RE: statement regarding keepalives

"Black, David" <David.Black@dell.com> Fri, 13 July 2018 14:37 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tsv-area@ietfa.amsl.com
Delivered-To: tsv-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 598E3130E75 for <tsv-area@ietfa.amsl.com>; Fri, 13 Jul 2018 07:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=Y7Kl5t7T; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=DileOI9R
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rEiG33wY9Hfx for <tsv-area@ietfa.amsl.com>; Fri, 13 Jul 2018 07:37:35 -0700 (PDT)
Received: from esa5.dell-outbound.iphmx.com (esa5.dell-outbound.iphmx.com [68.232.153.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A15A1130E9D for <tsv-area@ietf.org>; Fri, 13 Jul 2018 07:37:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1531492120; x=1563028120; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=1UpTbOwAkoWntxxqzDzTPAN30HZbh37a4JuLwdt9HiI=; b=Y7Kl5t7TZBVwy+xt63ryYYAG/EAqxo1xoGe2BeHtdCXoCklngBsBcRB7 Yrgt9suqT3qxou7aKlX/ivITzB2tor8ycmCquT84miRnEvn/5dJ5UF5xk 16vVZC6aHjTgAFEMBzvxsjjDY4nrJ8PRNkJUfUeO5kA33eHhoJP+Cgib6 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2EOBQD9uEhbh8mZ6ERcHAEBAQQBAQoBA?= =?us-ascii?q?YJ1gTd/KAqDcZQ8ggyDOJIAFIErOwsjC4Q+AheCOSE1FwECAQECAQECAQECEAE?= =?us-ascii?q?BAQoLCQgpIwyCNSIRSy8IMwEBAQEBAQEBAQEBAQEBAQEBARcCQwESAQEYAQEBA?= =?us-ascii?q?QMjEQwfBhULBAIBCA4DBAEBAQICBh0DAgICMBQBCAgCBAESCIMYAYF/AQ6pO4E?= =?us-ascii?q?ugniHPQMFgQuHd4FYPoERgxGDGQKBKCIYFYJqMYIkmV4DBAIChgiCZJQeijmHN?= =?us-ascii?q?AIEAgQFAhSBQgGCCXCDOYIzg06FFIU+b4sbgRoBAQ?=
X-IPAS-Result: =?us-ascii?q?A2EOBQD9uEhbh8mZ6ERcHAEBAQQBAQoBAYJ1gTd/KAqDcZQ?= =?us-ascii?q?8ggyDOJIAFIErOwsjC4Q+AheCOSE1FwECAQECAQECAQECEAEBAQoLCQgpIwyCN?= =?us-ascii?q?SIRSy8IMwEBAQEBAQEBAQEBAQEBAQEBARcCQwESAQEYAQEBAQMjEQwfBhULBAI?= =?us-ascii?q?BCA4DBAEBAQICBh0DAgICMBQBCAgCBAESCIMYAYF/AQ6pO4EugniHPQMFgQuHd?= =?us-ascii?q?4FYPoERgxGDGQKBKCIYFYJqMYIkmV4DBAIChgiCZJQeijmHNAIEAgQFAhSBQgG?= =?us-ascii?q?CCXCDOYIzg06FFIU+b4sbgRoBAQ?=
Received: from esa1.dell-outbound2.iphmx.com ([68.232.153.201]) by esa5.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jul 2018 09:28:30 -0500
From: "Black, David" <David.Black@dell.com>
Received: from mailuogwdur.emc.com ([128.221.224.79]) by esa1.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Jul 2018 20:34:43 +0600
Received: from maildlpprd53.lss.emc.com (maildlpprd53.lss.emc.com [10.106.48.157]) by mailuogwprd51.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w6DEbFIl010544 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 13 Jul 2018 10:37:16 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com w6DEbFIl010544
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1531492637; bh=K8qw5zsKe856GCpEW/7mUVyTXcM=; h=From:To:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=DileOI9RwxBcFxQ55L14KBae0+KI5WW/BmnP5hwHy3Sv5keA1EjpEF5dXXAtqe1Bm St37b3BYQF7fQ+/xtu6FWiFZNKQ0e2w8X3ZJZ+F9G4W/JZq25tNUv+Z2wQNbDptw7C cok9M4MaVEc+L05Engb7lNcB1k5oaGdRtqkoCqL0=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com w6DEbFIl010544
Received: from mailusrhubprd04.lss.emc.com (mailusrhubprd04.lss.emc.com [10.253.24.22]) by maildlpprd53.lss.emc.com (RSA Interceptor); Fri, 13 Jul 2018 10:37:01 -0400
Received: from MXHUB306.corp.emc.com (MXHUB306.corp.emc.com [10.146.3.32]) by mailusrhubprd04.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id w6DEb3VO009902 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Fri, 13 Jul 2018 10:37:04 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB306.corp.emc.com ([10.146.3.32]) with mapi id 14.03.0399.000; Fri, 13 Jul 2018 10:37:02 -0400
To: Wesley Eddy <wes@mti-systems.com>, "tsv-area@ietf.org" <tsv-area@ietf.org>
Subject: RE: statement regarding keepalives
Thread-Topic: statement regarding keepalives
Thread-Index: AQHUGkG/LZoJEIu3uky/qk612ULG36SMmcEAgACfNMA=
Date: Fri, 13 Jul 2018 14:37:02 +0000
Message-ID: <CE03DB3D7B45C245BCA0D24327794936301D252B@MX307CL04.corp.emc.com>
References: <D3326DE0-3F31-4045-B945-82B3F417BE4B@juniper.net> <4f7e0b1c-79d5-bd22-4c02-c066cc7cfa03@mti-systems.com>
In-Reply-To: <4f7e0b1c-79d5-bd22-4c02-c066cc7cfa03@mti-systems.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.21.34]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd04.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-area/HLCARo1tYcwwTkh_TSassKLpcbc>
X-BeenThere: tsv-area@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Transport and Services Area Mailing List <tsv-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-area/>
List-Post: <mailto:tsv-area@ietf.org>
List-Help: <mailto:tsv-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 14:37:38 -0000

+1 on Wes's comments, especially that "layers of functionality" is better than "aliveness" ;-).

Thanks, --David

> -----Original Message-----
> From: tsv-area [mailto:tsv-area-bounces@ietf.org] On Behalf Of Wesley
> Eddy
> Sent: Thursday, July 12, 2018 9:06 PM
> To: tsv-area@ietf.org
> Subject: Re: statement regarding keepalives
> 
> Hi Kent, I agree with the spirit of the statement / guidance you've drafted.
> 
> You might want to tweak some of the wording, e.g. "test more aliveness"
> could be "test more layers of functionality" or something like that, but
> this is just a nit.
> 
> I think the footnote recommending short-lived connections should be more
> clear about why that's the recommendation.  What is the risk/danger/etc
> of longer-lived connections.  That recommendation seems a bit naked as
> currently described, and actually should probably be more than just a
> footnote.
> 
> 
> 
> On 7/12/2018 8:37 PM, Kent Watsen wrote:
> > Dear TSVAREA,
> >
> > The folks working with the BBF asked the NETMOD WG to consider
> modifying draft-ietf-netconf-netconf-client-server to support TCP keepalives
> [1].  However, it is unclear what IETF's position is on the use of keepalives,
> especially with regards to keepalives provided in protocol stacks (e.g.,
> <some-app> over HTTP over TLS over TCP).
> >
> > After some discussion with Transport ADs (Spencer and Mijra) and the TLS
> ADs (Eric and Ben), the following draft statement has been crafted.  Spencer
> and Mijra have requested TSVAREA critique it before, perhaps, developing a
> consensus document around it in TSVWG.
> >
> > It would be greatly appreciated if folks here could review and provide
> comments on the draft statement below.  The scope of the statement can
> be increased or reduced as deemed appropriate.
> >
> > [1]
> https://mailarchive.ietf.org/arch/msg/netconf/MOzcZKp2rSxPVMTGdmmrVI
> nwx2M
> >
> > Thanks,
> > Kent (and Mahesh) // NETCONF chairs
> >
> >
> > ===== STATEMENT =====
> >
> > When the initiator of a networking session needs to maintain a persistent
> connection [1], it is necessary for it to periodically test the aliveness of the
> remote peer.  In such cases, it is RECOMMENDED that the aliveness check
> happens at the highest protocol layer possible that is most meaningful to the
> application, to maximize the depth of the aliveness check.
> >
> > E.g., for an HTTPS connection to a simple webserver, HTTP-level keepalives
> would test more aliveness than TLS-level keepalives.  However, for a
> webserver that is accessed via a load-balancer that terminates TLS
> connections, TLS-level aliveness checks may be the most meaningful check
> that could be performed.
> >
> > In order to ensure aliveness checks can always occur at the highest protocol
> layer, it is RECOMMENDED that protocol designers always include an
> aliveness check mechanism in the protocol and, for client/server protocols,
> that the aliveness check can be initiated from either peer, as sometimes the
> "server" is the initiator of the underlying networking connection (e.g., RFC
> 8071).
> >
> > Some protocol stacks have a secure transport protocol layer (e.g., TLS, SSH,
> DTLS) that sits on top of a cleartext protocol layer (e.g., TCP, UDP).  In such
> cases, it is RECOMMENDED that the aliveness check occurs within protection
> envelope afforded by the secure transport protocol layer.  In such cases, the
> aliveness checks SHOULD NOT occur via the cleartext protocol layer, as an
> adversary can block aliveness check messages in either direction and send
> fake aliveness check messages in either direction.
> >
> > [1] While reasons may vary for why the initiator of a networking session
> feels compelled to maintain a persistent connection.  If the session is
> primarily quiet, and the use case can cope with the additional latency of
> starting a new connection, it is RECOMMENDED to use short-lived
> connections, instead of maintaining a long-lived persistent connection using
> aliveness checks.
> >
> >