Re: [multipathtcp] Fwd: New Version Notification for draft-paasch-mptcp-loadbalancer-00.txt
Christoph Paasch <cpaasch@apple.com> Thu, 10 September 2015 02:21 UTC
Return-Path: <cpaasch@apple.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1925F1B54AD for <multipathtcp@ietfa.amsl.com>; Wed, 9 Sep 2015 19:21:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nLNf9BdmcgRR for <multipathtcp@ietfa.amsl.com>; Wed, 9 Sep 2015 19:21:52 -0700 (PDT)
Received: from mail-in5.apple.com (mail-out5.apple.com [17.151.62.27]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 629C21B324D for <multipathtcp@ietf.org>; Wed, 9 Sep 2015 19:21:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1441851711; x=2305765311; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=LA7cFnRxhO+GP982Zt/fYYtlo8G+OhmrXre7R97If6I=; b=fpXaY1k1XBGrwUNolJe747/6pegtmM2mr4HqhK8s0B8tW6CwbdGh42q8lBpw1Idq bjbXlgvwEokmbYsY2bxX/dy0H8H414NFr+x7cqs64HdLs1Im1aPo6zVOGsCV00b4 UmDYZtnzB1CnpRDrBh2KcKFp0RrFI0QyaU4Xpu3Z1Y6C+bRnGBlyQpj3g1vSsfNL 226omvnho8ntBJMbJNfp51KGXXCRLZosjhaWJZwrbIH7a6dxdjxaSaKkUCVsU8c3 HWsJ25LQN266H0SO+ZWdkpgRGDkSltPZ3c0eMRWqo8a6Q9H6e8Ww5oVbSEpDMHHb b2Fn1cNVHCGQrDuPUgfXGA==;
Received: from relay6.apple.com (relay6.apple.com [17.128.113.90]) by mail-in5.apple.com (Apple Secure Mail Relay) with SMTP id F6.62.22968.F39E0F55; Wed, 9 Sep 2015 19:21:51 -0700 (PDT)
X-AuditID: 11973e13-f79006d0000059b8-60-55f0e93fb7d2
Received: from marigold.apple.com (marigold.apple.com [17.128.115.132]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay6.apple.com (Apple SCV relay) with SMTP id 26.91.22881.F39E0F55; Wed, 9 Sep 2015 19:21:51 -0700 (PDT)
Received: from localhost ([17.153.77.168]) by marigold.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTPSA id <0NUF0022AVWF0T60@marigold.apple.com> for multipathtcp@ietf.org; Wed, 09 Sep 2015 19:21:51 -0700 (PDT)
Sender: cpaasch@apple.com
Date: Wed, 09 Sep 2015 19:21:51 -0700
From: Christoph Paasch <cpaasch@apple.com>
To: Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be>
Message-id: <20150910022151.GF42530@Chimay.local>
References: <20150908035557.GB73228@Chimay.local> <55F098DB.8020201@uclouvain.be>
MIME-version: 1.0
Content-type: text/plain; charset="us-ascii"
Content-disposition: inline
In-reply-to: <55F098DB.8020201@uclouvain.be>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrNLMWRmVeSWpSXmKPExsUi2FAYpWv/8kOowaO5OhafV19nc2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXRsfx/4wF7boV2262MDcwTlTqYuTkkBAwkehYsIkdwhaTuHBv PVsXIxeHkMBeRomzrw+zwRRtWfyUGcQWEpjEJLH4fQ5EUTeTxOztj1hBEsICkhLdd+6AFbEI qEp867zJBGKzCWhJvL3dDlYjImAlcer0dLBtzAIaEpPWHGHpYuQA6k2TaNttAxLmFTCU6Luw hAViV7DEpJMNbBBxQYkfk++xQLRqSazfeZwJwpaWePR3BjvIGE4BHYl3vRUgYVEBFYkrE95C /fWTVWL1xsIJjCKzkEyahWTSLCSTFjAyr2IUyk3MzNHNzDPVSywoyEnVS87P3cQICu3pdsI7 GE+vsjrEKMDBqMTDm3DxQ6gQa2JZcWXuIUZpDhYlcd7P5UAhgfTEktTs1NSC1KL4otKc1OJD jEwcnFINjFUFzl1iEw5Kncm1PLauQPJTUd+qDJ6yijcfUlev2iq3doLJ57WSX37clH/6KuDL zHivM2vyeLmXltRLLe2QOMF7K2fZDJGuuqiizNnHOW/E6PbFcsnda1SVt76bmWP9z5JvzUkz ryDLHWz2Akz56n4Kix727jtXz7Kd2XNn1IP+GcXrt3qcVWIpzkg01GIuKk4EAAp6ITtOAgAA
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrPLMWRmVeSWpSXmKPExsUi2FDcomv/8kOowYrjmhafV19nc2D0WLLk J1MAYxSXTUpqTmZZapG+XQJXRsfx/4wF7boV2262MDcwTlTqYuTkkBAwkdiy+CkzhC0mceHe ejYQW0hgEpPE4vc5XYxcQHY3k8Ts7Y9YQRLCApIS3XfugDWwCKhKfOu8yQRiswloSby93Q5W IyJgJXHq9HR2EJtZQENi0pojLF2MHEC9aRJtu21AwrwChhJ9F5awQOwKlph0soENIi4o8WPy PRaIVi2J9TuPM0HY0hKP/s5gBxnDKaAj8a63AiQsKqAicWXCW/YJjIKzkHTPQtI9C0n3Akbm VYwCRak5iZVmeokFBTmpesn5uZsYwcFYGLWDsWG51SFGAQ5GJR7ehIsfQoVYE8uKK3MPMUpw MCuJ8KZtBwrxpiRWVqUW5ccXleakFh9ilOZgURLnbRB5FSokkJ5YkpqdmlqQWgSTZeLglGpg bPYwlE9t3Zjrwzan2L/SYvlJXkOD/J/H3q1evrpt8c+suL4n3bOnR/4QFNjg/6dow3QxVSfN yguJdactvr4Xyq5PiS6VeDdL6smejyerSpgCEwTbD2yaulQxUu1MsLr1dGn5a5ceOFbvrs3c c1Mx1aRh38QFn8O8BCJ84u5XnHv+c/mEybenKbEUZyQaajEXFScCAHnaFHlCAgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/multipathtcp/obBNhN-aEgaMSEiQvfhj3e6rGRY>
Cc: MultiPath WG <multipathtcp@ietf.org>
Subject: Re: [multipathtcp] Fwd: New Version Notification for draft-paasch-mptcp-loadbalancer-00.txt
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2015 02:21:54 -0000
Hello Olivier, On 09/09/15 - 22:38:51, Olivier Bonaventure wrote: > >we have submitted a draft discussing the issues when using MPTCP behind > >layer-4 loadbalancers. > > Thanks for bringing this to the list. This is indeed an important problem. > As I might be late during tomorrow's telco, let me try to answer by email. > > A first point that we might want to clarify in the document is how ECMP > works with Multipath TCP and regular TCP. > > With regular TCP, some load balancers behave in a purely stateless manner > and compute a hash over the five-tuple in each packet to distribute the load > among a set of servers. > > ECMP --- server1 > +----- server2 > > > With single homed and single stack clients, this ECMP solution ensures that > all the connections sent by one host (i.e. one IP address) will be received > by the same server if the hashing is independant of the source port. > Otherwise, connections from the same host might hit different servers. > > If the clients are either multihomed (e.g. smartphones) or dual-stack, then > using a hash-based load balancing that does not include the source port in > the computation does not ensure that all the connections from one client > will hit the same server. > > With Multipath TCP, a single connection may use different subflows and each > subflow has its own five-tuple. When ECMP is used, then subflows from the > same Multipath TCP connection might hit different servers. > > Let us now consider stateful load balancers (LB). For simplicity, we assume > that the load balancer maintains a table that maps each TCP connection, > identified by a five-tuple on a given server. The table might also be used > to perform NAT. The LB can use any technique to build this table (random, > RR, load-based solutions, ...). As an example, let us consider a load > balancer that resieds in front of N servers as shown below : > > > LB ----- server1 > +------- server2 > > > When the LB receives a SYN with the MP_CAPABLE option from a client, it must > insert an entry for the corresponding five-tuple inside its table. For > regular TCP, this would be sufficient. For Multipath TCP, this is not enough > since it needs to ensure that all the subflows that belong to this > connection will be forwarded to the same server. In your draft, you propose > to change the way tokens are computed and discuss different ways to perform > the handshake. Let me suggest a different approach that might be worth to > compare. > > To support Multipath TCP efficiently in this setup, we need to ensure the > following properties for the tokens that are used (on the server side) : > - tokens are unique (at time t, server1 and server2 cannot use the same > token for different connections) > - tokens are known by both the LB and the server that is handling for the > connection > > Instead of computing the keys (and thus indirectly the token) on the > servers, why not selecting the keys for the MP_CAPABLE option in the load > balancer ? > > Let us consider the following scenario : > > client LB server > > SYN + MP_CAPABLE (K_A) > -----------------------> > (client sends normal key) > > > SYN + MP_CAPABLE (K_A,K_B) > -----------------------> > (LB computes key for server) > > > SYN/ACK + MP_CAPABLE (K_B) > <--------------------------- > (normal MPTCP segment) > > > ACK + MP_CAPABLE_ACK (K_A, K_B) > --------------------------------> > (no change to this ack) > > > Since the LB computes the key that will be used by the server, it can ensure > that the (token extracted from the key) is unique and also remember it for > future subflows to pin them to the good server. There are probably different > techniques that the LB could use to generate these keys on behalf of the > server, but I don't think that they need to be specified in an IETF > document. It's up to each implementor to find an efficient way to do that. > > One issue that needs to be discussed is how the LB can convey the key to the > server in the SYN packet. There are different techniques that are possible > and we should probably select one to ensure the interoperability between a > LB and servers : > - add K_B to the MP_CAPABLE option, but this is likely to be beyond the > maximum length of the TCP options > - add K_B in the payload of the SYN segment (but we'll need to check the > impact on TFO) > - encapsulate the SYN segment inside something, like a UDP segment with a > TLV format that has enough space for a SYN segment and the additional key > - invent a hack to encode the 64 bits key inside some "unused" fields of the > IP/TCP headers (say IP id, TCP ack number, IPv6 flowlabel, TCP timestamp > echo, ...) > - ... > > At this stage, I'd opt for an encapsulation which seems to be cleaner to me. > It also forces the servers to be aware of the presence of the LB, which > seems a useful feature to me. > > Comments are, of course, welcome I really like this idea. Very often, IP-in-IP encapsulation is done from the loadbalancer to the server. Thus, the key could even be placed in an IP-option. As everything is local to the data-center there shouldn't be an issue with adding a new IP-option. But as you point out in the other mail, when multiple loadbalancers are being used we have an issue again. Maybe, there is a way to generate the key in such a way that we can guarantee uniqueness across the loadbalancers? Cheers, Christoph
- [multipathtcp] Fwd: New Version Notification for … Christoph Paasch
- Re: [multipathtcp] Fwd: New Version Notification … Olivier Bonaventure
- Re: [multipathtcp] Fwd: New Version Notification … Christoph Paasch
- Re: [multipathtcp] Fwd: New Version Notification … Olivier Bonaventure
- Re: [multipathtcp] Fwd: New Version Notification … Christoph Paasch
- Re: [multipathtcp] New Version Notification for d… Costin Raiciu