IETF Logo Mail Archive

Re: [tcpm] TCP Connection ID

Olivier Bonaventure <olivier.bonaventure@tessares.net> Tue, 26 May 2020 06:52 UTC

Return-Path: <olivier.bonaventure@tessares.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03423A0C0C for <tcpm@ietfa.amsl.com>; Mon, 25 May 2020 23:52:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tessares-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BvmEKJoUiwKm for <tcpm@ietfa.amsl.com>; Mon, 25 May 2020 23:52:08 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 677603A0C0A for <tcpm@ietf.org>; Mon, 25 May 2020 23:52:07 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id l15so22781521lje.9 for <tcpm@ietf.org>; Mon, 25 May 2020 23:52:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=lruVfi/szerdsRCI0kbJ4SLgE635ieSrMsPhFF1HU/E=; b=nOiulWr8fTiA6lTY3z+oaBnupQr38/Sdh7Cp/DbFHPn01l7uPRwVHdmy2UeKDXumsO fiJSYmu2VVXuAloTzBxcnDJAVR1APMmPLditHDk1GUd7BDqf0Dg0hK7T4CT1rXuAUYYp VSZmGe9OpcqXdh0Ixhy3zUIeHiEYYLLIFpXHpGe/mFFZsoC6RQNaXRebW1EkREohE1zg xm5PY7X9WnJPbMwNibqkH5QLy3ZyjvEubFzqTZJF2DWo6g3ZyG4BED4EiG9rSFX3KH9g H/baG/8pkWWYO12uoSV5AmNGeHIK0HqOjwtdsrjQub7IizMKYPUYHeYHuKDE8T+xPGyc pkgA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=lruVfi/szerdsRCI0kbJ4SLgE635ieSrMsPhFF1HU/E=; b=NBvTjPVrp4RJnbt0FIT6I6ZSetOBBV9iaXHr1386XJdPNUd2e/eUpKD5pfBOomSxLi ZZcMEU79UDOkFoVCRor27e0Kpvx/N7zjunh0CgnfdsjxywO/aIqMhuvhfXHJxgMBvnRo F2zJ7Ju3Fb2AKglCHnUcNbI9hjdX3w1/mxnI3c9N/QbkGC00BQWnwSwwKN0YYncSTWt2 eQWsQqJFSFegDPZg4A1swC/S3JQW2aY+lQyUFU7GnOKbRdLSoXKPDt4vcFNomvuJSMCH YQ0cMbj3cxuLJH9+S+7vvJh+RI404gLD8ioq2OuO4vXvKnri/ldX3ao2HNFxEGkZsDHF W0tw==
X-Gm-Message-State: AOAM53181m+iHprPuiLnC16a9ccXDXzdxvfeSO5n7oqZwAkNC1mB3mvs JqkHOm+wibT8UETpmZqxqdqn39956/yqzVfBP61bfdufwJKdUgzl2GU5j6JXOU5qo5Qu07eIs+s SuuO+xm3jye+k
X-Google-Smtp-Source: ABdhPJz8tBhBgZ/0pyOqV5E7UGHHiGxP+v2XW7+i5H45h9Jka/P17cpspLhpvFPfIdnMC4qigv2eB1iTCu4c3EV0a/4=
X-Received: by 2002:a05:651c:2c1:: with SMTP id f1mr12645210ljo.440.1590475926150; Mon, 25 May 2020 23:52:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAEGSd=DQwj_XbpxCz=7GYTgzjGM=ARqgw3oG58_Y9hbNZpPPrQ@mail.gmail.com> <CAEGSd=BrgqFrZVexkKhvYr2Yeu-B2Gyde7aYevPqTr8MzWQs4A@mail.gmail.com> <86F47ECD-8504-4FAA-8D39-0099C203FA0C@tessares.net> <CAEGSd=Adh2-JNZDp6CksDUbV59jZ5nZkup8gvahjzs=T8BNsmA@mail.gmail.com>
In-Reply-To: <CAEGSd=Adh2-JNZDp6CksDUbV59jZ5nZkup8gvahjzs=T8BNsmA@mail.gmail.com>
From: Olivier Bonaventure <olivier.bonaventure@tessares.net>
Date: Tue, 26 May 2020 08:51:40 +0200
Message-ID: <CAJuVx18w3j6tpWfeHMNYVnF3R2N5Wt=23jBAjJG+5fF8NJX27Q@mail.gmail.com>
To: Alexander Azimov <a.e.azimov@gmail.com>
Cc: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/_GTaM8a1fSlNJ0PA8x4GUNJvmIk>
Subject: Re: [tcpm] TCP Connection ID
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2020 06:52:12 -0000

Alexander,

> As far as I understand you are suggesting to use IP LSR/RH which SHOULD be turned off by default (RFC7196). Besides, P and X, in your terms may belong to different address families. It seems that you still have confusion on the purpose of my proposal:
>
> There is a browser, that sends a WEB-request. The request is sent to the virtual IP (VIP). The browser/OS is out of our control.
> There is a load balancer inside the datacenter, which receives an SYN packet and needs to send it to the server with real IP. Normally it is done via tunnel: IPIP or GRE. Both load balancer and server are under the same administrative control.
> The idea is to introduce a connection id, that is generated by the server at the time of SYN/ACK and kept at the client for the time of TCP session, thus removing the need to keep the state at the load balancer. This brings advantages in the case of DDoS attacks, load drain from servers, and traffic rerouting between LB.

Another possibility would be to place the connection id in the network
layer, see doi:10.1109/TNET.2018.2799242

> Oliver:
> Thank you for the link! I was not aware of this paper. The option to advertise VIP looks interesting, but seem to have limitations:
>
> What if real server IP is IPv6 address while the client is working from IPv4 only network?

If your VIP is IPv4 and the server behind the LB only support IPv6,
then you need the packets to pass through the LB anyway

> The attacker may learn the full list of backend servers, which can be used for DDoS attacks. The dynamic IP allocation for connections may work as a partial workaround, have you implemented it in the lab?

We did some tests but did not deploy that on busy servers

> The load balancer still needs to keep states of the connections. But it wasn't the problem that was addressed in the paper.
>

Indeed. The main objective of the paper was to show how to efficiently
support MPTCP on load balancers


Olivier

-- 


Disclaimer: https://www.tessares.net/mail-disclaimer/ 
<https://www.tessares.net/mail-disclaimer/>

v2.23.0 | Report a Bug | By Email