Re: [Spud] States in draft-trammell-plus-statefulness-00

Tom Herbert <tom@herbertland.com> Tue, 15 November 2016 03:10 UTC

In-Reply-To: <013401d23ea8$c4d113f0$4e733bd0$@huitema.net>
References: <E8355113905631478EFF04F5AA706E9831159645@wtl-exchp-2.sandvine.com> <835E355C-0AF1-4660-B0FF-8BEE0C54788D@trammell.ch> <03b101d23e9b$7c883540$75989fc0$@huitema.net> <dcefd280-3e2b-9b92-b333-ee87d7fb0aab@cisco.com> <013401d23ea8$c4d113f0$4e733bd0$@huitema.net>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 15 Nov 2016 12:10:51 +0900
Message-ID: <CALx6S34Vp3B3O9tHD4Q17-DJsa+3dsEnonm6Gq9J=hgVNFwH0A@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/6ELBoco3vmSoviu7iZJI3KnNsXY>
Cc: hildjj@cursive.net, Eliot Lear <lear@cisco.com>, =?UTF-8?Q?Mirja_K=C3=BChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>, spud <spud@ietf.org>, Brian Trammell <ietf@trammell.ch>, Dave Dolson <ddolson@sandvine.com>
Subject: Re: [Spud] States in draft-trammell-plus-statefulness-00

On Tue, Nov 15, 2016 at 3:56 AM, Christian Huitema <huitema@huitema.net> wrote:

> On Monday, November 14, 2016 9:58 AM, Eliot Lear wrote:
> > The nice thing about TCP being stateful, however, is that the middlebox
> > has reason to trust how an end device is going to handle something that
> > is outside the state machine.  It's really well defined.  That's the
> > good part.  The bad part is that then the state machine is ossified.
>
> That's not the only bad part. Looking for SYN/SYN-ACK won't work if
> packets follow a new path after a route change, as could easily happen with
> multi-homing.
>

Network-maintained state and multihoming was raised as a concern in the BOF in Berlin. Has there been any work on how to resolve that in PLUS?

Thanks,
Tom

> Also, the lack of authentication allows for the "spoofed RST" attack, in
> which injecting a single packet can cause connections to be dropped. That's
> why I would rather see mechanisms in which the magic packets have to flow
> in both directions. For example, a middlebox sees "drop me" coming from the
> left, and simply marks the state as "drop from left requested". If it
> receives a corresponding "drop me" from the right, the state is dropped. If
> on the contrary it receives a regular packet from the left, then it
> suspects spoofing and the state reverts to normal.
>
> -- Christian Huitema
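The two-sided "drop me" handling Christian sketches, worked through as an added example that is not part of the original message or of the PLUS draft: a minimal middlebox flow-state machine in Python, with single-packet teardown (the behaviour that makes a spoofed RST effective) beside the confirmed variant. The packet layout, the state names, the "left"/"right" labels and the symmetric treatment of a request arriving from either side are assumptions made here, not something the thread specifies.

```python
"""Middlebox flow-state tracking for an exposed 'drop me' signal.

Illustrative example written for this thread; not code from the PLUS draft.
The Packet layout, State names and Side labels are assumptions.  The
middlebox never looks inside the transport payload: it only sees which
side a packet came from and whether the exposed 'drop me' bit is set.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Side(Enum):
    LEFT = "left"
    RIGHT = "right"


@dataclass(frozen=True)
class Packet:
    src: Side               # which side of the middlebox the packet arrived from
    drop_me: bool = False   # exposed 'please drop this flow' signal


class State(Enum):
    NORMAL = "normal"
    DROP_REQUESTED = "drop requested"   # one side asked; waiting for the other
    DROPPED = "dropped"                 # flow state removed


@dataclass
class FlowState:
    state: State = State.NORMAL
    requested_by: Optional[Side] = None   # who sent the pending 'drop me'


def naive_step(flow: FlowState, pkt: Packet) -> State:
    """Single-packet teardown: any 'drop me' removes the flow state.
    This is the property an off-path attacker exploits with a spoofed RST."""
    if pkt.drop_me:
        flow.state = State.DROPPED
        flow.requested_by = None
    return flow.state


def confirmed_step(flow: FlowState, pkt: Packet) -> State:
    """Teardown needs a 'drop me' from both sides.  A regular packet from
    the side that supposedly asked to drop is taken as evidence that the
    request was spoofed, and the flow reverts to NORMAL."""
    if flow.state is State.DROPPED:
        return flow.state            # nothing left to track
    if flow.state is State.NORMAL:
        if pkt.drop_me:
            flow.state = State.DROP_REQUESTED
            flow.requested_by = pkt.src
        return flow.state
    # DROP_REQUESTED: decide based on who is talking now.
    if pkt.src is flow.requested_by:
        if not pkt.drop_me:
            # The requesting side is still sending data, so the earlier
            # 'drop me' did not come from it.  Suspect spoofing; revert.
            flow.state = State.NORMAL
            flow.requested_by = None
        # A repeated 'drop me' from the same side changes nothing.
    elif pkt.drop_me:
        # The other side confirms: both ends want the flow gone.
        flow.state = State.DROPPED
        flow.requested_by = None
    # Regular packets from the other side may still be in flight; keep waiting.
    return flow.state


def run(step: Callable[[FlowState, Packet], State], packets: List[Packet]) -> List[State]:
    """Feed a trace through one flow and return the state after each packet."""
    flow = FlowState()
    return [step(flow, p) for p in packets]


# Constructed traces (not captured traffic).
SPOOFED_RST = [
    Packet(Side.LEFT), Packet(Side.RIGHT),
    Packet(Side.LEFT, drop_me=True),      # injected by an off-path attacker
    Packet(Side.LEFT), Packet(Side.RIGHT),  # the real endpoints carry on
]

LEGIT_CLOSE = [
    Packet(Side.LEFT), Packet(Side.RIGHT),
    Packet(Side.LEFT, drop_me=True),      # left asks to drop
    Packet(Side.RIGHT),                   # data from right still in flight
    Packet(Side.RIGHT, drop_me=True),     # right confirms
]

SPOOF_THEN_CLOSE = SPOOFED_RST + [
    Packet(Side.LEFT, drop_me=True), Packet(Side.RIGHT, drop_me=True),
]

if __name__ == "__main__":
    for name, trace in [("spoofed RST", SPOOFED_RST), ("legit close", LEGIT_CLOSE)]:
        print(f"{name:12s} naive={run(naive_step, trace)[-1].value:8s} "
              f"confirmed={run(confirmed_step, trace)[-1].value}")
```

With the spoofed trace the naive middlebox ends in DROPPED after the injected packet, while the confirmed one parks the flow in DROP_REQUESTED and returns it to NORMAL as soon as the left endpoint sends ordinary data; the legitimate close still completes in both. One design point this toy leaves out: a pending DROP_REQUESTED entry should expire on a timer, otherwise a lone spoofed "drop me" with no follow-on traffic pins the flow in that state indefinitely.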