Re: [Spud] SPUD's open/close are unconvincing
Caitlin Bestler <caitlin.bestler@nexenta.com> Thu, 09 April 2015 16:59 UTC
Message-ID: <5526AFF1.8040109@nexenta.com>
Date: Thu, 09 Apr 2015 09:59:29 -0700
From: Caitlin Bestler <caitlin.bestler@nexenta.com>
To: spud@ietf.org
References: <87iod631nv.fsf@alice.fifthhorseman.net>
<DM2PR0301MB06555C7D7F32A69214405D44A8FC0@DM2PR0301MB0655.namprd03.prod.outlook.com>
<20150408193920.GD24286@cisco.com> <871tju2rdq.fsf@alice.fifthhorseman.net>
In-Reply-To: <871tju2rdq.fsf@alice.fifthhorseman.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/spud/zT0ICJZXXPAXdZnn7xBTYu8Opeo>
Subject: Re: [Spud] SPUD's open/close are unconvincing
On 4/8/15 3:21 PM, Daniel Kahn Gillmor wrote:
> Hi Toerless--
>
> On Wed 2015-04-08 15:39:21 -0400, Toerless Eckert wrote:
>
>> a) I think one hope of SPUDs design is to make UDP look enough like
>> TCP to persuade FWs (and similar middleboxes) to police / permit it
>> as well as TCP flows are policed/permitted.
>>
>> b) If you don't like how it works, let me generalize the question,
>> would like to hear your (and others) answers:
>>
>> What is the best possible design we can do to make UDP flows
>> be equal or better permissible across WELL BEHAVED FW and similar
>> middleboxes? Please define "WELL BEHAVED" as part of your answer.
> As I wrote to Joe, I'm not convinced that this is an answerable question
> considering that no one has provided a technical argument yet for why
> the enterprise firewall operators can't already do what we're talking
> about here.
>
>
With what information? Are you talking about separate switch
vendors independently implementing a SPUD-like solution, or
are you claiming they already have enough information to perform
this with no assist from the endpoints?
I believe that endpoint assist in the form of declarative information
is necessary to enable optimum network response. Standardizing
that information will make it something vendors and endpoint
stack developers will support. Without standardization you have
a chicken-and-egg problem that will never be resolved.
The key questions are:
* Are the hints sufficient to provide optimizations that more than
reward the cost of sending the hints?
* Are we avoiding creating some form of DoS vector, which would
result in everyone turning off this feature in the field?
I suspect there are some refinements that may be needed to
avoid enhancing DoS attacks. But we need to set the goal
realistically as avoiding *enhanced* attacks, and not rejecting
SPUD for being vulnerable to the same attacks that would have
worked against TCP.