Re: [nbs] New draft related to name-based sockets
Pete McCann <mccap@petoni.org> Wed, 08 December 2010 20:02 UTC
Return-Path: <mccap@petoni.org>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5946D3A69A5 for <nbs@core3.amsl.com>; Wed, 8 Dec 2010 12:02:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FMQa0esd2F1t for <nbs@core3.amsl.com>; Wed, 8 Dec 2010 12:02:05 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 0327D3A6870 for <nbs@ietf.org>; Wed, 8 Dec 2010 12:02:04 -0800 (PST)
Received: by wyf23 with SMTP id 23so1475990wyf.31 for <nbs@ietf.org>; Wed, 08 Dec 2010 12:03:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.132.77 with SMTP id a13mr9652885wbt.5.1291838612439; Wed, 08 Dec 2010 12:03:32 -0800 (PST)
Received: by 10.227.155.7 with HTTP; Wed, 8 Dec 2010 12:03:32 -0800 (PST)
X-Originating-IP: [199.104.137.72]
In-Reply-To: <EFD35F73-F924-4942-9B18-463251097887@gmail.com>
References: <EFD35F73-F924-4942-9B18-463251097887@gmail.com>
Date: Wed, 08 Dec 2010 14:03:32 -0600
Message-ID: <AANLkTi=KT3yx55hrFCd7AxPDB==wgrmS5eaqYXe8nbcp@mail.gmail.com>
From: Pete McCann <mccap@petoni.org>
To: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: nbs@ietf.org
Subject: Re: [nbs] New draft related to name-based sockets
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Dec 2010 20:02:06 -0000
Hi, Ran, Thanks for the responses... some replies inline. On Wed, Dec 8, 2010 at 1:34 PM, RJ Atkinson <rja.lists@gmail.com> wrote: > Earlier, Pete McCann wrote: >> For one thing, I wanted to work with IPv4 as well as IPv6, >> which means avoiding all IP options which cause packets >> to go on the slow path or get dropped. > > One can parse the sentence above in more than one way. > I'm not sure which meaning is intended. Sorry. My chain of reasoning was "IPv4 options cause packets to travel the slow path or get dropped" ^ "want a solution for IPv4" ==> "don't use IPv4 options". > Many ISP folks tell me that their deployed IPv4 (and IPv6) > routers have been configured to *ignore* the presence of > IPv4 Options/IPv6 Optional Headers. That would certainly avoid the slow path/drop problem if true, but recent mails to the list seem to indicate that this configuration is not common enough to prevent problems: http://www.ietf.org/mail-archive/web/int-area/current/msg02361.html Also, the IPv4 options space is simply not big enough to hold the data elements that I am contemplating. > The shim you propose appears to break that ACL capability, > and likely would cause your new packets to be dropped > by some router along the path from the sender, rather > than being carried along the whole path. The shim is actually where the transport *payload* would be, and the transport *header* is completely unaffected. This means that unless the ACL were configured to look inside transport payload for the new magic number, there would be no detectable difference between these packets and normal transport packets. One thing that might break are TCP proxies that assume that a packet with the same sequence number must have the same payload. In the draft, it is assumed that sequence numbers track the actual transport payload and are not incremented to account for the new DNS name TLVs. In most cases, this will lead to the same sequence numbers being re-used for packets which apparently have different transport payload. But, if we are dealing with middleboxes that munge that deep into the packets it seems there is almost no hope to deploy new mechanisms. >> I'm proposing to put public keys into DNS TXT records >> so that they can be retrieved by middleboxes that want >> to verify the transport connections passing through them. > > I regret that I am not crystal clear what the quoted text > just above means. Please read section 4.1 of the draft. > (Full Disclosure) > So out of an abundance of caution, and mindful of IETF IPR > disclosure rules, one might want to take a look at > US Patent 5,511,122 which might be related to what you > might be describing in the quoted text above. IANAL so can't comment on the above. >> Routing on names does require some state to be kept in the >> middleboxes if we don't want to put DNS names into every packet. > > That claim is not obviously true, at least with respect > to the NBS concepts and scope that were presented at IETF > in Beijing last month. (I wasn't present in Beijing, > but I have scanned the presentation slides and meeting minutes > online.) If one thinks it is true for some special case, > then it would be helpful to clarify. Alternatively, perhaps > defining terms more precisely would clarify things. The assumption was: if we put names into the first few packets of a transport connection, and use those names somehow to choose the next hop of a packet (possibly after doing some form of NAT), then to ensure that subsequent packets in the same connection go to the same place we need to at least remember the IP and transport port numbers; that is, unless we put the DNS names into every packet of the flow. In case we want multiple services to reside behind the same IP address and port it would seem to require a new identifier on which to demultiplex. Hence the "cookie" mechanism described in the draft. >> I'm very curious to have your feedback on the approach. > > I'm quite happy to oblige. Thanks again, please do read the draft and let me know if you still have questions after that. -Pete
- [nbs] New draft related to name-based sockets Pete McCann
- [nbs] New draft related to name-based sockets RJ Atkinson
- Re: [nbs] New draft related to name-based sockets Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] New draft related to name-based sockets Javier Ubillos
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Mirja Kuehlewind
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch
- Re: [nbs] [Int-area] New draft related to name-ba… Pete McCann
- Re: [nbs] [Int-area] New draft related to name-ba… Joe Touch