Re: statement regarding keepalives

Joe Touch <touch@strayalpha.com> Sat, 18 August 2018 01:07 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsv-area@ietfa.amsl.com
Delivered-To: tsv-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D4D5130F72; Fri, 17 Aug 2018 18:07:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjMa6rG5VdPP; Fri, 17 Aug 2018 18:07:01 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C1D6130F1F; Fri, 17 Aug 2018 18:07:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=HEuc1zrb8YIEXrL+NiPrXC+Jn/SD1BDEiEo65pAchB4=; b=2ds+A6JnYyeOiYbHgxEqr0eOZ f3X1rjAoYyeUES0VLm9dq28IV6YTqIGZXCnWCX173wXI62F+zBqwBBKjJywSB07krKydL9+Flhwix 6tNapnhclavS46u/gRoVpREWpYGh3TFUUxXoaS1pmrF9Yxmec5l036b59hZ4YmyUlLwQAcI3tsxtl DNWLsbtIGLHycgfiEuKH1mrPbQ1L0NjPNX+huMqzY7deqymED4yANvyHxNH+5uTRtXnk5lmLIWThh W1gEfTlZUMf/2uoPvrWgvYm+PF8osurTbkyBbn7AAK8r6k28Z1p45/YN27ngOGRzd9o1mFhznedMJ toiuPbjAw==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:53680 helo=[192.168.1.77]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <touch@strayalpha.com>) id 1fqphg-002w6t-QQ; Fri, 17 Aug 2018 21:06:57 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: statement regarding keepalives
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <CALx6S368GHyuinM-zReeET3DAxNvS0ooZEhhk6k2Aat=U5jL9w@mail.gmail.com>
Date: Fri, 17 Aug 2018 18:06:55 -0700
Cc: Benjamin Kaduk <kaduk@mit.edu>, netconf-chairs@ietf.org, tls-ads@ietf.org, "tsv-area@ietf.org >> tsv-area@ietf.org" <tsv-area@ietf.org>, tsvwg-ads@tools.ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B4DA6CD3-BAF5-4756-A23B-2EE2A14CE772@strayalpha.com>
References: <D3326DE0-3F31-4045-B945-82B3F417BE4B@juniper.net> <alpine.DEB.2.20.1807201340240.14354@uplift.swm.pp.se> <B50DC954-CBB6-41C5-BE3A-F1DECD6046A5@juniper.net> <717202c9c6c6b3d083bfa4c8a9925e45@strayalpha.com> <6377766E-9A03-41BA-A4D4-8796F46278BD@juniper.net> <20180816221059.GG40887@kduck.kaduk.org> <B3FA514D-4082-4C36-B487-B9B6AB46BF9D@strayalpha.com> <20180816225715.GH40887@kduck.kaduk.org> <A0293639-EC0A-4559-9447-E58CDB8970FC@strayalpha.com> <CALx6S34o1DJ6Nmin23GSNF_o-ddVEHX0_5qMohnxJxmh-BqH9w@mail.gmail.com> <c9c28764899d10647b7d79e5ab1361fb@strayalpha.com> <CALx6S355YtSkquMmtQ-su=mBqPYdH=17XsChUJLXEURxeY-jEA@mail.gmail.com> <af592212b44a55e83749d0701ba60fa4@strayalpha.com> <CALx6S360cygpqZchTDT3jwCN09AwF-NvEDOMmaD-tJB7diV==w@mail.gmail.com> <1109abdc6ebffee7281c39d94b403003@strayalpha.com> <CALx6S368GHyuinM-zReeET3DAxNvS0ooZEhhk6k2Aat=U5jL9w@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-area/dwHr2ojoRKKXfMDWdC0eQmR80_Y>
X-BeenThere: tsv-area@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Transport and Services Area Mailing List <tsv-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-area/>
List-Post: <mailto:tsv-area@ietf.org>
List-Help: <mailto:tsv-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Aug 2018 01:07:03 -0000


> On Aug 17, 2018, at 4:53 PM, Tom Herbert <tom@herbertland.com> wrote:
> ...
> Joe,
> 
> I agree to the extent that keepalives are run only at one layer with
> one keepalive control loop. If they are simultaneously done at
> multiple layers without consideration that can be problematic.

They are equally problematic to try to coordinate those control loops.

> It's
> also probably a good general recommendation to do keepalives only at
> the application (highest layer) if at all possible.

That makes sense ONLY if the application layer is the layer at which the keepalives are needed; application layer keepalives aren’t a good way to keep a TLS session active, nor necessarily to keep NAT state. 

> Most modern
> application protocols support them (HTTP, RPC protocols, etc). There
> are still protocols like telnet ssh would need TCP keepalives.

Sorry, why does Telnet need a TCP keepalive? I agree telnet through a NAT might, but telnet itself wouldn’t timeout any more than TCP would or should when idle.

> TCP
> keepalives are a weaker signal and have become increasingly prone to
> false positives.

TCP keepalives are a great way to make sure TCP is kept active - the primary purposes of which are to take down any associated state (or let it be taken down) when it cannot be re-established. 

They’re not ‘weak’ at all. They’re TCP.

> For instance, if a connection goes through a
> transparent proxy, a TCP keepalive would only verify the liveness of a
> connection to the proxy, not TCP all the way to the peer unbeknownst
> to the user.

Agreed - again, you’re confirming the point. Use keepalives at EVERY layer that they are meaningfully needed. Don’t expect any other layer to solve that problem.

Joe