Re: [Spud] SPUD's open/close are unconvincing
Toerless Eckert <eckert@cisco.com> Thu, 09 April 2015 04:15 UTC
Date: Wed, 8 Apr 2015 21:15:07 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Tom Herbert <tom@herbertland.com>
Message-ID: <20150409041507.GJ24286@cisco.com>
In-Reply-To: <CALx6S35NH9yPZxeARTic10b0jFEi8aC4Gmt79cxuzF_VpYYqLA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/LJGQP6cmo05bmAW48l-EF_-lY24>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, spud@ietf.org
Subject: Re: [Spud] SPUD's open/close are unconvincing
On Wed, Apr 08, 2015 at 08:46:24PM -0700, Tom Herbert wrote:
> I think the kernel/user-land argument is a red herring.
Elaborate please. To me it's probably the biggest motivator for
SPUD. Otherwise we could design all we need into IP and TCP.
> The problem is
> that middleboxes routinely participate in transport layer protocols
> which was never architected-- transport layer protocols are inherently
> end-to-end protocols.
That's 1970s IETF catechism. I would call middleboxes a big contributor
to today's success of Internet technologies.
> It's relatively easy to change client and
> server sides to accommodate new transport functionality,
Which is why we have OS-level TCP functions that lag state of the art
on average by a decade.
> but pretty much impossible for us to change all the possible middleboxes
> in a path in a timely fashion. Just one middlebox in the path that decides
> to drop our packet because it doesn't understand our new option, or
> doesn't like our new flags can spoil everything-- it is really
> difficult to work around interoperabilities like this.
Everybody and their dog concerned about this problem is already
automatically falling back to IP over SSL on port 443. We simply need to
do our best to evolve away from that. That's why it is important to offer
benefits to those middleboxes.
> So, yes, the
> net effect of this is that we have become very conservative with
> transport layer changes, and when we do make changes at the transport
> layer we often have to masquerade these in something that is
> considered generally palatable to middleboxes. This is why we intend
> to run transport protocols over UDP in the first place, and has even
> motivated brazen attempts to overload TCP protocol number with other
> things (e.g. STT). SPUD is a good opportunity to generalize and
> standardize middlebox/transport protocol interactions, but if its
> benefits are dependent on middleboxes being updated that is not going
> to go anywhere fast either!
Any firewall can start out processing SPUD just as UDP, and once
FW firmware improves it will simply improve from there. Nobody
says firewalls MUST update; we just say that we want to provide
at least the same toolset for relevant inspection firewalls as what TCP gives
them.
Cheers
Toerless
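An added illustration of the middlebox point argued above (not part of the e-mail, the SPUD drafts, or any firewall's code): a toy stateful flow table that learns flow start and end from TCP flags, from nothing but an idle timeout for plain UDP, or from a hypothetical in-band "open"/"close" signal on UDP, and that can be configured to ignore that signal, which is the "process SPUD just as UDP until the firmware improves" fallback. The signal names, the timeouts, the RFC 5737 addresses and the one-direction-only flow key are modelling assumptions, not SPUD's actual wire format.

```python
"""Toy flow table for a stateful firewall / NAT, showing three ways a
middlebox learns when a flow starts and ends:
  - TCP: explicit SYN / FIN / RST flags,
  - plain UDP: nothing explicit, so state lives until an idle timeout,
  - UDP carrying an in-band open/close signal (the kind of thing SPUD
    proposes), which a middlebox may honour or, if it does not understand
    it, ignore and fall back to plain-UDP handling.

Added example for this thread; not code from the SPUD drafts or any
firewall. The signal names "open"/"close", the timeouts and the
one-direction-only flow key are modelling assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]          # src, dst, sport, dport, proto

UDP_IDLE_TIMEOUT = 30.0           # seconds; assumed conservative default
TCP_ESTABLISHED_TIMEOUT = 3600.0  # seconds; assumed


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                     # "tcp" or "udp"
    t: float                       # arrival time, seconds
    tcp_flags: str = ""            # subset of "SAFR"
    signal: Optional[str] = None   # hypothetical in-band "open" / "close"


@dataclass
class FlowEntry:
    last_seen: float
    timeout: float


class FlowTable:
    def __init__(self, honours_udp_signals: bool):
        # A firewall that predates the signal simply ignores it (plain-UDP handling).
        self.honours_udp_signals = honours_udp_signals
        self.flows: Dict[FlowKey, FlowEntry] = {}

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto)

    def expire(self, now: float) -> None:
        dead = [k for k, e in self.flows.items() if now - e.last_seen > e.timeout]
        for k in dead:
            del self.flows[k]

    def live_flows(self, now: float) -> int:
        self.expire(now)
        return len(self.flows)

    def admit(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        self.expire(p.t)
        k = self.key(p)
        e = self.flows.get(k)
        if p.proto == "tcp":
            if e is None:
                # Only a bare SYN may create state; anything else without state is dropped.
                if "S" in p.tcp_flags and "A" not in p.tcp_flags:
                    self.flows[k] = FlowEntry(p.t, TCP_ESTABLISHED_TIMEOUT)
                    return True
                return False
            e.last_seen = p.t
            if "F" in p.tcp_flags or "R" in p.tcp_flags:
                del self.flows[k]       # explicit end of flow: release state now
            return True
        # UDP: any datagram creates state; without a signal it dies only by idling out.
        sig = p.signal if self.honours_udp_signals else None
        if e is None:
            if sig == "close":
                return False            # close for a flow we never saw
            self.flows[k] = FlowEntry(p.t, UDP_IDLE_TIMEOUT)
            return True
        e.last_seen = p.t
        if sig == "close":
            del self.flows[k]           # explicit end of flow, as FIN gives for TCP
        return True


def run_scenarios() -> Dict[str, int]:
    """Table entries left 5 s after each flow's last packet (constructed traffic)."""
    a, b = "192.0.2.10", "198.51.100.7"         # constructed addresses (RFC 5737)
    out: Dict[str, int] = {}
    tcp = FlowTable(honours_udp_signals=False)
    for flags, t in (("S", 0.0), ("A", 1.0), ("F", 2.0)):
        tcp.admit(Packet(a, b, 40000, 443, "tcp", t, tcp_flags=flags))
    out["tcp_fin"] = tcp.live_flows(7.0)
    udp = FlowTable(honours_udp_signals=False)
    for t in (0.0, 1.0, 2.0):
        udp.admit(Packet(a, b, 40001, 4433, "udp", t))
    out["udp_plain"] = udp.live_flows(7.0)
    out["udp_plain_after_idle"] = udp.live_flows(2.0 + UDP_IDLE_TIMEOUT + 1.0)
    for honours in (True, False):
        ft = FlowTable(honours_udp_signals=honours)
        for sig, t in (("open", 0.0), (None, 1.0), ("close", 2.0)):
            ft.admit(Packet(a, b, 40002, 4433, "udp", t, signal=sig))
        out["udp_signal_" + ("honoured" if honours else "ignored")] = ft.live_flows(7.0)
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

The TCP flow and the signal-honouring UDP flow release their entry the moment the FIN or "close" arrives; plain UDP, and UDP on a box that ignores the signal, keep the entry until the idle timeout, which is the extra state lifetime (and the longer attack surface for state exhaustion) that an explicit open/close is meant to remove. The signal-ignoring path is no worse than today's UDP handling, which is the incremental-deployment argument made above.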