Re: [nbs] [Int-area] New draft related to name-based sockets

Pete McCann <mccap@petoni.org> Thu, 09 December 2010 03:41 UTC

Return-Path: <mccap@petoni.org>
X-Original-To: nbs@core3.amsl.com
Delivered-To: nbs@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 949B53A6892; Wed, 8 Dec 2010 19:41:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HuQlSCdyJxM9; Wed, 8 Dec 2010 19:41:49 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id DB13C3A682B; Wed, 8 Dec 2010 19:41:48 -0800 (PST)
Received: by wyf23 with SMTP id 23so1848579wyf.31 for <multiple recipients>; Wed, 08 Dec 2010 19:43:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.132.77 with SMTP id a13mr10049528wbt.5.1291866196703; Wed, 08 Dec 2010 19:43:16 -0800 (PST)
Received: by 10.227.155.7 with HTTP; Wed, 8 Dec 2010 19:43:16 -0800 (PST)
X-Originating-IP: [64.53.131.166]
In-Reply-To: <72504C2E-CE17-4AE0-ACBC-E6BB4F002267@isi.edu>
References: <AANLkTin4-uiFXoS9DaDWtTQartUb6DKEee+B8717odm5@mail.gmail.com> <4CFFFD8D.2000601@isi.edu> <AANLkTi=KG_CL5hQ0k4JQAy6oB=3RV3UWGQxTbYzGmsR3@mail.gmail.com> <72504C2E-CE17-4AE0-ACBC-E6BB4F002267@isi.edu>
Date: Wed, 8 Dec 2010 21:43:16 -0600
Message-ID: <AANLkTimmQ-HKJBpoqQCc9t1P=GFPFa8VojPTFh-D8Nay@mail.gmail.com>
From: Pete McCann <mccap@petoni.org>
To: Joe Touch <touch@isi.edu>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "int-area@ietf.org" <int-area@ietf.org>, "nbs@ietf.org" <nbs@ietf.org>
Subject: Re: [nbs] [Int-area] New draft related to name-based sockets
X-BeenThere: nbs@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Name based sockets discussion list <nbs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nbs>
List-Post: <mailto:nbs@ietf.org>
List-Help: <mailto:nbs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nbs>, <mailto:nbs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2010 03:41:50 -0000

Hi, Joe,

Thanks - can you elucidate or send a pointer to the issues with
putting data in the SYN?  Are you worried that some middleboxes
will have problems and drop such packets?

I'd be particularly interested if you can point me at some of these
prior proposals.

-Pete

On Wed, Dec 8, 2010 at 8:48 PM, Joe Touch <touch@isi.edu> wrote:
> Hi Pete,
>
> Sorry - you said transport payload, which - in hindsight - is ambiguous.
>
> First, as my old portnames ID explained, the strings need only be in the SYN. Using the data in the SYN for options has been proposed before, and there are many known issues.
>
> FYI.
>
> Joe
>
> On Dec 8, 2010, at 8:38 PM, Pete McCann <mccap@petoni.org> wrote:
>
>> Hi, Joe,
>>
>> I understand that ports are in the transport header.
>>
>> The shim I am proposing goes *after* the transport header and
>> provides an encapsulation for the transport payload.  That way,
>> middleboxes see what looks like a standard IP/TCP header,
>> followed by a payload which contains the new stuff.  Think of
>> it as a way to get a lot of new options space without confusing
>> any of the middleboxes (unless they do try to parse beyond the
>> transport header like a "transparent" HTTP proxy.  The new stuff
>> I am proposing would confuse those kinds of boxes).  I only say
>> "not backwards compatible" because both endpoints need to be
>> upgraded to support the new extensions.  Middleboxes that have
>> not been upgraded shouldn't care; it looks like standard TCP or
>> UDP to them.  I agree that defining a new transport protocol is
>> a non-starter in today's deployed IPv4 network.  I think there will
>> always be only TCP, UDP, and maybe ICMP (the latter shouldn't
>> be trusted anyway) so I'm essentially trying to layer on top of them.
>>
>> I know the choice of a DNS TXT record for public keys is controversial,
>> but it is very similar to the approach taken for DKIM which has been
>> quite successful.  The problem with new record types is that you have
>> to wait for all the servers and their configuration interfaces to support
>> them.
>>
>> -Pete
>>
>> On Wed, Dec 8, 2010 at 3:50 PM, Joe Touch <touch@isi.edu> wrote:
>>> Hi, Pete,
>>>
>>> This seems a little backwards. The port is in the context of the transport
>>> protocol, but if it's in the shim between IP and TCP it is - at best - a
>>> parameter to IP, not the transport (TCP, UDP, or other).
>>>
>>> Using a transport other than TCP or UDP also puts it on the slow path (or
>>> just blackholes it) for anything that looks beyond the IP header, too.
>>>
>>> As to where to put public keys, there's an RFC regarding reasons not to use
>>> TXT records for new DNS capabilities you might want to dig up (sorry - I'm
>>> in the airport and can't find it quickly - it was written by the IAB I
>>> think).
>>>
>>> Joe
>>>
>>> On 12/8/2010 9:21 AM, Pete McCann wrote:
>>>>
>>>> I've uploaded a new draft relevant to the name-based sockets
>>>> discussion and several others that have been going on in the
>>>> Internet Area and elsewhere:
>>>>
>>>> https://datatracker.ietf.org/doc/draft-mccann-picklepacket/
>>>>
>>>> It describes a framework for putting DNS names into transport
>>>> packets that is a bit different from the approaches I've seen
>>>> advocated on the NBS list.  For one thing, I wanted to work
>>>> with IPv4 as well as IPv6, which means avoiding all IP options
>>>> which cause packets to go on the slow path or get dropped.
>>>> The TCP options space is too limited for carrying DNS names,
>>>> let alone the extra authentication payloads that I wanted to
>>>> put there.  So, I'm proposing essentially extending the transport
>>>> options space in a non-backwards compatible way by shimming
>>>> in a magic number where the transport payload would normally
>>>> go.  This would apply to UDP as well.  I've defined a new header
>>>> which I think is relatively compact yet provides all the flexibility
>>>> we need, and a TLV format for carrying the DNS names and
>>>> public-key authentication tags.  I'm proposing to put public keys
>>>> into DNS TXT records so that they can be retrieved by middleboxes
>>>> that want to verify the transport connections passing through them.
>>>> Also, middleboxes can add their own names and authentication
>>>> tags, which allows them to make themselves known to the endpoints.
>>>> This enables them to be used as mobility anchor points in case the
>>>> path changes.
>>>>
>>>> The focus of the introduction is on preventing denial-of-service attacks
>>>> but I think the protocol has many other useful features.
>>>> Names can be used to route connections such as multiple servers
>>>> sitting behind a NAT all on the same port.  Routing on names does
>>>> require some state to be kept in the middleboxes if we don't want
>>>> to put DNS names into every packet.  So, I'm proposing that each
>>>> middlebox choose a 32-bit cookie value that it can use to index the
>>>> flow state.  These cookies get distributed in the same round-trip as
>>>> the initial transport connection setup.
>>>>
>>>> I'm very curious to have your feedback on the approach.  There is a
>>>> lot of stuff in the draft and the protocol is rather heavyweight, but
>>>> I think it addresses a lot of different themes that I've seen being
>>>> discussed in different working groups (TCP Auth Option, MPTCP,
>>>> NBS, MEXT, DKIM, KEYASSURE, etc).
>>>>
>>>> -Pete
>>>> _______________________________________________
>>>> Int-area mailing list
>>>> Int-area@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/int-area
>>>
>