Re: [tcpm] End to End Proprietary Information Field - Request for a new TCP option

Joe Touch <touch@ISI.EDU> Fri, 26 September 2008 16:52 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 947BB28C19D; Fri, 26 Sep 2008 09:52:14 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BC1183A6B96 for <tcpm@core3.amsl.com>; Fri, 26 Sep 2008 09:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SzQd1t8hlJbW for <tcpm@core3.amsl.com>; Fri, 26 Sep 2008 09:52:12 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 91D8E3A6B9A for <tcpm@ietf.org>; Fri, 26 Sep 2008 09:52:12 -0700 (PDT)
Received: from [128.9.176.35] (c1-vpn5.isi.edu [128.9.176.35]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m8QGp9bX004097 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 26 Sep 2008 09:51:11 -0700 (PDT)
Message-ID: <48DD12FC.30907@isi.edu>
Date: Fri, 26 Sep 2008 09:51:08 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: "Ish Shalom, Ran" <rishshal@akamai.com>
References: <5342C364A2C3A6458B15BB147FB4B724AC479D@MAVS1.kendall.corp.akamai.com> <48DD0961.4020802@isi.edu> <5342C364A2C3A6458B15BB147FB4B724AC482F@MAVS1.kendall.corp.akamai.com> <48DD0E4D.2070009@isi.edu> <5342C364A2C3A6458B15BB147FB4B724AC4868@MAVS1.kendall.corp.akamai.com>
In-Reply-To: <5342C364A2C3A6458B15BB147FB4B724AC4868@MAVS1.kendall.corp.akamai.com>
X-Enigmail-Version: 0.95.7
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] End to End Proprietary Information Field - Request for a new TCP option
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ran,

Ish Shalom, Ran wrote:
> Joe,
> 
> I agree and it was my oversight for not discussing it explicitly. A
> tunnel is certainly an option to transmit such information (with
> sometimes the added benefits of authentication). The main downside to
> implementing it is its cost. Tunnels (at any layer) are sometimes very
> expensive in terms of processing and delay. Having a TCP option may help
> us avoid taking this hit. 

That's an implementation issue, and largely impacts throughput and
processing (not latency). I don't think we should modify a core Internet
protocol to overcome the inefficiencies of some implementations.

> As for NAT devices still destroying TCP header information, I agree that
> needs to be discussed and solved. The way I see it is that once we have
> a formally assigned TCP option with a clear definition of what it is
> used for and how to treat it, we can then work with NAT vendors to make
> sure that this specific TCP option will not be changed. 

Cooperative NATs don't want to destroy the destination IP address or
port - which define the packet path and service.

Non-cooperative NATs, that destroy destination IP addresses or ports,
are no more likely to preserve this option than they were to preserve
the destination IP address and port.

It seems that there is only one reason for this sort of option - to
preserve the source IP address and source port. It's not clear why this
information is useful, however - e.g., the source address behind the NAT
could have been private and thus meaningless, and the source port is
useful only for demuxing anyway.

> There are some
> security concerns with it but there is also a benefit to communicating
> this info.

Given the above, can you explain further? I.e., what is the benefit to
knowing the source IP and source port?

Joe

> -----Original Message-----
> From: Joe Touch [mailto:touch@ISI.EDU] 
> Sent: Friday, September 26, 2008 12:31 PM
> To: Ish Shalom, Ran
> Cc: tcpm@ietf.org
> Subject: Re: [tcpm] End to End Proprietary Information Field - Request
> for a new TCP option
> 
> 
> 
> Ish Shalom, Ran wrote:
>> Joe,
> 
>> Thank you for your comments. I certainly agree with your stand that we
> 
>> should not make TCP proprietary. My proposal was not to make it 
>> proprietary but to assign an option to allow us to communicate local 
>> information (such as private IP addresses and local ports) end to end 
>> despite the many gateways that may change this information in the 
>> header fields.
> 
> Ran,
> 
> As I noted before, NAT/NAPTs already cannot be trusted to pass options
> unchanged, so this doesn't solve the problem.
> 
> It's already possible to exchange that information using a tunnel, which
> does not require a change to the protocol. Use of a tunnel requires mods
> to both ends of the protocol, but then so does use of this sort of
> option.
> 
> Further, a tunnel allows use of TCP authentication (TCP MD5, TCP-AO) to
> verify that the addr/port values have not changed, or even the use of
> IPsec (depending on the layer of the tunneling).
> 
> Joe
> 
>> Ran
> 
>> -----Original Message-----
>> From: Joe Touch [mailto:touch@ISI.EDU]
>> Sent: Friday, September 26, 2008 12:10 PM
>> To: Ish Shalom, Ran
>> Cc: tcpm@ietf.org
>> Subject: Re: [tcpm] End to End Proprietary Information Field - Request
> 
>> for a new TCP option
> 
>> Ish,
> 
>> TCP options signal changes to the TCP protocol. That protocol is not 
>> proprietary, and I do not support making it - or any variants thereof 
>> - proprietary.
> 
>> Proprietary information about a TCP connection is already encoded in 
>> the port number, and in-band in the application data. If the 
>> information determines the nature of the application data, it is a 
>> port number issue. If the information is application data, it belongs 
>> in the data path.
> 
>> I see no reason for a TCP option based on this argument, nor do I see 
>> a reason for a proprietary TCP option either.
> 
>> Additional note below...
> 
>> Joe
> 
>> Ish Shalom, Ran wrote:
>>> Increasingly businesses and their workforces are becoming more and 
>>> more distributed as they spread globally and move their offices to be
> 
>>> closer to their customers. At the same time, financial wisdom 
>>> dictates
>>> strict cost control. The combination of which pushed more business to
> 
>>> use the Internet as a transport medium for remote offices and/or
>> employees.
>>> IP addresses shortage, privacy and security concerns have generated a
> 
>>> myriad of solutions in the form of NATs, PATs, firewalls, etc. As a 
>>> result, local information such as private IP addresses, ports and 
>>> potentially additional local private information often gets rewritten
> 
>>> and lost when a session traverses these functions. Furthermore, some 
>>> gateway services might terminate sessions in order to carry them over
> 
>>> a different medium or using a different service. All of which result 
>>> in the same way - lost of end to end transparency. However, 
>>> occasionally applications and/or network administrators may need a 
>>> means to communicate local private IP information across the Internet
> 
>>> domain so that the far end may be able to process the session
>> correctly.
> 
>> Any device that destroys information of a TCP connection (e.g., 
>> destination port of a SYN, or rewriting IP addresss) cannot be trusted
> 
>> to preserve TCP options either. They often rewrite or omit such 
>> options anyway.
> 
>>> I would like to propose creating a proprietary information channel 
>>> using a dedicated TCP option that can be used by such application to 
>>> communicate private local information across the internet. A flexible
> 
>>> end-to-end private channel will allow Service Providers and 
>>> application vendors to provide seamless communication across the 
>>> Internet domain despite the many intermediate functions that are in
>> place today.
>>> Sincerely,
>>> Ran Ish-Shalom
>>> Akamai technologies
> 
>>> ---------------------------------------------------------------------
>>> -
>>> --
>>> _______________________________________________
>>> tcpm mailing list
>>> tcpm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tcpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjdEvwACgkQE5f5cImnZru60QCgmt/acdHsTxdWTy9oW5luA7jo
dOIAoKAJY1Sran1qwqzZvyG95VInHZl/
=jwMA
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm