IETF Logo Mail Archive

Re: statement regarding keepalives

Kent Watsen <kwatsen@juniper.net> Wed, 15 August 2018 17:35 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: tsv-area@ietfa.amsl.com
Delivered-To: tsv-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F98913103D; Wed, 15 Aug 2018 10:35:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aR6YWaOew0fV; Wed, 15 Aug 2018 10:35:32 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE956128CFD; Wed, 15 Aug 2018 10:35:32 -0700 (PDT)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7FHYDtw028739; Wed, 15 Aug 2018 10:35:32 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=6StqXChqKV9dAuhSNNQux52lB3CdQ5gxsyFsYbMEGMk=; b=oJ6E6YtrutSN9cB4LqCFuw/Awbd/f37CBo1ml3agl1bkvkEOTS/58FqaxwhsFSi0lp9u /fPj2YNQ4hobRk3kxilj4N76Ak77ljrEwvRnTeEip6QhD9jRFwqIsHSJ9ui2fCX2nzpL gjFK66quh3ar4cR2J6yyPk2DmhU4JeccJEoU9/tHm41pwShZ6rsfHU4ksjWmZ5gyXLjL GXdSgoHh+DZqSiJVuQKM4UTIPwwT3YFGKamWbT52M/w1QXFwRppfBN9zqvCE+d/S0gpw o2hsuhKZdFwRHLUNrY9hHNgM4lQMBwlH8BXZyH0bDmYrY2fTq2NyitB8W83MsGK0rZQF Eg==
Received: from nam02-bl2-obe.outbound.protection.outlook.com (mail-bl2nam02lp0086.outbound.protection.outlook.com [207.46.163.86]) by mx0a-00273201.pphosted.com with ESMTP id 2kvmq2gg13-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 15 Aug 2018 10:35:32 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4939.namprd05.prod.outlook.com (20.176.112.76) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1059.19; Wed, 15 Aug 2018 17:35:29 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::e0bc:6a82:571d:258]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::e0bc:6a82:571d:258%2]) with mapi id 15.20.1059.010; Wed, 15 Aug 2018 17:35:29 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Joe Touch <touch@strayalpha.com>
CC: HMikael Abrahamsson <swmike@swm.pp.se>, "tsv-area@ietf.org" <tsv-area@ietf.org>, "tsvwg-ads@tools.ietf.org" <tsvwg-ads@tools.ietf.org>, "tls-ads@ietf.org" <tls-ads@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>
Subject: Re: statement regarding keepalives
Thread-Topic: statement regarding keepalives
Thread-Index: AQHUGkG/LZoJEIu3uky/qk612ULG36SYCm6A///2yoCAAGpcgIAomY+A
Date: Wed, 15 Aug 2018 17:35:28 +0000
Message-ID: <6377766E-9A03-41BA-A4D4-8796F46278BD@juniper.net>
References: <D3326DE0-3F31-4045-B945-82B3F417BE4B@juniper.net> <alpine.DEB.2.20.1807201340240.14354@uplift.swm.pp.se> <B50DC954-CBB6-41C5-BE3A-F1DECD6046A5@juniper.net> <717202c9c6c6b3d083bfa4c8a9925e45@strayalpha.com>
In-Reply-To: <717202c9c6c6b3d083bfa4c8a9925e45@strayalpha.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4939; 6:QyTUAp6AdbQT8nkJMQT3hLtVlBKmQQ6lnJkYDPEXRZxVYPuc2OeDWSZ7RrFnnNow8Hy88d663BpMZES1r8JnG8CHfLhq328anBwvOk6BQ1stij3yjh7OZerLrEcpTXur+62SR+ARw/LLc6PwRKnCEZx0vbn0vZ64IaZlkuca3vcy5X+ZiejdxlWL+LYapSz/FTxRCIZewXMkEc+iUcwEXcGxf1CWQ8tlxT0XWuUEr7ZGn+3/mVy9ygY3EZMNTP+MeFEWTjCr2nVVEKNjh6kByWNu254YKW2vUv8vmpC5jD39wFFEIN1GIRzcf8Z4l7R2RNtMBycJNG6Vn3Jud3gBaNQgzwE12Qmhj1cLj8DXqIHAPtsmoRJXzWEwTUPRqOkUJYnnNO5qZ3iBCMxU3D4LYfxxh1NsvqClyOfoq0E9qzO1XqRTlDTzHDcawuwck03EeKcWbPHCjzM66dtlTUi7yQ==; 5:B3EIqJ2XxNlqVvFxHzdRttnYWM2ojoLDDXSRUoCTx2SkkG0sDkVd5qrm0B06nFvTbaIdZFTxdRVUIeGjGu7/2uZW83XWHOM7NQQ16JnttqDlL8FHGu7/gEoOUNZgyxFWPplcf07OugJ1BY7Pb1iTclO+sm099ZqkjO0N0zmzNJw=; 7:qtXz5XFo57gH5WcahK7H/IXv0LbHi110aDY2u5BJGrPtMFmHxlPeAWvAFEJTsJmeoh4LWsfql4EGMmHCY/gDYkxbxCQM9GUdFP0y4s30fzGGPtNzz+Mjm3BQMQFO4jFbr9vCBU9qvRmsMXqrGgbVUG82mxLxZSTZvzbYUMPiZmfREwyl/12K1RSUXbqhaWKLN5R5Na1o5j3vjjsppcQHMfsl3tl/sshX4LukHsokSaePfnh+b9eenCfpMiq/jgCc
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: ee00820e-c193-49e1-21c3-08d602d57e53
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4939;
x-ms-traffictypediagnostic: DM6PR05MB4939:
x-microsoft-antispam-prvs: <DM6PR05MB4939EADB89DBB69DFC27C89DA53F0@DM6PR05MB4939.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(35073007944872)(265273979862326);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3002001)(3231311)(944501410)(52105095)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:DM6PR05MB4939; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4939;
x-forefront-prvs: 07658B8EA3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(39860400002)(376002)(136003)(346002)(199004)(189003)(4326008)(6246003)(6916009)(7116003)(5660300001)(6116002)(3846002)(25786009)(106356001)(105586002)(81156014)(8676002)(305945005)(2900100001)(7736002)(6486002)(6436002)(53936002)(33656002)(229853002)(6512007)(81166006)(8936002)(82746002)(6506007)(11346002)(5250100002)(486006)(97736004)(476003)(2616005)(14454004)(446003)(478600001)(316002)(3480700004)(58126008)(54906003)(66066001)(93886005)(68736007)(76176011)(83716003)(102836004)(256004)(36756003)(86362001)(26005)(14444005)(99286004)(186003)(2906002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4939; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 9uoczGM0wCiPMuBU8xnxNbF6pM8+o0DtclQhm6VsZZKwnwqLPGL4mjW12DcFDWrl8lLf/SUfk96towaK4pa3DVridK+XtXhEzLDKcdFDcDfZja64nywnyZ0IGtpPOpq83WGmRK0jCFaLr8Dbul2vgD/tTNVGbjE+g5Z9FY+z9NJdGzqAbcHrQoWlaWPZDM2StCNMv0gud5EopUxbVJ/TefOiHItL9O/iqHTBWj/LXYoIhqBLL6qSfnF46Xf66kYdN3R00pvCFVAA8kz+1kBOvGwOgZpPef/GNoVexRnV2jJp5akiGcJxEq4md4k7lPceeNEgxZzufAY8IzLSoSKTUuDd+m3wHV8ONEI7LncwYjs=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <C6498B7312C1F1468DFC10BCC18A37B3@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: ee00820e-c193-49e1-21c3-08d602d57e53
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Aug 2018 17:35:28.8449 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4939
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-15_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808150184
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-area/sxLXBGXAS1Zf3OnumSXNBcbBlbk>
X-BeenThere: tsv-area@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF Transport and Services Area Mailing List <tsv-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-area/>
List-Post: <mailto:tsv-area@ietf.org>
List-Help: <mailto:tsv-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-area>, <mailto:tsv-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2018 17:35:35 -0000

Below is an updated version of some text that we might roll into
a statement or an I-D of some sort.  Kindly review and provide 
suggestions for improvement, or support for the text as is, if
that is the case.  ;)

This update accommodates comments from:
  - Wesley Eddy & David Black
     - removed "layers of functionality" verbiage
     - moved footnote into the body of the document (this had
       a cascading effect, and why it looks so different now)
  - Joe Touch
     - keepalives should occur at *all* layers that benefit
     - keepalives at a layer should be suppressed in the 
       presence of sufficient traffic from higher layers
     - keepalives at a layer should not be interpreted as
       implying state at any other layer

This update does not accommodate comments from:
  - Michael Abrahamsson & Tom Herbert
     - no statement added to promote TCP keepalives
        * note: I believe this to be unnecessary because 
          the current text doesn't ever say to not use TCP.
     - no statement added for tuning params (e.g., timeouts).
        * note: we could add this, but it will increase the
          scope of the document - do we want to do this?

Cheers!
Kent


===== START =====

# Connection Strategies for Long-lived Connections

A networked device may have an ongoing need to interact with a remote
device. Sometimes the need arises from wanting to push data to the
remote device, and sometimes the need arises from wanting to check if
there is any data the remote device may have pending to deliver to
it.

There are two fundamental network connection strategies that can be
used to accomplish this goal: 1) a single long-lived connection and
2) a sequence of short-lived connections.

A single long-lived connection is most common, as it is
straightforward to implement and directly answers the question of 
if the "connection" is established. However, long-lived connections
require more system resources, which may affect scalability, and
require the initiator of the connection to periodically test the
aliveness of the remote device, discussed further in the next 
section.

A sequence of short-lived connections is less common, as there is an
additional implementation effort, as well as concerns such as: 1) the
delay of the remote device needing to wait until the connection is
reestablished in order to deliver pending data, and 2) the additional
latency incurred from starting new connections, especially when
cryptology is involved. However, short-lived connections do not
require keepalives and are arguably more secure, as each device is
forced to re-authenticate the other and reload all related
access-control policies on each connection.

For networking sessions that are primarily quiet, and the use case
can cope with the additional latency of waiting for and starting new
connections, it is RECOMMENDED to use a sequence of short-lived
connections, instead of maintaining a single long-lived connection
using aliveness checks.


# Keepalives for Persistent Connections

When the initiator of a networking session needs to maintain a
long-lived connection, it is necessary for it to periodically test
the aliveness of the remote device. In such cases, it is RECOMMENDED
that the aliveness check happens at the highest protocol layer
possible that is meaningful to the application, in order to maximize
the depth of the aliveness check.

For example, for an HTTPS connection to a simple webserver,
HTTP-level keepalives would test more layers of functionality than
TLS-level keepalives. However, for a webserver that is accessed via a
load-balancer that terminates TLS connections, TLS-level aliveness
checks may be the most meaningful check that can be performed.

More generally, it is RECOMMENDED that applications be able to
perform the aliveness checks at all protocol levels that benefit, but
suppress the aliveness checks at lower protocol layers from occurring
when there is sufficient activity at higher protocol layers.
Keepalives at a layer SHOULD NOT be interpreted as implying state at
any other layer.

In order to ensure aliveness checks can occur at any given protocol
layer, it is RECOMMENDED that protocol designers always include an
aliveness check mechanism in the protocol and, for client/server
protocols, that the aliveness check can be initiated from either
device, as sometimes the "server" is the initiator of the underlying
networking connection (e.g., RFC 8071).

Some protocol stacks have a secure transport protocol layer (e.g.,
TLS, SSH, DTLS) that sits on top of a cleartext protocol layer (e.g.,
TCP, UDP). In such cases, it is RECOMMENDED that the aliveness check
occurs within protection envelope afforded by the secure transport
protocol layer; the aliveness checks SHOULD NOT occur via the
underlying cleartext protocol layer, as an adversary can block
aliveness check messages in either direction and send fake aliveness
check messages in either direction.

v2.23.0 | Report a Bug | By Email