Re: [nbs] New draft related to name-based sockets

Pete McCann <mccap@petoni.org> Wed, 08 December 2010 20:02 UTC

Return-Path: <mccap@petoni.org>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5946D3A69A5 for <nbs@core3.amsl.com>; Wed, 8 Dec 2010 12:02:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FMQa0esd2F1t for <nbs@core3.amsl.com>; Wed, 8 Dec 2010 12:02:05 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 0327D3A6870 for <nbs@ietf.org>; Wed, 8 Dec 2010 12:02:04 -0800 (PST)
Received: by wyf23 with SMTP id 23so1475990wyf.31 for <nbs@ietf.org>; Wed, 08 Dec 2010 12:03:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.132.77 with SMTP id a13mr9652885wbt.5.1291838612439; Wed, 08 Dec 2010 12:03:32 -0800 (PST)
Received: by 10.227.155.7 with HTTP; Wed, 8 Dec 2010 12:03:32 -0800 (PST)
X-Originating-IP: [199.104.137.72]
In-Reply-To: <EFD35F73-F924-4942-9B18-463251097887@gmail.com>
References: <EFD35F73-F924-4942-9B18-463251097887@gmail.com>
Date: Wed, 8 Dec 2010 14:03:32 -0600
Message-ID: <AANLkTi=KT3yx55hrFCd7AxPDB==wgrmS5eaqYXe8nbcp@mail.gmail.com>
From: Pete McCann <mccap@petoni.org>
To: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: nbs@ietf.org
Subject: Re: [nbs] New draft related to name-based sockets
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 20:02:06 -0000

Hi, Ran,

Thanks for the responses... some replies inline.

On Wed, Dec 8, 2010 at 1:34 PM, RJ Atkinson <rja.lists@gmail.com> wrote:
> Earlier, Pete McCann wrote:
>> For one thing, I wanted to work with IPv4 as well as IPv6,
>> which means avoiding all IP options which cause packets
>> to go on the slow path or get dropped.
>
> One can parse the sentence above in more than one way.
> I'm not sure which meaning is intended.

Sorry.  My chain of reasoning was "IPv4 options cause
packets to travel the slow path or get dropped"
^ "want a solution for IPv4"
==> "don't use IPv4 options".

> Many ISP folks tell me that their deployed IPv4 (and IPv6)
> routers have been configured to *ignore* the presence of
> IPv4 Options/IPv6 Optional Headers.

That would certainly avoid the slow path/drop problem
if true, but recent mails to the list seem to indicate that
this configuration is not common enough to prevent
problems:

http://www.ietf.org/mail-archive/web/int-area/current/msg02361.html

Also, the IPv4 options space is simply not big enough
to hold the data elements that I am contemplating.

> The shim you propose appears to break that ACL capability,
> and likely would cause your new packets to be dropped
> by some router along the path from the sender, rather
> than being carried along the whole path.

The shim is actually where the transport *payload* would
be, and the transport *header* is completely unaffected.
This means that unless the ACL were configured to look
inside transport payload for the new magic number, there
would be no detectable difference between these packets
and normal transport packets.

One thing that might break are TCP proxies that assume
that a packet with the same sequence number must have
the same payload.  In the draft, it is assumed that sequence
numbers track the actual transport payload and are not
incremented to account for the new DNS name TLVs.
In most cases, this will lead to the same sequence numbers
being re-used for packets which apparently have different
transport payload.  But, if we are dealing with middleboxes
that munge that deep into the packets it seems there is
almost no hope to deploy new mechanisms.

>> I'm proposing to put public keys into DNS TXT records
>> so that they can be retrieved by middleboxes that want
>> to verify the transport connections passing through them.
>
> I regret that I am not crystal clear what the quoted text
> just above means.

Please read section 4.1 of the draft.

> (Full Disclosure)
> So out of an abundance of caution, and mindful of IETF IPR
> disclosure rules, one might want to take a look at
> US Patent 5,511,122 which might be related to what you
> might be describing in the quoted text above.

IANAL so can't comment on the above.

>> Routing on names does require some state to be kept in the
>> middleboxes if we don't want to put DNS names into every packet.
>
> That claim is not obviously true, at least with respect
> to the NBS concepts and scope that were presented at IETF
> in Beijing last month.  (I wasn't present in Beijing,
> but I have scanned the presentation slides and meeting minutes
> online.)  If one thinks it is true for some special case,
> then it would be helpful to clarify.  Alternatively, perhaps
> defining terms more precisely would clarify things.

The assumption was: if we put names into the first few packets
of a transport connection, and use those names somehow to
choose the next hop of a packet (possibly after doing some form
of NAT), then to ensure that subsequent packets in the same
connection go to the same place we need to at least remember
the IP and transport port numbers; that is, unless we put the DNS
names into every packet of the flow.  In case we want multiple
services to reside behind the same IP address and port it would
seem to require a new identifier on which to demultiplex.  Hence
the "cookie" mechanism described in the draft.

>> I'm very curious to have your feedback on the approach.
>
> I'm quite happy to oblige.

Thanks again, please do read the draft and let me know if
you still have questions after that.

-Pete