Re: [Spud] FW: New Version Notification for draft-hildebrand-spud-prototype-02.txt

Patrick McManus <mcmanus@ducksong.com> Tue, 10 March 2015 20:18 UTC

Date: Tue, 10 Mar 2015 16:18:26 -0400
From: Patrick McManus <mcmanus@ducksong.com>
To: Ted Hardie <ted.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/yKj6r2emrrcIUmoOnCrE4uAezX8>
Cc: Patrick McManus <mcmanus@ducksong.com>, "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>, "spud@ietf.org" <spud@ietf.org>
List-Id: Session Protocol Underneath Datagrams <spud.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/spud/>

On Mon, Mar 9, 2015 at 6:05 PM, Ted Hardie <ted.ietf@gmail.com> wrote:

> So, I may need a whiteboard here, because the way I see this use case
> sharing a tube-id seems like a loss.
>
> What I think you're saying is Client A (from 192.0.2.1) sends traffic
> toward service Z (at 203.0.113.1). The packet goes from A across a path
> until it reaches middlebox L (at 198.51.100.1) which dispatches it toward
> a backend server Z-15 (at 203.0.113.15) which would currently spoof
> 203.0.113.1.  This often forces L to maintain a map for the tuple in A's
> packets to the correct backend.  A tube-id would simplify this (since L
> could use it instead of a tuple).
>
> What I hear you saying is that you'd prefer to allow Z-15 to emit a
> packet using its own IP address, rather than Z's, and have it be understood
> to be in the same flow by dint of it sharing the same tube-id. This
> gives the tube-id some serious security requirements that it doesn't
> currently (as an advisory bit) have. Have I misunderstood you? Do you
> want something different here?
>

"want" is such a strong word :) I'm just brainstorming.

There is a case where L doesn't want to be part of the flow after Z-15 is
selected, but obviously it needs to be in a TCP scenario if for no other
reason than to forward the ack traffic to Z-15 - the fact that it continues
to be involved is really an artifact of the protocol - L isn't a typical
on-path middlebox; but spuds is still interesting here for its interaction
with something like a client-side NAT. This is an ordered flow (a tube?)
with 3 endpoints.

I don't really know that the tube-id itself takes on security requirements
here; the transport running in the tube might have a totally self-defined
security and identification model independent of the tube-id - mobility
leads you down that path naturally. (But yes - that's a hard problem :)).
Is there a reason that gets bumped up to the spuds wrapper?