Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
Yoshifumi Nishida <nishida@sfc.wide.ad.jp> Mon, 25 February 2019 18:41 UTC
Return-Path: <nishida@sfc.wide.ad.jp>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 612E3130EFE for <tcpm@ietfa.amsl.com>; Mon, 25 Feb 2019 10:41:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tMBlhkc1qVef for <tcpm@ietfa.amsl.com>; Mon, 25 Feb 2019 10:41:01 -0800 (PST)
Received: from mail.sfc.wide.ad.jp (mail.sfc.wide.ad.jp [203.178.142.146]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCE1512426A for <tcpm@ietf.org>; Mon, 25 Feb 2019 10:41:00 -0800 (PST)
Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by mail.sfc.wide.ad.jp (Postfix) with ESMTPSA id EB3232784BA for <tcpm@ietf.org>; Tue, 26 Feb 2019 03:40:58 +0900 (JST)
Received: by mail-wr1-f47.google.com with SMTP id w17so11069500wrn.12 for <tcpm@ietf.org>; Mon, 25 Feb 2019 10:40:58 -0800 (PST)
X-Gm-Message-State: AHQUAuYUbCGBP6hG5tsmY9LWbX39dTf5kGb+bnI4SRlf2BXvOt9QdK0N RZCCi8P+5rvogKtjZURWpJbVRxdDXQZcQsH42Lk=
X-Google-Smtp-Source: AHgI3IaIL7vd6IetIz/vT6d/IyWCSurCSsZBqpc5q/xfk0UTW9LWees3W+m4X3bCAE7PtwSdvqN8m4g50w9pLLWWMmo=
X-Received: by 2002:adf:b3d1:: with SMTP id x17mr6026559wrd.15.1551120056569; Mon, 25 Feb 2019 10:40:56 -0800 (PST)
MIME-Version: 1.0
References: <9DD59801-36CE-407E-98F0-0BB1AAD514A7@tessares.net> <CAO249yc-eHAnOR7XfemQyJB+UVjmdtt43oZs+xJa=inZBBgp2w@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93302EA2273F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAO249ycs3grfmcaVJem-swoAWMAU_boOc5csY-ZjWn5S8m0F5w@mail.gmail.com> <C22A52DE-6666-44CF-B2F0-8BBA8A4D056F@tessares.net>
In-Reply-To: <C22A52DE-6666-44CF-B2F0-8BBA8A4D056F@tessares.net>
From: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>
Date: Mon, 25 Feb 2019 10:40:45 -0800
X-Gmail-Original-Message-ID: <CAO249ye3KWj6KkQptvEcvX-KFepmTrLprqjaeG275Rm79oMzNg@mail.gmail.com>
Message-ID: <CAO249ye3KWj6KkQptvEcvX-KFepmTrLprqjaeG275Rm79oMzNg@mail.gmail.com>
To: Olivier Bonaventure <olivier.bonaventure@tessares.net>
Cc: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>, mohamed.boucadair@orange.com, "tcpm@ietf.org" <tcpm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f9d4600582bc4701"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/eFxJHAhCq_UGXBBEflt4mNgObH4>
Subject: Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 18:41:05 -0000
Hi Olivier, On Fri, Feb 22, 2019 at 1:37 AM Olivier Bonaventure < olivier.bonaventure@tessares.net> wrote: > Yoshi, > > > I just thought that it might be good if we can be a bit more specific > about what is not trying to solve. > For example, in my understanding, these are not supported in this draft. > (BTW, I think this is good thing.) > 1: servers do not initiate connection to converters > > > I’m fine to discuss the support for connections initiated by servers in > another document. This would make the current draft simpler and I’m not > aware of plans to support this feature currently. > OK. > 2: don't support "server has feature X, but client doesn't" cases > > > I think that this should be left to implementations. Converters will have > local policies/heuristics to decide which options they will place in the > SYN that they send to server. These policies might enable the utilisation > of feature X even if it is not used by the client, but this would not cause > problems. > My intention was to make things simple by limiting the focus. It is fine if you don't see any possibilities for potential nasty corner cases by allowing this. I just wanted to be on the safe side. 3: clients don't directly send SYNs to server when they need converter. (no > transparent mode) > By limiting the focus, I thought we can avoid having lengthy discussions > on nasty corner cases. > > We can discuss more complex architecture in future versions after we see > this idea works well > > > My objective is to simplify the draft. If you think that some parts > correspond to a kind of transparent mode, let me know and I will update > them. > As I wrote in the response to Med, I personally think one text could be updated to avoid confusion. > >> >> 3: I am not sure how TLS works when converter does mptcp conversions. >> >> When a client have multiple subflows to a mptcp converter and use >> TLS for all subflows, can we establish an end-to-end TLS session between >> the client and the server? >> >> >> >> [Med] Establishing an e2e TLS connection in the presence of a converter >> is similar to establishing such session in the presence of CGNs. This is >> already captured in the draft: >> >> >> >> Similar to address sharing mechanisms, the architecture does not >> >> interfere with end-to-end TLS connections [RFC8446 <https://tools.ietf.org/html/rfc8446>] between the >> >> Client and the Server (Figure 3). >> >> >> >> Do you see a specific problem? >> > > Please let me explain a bit more and point it out if I miss something. > > In case of mptcp converter, I think the connection will be like the below. > > 1: client and converter establishes a mptcp session and it has multiple > subflows. (say, subflows are s1, s2, .. s5) > 2: converter and server establish a single tcp connection. (say r1) > > Now, if all s1 from s5 use TLS for their connections and we want to use > TLS for r1 as well, I think the converter will need to decrypt the payloads > in s1 .. s5 and encrypt them for r1. > But, this will mean that TLS session is separated by the converter. > > > The converter does not process any bytestream, it only relays the > bytestream from the upstream connection to the downstream one and vice > versa. Once the convert TLVs have been exchanged at the beginning of the > bytestream, all data sent by the client is relayed to the server and vice > versa. SOCKS operates this way as well, expect that it is more chatty and > uses several round-trip-times > Although mptcp converter might be a special case for the converter, I am thinking if the number of subflows in a mptcp session is more than 1, simply relaying would not work with TLS. Please point it out if I overlook something. Thanks, -- Yoshi
- [tcpm] Updated version of draft-ietf-tcpm-convert… Olivier Bonaventure
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Olivier Bonaventure
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Olivier Bonaventure
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Scharf, Michael
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Scharf, Michael
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Scharf, Michael
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Scharf, Michael
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… Yoshifumi Nishida
- Re: [tcpm] Updated version of draft-ietf-tcpm-con… mohamed.boucadair