IETF Logo Mail Archive

[Spud] SPUD's open/close are unconvincing

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 08 April 2015 18:39 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4E5E1A8F38 for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 11:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4kbaeUN5HJlr for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 11:39:41 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 47EA01A92BC for <spud@ietf.org>; Wed, 8 Apr 2015 11:39:31 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id CA762F984 for <spud@ietf.org>; Wed, 8 Apr 2015 14:39:28 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 03CB62023A; Wed, 8 Apr 2015 13:39:16 -0500 (CDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: spud@ietf.org
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Wed, 08 Apr 2015 14:39:16 -0400
Message-ID: <87iod631nv.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/PukBjUeQ7KnDBOJTqA7QjPu1VHE>
Subject: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 18:39:42 -0000

Hi folks--

Thanks to those who organized the SPUD BoF at IETF 92.  Despite having
some serious big-picture concerns about SPUD overall, I sympathize with
the general goal of facilitating encrypting more traffic to protect the
confidentiality, integrity and anonymity of Internet communications, so
i appreciate the effort.

I'll write up the big-picture concerns separately, but right now i plan
to focus on some of the concrete details that i find unconvincing about
the idea and the associated proposals.  I'll try to keep each detail
relatively succinct.

This message is about the need for open/close in SPUD, which in the
presentations i saw was frequently the first example brought out to
explain what advantages SPUD can offer to existing on-path equipment.

These signals don't seem to provide any useful advantages to me: Open is
superfluous, and Close is unreliable.

Open is superfluous
-------------------

Given the existing 5-tuple, on-path equipment trivially knows when a
flow starts already: it is a 5-tuple that they haven't seen before.  If
you want to maintain a distinction between a one-side-opened flow and a
replied flow, this is also traceable by looking at the 5-tuple.  It's
not clear that the "open" signal gives on-path equipment any additional
useful information that it didn't have already from the 5-tuple.


Close is unreliable
-------------------

One of the reasons on-path equipment would like a "close" signal is so
that they know when to tear down associations that are no longer needed.
This would reduce memory consumption and make a device more resilient to
DoS attacks that exhaust its connection table.  Without "close", the
on-path equipment has to rely on timers to decide when to tear down the
connection.

Unfortunately, we can't rely on endpoints to send Close.  Legitimate
endpoints crash, run out of power, or have their network connectivity
cut.  So on-path equipment needs to maintain timers anyway if they're
tracking flow state instead of just passing IP traffic statelessly.  And
in a DoS scenario, it's trival for an actively malicious end-point to
send lots of "open" messages without ever sending a "close", so it
doesn't protect against DoS either.



Why should SPUD bother with explicitly signalling open and close?

    --dkg

v2.8.7 | Report a Bug | By Email