Re: [nbs] [Int-area] New draft related to name-based sockets
Mirja Kuehlewind <mirja.kuehlewind@ikr.uni-stuttgart.de> Fri, 10 December 2010 11:51 UTC
Return-Path: <mirja.kuehlewind@ikr.uni-stuttgart.de>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1B1E28C0D9 for <nbs@core3.amsl.com>; Fri, 10 Dec 2010 03:51:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7tdMJ6g6IHTF for <nbs@core3.amsl.com>; Fri, 10 Dec 2010 03:51:02 -0800 (PST)
Received: from mailsrv.ikr.uni-stuttgart.de (mailsrv.ikr.uni-stuttgart.de [129.69.170.2]) by core3.amsl.com (Postfix) with ESMTP id 217083A6ADA for <nbs@ietf.org>; Fri, 10 Dec 2010 03:51:02 -0800 (PST)
Received: from netsrv1.ikr.uni-stuttgart.de (netsrv1-c [10.11.12.12]) by mailsrv.ikr.uni-stuttgart.de (Postfix) with ESMTP id 34572633B5; Fri, 10 Dec 2010 12:52:32 +0100 (CET)
Received: from vpn-2-cl177 (vpn-2-cl177 [10.41.21.177]) by netsrv1.ikr.uni-stuttgart.de (Postfix) with ESMTP id 21CF259A8A; Fri, 10 Dec 2010 12:52:32 +0100 (CET)
From: Mirja Kuehlewind <mirja.kuehlewind@ikr.uni-stuttgart.de>
Organization: University of Stuttgart (Germany), IKR
To: nbs@ietf.org
Date: Fri, 10 Dec 2010 12:52:31 +0100
User-Agent: KMail/1.9.10 (enterprise35 0.20090731.1005176)
References: <AANLkTin4-uiFXoS9DaDWtTQartUb6DKEee+B8717odm5@mail.gmail.com> <72504C2E-CE17-4AE0-ACBC-E6BB4F002267@isi.edu> <AANLkTimmQ-HKJBpoqQCc9t1P=GFPFa8VojPTFh-D8Nay@mail.gmail.com>
In-Reply-To: <AANLkTimmQ-HKJBpoqQCc9t1P=GFPFa8VojPTFh-D8Nay@mail.gmail.com>
X-KMail-QuotePrefix: >
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-Id: <201012101252.31660.mirja.kuehlewind@ikr.uni-stuttgart.de>
Subject: Re: [nbs] [Int-area] New draft related to name-based sockets
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2010 11:51:03 -0000
Hi Pete, as far as I remember they also tested SYN packets with payload in the Middlebox survey of Michio Honda. I couldn't find those results in the slides he presented at the last MPTCP meeting, but maybe just contact him. Mirja On Thursday 09 December 2010 04:43:16 Pete McCann wrote: > Hi, Joe, > > Thanks - can you elucidate or send a pointer to the issues with > putting data in the SYN? Are you worried that some middleboxes > will have problems and drop such packets? > > I'd be particularly interested if you can point me at some of these > prior proposals. > > -Pete > > On Wed, Dec 8, 2010 at 8:48 PM, Joe Touch <touch@isi.edu> wrote: > > Hi Pete, > > > > Sorry - you said transport payload, which - in hindsight - is ambiguous. > > > > First, as my old portnames ID explained, the strings need only be in the > > SYN. Using the data in the SYN for options has been proposed before, and > > there are many known issues. > > > > FYI. > > > > Joe > > > > On Dec 8, 2010, at 8:38 PM, Pete McCann <mccap@petoni.org> wrote: > >> Hi, Joe, > >> > >> I understand that ports are in the transport header. > >> > >> The shim I am proposing goes *after* the transport header and > >> provides an encapsulation for the transport payload. That way, > >> middleboxes see what looks like a standard IP/TCP header, > >> followed by a payload which contains the new stuff. Think of > >> it as a way to get a lot of new options space without confusing > >> any of the middleboxes (unless they do try to parse beyond the > >> transport header like a "transparent" HTTP proxy. The new stuff > >> I am proposing would confuse those kinds of boxes). I only say > >> "not backwards compatible" because both endpoints need to be > >> upgraded to support the new extensions. Middleboxes that have > >> not been upgraded shouldn't care; it looks like standard TCP or > >> UDP to them. I agree that defining a new transport protocol is > >> a non-starter in today's deployed IPv4 network. I think there will > >> always be only TCP, UDP, and maybe ICMP (the latter shouldn't > >> be trusted anyway) so I'm essentially trying to layer on top of them. > >> > >> I know the choice of a DNS TXT record for public keys is controversial, > >> but it is very similar to the approach taken for DKIM which has been > >> quite successful. The problem with new record types is that you have > >> to wait for all the servers and their configuration interfaces to > >> support them. > >> > >> -Pete > >> > >> On Wed, Dec 8, 2010 at 3:50 PM, Joe Touch <touch@isi.edu> wrote: > >>> Hi, Pete, > >>> > >>> This seems a little backwards. The port is in the context of the > >>> transport protocol, but if it's in the shim between IP and TCP it is - > >>> at best - a parameter to IP, not the transport (TCP, UDP, or other). > >>> > >>> Using a transport other than TCP or UDP also puts it on the slow path > >>> (or just blackholes it) for anything that looks beyond the IP header, > >>> too. > >>> > >>> As to where to put public keys, there's an RFC regarding reasons not to > >>> use TXT records for new DNS capabilities you might want to dig up > >>> (sorry - I'm in the airport and can't find it quickly - it was written > >>> by the IAB I think). > >>> > >>> Joe > >>> > >>> On 12/8/2010 9:21 AM, Pete McCann wrote: > >>>> I've uploaded a new draft relevant to the name-based sockets > >>>> discussion and several others that have been going on in the > >>>> Internet Area and elsewhere: > >>>> > >>>> https://datatracker.ietf.org/doc/draft-mccann-picklepacket/ > >>>> > >>>> It describes a framework for putting DNS names into transport > >>>> packets that is a bit different from the approaches I've seen > >>>> advocated on the NBS list. For one thing, I wanted to work > >>>> with IPv4 as well as IPv6, which means avoiding all IP options > >>>> which cause packets to go on the slow path or get dropped. > >>>> The TCP options space is too limited for carrying DNS names, > >>>> let alone the extra authentication payloads that I wanted to > >>>> put there. So, I'm proposing essentially extending the transport > >>>> options space in a non-backwards compatible way by shimming > >>>> in a magic number where the transport payload would normally > >>>> go. This would apply to UDP as well. I've defined a new header > >>>> which I think is relatively compact yet provides all the flexibility > >>>> we need, and a TLV format for carrying the DNS names and > >>>> public-key authentication tags. I'm proposing to put public keys > >>>> into DNS TXT records so that they can be retrieved by middleboxes > >>>> that want to verify the transport connections passing through them. > >>>> Also, middleboxes can add their own names and authentication > >>>> tags, which allows them to make themselves known to the endpoints. > >>>> This enables them to be used as mobility anchor points in case the > >>>> path changes. > >>>> > >>>> The focus of the introduction is on preventing denial-of-service > >>>> attacks but I think the protocol has many other useful features. > >>>> Names can be used to route connections such as multiple servers > >>>> sitting behind a NAT all on the same port. Routing on names does > >>>> require some state to be kept in the middleboxes if we don't want > >>>> to put DNS names into every packet. So, I'm proposing that each > >>>> middlebox choose a 32-bit cookie value that it can use to index the > >>>> flow state. These cookies get distributed in the same round-trip as > >>>> the initial transport connection setup. > >>>> > >>>> I'm very curious to have your feedback on the approach. There is a > >>>> lot of stuff in the draft and the protocol is rather heavyweight, but > >>>> I think it addresses a lot of different themes that I've seen being > >>>> discussed in different working groups (TCP Auth Option, MPTCP, > >>>> NBS, MEXT, DKIM, KEYASSURE, etc). > >>>> > >>>> -Pete > >>>> _______________________________________________ > >>>> Int-area mailing list > >>>> Int-area@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/int-area > > _______________________________________________ > nbs mailing list > nbs@ietf.org > https://www.ietf.org/mailman/listinfo/nbs -- ------------------------------------------------------------------- Dipl.-Ing. Mirja Kühlewind Institute of Communication Networks and Computer Engineering (IKR) University of Stuttgart, Germany Pfaffenwaldring 47, D-70569 Stuttgart tel: +49(0)711/685-67973 email: mirja.kuehlewind@ikr.uni-stuttgart.de web: www.ikr.uni-stuttgart.de -------------------------------------------------------------------
- [nbs] New draft related to name-based sockets Pete McCann
- [nbs] New draft related to name-based sockets RJ Atkinson
- Re: [nbs] New draft related to name-based sockets Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] New draft related to name-based sockets Javier Ubillos
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Mirja Kuehlewind
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch