IETF Logo Mail Archive

Re: [Spud] New Version Notification for draft-hildebrand-spud-prototype-02.txt

Brian Trammell <ietf@trammell.ch> Tue, 10 March 2015 21:15 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50DF51A8A39 for <spud@ietfa.amsl.com>; Tue, 10 Mar 2015 14:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utq4XzgqxBjV for <spud@ietfa.amsl.com>; Tue, 10 Mar 2015 14:15:47 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id 8A0C71A8A29 for <spud@ietf.org>; Tue, 10 Mar 2015 14:15:47 -0700 (PDT)
Received: from [IPv6:2001:470:26:9c2::7ea] (unknown [IPv6:2001:470:26:9c2::7ea]) by trammell.ch (Postfix) with ESMTPSA id 1F6411A0032; Tue, 10 Mar 2015 22:15:16 +0100 (CET)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_1B7C42FB-2912-4F69-8EDF-2722380EEC44"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5b5
From: Brian Trammell <ietf@trammell.ch>
In-Reply-To: <CAOdDvNq3NMP6ynqXmfoaVStFpRjVq70ZupVqt6ZmZutdg96SaA@mail.gmail.com>
Date: Tue, 10 Mar 2015 22:15:15 +0100
Message-Id: <6DC4AC2F-7279-4B18-8656-939E787E055D@trammell.ch>
References: <20150303155825.32731.37010.idtracker@ietfa.amsl.com> <08728A73-ED15-4928-A5BB-A59EA9E6D785@cisco.com> <CA+9kkMDSMMUByAMOc8gSyMajyKj0ZtZzmFPg+J7bz-6AYkFYhw@mail.gmail.com> <CAOdDvNrRcMCnWMzBvL0Do16mmiajeR4OJRx36cxnppuaD7+81w@mail.gmail.com> <C0A46E88-A9C2-4EB3-B7B6-2DE20D0B957A@cisco.com> <CA+9kkMDaWrvZM3b7G8FyuiHL0nRO=kWLHjqxQjPjxqtoa1Dq=w@mail.gmail.com> <CAOdDvNq3NMP6ynqXmfoaVStFpRjVq70ZupVqt6ZmZutdg96SaA@mail.gmail.com>
To: Patrick McManus <mcmanus@ducksong.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/C6XTV8opcyMXZUIEkbEZhGP3MEo>
Cc: Ted Hardie <ted.ietf@gmail.com>, "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] New Version Notification for draft-hildebrand-spud-prototype-02.txt
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 21:15:50 -0000

hi Patrick, all,

...in the hopes the conversation has not overtaken me, see inline below...

> On 10 Mar 2015, at 21:18, Patrick McManus <mcmanus@ducksong.com> wrote:
> 
> On Mon, Mar 9, 2015 at 6:05 PM, Ted Hardie <ted.ietf@gmail.com> wrote:
> So, I may need a whiteboard here, because the way I see this use case sharing a tube-id seems like a loss.
> 
> What I think you're saying is Client A (from 192.0.2.1) sends traffic toward service Z (at 203.0.113.1) .  The packet goes from A across a path until it reaches middlebox L (at 198.51.100.1) which dispatches​ it toward a backend server Z-15 (at 203.0.113.15) which would currently spoof 203.0.113.1.  This often forces L to maintain a map for the tuple in A's packets to the correct backend.  A tube-id would simplify this (since L could use it instead of a tuple).
> 
> ​What I hear you saying is that you'd prefer to allow Z-15 to emit a packet using its own IP address, rather than Z's, and have it be understood to be in the same flow by dint of it sharing the same tube-id.    This gives the tube-id some serious security requirements that it doesn't currently (as an advisory bit) have.  Have I misunderstood you?   Do you want something different here?
> 
> "want" is such a strong word :) I'm just brainstorming.
> 
> There is a case where L doesn't want to be part of the flow after Z-15 is selected, but obviously it needs to be in a TCP scenario if for no other reason than to forward the ack traffic to Z-15 - the fact that it continues to be involved is really an artifact of the protocol - L isn't a typical on path middlebox; but spuds is still interesting here for its interaction with something like a client side NAT. This is an ordered flow (a tube?) with 3 end points.
> 
> I don't really know that the tube-id itself takes on security requirements here, the transport running in the tube might have a totally self defined security and identification model independent of the tube-id - mobility leads you down that path naturally. (but yes - that's a hard problem :)). Is there a reason that gets bumped up to the spuds wrapper?

If we scope a tube ID to a five tuple, then it has some very nice properties. Since we're probably multiplexing significantly less than 2**64 tubes over a five tuple, the currently-active tube ID space is extremely sparse, and if the tube ID is sufficiently random, it is hard enough to guess them that we can presume that anyone that has the ID of a given tube is one of the endpoints, is on path, or is cooperating with a device on path. This is a property we need in any case in which we're requiring middleboxes to spoof endpoints, which itself will be necessary for NAT traversal.

Further, the five tuple has really become the state lookup key in each domain of routability in which its IP addresses are valid. So if the session ID is scoped to this key, it never has to be rewritten or otherwise handled by the middleboxes *other* than to bind a group of packets together so some common properties can be assigned to them.

If you use the tube ID for mobility -- i.e., to cover the "my endpoint address changed, but my session is the same" case, which I very much wanted to use it for when kicking this idea around much earlier -- now the scope is different, and all this gets much messier. The tube ID has to be chosen by the initiating endpoint, which in a mobile-client world is often the endpoint whose address may change, so scoping to the three-tuple of the fixed-address side of the connection brings with it a coordination problem -- and negotiation / decollision of tube IDs adds complexity and roundtrips, both of which are to be avoided.

Of course you could fix that problem by scoping the tube ID to the entire Internet, but this would (1) need way more bits, (2) probably need decollision anyway, and (3) has less than optimal (read: "terrifying") privacy implications for trackability etc.

What I can see being useful here is a facility built in to the "core" spud vocabulary that says "this tube is related to some other tube, here's the ID", for a small set of values of "related". This is more a signal to the remote endpoint than the path, though, so it's not clear it needs to be exposed in SPUD. One tube ID linkage that would need to be exposed to the path is "prefer to drop packets in this tube before packets in tube ID x" or "prefer to forward packets in tube ID x before packets in this tube", which gives you a nice simple vocabulary for expressing almost everything you need to for differential QoS from a given source without allowing global marking with all its attendant mark inflation problems.

Of course, since everything along the path and everything cooperating with everything along the path knows the tube id, any tube linkage features probably have implications for spoofing we'll need to be careful about.

Cheers,

Brian

v2.23.0 | Report a Bug | By Email