IETF Logo Mail Archive

Re: [Spud] SPUD's open/close are unconvincing

Toerless Eckert <eckert@cisco.com> Wed, 08 April 2015 19:39 UTC

Return-Path: <eckert@cisco.com>
X-Original-To: spud@ietfa.amsl.com
Delivered-To: spud@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2990D1B3565 for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 12:39:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.511
X-Spam-Level:
X-Spam-Status: No, score=-12.511 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_72=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nBzYb6DA22nv for <spud@ietfa.amsl.com>; Wed, 8 Apr 2015 12:39:23 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38B291B3554 for <spud@ietf.org>; Wed, 8 Apr 2015 12:39:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3888; q=dns/txt; s=iport; t=1428521963; x=1429731563; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=Q8KMUumxT3mHXK9QTOKSEo2fD7a5FbWKmEZGU2YnTs8=; b=Ru/2feDcbOav23ItCwQ23PUetZR63/2zLebgPmIl8ySMrqLZD17iG5Mt s/7uBuZGQICv3SJIuSpX/CmORG/n+eR5/l6WeFN41gWbiV8EOpbDheyuS sxUefhXwtoOUU8v79JyH0B0XfcS18KUHWe8bdI6KJWC5gmOkzldozJcGc I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A7BQCSgiVV/51dJa1cgwhSXMU9CoV9AoEsOxEBAQEBAQEBfYQgAQEEAQEBNzQLEAsYCSUPBRM2E4gqDcx5AQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSKLH+ELU8HgxeBFgWGHoUJj1MBgR2DN4JjiVqDSiKEDx4xgQIHgToBAQE
X-IronPort-AV: E=Sophos;i="5.11,545,1422921600"; d="scan'208";a="139420109"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-3.cisco.com with ESMTP; 08 Apr 2015 19:39:22 +0000
Received: from mcast-linux1.cisco.com (mcast-linux1.cisco.com [172.27.244.121]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t38JdLNr013340 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 8 Apr 2015 19:39:22 GMT
Received: from mcast-linux1.cisco.com (localhost.cisco.com [127.0.0.1]) by mcast-linux1.cisco.com (8.13.8/8.13.8) with ESMTP id t38JdL8p031658; Wed, 8 Apr 2015 12:39:21 -0700
Received: (from eckert@localhost) by mcast-linux1.cisco.com (8.13.8/8.13.8/Submit) id t38JdLP5031657; Wed, 8 Apr 2015 12:39:21 -0700
Date: Wed, 8 Apr 2015 12:39:21 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Message-ID: <20150408193920.GD24286@cisco.com>
References: <87iod631nv.fsf@alice.fifthhorseman.net> <DM2PR0301MB06555C7D7F32A69214405D44A8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87iod631nv.fsf@alice.fifthhorseman.net>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/xhc4eCSJJb9gGRUIi7jCpPw2AnY>
Cc: spud@ietf.org
Subject: Re: [Spud] SPUD's open/close are unconvincing
X-BeenThere: spud@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spud>, <mailto:spud-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>
List-Post: <mailto:spud@ietf.org>
List-Help: <mailto:spud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spud>, <mailto:spud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 19:39:25 -0000

Daniel,

a) I think one hope of SPUDs design is to make UDP look enough like
   TCP to persuade FWs (and similar middleboxes) to police / permit it
   as well as TCP flows are policed/permitted.

b) If you don't like how it works, let me generalize the question,
   would like to hear your (and others) answers:

   What is the best possible design we can do to make UDP flows
   be equal or better permissible across WELL BEHAVED FW and similar
   middleboxes ? Please define "WELL BEHAVED"as part of your answer.

c) If i read it correctly, SPUD can 

   a) set up potentially multiple independent pipes across the same 5-tuple.
   b) A single pipe can go across different 5-tuples (multipath/mobility).
   
   These two features should explain why tracking 5-tuple as you
   suggest alone would not be sufficient.

   Btw: I am a fan of b), i don't think a) should be encouraged given
   experience with RTCweb. In that sense, the total number of
   pipes would even be equal or smaller than the number of 5 tuples.


Cheers
    Toerless

P.S.: Cool domain name. Is that indicative of the role you're planning
to take in the discussion ? ;-))) (sorry, i can never resists these questions).


On Wed, Apr 08, 2015 at 02:39:16PM -0400, Daniel Kahn Gillmor wrote:
> Hi folks--
> 
> Thanks to those who organized the SPUD BoF at IETF 92.  Despite having
> some serious big-picture concerns about SPUD overall, I sympathize with
> the general goal of facilitating encrypting more traffic to protect the
> confidentiality, integrity and anonymity of Internet communications, so
> i appreciate the effort.
> 
> I'll write up the big-picture concerns separately, but right now i plan
> to focus on some of the concrete details that i find unconvincing about
> the idea and the associated proposals.  I'll try to keep each detail
> relatively succinct.
> 
> This message is about the need for open/close in SPUD, which in the
> presentations i saw was frequently the first example brought out to
> explain what advantages SPUD can offer to existing on-path equipment.
> 
> These signals don't seem to provide any useful advantages to me: Open is
> superfluous, and Close is unreliable.
> 
> Open is superfluous
> -------------------
> 
> Given the existing 5-tuple, on-path equipment trivially knows when a
> flow starts already: it is a 5-tuple that they haven't seen before.  If
> you want to maintain a distinction between a one-side-opened flow and a
> replied flow, this is also traceable by looking at the 5-tuple.  It's
> not clear that the "open" signal gives on-path equipment any additional
> useful information that it didn't have already from the 5-tuple.
> 
> 
> Close is unreliable
> -------------------
> 
> One of the reasons on-path equipment would like a "close" signal is so
> that they know when to tear down associations that are no longer needed.
> This would reduce memory consumption and make a device more resilient to
> DoS attacks that exhaust its connection table.  Without "close", the
> on-path equipment has to rely on timers to decide when to tear down the
> connection.
> 
> Unfortunately, we can't rely on endpoints to send Close.  Legitimate
> endpoints crash, run out of power, or have their network connectivity
> cut.  So on-path equipment needs to maintain timers anyway if they're
> tracking flow state instead of just passing IP traffic statelessly.  And
> in a DoS scenario, it's trival for an actively malicious end-point to
> send lots of "open" messages without ever sending a "close", so it
> doesn't protect against DoS either.
> 
> 
> 
> Why should SPUD bother with explicitly signalling open and close?
> 
>     --dkg
> 
> _______________________________________________
> Spud mailing list
> Spud@ietf.org
> https://www.ietf.org/mailman/listinfo/spud

v2.8.7 | Report a Bug | By Email