Re: [Spud] SPUD's open/close are unconvincing

"Joe Hildebrand (jhildebr)" <jhildebr@cisco.com> Wed, 08 April 2015 20:53 UTC

From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: "Toerless Eckert (eckert)" <eckert@cisco.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 8 Apr 2015 20:53:24 +0000
Message-ID: <09D0D481-9380-42CA-94B1-895EC9E51428@cisco.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net> <DM2PR0301MB06555C7D7F32A69214405D44A8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20150408193920.GD24286@cisco.com>
In-Reply-To: <20150408193920.GD24286@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/6yhv9m5ERd5B9KkqtQ6-QFiE8IE>
Cc: "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] SPUD's open/close are unconvincing
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>

On 4/8/15, 1:39 PM, "Toerless Eckert (eckert)" <eckert@cisco.com> wrote:

>Daniel,
>
>a) I think one hope of SPUD's design is to make UDP look enough like
>   TCP to persuade FWs (and similar middleboxes) to police / permit it
>   as well as TCP flows are policed/permitted.

Yes.  In talking with enterprise firewall admins, they're comfortable with these properties of TCP:

- they're sure which interface the intent to start an association came in on
- they're pretty sure that subsequent packets match that initial intent
- they're pretty sure that if a box goes down and comes back up, or a new box takes the old one's address listening on the same port, the host will be able to reject traffic left over from an old association
- they know when to clean up state
- they don't feel the need to set as aggressive timeouts as they currently do for UDP, which would cause apps to send lots of extra keep-alives

From a certain perspective, it doesn't necessarily matter if we completely agree with them that today's implicit heuristics are not good enough.  We have evidence that enough corporate firewall admins have similar feelings, particularly in places where folks want to deploy standards-based WebRTC solutions (e.g.), that I believe we need to take their perceptions into account.  The approach that SPUD currently takes is to smell enough like TCP from a policy perspective that we can get corporate firewall admins to allow the traffic by policy.

In other words: these are potentially deployment requirements, not technical requirements.

-- 
Joe Hildebrand
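The five firewall-admin properties listed in the post, turned into policy checks in a toy stateful middlebox: this is an added example, not code from the post or from any SPUD draft. The packet shape (an explicit open/data/close marker plus a session id, versus plain "raw" UDP), the interface names and the two idle-timeout values are assumptions, not SPUD's wire format.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iface: str   # "inside" (trusted side) or "outside": where the packet arrived
    src: tuple   # (ip, port)
    dst: tuple   # (ip, port)
    kind: str    # "open" | "data" | "close" for explicit signalling, "raw" for plain UDP
    sid: int     # session id carried by open/data/close; 0 for raw
    t: float     # arrival time in seconds

class Middlebox:
    # Assumed timeouts: explicit sessions may idle for long because "close" says when to
    # clean up; plain UDP gets only an aggressive idle timeout as its cleanup heuristic.
    def __init__(self, explicit_timeout=600.0, raw_timeout=30.0):
        self.explicit_timeout, self.raw_timeout = explicit_timeout, raw_timeout
        self.table = {}   # flow key -> [sid, last_seen, explicit]

    def handle(self, p):
        now = p.t
        for k, (sid, last, explicit) in list(self.table.items()):   # idle-timeout sweep
            if now - last > (self.explicit_timeout if explicit else self.raw_timeout):
                del self.table[k]
        k = tuple(sorted([p.src, p.dst]))   # same key for both directions of the flow
        st = self.table.get(k)
        if p.kind == "open":
            if p.iface != "inside":       # intent to start must come in on the trusted side
                return "drop:open-from-outside"
            self.table[k] = [p.sid, now, True]
            return "allow"
        if p.kind in ("data", "close"):
            if st is None:
                return "drop:no-state"
            if st[0] != p.sid:            # leftover or injected packet of another session
                return "drop:sid-mismatch"
            if p.kind == "close":
                del self.table[k]         # explicit close: state is cleaned up immediately
            else:
                st[1] = now
            return "allow"
        if st is None:                    # plain UDP: only inside-originated packets open a flow
            if p.iface != "inside":
                return "drop:no-state"
            self.table[k] = [0, now, False]
        else:
            st[1] = now
        return "allow"
```

Feeding it a flow that opens from inside, receives a stale session id, is closed explicitly, and then a plain UDP exchange that idles past the short timeout shows which of the five properties each decision rests on.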