IETF Logo Mail Archive

Re: [tcpm] I-D Action:draft-ietf-tcpm-persist-03.txt

"Anantha Ramaiah (ananth)" <ananth@cisco.com> Mon, 14 March 2011 22:26 UTC

Return-Path: <ananth@cisco.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A90DF3A6978 for <tcpm@core3.amsl.com>; Mon, 14 Mar 2011 15:26:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.641
X-Spam-Level:
X-Spam-Status: No, score=-11.641 tagged_above=-999 required=5 tests=[AWL=-1.042, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iv6kaJT5zFrT for <tcpm@core3.amsl.com>; Mon, 14 Mar 2011 15:26:43 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 028EC3A6944 for <tcpm@ietf.org>; Mon, 14 Mar 2011 15:26:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=ananth@cisco.com; l=7292; q=dns/txt; s=iport; t=1300141687; x=1301351287; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=tRYp4CZb+x+5MHqL1beh+An+TISO4ymm8Nv8WzZXT78=; b=lT828wHSspHOL6nqnhuVYQouz6XvYwrHUsYg9BM9Ocme2rwxb3u4O83U zKMOSYDEXA6OhExNZcpqcrCXQcUNn4+9/eL84wf5pB9bEBVHPSZRjyt9X A3orDGy/ZlPUnlKakmERyHric6cTRRUXQS8bIZnxXDZvlD0YzXvK5q+bD s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEANcyfk2tJXG+/2dsb2JhbACmDXekbZw4hWIEhSuKew
X-IronPort-AV: E=Sophos;i="4.62,319,1297036800"; d="scan'208";a="320223487"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by sj-iport-2.cisco.com with ESMTP; 14 Mar 2011 22:28:06 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by rcdn-core2-3.cisco.com (8.14.3/8.14.3) with ESMTP id p2EMRjnZ028461; Mon, 14 Mar 2011 22:28:06 GMT
Received: from xmb-sjc-21c.amer.cisco.com ([171.70.151.176]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 14 Mar 2011 15:28:03 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Mar 2011 15:28:02 -0700
Message-ID: <0C53DCFB700D144284A584F54711EC580C2CFB46@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <AANLkTi=TpRy8Q48KDGJfTyERKy_d5jPxr-DhkV5-Gmb-@mail.gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] I-D Action:draft-ietf-tcpm-persist-03.txt
Thread-Index: AcvijGJnzxgZe1y6QxyaVxd9U51TaQAAK3RA
References: <20110216164501.27490.96538.idtracker@localhost><0C53DCFB700D144284A584F54711EC580BE2DF4F@xmb-sjc-21c.amer.cisco.com><4D7E5329.1030202@mti-systems.com> <AANLkTi=TpRy8Q48KDGJfTyERKy_d5jPxr-DhkV5-Gmb-@mail.gmail.com>
From: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
To: John Heffner <johnwheffner@gmail.com>, Wesley Eddy <wes@mti-systems.com>
X-OriginalArrivalTime: 14 Mar 2011 22:28:03.0272 (UTC) FILETIME=[15229C80:01CBE297]
Cc: tcpm@ietf.org
Subject: Re: [tcpm] I-D Action:draft-ietf-tcpm-persist-03.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2011 22:26:45 -0000

John,

Firstly I am alarmed at the timing of your emails. For the last call comments which you provided (albeit late), in consultations with the chairs we incorporated all the LC comments received including yours(IOHO) and the next version was out. I had sent a note to the list (you were cc'ed and so as TCPM, you should have received at least 1 or 2 copies of the same email). Here is the link (for the sake of reference) :-

http://www.ietf.org/mail-archive/web/tcpm/current/msg06319.html

I did not see any comments to the above post. Now you have an email saying your comments have not been incorporated when the last call process commenced again. You may want to relax your filter rules esp. when you have commented on something and authors have taking the pain to incorporate them and waiting for a reply. (if you need more time, that's fine..) Only sounds as a fair practice to me.

Anyways, lets come to the point :-

You had made the following comments during the last call :

========================================
<BEGIN QUOTE>

First, apologies for missing the last call deadline.  But I'd like for the record to state that I don't believe the authors have addressed the substantive criticisms raised on the list.  I'm also not sure that consensus has been reached on this document, but that is for the working group chairs to decide.

To summarize my position in a single phrase, closing a TCP connection because it is in the persist state is a mistake.  And this document describes a mechanism to do exactly that.  If the language in RFC1122 needs to be clarified, the clarification should be that a connection may be aborted while in the persist state.  It should not be aborted
*because* it is in the persist state.

To be more specific, the majority of the doc describes a DoS attack by resource exhaustion; however, the persist condition is only a small subset of this class of resource exhaustion attacks.  Addressing only connections in the persist state ignores the rest of the problem.  The document does not address this very simple well-know attack:
<http://shlang.com/netkill/>.  This document also does not address connections where, for example, one byte of window is opened every 60 seconds, and how they might be prioritized relative to connections in the persist state.  Using the mechanism described in the document leaves a system completely vulnerable to resource exhaustion by such a slow-acking attacker.  As a developer, why would I choose to implement this?  Unless these simple variations are addressed, I think it's a waste of time.

Additionally, most implementations already provide an API for handling closing of sockets in FIN_WAIT or CLOSING states, with the SO_LINGER option.  I don't think this document makes a sufficient justification for why this existing mechanism is inadequate, or why the proposed API is necessary or sufficient.

Thanks,
  -John

<END QUOTE>
=========================================

Response to some of the claims you make above :-

C1 : "close connections because it is persist state". "it also doesn't say a connection may be aborted because it is in persist state". 

Response :- where in the document it is mentioned like you said above? We will be glad to correct it.

C2 : "majority of the document describes a DoS attack by resource exhaustion". 

Response: Can you explain why you feel so? 

C3:
" The document does not address this very simple well-know attack:
<http://shlang.com/netkill/>"

Response : It is not the purpose of the document to address attacks since the WG consensus was for clarification of RFC 1122 text. 

C4:

"handling closing of sockets in FIN_WAIT or CLOSING states, with the SO_LINGER option".

Response : SO_LINGER works only during connection close.  The API which is being illustrated in the document is not a proposal. It is the one which we used and we needed that API since it informs the resource manager about the connection that is not making any progress which in the current case is in persist state. Actually by mentioning the SO_LINGER etc., and explaining why it was inadequate simply implies that we are trying to propose a new API. This is not the case since we are simply adhering to the WG consensus of being "informational draft + clarification of persist condition".

Further..
<snip>

> For the record, none of my previous comments have not been addressed.
> At a minimum, I strongly suggest removing the last paragraph of
> Section 5:
> "In order to provide some level of robustness to DoS attacks, a TCP
>    implementation MAY provide a feedback regarding the persist
> condition
>    to the application if requested to do so or an application or other
>    resource manager can query the health of the TCP connection allowing
>    it to take the desired action.  All such techniques are in complete
>    compliance of TCP [RFC0793] and Requirements for Internet Hosts
>    [RFC1122]."
> and all of Appendix A.

Please note the "desired action" A desired action can mean nothing or it could be mean aborting a connection. It is up to the application or resource manager to decide what to do. There is no harm in the above sentence, in fact it only clarifies the current spirit of RFC 1122, IMO. Querying about a connection, taking action etc., are all normal, we are not suggesting anything implicit.  

Can you elaborate/send text?

Thanks,
-Anantha

> 
> Thanks,
>   -John
> 
> 
> On Mon, Mar 14, 2011 at 1:40 PM, Wesley Eddy <wes@mti-systems.com>
> wrote:
> > On 2/16/2011 1:31 PM, Anantha Ramaiah (ananth) wrote:
> >>
> >> Greetings,
> >>      This new version posted addresses the concerns raised during
> the
> >> last call. It also contains the idnits changes suggested by Fernando
> and
> >> Lars. Special thanks goes to Wes for going through the draft and
> >> providing some useful text which primarily aims at addressing the
> >> concerns raised during the LC. If folks in the to list can review
> the
> >> new version and check if this version addresses the issues raised by
> >> them, and provide feedback to the list, it would be great.
> >
> >
> > I haven't seen responses to this, but as the document shepherd, it
> looks to
> > me like the comments have been incorporated to good extent.  This
> note is
> > just to be explicit about the process being followed.  David is
> planning to
> > make a review of it this week, and our plan is that if he agrees with
> that
> > assessment, we'll forward the request for publication to the IESG.
> >
> >
> > --
> > Wes Eddy
> > MTI Systems
> > _______________________________________________
> > tcpm mailing list
> > tcpm@ietf.org
> > https://www.ietf.org/mailman/listinfo/tcpm
> >
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.46.0 | Report a Bug | By Email | System Status