Re: [tcpm] New ID available: TCP Option for Transparent Middlebox Discovery
"Mahdavi, Jamshid" <jamshid.mahdavi@bluecoat.com> Fri, 14 August 2009 16:14 UTC
Return-Path: <jamshid.mahdavi@bluecoat.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45F843A6D50 for <tcpm@core3.amsl.com>; Fri, 14 Aug 2009 09:14:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCKhdhiEBS7U for <tcpm@core3.amsl.com>; Fri, 14 Aug 2009 09:14:14 -0700 (PDT)
Received: from whisker.bluecoat.com (whisker.bluecoat.com [216.52.23.28]) by core3.amsl.com (Postfix) with ESMTP id 265FB3A6D37 for <tcpm@ietf.org>; Fri, 14 Aug 2009 09:14:14 -0700 (PDT)
Received: from bcs-mail04.internal.cacheflow.com (bcsmail04.internal.cacheflow.com [10.2.2.56] (may be forged)) by whisker.bluecoat.com (8.14.2/8.14.2) with ESMTP id n7EGEH68011153; Fri, 14 Aug 2009 09:14:18 -0700 (PDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CA1CFA.2583D034"
Date: Fri, 14 Aug 2009 09:13:22 -0700
Message-ID: <B0D803D04AA2F54A8227E1B606344ED90225587A@bcs-mail04.internal.cacheflow.com>
In-Reply-To: <4A84990C.9080002@bluecoat.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] New ID available: TCP Option for Transparent Middlebox Discovery
Thread-Index: AcocaKlmhggx7SJERnC98HqwicIOHgAjzGQg
References: <4A775C60.7030204@bluecoat.com> <4A8460BE.1060105@bluecoat.com> <C304DB494AC0C04C87C6A6E2FF5603DB476E50BAD9@NDJSSCC01.ndc.nasa.gov> <4A847050.7080007@bluecoat.com> <C304DB494AC0C04C87C6A6E2FF5603DB476E50BB5D@NDJSSCC01.ndc.nasa.gov> <4A84990C.9080002@bluecoat.com>
From: "Mahdavi, Jamshid" <jamshid.mahdavi@bluecoat.com>
To: "Knutsen, Andrew" <andrew.knutsen@bluecoat.com>, "Eddy, Wesley M. (GRC-MS00)[Verizon]" <wesley.m.eddy@nasa.gov>
Cc: "Frederick, Ron" <ron.frederick@bluecoat.com>, "Li, Qing" <qing.li@bluecoat.com>, tcpm@ietf.org, "Yeh, Wei Jen" <weijen.yeh@bluecoat.com>
Subject: Re: [tcpm] New ID available: TCP Option for Transparent Middlebox Discovery
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2009 16:14:16 -0000
I'd like to add one thing to Andrew's last point regarding interoperability. We tried to design the option specification to allow for companies with proprietary protocols to do discovery via the OUI ("Private") mechanism. In this case the expectation is that the option is largely used in a "Private" fashion -- in our case, one Blue Coat device finding another Blue Coat device. For cases where there is a desire for real interoperability between multiple products from different vendors and/or open source packages, our hope is that such applications would define a non-private "device type" and have this allocated by IANA. A suitable RFC would have to be provided specifying how discovery for that device type is supposed to work and that is really where things would open up for anyone to be able to use this option in an interoperable fashion. I can try to give one hypothetical example of what this might look like. In HTTP, browsers provide slightly different formatting for the URL depending on whether they are using a proxy or speaking directly to a server. When companies write transparent HTTP proxies, they must deal with the server format of the URL. One could imagine a transparent middlebox discovery option defined for the purpose of discovering transparent HTTP proxies. If present, the application (the web browser) could adjust the HTTP header to be more suitable for an HTTP proxy. This is somewhat of a contrived example since no one really needs this today, but we've defined the option formatting to allow for standardization of such mechanisms that would allow applications to discover and cooperate with middleboxes in the path (if they are present and if they are interested in such cooperation). --J ________________________________ From: Knutsen, Andrew Sent: Thursday, August 13, 2009 3:52 PM To: Eddy, Wesley M. (GRC-MS00)[Verizon] Cc: tcpm@ietf.org; Mahdavi, Jamshid; Frederick, Ron; Li, Qing; Yeh, Wei Jen Subject: Re: [tcpm] New ID available: TCP Option for Transparent Middlebox Discovery I'll put my responses inline this time... Eddy, Wesley M. (GRC-MS00)[Verizon] wrote: Ok; just a couple easy follow-up questions: -----Original Message----- From: Andrew Knutsen [mailto:andrew.knutsen@bluecoat.com] Sent: Thursday, August 13, 2009 3:58 PM To answer your fundamental question, yes this is existing technology, implemented by at least three companies for several years. You can check our website (www.bluecoat.com) for one example. This assignment will not change the basic operation of these WAN Optimization products. Ok; so what option number do they use? Do they all use the same one, or does each company pick its own? How was the option format arrived at (is it just Bluecoat's or do all the vendors use their own variation)? I guess that's all just background information that's needed to put the effort in context. We use one of the "experimental" numbers, 0xFD. Cisco uses 0x21, and Riverbed uses both 0x4C and 0x4E. You can draw your own conclusions on how they were picked ;-). Although this info can be easily "sniffed", its probably not appropriate to put it in the draft. In fact, I'm not making any promises or representations about BlueCoats, or anyone else's, use or non-use of any of these or any other numbers in the future or the past. I hope that keeps the lawyers happy. "Transparent detection" refers to the fact that there is no explicit detection protocol; instead the detection is piggybacked on the TCP connection transaction, which goes through to the OCS (as we say; Original Content Server, the host explicitly addresses by the SYN packet) if the connection is not intercepted. Again, this is existing multivendor practice, used for the reasons mentioned in the draft. Ah; so there's terminology confusion between calling a middlebox transparent (meaning without end-application/transport knowledge) and calling the detection transparent (meaning no extra packets sent). I guess it would be more clear as "in-band detection"? Well, our implementation is transparent in both ways.. although another vendor uses a slightly different transparent exchange, where extra packets are sent if a peer is detected. The current proposal could be used for many of these mechanisms. "In-band" doesn't really imply that the connection works if the middlebox is not present, does it? The word "transparent" is used fairly widely in the sense of no explicit configuration, although it can also refer to use of the same addresses on a tunnel connection as on the client and server connections (see below). Also, the "no extra packets" isn't a common use of the word, although one might consider it "transparent in time" ;-). Its just a real-world requirement. The "R" bit is to detect hosts which misbehave, and reflect options back to the sender. This does happen. Ick! That makes sense, but it should be explicitly stated in the discussion of the R-bit if that's its full reason for existing, rather than only mentioned in passing in the interoperability issues section. We felt that it is an interoperability issue, and discussing it earlier would detract from the discussion of the primary purpose. Simultaneous opens have never been an issue because this is client/server technology. We can make this explicit. It seems reasonable to do so. Will do. We can add some information to section 7 if desired, but middleboxes typically run proprietary operating systems and thus the APIs are not standard... Right, but (correct this if I'm wrong ...) you have to also modify the TCP and application on the endpoints that initiate communications, right? Or will this only be intended for middlebox-to-middlebox? I'm still trying to understand what an application does now that it knows something about the middlebox(es), what changes about its behavior? Our use for this, which I think is the most common, if not the only use at present, is to set up "tunnels" as described in section 1. Since this draft is not a protocol spec, we didn't add detail about how these work. However for the purpose of this discussion: There are usually four "boxes" involved when a tunnel (as described here) is used: the client and the server, which don't know anything about this option, and two middleboxes, which we may call the "edge" (near the client) and the "core" (near the server). However, it is possible for the edge function to be implemented in the client box. It is also possible to have multiple tunnels along a path, so one box is both edge and core. Server and core are less likely to be combined because that would add load to the server. Both the client and the edge can use either explicit or transparent connection methods. The simplest, and currently most common, use of this option is transparent detection of the core by the edge (ie to see if the server is fronted by a core box), for the purpose of setting up a tunnel between two middleboxes. Note that there are other kinds of "tunnels" which are really more like relays, in that there is only one middebox. There are also tunnels where transparency is not appropriate, such as VPN tunnels. The tunnels I'm talking about are most often used for compression (aka WAN Optimization). I could add a lot of pictures to this, but at this level they're just series of boxes with lines between them ;-). Again, we didn't feel this level of background was appropriate for the draft, partly because we don't want to prejudice any future efforts towards protocol-level interoperability in this area, and partly for legal reasons (I haven't compromised myself here, I don't think, but if I went into more detail I might). However perhaps we could add a sentence saying "tunnels", as defined in the draft, are a primary use case. The draft is pretty good in explaining the format of the option itself, but doesn't really speak to how the knowledge the option conveys gets used productively. As the application-writer, now that a know company X's gizmo 123 is in my path, how does that affect me versus not knowing it, or knowing that company Y's doohickey 456 is on the path? In order to request interception by company X, you'd want to find out how they registered their option (OUI or IANA), and what particular info they want in the option. Then you'd need to know what to do if they responded. Also, you wouldn't really need this if you knew what was in the path (you'd likely use an explicit arrangement). However, if you were writing a server-side app and looking at all the options received, you'd at least know to ignore this option. Or, if you were writing a network monitoring tool, you could keep track of interception requests and responses. If you were writing a firewall, you could do policy on it. Etc... Andrew And yes, WAN Optimization can be considered a layering violation, along with most other security and load-balancing middleboxes, but that won't make them go away... Fully understood and I don't disagree :). --------------------------- Wes Eddy Network & Systems Architect Verizon FNS / NASA GRC Office: (216) 433-6682 ---------------------------
- [tcpm] New ID available: TCP Option for Transpare… Andrew Knutsen
- Re: [tcpm] New ID available: TCP Option for Trans… Andrew Knutsen
- Re: [tcpm] New ID available: TCP Option for Trans… Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] New ID available: TCP Option for Trans… Andrew Knutsen
- Re: [tcpm] New ID available: TCP Option for Trans… Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] New ID available: TCP Option for Trans… Andrew Knutsen
- Re: [tcpm] New ID available: TCP Option for Trans… Mahdavi, Jamshid