IETF Logo Mail Archive

Re: [radext] Server identity and RFC7585bis

Alexander Clouter <alex+ietf@coremem.com> Fri, 12 April 2024 09:06 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE8BC14F61A for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 02:06:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="TmVOJt/F"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="QzZNXzFo"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWdPzlg2lNj3 for <radext@ietfa.amsl.com>; Fri, 12 Apr 2024 02:06:30 -0700 (PDT)
Received: from wfout5-smtp.messagingengine.com (wfout5-smtp.messagingengine.com [64.147.123.148]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8669C14F61C for <radext@ietf.org>; Fri, 12 Apr 2024 02:06:30 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.west.internal (Postfix) with ESMTP id C53EB1C00121 for <radext@ietf.org>; Fri, 12 Apr 2024 05:06:27 -0400 (EDT)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Fri, 12 Apr 2024 05:06:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1712912787; x=1712999187; bh=aFNjcph5fm zTGp6wuZOteHyorp8j5NDGdIMLRpxxFSI=; b=TmVOJt/FkmfCEDzotX30YlrrQ2 BMzafzXDKDSODWayLxcG7yT5TnQHG+Uch7eb123dy72Gv6V4EAKLc1iImPerich/ 7QcMwxhGROhXgUXplwKSHO2hDxEHX7+S4RjD1UuWOqShoQwNti9EHXHH9cl0MFnR 7LKYPe9afchZfU5dZNjlQYMsuRHYV1e+7HejmtyZqoiNVNTMta0dtG6b+FZrcwkT QbWUm2Zdu0bk7tNa65hUp9Bct0ozKwOMQjuV2aCxPpHL/7tiNrq4lH8ztGR9exyC X3iix0w3/O7DlIfxAhf5rC6z/N6yCMgI8iX/iYt0OeThyXqNent0k5csD4gw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1712912787; x=1712999187; bh=aFNjcph5fmzTGp6wuZOteHyorp8j 5NDGdIMLRpxxFSI=; b=QzZNXzFosC6U0ryCWIcg79pDgMG8C+37S/ryxY2s/mhk /JrCPUdU9Ymnl7t46LrOSWfywlfx4xXWzmBleCgp+R5yX0JxUX73bJRjRedT4RgR RMe9ZiB1/3CDVrBmHyEVZbwpHFw0iUjg92lcNC3uXZLH91vrzBQBQXZo4mOYPUYW pTBPrfdE7Itdq9209h3ZW5fV1Ld5YYAO0eoyOz/VdwzYaxHR6XngE/3MD6UHnOcK z4VqXDj+RbbuxkWj8KH6cE14udTqjHmxkZoIHx39VOY2Zly5f2OkNce7J2p3ZqC6 IAL39xRRq2dhxs5jdJvMQr5glZBG/8ap6G3jlBfc5g==
X-ME-Sender: <xms:k_kYZtVy47GYVMhCXHppAoCX-smkpbsBUuXD0LZKK6YIG5YMIaGCwg> <xme:k_kYZtleVfHGCIBqPB5M9eqMJjCyPRWgwz4twFMGPG5rHRsG8FvTZswTo2Y97xTJs PABtaMrkRWySvrzDw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudeiuddgudduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedftehlvgigrghnuggvrhcuvehlohhuthgvrhdfuceorghl vgigodhivghtfhestghorhgvmhgvmhdrtghomheqnecuggftrfgrthhtvghrnhepvdetje fhhefggeelueelfeetieekgfevhfehkeehvedvkeeufeekieeifffhvdegnecuvehluhhs thgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheprghlvgigodhivghtfh estghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:k_kYZpaw_AmL4cBvYh0WTtH72zx6uAtoJGso98Md8S1Vz7lFrU9QtQ> <xmx:k_kYZgVgaWqfE8BAYotyJgKYfoPDyl1ysgdZnbfGsXJhfkEnttG8UQ> <xmx:k_kYZnkkAhJh5IA6lg6tPOCpLoED63DaSRLipc0B9BlT3dzscL44cg> <xmx:k_kYZtfZIKbuFqYFBCn6tBPePmoXguTuwgndEs2NtZYpph3sBqCGtg> <xmx:k_kYZmsKOxM1lBr5qSbzfLCe4a1pemEDS7z7frv8dCzcR_xsahL9Rb4z>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 06F7C2A20090; Fri, 12 Apr 2024 05:06:27 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-379-gabd37849b7-fm-20240408.001-gabd37849
MIME-Version: 1.0
Message-Id: <9d43bddb-a53b-44dc-8aed-6398fe182f6c@app.fastmail.com>
In-Reply-To: <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
References: <CA9BEA9C-39EF-4764-A0FE-D122413B37F7@deployingradius.com> <18ef8267-474e-49ae-9204-0c6c79d5e50c@dfn.de> <6628c5c8-5071-476f-9ea2-2875d86304e2@dfn.de> <10347.1712778967@obiwan.sandelman.ca> <7D282A57-B68E-43DA-A6A2-7E14A8C09119@deployingradius.com> <5b5d0dc0-a81a-415e-ac01-de8b365a6ea0@dfn.de>
Date: Fri, 12 Apr 2024 10:06:06 +0100
From: Alexander Clouter <alex+ietf@coremem.com>
To: radext@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/UIOh4mzzjvrVdAkPob96yRu091Q>
Subject: Re: [radext] Server identity and RFC7585bis
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 09:06:35 -0000

Hello,

On Fri, 12 Apr 2024, at 09:35, Jan-Frederik Rieckers wrote:
> The purpose of defining a way to check if it is the same server is to 
> make sure that we mark broken servers as down and don't use them in our 
> load-balancing any more.

No load balancer should do this.

There can be many reasons why one of N connections to the same application process could stall.

An implementation may wish to service an entire stream socket serially in a single thread. If that thread blocks, other threads servicing other stream sockets will be fine.

Another is you may have multi-path (inc dual-stack) between the target backend server and only one of those paths is broken.

Really, you do not want to be doing this.

This is why load balancers use an out-of-bound health checks. Only the server knows if it is DOWN and is the only system that authoritatively can state this.

Everything else is only able to infer "route is bust".

> 2. Prevent opening unnecessarily many open connections to a server with 
> dynamic discovery, just because the client is not sure if it's the same, 
> while keeping deployment options open (i.e. different policies hidden 
> behind different Server Names, but with the same certificate)

This is a bad reason. TCP connections are cheap.

An idle TCP socket creates no load on the remote system. It actually probably improves performance as routers in between and the OS running the server can all use this for horizontal scaling.

TCP connection pooling is wildly used to lower latency.

Also...consider the compute/resources of maintaining a TCP connection proportional to the cost of servicing a request sent over it; especially as the 'cost' is immortalised over time. I would be surprised if it even rendered as an anti-aliasing artefact on a pie chart :)

Connection cycling ('reload') is a different problem.

Regards

v2.23.0 | Report a Bug | By Email