RE: statement regarding keepalives
"Black, David" <David.Black@dell.com> Fri, 13 July 2018 14:37 UTC
Return-Path: <David.Black@dell.com>
X-Original-To: tsv-area@ietfa.amsl.com
Delivered-To: tsv-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 598E3130E75 for <tsv-area@ietfa.amsl.com>; Fri, 13 Jul 2018 07:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=Y7Kl5t7T; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=DileOI9R
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rEiG33wY9Hfx for <tsv-area@ietfa.amsl.com>; Fri, 13 Jul 2018 07:37:35 -0700 (PDT)
Received: from esa5.dell-outbound.iphmx.com (esa5.dell-outbound.iphmx.com [68.232.153.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A15A1130E9D for <tsv-area@ietf.org>; Fri, 13 Jul 2018 07:37:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1531492120; x=1563028120; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=1UpTbOwAkoWntxxqzDzTPAN30HZbh37a4JuLwdt9HiI=; b=Y7Kl5t7TZBVwy+xt63ryYYAG/EAqxo1xoGe2BeHtdCXoCklngBsBcRB7 Yrgt9suqT3qxou7aKlX/ivITzB2tor8ycmCquT84miRnEvn/5dJ5UF5xk 16vVZC6aHjTgAFEMBzvxsjjDY4nrJ8PRNkJUfUeO5kA33eHhoJP+Cgib6 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2EOBQD9uEhbh8mZ6ERcHAEBAQQBAQoBAYJ1gTd/KAqDcZQ8ggyDOJIAFIErOwsjC4Q+AheCOSE1FwECAQECAQECAQECEAEBAQoLCQgpIwyCNSIRSy8IMwEBAQEBAQEBAQEBAQEBAQEBARcCQwESAQEYAQEBAQMjEQwfBhULBAIBCA4DBAEBAQICBh0DAgICMBQBCAgCBAESCIMYAYF/AQ6pO4EugniHPQMFgQuHd4FYPoERgxGDGQKBKCIYFYJqMYIkmV4DBAIChgiCZJQeijmHNAIEAgQFAhSBQgGCCXCDOYIzg06FFIU+b4sbgRoBAQ
X-IPAS-Result: A2EOBQD9uEhbh8mZ6ERcHAEBAQQBAQoBAYJ1gTd/KAqDcZQ8ggyDOJIAFIErOwsjC4Q+AheCOSE1FwECAQECAQECAQECEAEBAQoLCQgpIwyCNSIRSy8IMwEBAQEBAQEBAQEBAQEBAQEBARcCQwESAQEYAQEBAQMjEQwfBhULBAIBCA4DBAEBAQICBh0DAgICMBQBCAgCBAESCIMYAYF/AQ6pO4EugniHPQMFgQuHd4FYPoERgxGDGQKBKCIYFYJqMYIkmV4DBAIChgiCZJQeijmHNAIEAgQFAhSBQgGCCXCDOYIzg06FFIU+b4sbgRoBAQ
Received: from esa1.dell-outbound2.iphmx.com ([68.232.153.201]) by esa5.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jul 2018 09:28:30 -0500
From: "Black, David" <David.Black@dell.com>
Received: from mailuogwdur.emc.com ([128.221.224.79]) by esa1.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jul 2018 20:34:43 +0600
Received: from maildlpprd53.lss.emc.com (maildlpprd53.lss.emc.com [10.106.48.157]) by mailuogwprd51.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w6DEbFIl010544 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 13 Jul 2018 10:37:16 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com w6DEbFIl010544
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1531492637; bh=K8qw5zsKe856GCpEW/7mUVyTXcM=; h=From:To:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=DileOI9RwxBcFxQ55L14KBae0+KI5WW/BmnP5hwHy3Sv5keA1EjpEF5dXXAtqe1Bm St37b3BYQF7fQ+/xtu6FWiFZNKQ0e2w8X3ZJZ+F9G4W/JZq25tNUv+Z2wQNbDptw7C cok9M4MaVEc+L05Engb7lNcB1k5oaGdRtqkoCqL0=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com w6DEbFIl010544
Received: from mailusrhubprd04.lss.emc.com (mailusrhubprd04.lss.emc.com [10.253.24.22]) by maildlpprd53.lss.emc.com (RSA Interceptor); Fri, 13 Jul 2018 10:37:01 -0400
Received: from MXHUB306.corp.emc.com (MXHUB306.corp.emc.com [10.146.3.32]) by mailusrhubprd04.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w6DEb3VO009902 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Fri, 13 Jul 2018 10:37:04 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB306.corp.emc.com ([10.146.3.32]) with mapi id 14.03.0399.000; Fri, 13 Jul 2018 10:37:02 -0400
To: Wesley Eddy <wes@mti-systems.com>, "tsv-area@ietf.org" <tsv-area@ietf.org>
Subject: RE: statement regarding keepalives
Thread-Topic: statement regarding keepalives
Thread-Index: AQHUGkG/LZoJEIu3uky/qk612ULG36SMmcEAgACfNMA=
Date: Fri, 13 Jul 2018 14:37:02 +0000
Message-ID: <CE03DB3D7B45C245BCA0D24327794936301D252B@MX307CL04.corp.emc.com>
References: <D3326DE0-3F31-4045-B945-82B3F417BE4B@juniper.net> <4f7e0b1c-79d5-bd22-4c02-c066cc7cfa03@mti-systems.com>
In-Reply-To: <4f7e0b1c-79d5-bd22-4c02-c066cc7cfa03@mti-systems.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.21.34]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd04.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-area/HLCARo1tYcwwTkh_TSassKLpcbc>
X-BeenThere: tsv-area@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Transport and Services Area Mailing List <tsv-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-area/>
List-Post: <mailto:tsv-area@ietf.org>
List-Help: <mailto:tsv-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 14:37:38 -0000
+1 on Wes's comments, especially that "layers of functionality" is better than "aliveness" ;-). Thanks, --David > -----Original Message----- > From: tsv-area [mailto:tsv-area-bounces@ietf.org] On Behalf Of Wesley > Eddy > Sent: Thursday, July 12, 2018 9:06 PM > To: tsv-area@ietf.org > Subject: Re: statement regarding keepalives > > Hi Kent, I agree with the spirit of the statement / guidance you've drafted. > > You might want to tweak some of the wording, e.g. "test more aliveness" > could be "test more layers of functionality" or something like that, but > this is just a nit. > > I think the footnote recommending short-lived connections should be more > clear about why that's the recommendation. What is the risk/danger/etc > of longer-lived connections. That recommendation seems a bit naked as > currently described, and actually should probably be more than just a > footnote. > > > > On 7/12/2018 8:37 PM, Kent Watsen wrote: > > Dear TSVAREA, > > > > The folks working with the BBF asked the NETMOD WG to consider > modifying draft-ietf-netconf-netconf-client-server to support TCP keepalives > [1]. However, it is unclear what IETF's position is on the use of keepalives, > especially with regards to keepalives provided in protocol stacks (e.g., > <some-app> over HTTP over TLS over TCP). > > > > After some discussion with Transport ADs (Spencer and Mijra) and the TLS > ADs (Eric and Ben), the following draft statement has been crafted. Spencer > and Mijra have requested TSVAREA critique it before, perhaps, developing a > consensus document around it in TSVWG. > > > > It would be greatly appreciated if folks here could review and provide > comments on the draft statement below. The scope of the statement can > be increased or reduced as deemed appropriate. > > > > [1] > https://mailarchive.ietf.org/arch/msg/netconf/MOzcZKp2rSxPVMTGdmmrVI > nwx2M > > > > Thanks, > > Kent (and Mahesh) // NETCONF chairs > > > > > > ===== STATEMENT ===== > > > > When the initiator of a networking session needs to maintain a persistent > connection [1], it is necessary for it to periodically test the aliveness of the > remote peer. In such cases, it is RECOMMENDED that the aliveness check > happens at the highest protocol layer possible that is most meaningful to the > application, to maximize the depth of the aliveness check. > > > > E.g., for an HTTPS connection to a simple webserver, HTTP-level keepalives > would test more aliveness than TLS-level keepalives. However, for a > webserver that is accessed via a load-balancer that terminates TLS > connections, TLS-level aliveness checks may be the most meaningful check > that could be performed. > > > > In order to ensure aliveness checks can always occur at the highest protocol > layer, it is RECOMMENDED that protocol designers always include an > aliveness check mechanism in the protocol and, for client/server protocols, > that the aliveness check can be initiated from either peer, as sometimes the > "server" is the initiator of the underlying networking connection (e.g., RFC > 8071). > > > > Some protocol stacks have a secure transport protocol layer (e.g., TLS, SSH, > DTLS) that sits on top of a cleartext protocol layer (e.g., TCP, UDP). In such > cases, it is RECOMMENDED that the aliveness check occurs within protection > envelope afforded by the secure transport protocol layer. In such cases, the > aliveness checks SHOULD NOT occur via the cleartext protocol layer, as an > adversary can block aliveness check messages in either direction and send > fake aliveness check messages in either direction. > > > > [1] While reasons may vary for why the initiator of a networking session > feels compelled to maintain a persistent connection. If the session is > primarily quiet, and the use case can cope with the additional latency of > starting a new connection, it is RECOMMENDED to use short-lived > connections, instead of maintaining a long-lived persistent connection using > aliveness checks. > > > >
- statement regarding keepalives Kent Watsen
- Re: statement regarding keepalives Wesley Eddy
- RE: statement regarding keepalives Black, David
- Re: statement regarding keepalives Spencer Dawkins at IETF
- Re: statement regarding keepalives Mikael Abrahamsson
- Re: statement regarding keepalives Spencer Dawkins at IETF
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Kent Watsen
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Kent Watsen
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Kent Watsen
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Kent Watsen
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Eggert, Lars
- Re: statement regarding keepalives Eggert, Lars
- Re: statement regarding keepalives Mikael Abrahamsson
- Re: statement regarding keepalives Olle E. Johansson
- Re: statement regarding keepalives Gorry Fairhurst
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Mikael Abrahamsson
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Benjamin Kaduk
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Benjamin Kaduk
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Joe Touch
- Re: statement regarding keepalives Tom Herbert
- Re: statement regarding keepalives Joe Touch