IETF Logo Mail Archive

Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05

Olivier Bonaventure <olivier.bonaventure@tessares.net> Fri, 22 February 2019 10:43 UTC

Return-Path: <olivier.bonaventure@tessares.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD07F1277CC for <tcpm@ietfa.amsl.com>; Fri, 22 Feb 2019 02:43:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.178
X-Spam-Level:
X-Spam-Status: No, score=-1.178 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tessares-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FmCruyKnHVOj for <tcpm@ietfa.amsl.com>; Fri, 22 Feb 2019 02:42:59 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF673124BF6 for <tcpm@ietf.org>; Fri, 22 Feb 2019 02:42:58 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id e74so1498241wmg.3 for <tcpm@ietf.org>; Fri, 22 Feb 2019 02:42:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tessares-net.20150623.gappssmtp.com; s=20150623; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to:content-transfer-encoding; bh=a3dev++QJX8LNVP7oTlYRy8wV/pe8/mmmmYbpqAl7z0=; b=zx90R3nsttjfza3kdarmCIhTmM77bkVzUE4gXvfnhzvElmKPnuy68mdpqGd2hA57Fp fTyF2VeUIhnLl+haXewgcTx9FBLUc45ZBjbiJfvKJeYVgC5ljl92OvQxLZ6oJsxDqKKr Xj3W34IEYkfi4rnX5ifscOWU3AVCEcEw3ONZGiOcUROO0VnqvrmLewHlPKRhmmf9ocJ5 xaIOr/T9H77bAgxlSz6k1y5dU4XwUqFvAik6EWpxF1VIkCsSLRVNkAegxowd0xEHvigv c55hK9R/3jt4NyeMyJm4uux/NnRtiJDtpmXo7yk3VpxF0hFAIX/aaAMxEtY8YMulh+pU DN4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to:content-transfer-encoding; bh=a3dev++QJX8LNVP7oTlYRy8wV/pe8/mmmmYbpqAl7z0=; b=D9ACDDu4+j5QvvKPtuD4YNXEQpjM8y3Dn19ZeN7HV1bsBp4rEK9Vu8jg2XtedKOUg2 jOh1TKSq4UntY1urSeyvHSgc5YSt+o1uhmPKSQP/1Natkc7G0Gj0GLaqcwMLrvEVg6qU MEge9CYcr4NwWy80cMEUWFZ6FI81BNiEPhaEi7SUPJCN4BCRn7JX2A+aGh4bHRGmJAGZ avG2AiIqsCXKbf6MWUpj5xzg7IK1pR81GqPXDfRg2pjFvQWTI/IkiaRPbzMT5OCh6YwS gJ1UgPMwJDHmEmg2tXKYF/AMt5Uq5EXY+e5TdhW4/bZZsv6HwLK/qZ0Ib8+hi05hjNY0 PxcQ==
X-Gm-Message-State: AHQUAuYXrSwKINpJzSEkxrOIeYK5WfC2PvwIJBdiJNLYWXk2Y2jnks6N obt5cL8DXm0KvtZyQMUI+2CXm8quORbGslhr0i0rRvxru0Xr1Tq7eeZGCAmEuK+tVvUpEmvG
X-Google-Smtp-Source: AHgI3IYAnPfKZ4wYIamH6aGAwfqbIpPjjyvV5XV7Bpy4N7tHuWbPehYI/vTJTmxcDgZo66jF26/QWA==
X-Received: by 2002:a7b:c214:: with SMTP id x20mr1952962wmi.62.1550832176830; Fri, 22 Feb 2019 02:42:56 -0800 (PST)
Received: from [10.44.66.8] (hag0-main.tessares.net. [87.98.252.165]) by smtp.gmail.com with ESMTPSA id w10sm943386wru.5.2019.02.22.02.42.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Feb 2019 02:42:55 -0800 (PST)
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
X-Apple-Auto-Saved: 1
X-Apple-Mail-Remote-Attachments: NO
From: Olivier Bonaventure <olivier.bonaventure@tessares.net>
X-Apple-Base-Url: x-msg://96/
In-Reply-To: <CAO249ycs3grfmcaVJem-swoAWMAU_boOc5csY-ZjWn5S8m0F5w@mail.gmail.com>
X-Apple-Windows-Friendly: 1
Date: Fri, 22 Feb 2019 10:37:13 +0100
Cc: mohamed.boucadair@orange.com, "tcpm@ietf.org" <tcpm@ietf.org>
X-Apple-Mail-Signature: SKIP_SIGNATURE
Message-Id: <C22A52DE-6666-44CF-B2F0-8BBA8A4D056F@tessares.net>
References: <9DD59801-36CE-407E-98F0-0BB1AAD514A7@tessares.net> <CAO249yc-eHAnOR7XfemQyJB+UVjmdtt43oZs+xJa=inZBBgp2w@mail.gmail.com> <787AE7BB302AE849A7480A190F8B93302EA2273F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <CAO249ycs3grfmcaVJem-swoAWMAU_boOc5csY-ZjWn5S8m0F5w@mail.gmail.com>
X-Uniform-Type-Identifier: com.apple.mail-draft
To: Yoshifumi Nishida <nishida@sfc.wide.ad.jp>
X-Mailer: Apple Mail (2.3445.102.3)
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/qVKxLbU-npQecoTNDsyMb5P6Zyc>
Subject: Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 10:43:02 -0000

Yoshi,


I just thought that it might be good if we can be a bit more specific about what is not trying to solve.
For example, in my understanding, these are not supported in this draft. (BTW, I think this is good thing.)
1: servers do not initiate connection to converters

I’m fine to discuss the support for connections initiated by servers in another document. This would make the current draft simpler and I’m not aware of plans to support this feature currently.

2: don't support "server has feature X, but client doesn't" cases 

I think that this should be left to implementations. Converters will have local policies/heuristics to decide which options they will place in the SYN that they send to server. These policies might enable the utilisation of feature X even if it is not used by the client, but this would not cause problems.

3: clients don't directly send SYNs to server when they need converter. (no transparent mode)
By limiting the focus, I thought we can avoid having lengthy discussions on nasty corner cases.
We can discuss more complex architecture in future versions after we see this idea works well

My objective is to simplify the draft. If you think that some parts correspond to a kind of transparent mode, let me know and I will update them.


 

3: I am not sure how TLS works when converter does mptcp conversions.

    When a client have multiple subflows to a mptcp converter and use TLS for all subflows, can we establish an end-to-end TLS session between the client and the server?

 

[Med] Establishing an e2e TLS connection in the presence of a converter is similar to establishing such session in the presence of CGNs. This is already captured in the draft:

 

   Similar to address sharing mechanisms, the architecture does not
   interfere with end-to-end TLS connections [https://tools.ietf.org/html/rfc8446" title='"The Transport Layer Security (TLS) Protocol Version 1.3"' target="_blank" class="" rel="nofollow">RFC8446] between the
   Client and the Server (Figure 3).

 

Do you see a specific problem?


Please let me explain a bit more and point it out if I miss something.

In case of mptcp converter, I think the connection will be like the below.

1: client and converter establishes a mptcp session and it has multiple subflows. (say, subflows are s1, s2, .. s5)
2: converter and server establish a single tcp connection.  (say r1)

Now, if all s1 from s5 use TLS for their connections and we want to use TLS for r1 as well, I think the converter will need to decrypt the payloads in s1 .. s5 and encrypt them for r1. 
But, this will mean that TLS session is separated by the converter. 

The converter does not process any bytestream, it only relays the bytestream from the upstream connection to the downstream one and vice versa. Once the convert TLVs have been exchanged at the beginning of the bytestream, all data sent by the client is relayed to the server and vice versa. SOCKS operates this way as well, expect that it is more chatty and uses several round-trip-times  

Olivier

v2.23.0 | Report a Bug | By Email