com>; Wed, 29 Mar 2017 09:32:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SEUQUECU8V_h for <multipathtcp@ietfa.amsl.com>; Wed, 29 Mar 2017 09:32:48 -0700 (PDT)
Received: from relais-inet.orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F477129519 for <multipathtcp@ietf.org>; Wed, 29 Mar 2017 09:32:48 -0700 (PDT)
Received: from opfedar02.francetelecom.fr (unknown [xx.xx.xx.4]) by opfedar24.francetelecom.fr (ESMTP service) with ESMTP id EB356C023F; Wed, 29 Mar 2017 18:32:46 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.66]) by opfedar02.francetelecom.fr (ESMTP service) with ESMTP id C4AD7180066; Wed, 29 Mar 2017 18:32:46 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILMA1.corporate.adroot.infra.ftgroup ([fe80::95e2:eb4b:3053:fabf%19]) with mapi id 14.03.0319.002; Wed, 29 Mar 2017 18:32:46 +0200
From: <mohamed.boucadair@orange.com>
To: "cpaasch@apple.com" <cpaasch@apple.com>
CC: "Henderickx, Wim (Nokia - BE/Antwerp)" <wim.henderickx@nokia.com>, "philip.eardley@bt.com" <philip.eardley@bt.com>, "multipathtcp@ietf.org" <multipathtcp@ietf.org>
Thread-Topic: [multipathtcp] Two proxy scenario (network proxy off path)
Thread-Index: AQHSqKjPMv/9rf5sCkmZVt7p+2qnp6GsAG9A
Date: Wed, 29 Mar 2017 16:32:45 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933009E430CE@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <70EAECD3-22A6-420A-B84C-04B0673020DF@nokia.com> <20170329153901.GF2779@dhcp-8507.meeting.ietf.org> <3D71318E-8644-4FB3-8C7F-9DD4E5AFE89B@nokia.com> <20170329154652.GG2779@dhcp-8507.meeting.ietf.org> <787AE7BB302AE849A7480A190F8B933009E4303A@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <20170329162327.GH2779@dhcp-8507.meeting.ietf.org>
In-Reply-To: <20170329162327.GH2779@dhcp-8507.meeting.ietf.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.5]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/jIF9h5RApZvSaQHQwxJqLtGAaCU>
Subject: Re: [multipathtcp] Two proxy scenario (network proxy off path)
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 16:32:51 -0000

Re,

Please see inline.

Cheers,
Med

> -----Message d'origine-----
> De : cpaasch@apple.com [mailto:cpaasch@apple.com]
> Envoyé : mercredi 29 mars 2017 11:23
> À : BOUCADAIR Mohamed IMT/OLN
> Cc : Henderickx, Wim (Nokia - BE/Antwerp); philip.eardley@bt.com;
> multipathtcp@ietf.org
> Objet : Re: [multipathtcp] Two proxy scenario (network proxy off path)
> 
> On 29/03/17 - 16:13:18, mohamed.boucadair@orange.com wrote:
> > Christoph,
> >
> > If you remove the initial TCP connection,
> > If you remove the authentication negotiation,
> > If you include the payload of the original SYN as part of the NEW SOCKS
> request
> >
> > You are just cloning the MP_CONVERT behavior by overloading SOCKS
> semantic without providing an extra feature compared to the MP_CONVERT.
> >
> > For the particular case of IPv6 when source address/prefix preservation
> is required, I don't see how this can be supported by SOCKS. Of course,
> you can modify the SOCKS command to clone MP_CONVERT :)
> 
> The point is that we should try to do something that is architecturally
> clean,
> without being closely linked to MPTCP.

[Med] MP_CONVERT is defined as an Information Element; not an MPTCP option. The documents we are discussing in MPTCP are specifying the use of this IE for MPTCP proxying purposes. This is the only case we have today for it.

> 
> Just imagine, if you deploy a proxy that enables the use of TCP-BBR, a
> congestion-control that is much better than what servers/clients currently
> use. This would also need a 0-RTT proxying solution (even if it is not
> using MPTCP).

[Med] I agree. MP_CONVERT can be used in that context. Interested parties can edit a document to describe the MP_CONVERT IE applicability for that use case. This is not precluded if there is interest.
 
> 
> 
> The point I am trying to make is that a 0-RTT proxying solution is not
> something that the MPTCP working-group should be in charge of. There are
> other places in the IETF that are probably more appropriate for this.
> 
[Med] MPTCP is the place where **MPTCP** proxy is to be specified. 0-RTT is a concern for all transport protocol designs. Endorsing an MPTCP proxy design that increases the delay of establishing proxyied connections by several tens of ms is a no starter. 

> 
> Christoph
> 
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : cpaasch@apple.com [mailto:cpaasch@apple.com]
> > > Envoyé : mercredi 29 mars 2017 10:47
> > > À : Henderickx, Wim (Nokia - BE/Antwerp)
> > > Cc : philip.eardley@bt.com; BOUCADAIR Mohamed IMT/OLN;
> > > multipathtcp@ietf.org
> > > Objet : Re: [multipathtcp] Two proxy scenario (network proxy off path)
> > >
> > > On 29/03/17 - 15:42:59, Henderickx, Wim (Nokia - BE/Antwerp) wrote:
> > > > Christoph, yes but again it something new and less optimal from the
> > > proposed MP_CONVERT IE in the SYN.
> > >
> > > No, that's what I wrote below. It's not less optimal. It's exactly the
> > > same in
> > > terms of performance as MP_CONVERT IE in the SYN!
> > >
> > >
> > > Christoph
> > >
> > >
> > > >
> > > > On 29/03/2017, 10:39, "cpaasch@apple.com on behalf of Christoph
> Paasch"
> > > <cpaasch@apple.com> wrote:
> > > >
> > > >     Hello Wim,
> > > >
> > > >     inline:
> > > >
> > > >     On 29/03/17 - 15:29:04, Henderickx, Wim (Nokia - BE/Antwerp)
> wrote:
> > > >     > Phil, you will be a bit more optimal but not a lot as you can
> see
> > > or you end up changing the SOCKs protocol. Even if you do this
> MP_CONVERT
> > > IE will always be the most optimal and hence this is what we propose
> for
> > > doing this proxy function.
> > > >     >
> > > >     > On 29/03/2017, 10:12, "multipathtcp on behalf of
> > > philip.eardley@bt.com" <multipathtcp-bounces@ietf.org on behalf of
> > > philip.eardley@bt.com> wrote:
> > > >     >
> > > >     >     By non-chatty, I meant a version that didn't do all the
> > > authentication messages. After all, the home gateway and network proxy
> can
> > > be expected to know about each other already - at least don't need to
> do
> > > for every new TCP connection from devices behind home gateway
> > > >     >
> > > >     >     -----Original Message-----
> > > >     >     From: mohamed.boucadair@orange.com
> > > [mailto:mohamed.boucadair@orange.com]
> > > >     >     Sent: 29 March 2017 06:30
> > > >     >     To: Eardley,PL,Philip,TUB8 R <philip.eardley@bt.com>om>;
> > > multipathtcp@ietf.org
> > > >     >     Subject: RE: Two proxy scenario (network proxy off path)
> > > >     >
> > > >     >     Hi Phil,
> > > >     >
> > > >     >     Can you please clarify what you mean by a "non-chatty
> > > version"? version of what?
> > > >     >
> > > >     >     You can refer to Section 3 of RFC1928 to have an idea
> about
> > > the number of messages that are required before sending actual traffic
> > > when SOCKSv5 is used.
> > > >     >
> > > >     >     Below an excerpt of signaling messages observed to create
> an
> > > initial subflow using SOCKSv5:
> > > >     >
> > > >     >     ==============
> > > >     >     (MP Client) ->    TCP SYN    ->  (MCP)
> > > >     >                        <- TCP SYN/ACK <-
> > > >     >                        ->    TCP ACK    ->
> > > >     >                        -> SOCKS Method Request (1)(a) ->
> > > >
> > > >     you would of course use TFO with SOCKS, so that you gain one
> RTT.
> > > >
> > > >     If then in addition to that you remove the authentication part
> of
> > > SOCKS, and
> > > >     you can even put the payload right after the SOCKS Connection
> > > Request inside
> > > >     the SYN-payload, then you are effectively also at a 0-RTT
> connection
> > > >     establishment.
> > > >
> > > >
> > > >     Christoph
> > > >
> > > >
> > > >     >                        <-    TCP ACK (b)   <-
> > > >     >                         <- SOCKS Method Response (2)(c) <-
> > > >     >                         ->   TCP ACK (d)   ->
> > > >     >                         -> SOCKS Authentication Request (3)(e)
> ->
> > > >     >                         <-    TCP ACK (f)    <-
> > > >     >                         <- SOCKS Auth. Response (4)(g) <-
> > > >     >                         ->   TCP ACK (h)   ->
> > > >     >                         -> SOCKS Connection Request (5)(i) ->
> > > (MCP)
> > > >     >                         <-   TCP ACK (j)                   <-
> > > (MCP)
> > > >     >
> > > (MCP)  -> TCP SYN (k) -> (Server)
> > > >     >
> > > (MCP)  <- SYN/ACK (l) <- (Server)
> > > >     >                         <- SOCKS Connection Response (n) (6)
> <-
> > > (MCP) -> TCP ACK (m) -> (Server)
> > > >     >                         ->   TCP ACK (o)  ->
> > > >     >     =================
> > > >     >
> > > >     >     I let you compare it with the 0-RTT and 0-extra signaling
> > > approach with MP_CONVERT IE.
> > > >     >
> > > >     >     Cheers,
> > > >     >     Med
> > > >     >
> > > >     >     > -----Message d'origine-----
> > > >     >     > De : multipathtcp [mailto:multipathtcp-bounces@ietf.org]
> De
> > > la part de
> > > >     >     > philip.eardley@bt.com Envoyé : mardi 28 mars 2017 20:24
> À :
> > > >     >     > multipathtcp@ietf.org Objet : [multipathtcp] Two proxy
> > > scenario
> > > >     >     > (network proxy off path)
> > > >     >     >
> > > >     >     > Hi,
> > > >     >     >
> > > >     >     > I'm now thinking about the scenario where there are two
> > > proxies, one
> > > >     >     > in the home gateway or Customer Premises Equipment and
> one
> > > in the
> > > >     >     > network, both under the control of the operator. And
> looking
> > > at the 'explicit mode'
> > > >     >     > scenario, which - if I get it right - means that the
> network
> > > proxy is
> > > >     >     > not on the default path. (It's safe to assume that the
> home
> > > gateway
> > > >     >     > proxy is on the default path)
> > > >     >     >
> > > >     >     > Thinking about the use of SOCKS in this context.
> > > >     >     >
> > > >     >     > Earlier Olivier said (in the context of the smartphone
> > > scenario -
> > > >     >     > sorry if your comments don't apply to this scenario and
> I'm
> > > just
> > > >     >     > creating
> > > >     >     > confusion) that there are different variants of SOCKS
> that
> > > can be
> > > >     >     > used, which mainly depend on the number of messages that
> are
> > > used to
> > > >     >     > authenticate.
> > > >     >     > In the two proxy scenario, it's probably reasonable to
> > > assume that the
> > > >     >     > home gateway and network proxy are already
> authenticated. So
> > > a
> > > >     >     > non-chatty version would be ok.
> > > >     >     >
> > > >     >     > Is that right?
> > > >     >     >
> > > >     >     > Thanks
> > > >     >     > phil
> > > >     >     >
> > > >     >     > _______________________________________________
> > > >     >     > multipathtcp mailing list
> > > >     >     > multipathtcp@ietf.org
> > > >     >     > https://www.ietf.org/mailman/listinfo/multipathtcp
> > > >     >
> > > >     >     _______________________________________________
> > > >     >     multipathtcp mailing list
> > > >     >     multipathtcp@ietf.org
> > > >     >     https://www.ietf.org/mailman/listinfo/multipathtcp
> > > >     >
> > > >     >
> > > >     > _______________________________________________
> > > >     > multipathtcp mailing list
> > > >     > multipathtcp@ietf.org
> > > >     > https://www.ietf.org/mailman/listinfo/multipathtcp
> > > >
> > > >