IETF Logo Mail Archive

Re: [Spud] SPUD's open/close are unconvincing

Tom Herbert <tom@herbertland.com> Thu, 09 April 2015 05:20 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A41291B2BCB for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 22:20:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ELEr-TcRZpXx for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 22:20:48 -0700 (PDT)
Received: from mail-ig0-f169.google.com (mail-ig0-f169.google.com [209.85.213.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6FA21B2BC9 for <spud@ietf.org>; Wed, 8 Apr 2015 22:20:48 -0700 (PDT)
Received: by igblo3 with SMTP id lo3so56441072igb.0 for <spud@ietf.org>; Wed, 08 Apr 2015 22:20:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=hznEYWfxaSjyvDr7vrhyTV/as8NyF4ehSs9HRbpZSxQ=; b=Y71UVTe5BCE3ikpiPZjy3ZfJoEd2mWqkvyuKJ50wEATC4oEpv5krxcX0s3lwHReZS6 RUZtCWWQhBbvfTt/ul2QJqRKrUjbYio+28wDcJrWpQJDVXGxgOC3dKcJ1kq4QYJRrZGf w6N5LPBxX2xOqQavzDF8Gt5NSyT4H2iUBHRHC5czus9dBb1jWWFFOiEXWtqoTAcn+NzE uahyPU+VWwur+cjSI4Mij8YdPLsk48GH6RAAP8USuhDGLVdf08NO+LrD8fLF+7uKlNq4 N6hwlypJKeS8dsPLcuwFXDeWAyc4MYLZ172v4ih5cR3o3yEhyes3JNvz+0KzbbSpayUn dtvg==
X-Gm-Message-State: ALoCoQm+E++o3VyXerEbo3NtPW3fl8vG9u9JS883TwOqbtBF+65F0RIRQm2LuTgAriuDOZVRHC/Y
MIME-Version: 1.0
X-Received: by 10.42.236.78 with SMTP id kj14mr29004233icb.43.1428556848167; Wed, 08 Apr 2015 22:20:48 -0700 (PDT)
Received: by 10.107.149.15 with HTTP; Wed, 8 Apr 2015 22:20:48 -0700 (PDT)
In-Reply-To: <20150409041507.GJ24286@cisco.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net> <DM2PR0301MB06555C7D7F32A69214405D44A8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com> <20150408193920.GD24286@cisco.com> <871tju2rdq.fsf@alice.fifthhorseman.net> <20150409012229.GG24286@cisco.com> <CALx6S35NH9yPZxeARTic10b0jFEi8aC4Gmt79cxuzF_VpYYqLA@mail.gmail.com> <20150409041507.GJ24286@cisco.com>
Date: Wed, 8 Apr 2015 22:20:48 -0700
Message-ID: <CALx6S350kZibL4rn3R701tO5nGFeetbQM_EZfrFn__NXYLrKGg@mail.gmail.com>
From: Tom Herbert <tom@herbertland.com>
To: Toerless Eckert <eckert@cisco.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/8Sk_cVty2kFOpQj9G8pAa8G74Mg>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, spud@ietf.org
Subject: Re: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 05:20:50 -0000

On Wed, Apr 8, 2015 at 9:15 PM, Toerless Eckert <eckert@cisco.com> wrote:
> On Wed, Apr 08, 2015 at 08:46:24PM -0700, Tom Herbert wrote:
>> I think the kernel/user-land argument is a red herring.
>
> Elaborate please. To me its probably the biggest motivator for
> SPUD. Otherwise we could design all we need into IP and TCP.
>
>> The problem is
>> that middleboxes routinely participate in transport layer protocols
>> which was never architected-- transport layer protocols are inherently
>> end-to-end protocols.
>
> Thats 1970'th IETF katechism. I would call middleboxes a big contributor
> to todays success of Internet technologies.
>
Maybe, but the consequences of diverging from the end-to-end model is
reality we still need to deal with. When we deploy transport protocols
at scale on the Internet we are still bound in a large part by the
least common denominator network devices out there. There are deployed
devices that choke on our attempts to extend transports. We need to be
concerned about these, we simply can't completely break connectivity
for 1% of the world in order to give everyone else a 5% performance
improvement.

>> It's relatively easy to change client and
>> server sides to accommodate new transport functionality,
>
> Which is why we have OS-level TCP functions that lag state of the art
> on average by a decade.
>
I can't comment on other OSes, but I will say that the rate of change
to TCP and transport layer protocols in Linux and high and
significantly outpaces IETF standards (e.g. IW=10, lowering initRTO,
CC changes). These arguments seem to have more to do with the time for
deployment. This is not a problem with any reasonably modern OS, but
people are still concerned with getting changes into legacy
deployments (Windows is often cited). But, if you have specific OS
features that you think are missing I'd be happy discuss that
off-thread.

>> but pretty much impossible for us to change all the possible middleboxes
>> in a path in a timely fashion.  Just one middlebox in the path that decides
>> to drop our packet because it doesn't understand our new option, or
>> doesn't like our new flags can spoil everything-- it is really
>> difficult to work around interoperabilities like this.
>
> Everybody and their dog concerned about this problem is already
> automatically falling back to IP over SSL on port 443. We simply need to
> do the best to evolve away from that. Thats why it is important to offer
> benefits to those middleboxes.
>
This a general problem with modifying transport protocols. For
instance, it's potential problems with middleboxes that may wreak
havoc with attempts to increase the TCP option space (EDO).

>> So, yes, the
>> net effect of this is that we have become very conservative with
>> transport layer changes, and when we do make changes at the transport
>> layer we often have to masquerade these in something that is
>> considered generally palatable to middleboxes. This is why we intend
>> to run transport protocols over UDP in the first place, and has even
>> motivated brazen attempts to overload TCP protocol number with other
>> things (e.g. STT). SPUD is a good opportunity to generalize and
>> standardize middlebox/transport protocol interactions, but if the its
>> benefits are dependent on middleboxes being updated that not is going
>> to go anywhere fast either!
>
> Any firewall can start out processing SPUD just as UDP and once
> FW firmware improves it will simply improve from there. Nobody
> says firewalls MUST update, we just say that we want to provide
> at least the same toolset for relevant inspection firewalls as what TCP gives
> them.

It's pretty clear that for the foreseeable future were pretty much
stuck with using either TCP or UDP on the Internet (barring that
something like SCTP would ever get traction). Since we can't do
reasonably stateful firewalls or stateful NAT with UDP that is a
fundamental problem which constrains us to use TCP. There are needs
for new transport protocols, so encapsulating them in UDP seems to be
pragmatic approach, but we really need the ability for middlesboxes to
track state for such things-- this is what I hope SPUD provides.

Tom

>
> Cheers
>     Toerless

v2.8.7 | Report a Bug | By Email