Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
Michael Tüxen <Michael.Tuexen@lurchi.franken.de> Thu, 28 May 2009 17:53 UTC
Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1D3528C2EC for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 10:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.867
X-Spam-Level:
X-Spam-Status: No, score=0.867 tagged_above=-999 required=5 tests=[AWL=-1.771, BAYES_00=-2.599, HOST_EQ_DIP_TDIAL=2.144, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_41=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VyzwKoxHnMu for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 10:53:24 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by core3.amsl.com (Postfix) with ESMTP id 9E7F53A69E5 for <tsvwg@ietf.org>; Thu, 28 May 2009 10:53:23 -0700 (PDT)
Received: from [192.168.1.102] (p5481D8B4.dip.t-dialin.net [84.129.216.180]) by mail-n.franken.de (Postfix) with ESMTP id C4BE91C0B4619; Thu, 28 May 2009 19:55:00 +0200 (CEST)
Message-Id: <EE7BF7C0-E589-4769-AEAB-5C278CFA269B@lurchi.franken.de>
From: Michael Tüxen <Michael.Tuexen@lurchi.franken.de>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Thu, 28 May 2009 19:55:00 +0200
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net> <4A1EA9AE.7000309@isi.edu> <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net> <4A1EAE47.2090006@isi.edu> <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net>
X-Mailer: Apple Mail (2.935.3)
Cc: tsvwg <tsvwg@ietf.org>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>, Randy Stewart <randall@lakerest.net>, "James Polk (jmpolk)" <jmpolk@cisco.com>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 17:53:54 -0000
Hi Joe, just a clarification: * timewait for vtags is currently no described in any SCTP specification. * the need for this kind of feature came up several times. * Randall describes what is used implemented in FreeBSD and it does take the port number pair into account. * Since an SCTP endpoint can have multiple addresses and these addresses can change over time, addresses are not considered in the FreeBSD implementation. Looking at the discussion, I think we need to write up an ID describing this stuff. This would also clarify things for other implementations which do not have this kind of stuff at all. Best regards Michael On May 28, 2009, at 5:45 PM, Randy Stewart wrote: > > On May 28, 2009, at 11:31 AM, Joe Touch wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Randy Stewart wrote: >>> >>> On May 28, 2009, at 11:11 AM, Joe Touch wrote: >>> >>> >>> >>> Randy Stewart wrote: >>>>>> Joe: >>>>>> >>>>>> In-line.. >>>>>> >>>>>> ... >>>>>>> Basically for BSD we take a v-tag used in a connection.. call it >>>>>>> 'X', and >>>>>>> we place just the tag 'X' into a "timed-wait" cache for 2MSL. >>>>>>> There >>>>>>> is no >>>>>>> restriction on the socket here.. just the tag 'X' will not be >>>>>>> used >>>>>>> again >>>>>>> with this socket. >>> >>> ... >>>>>>> So basically the socket/port and peer socket/port is re-used >>>>>>> right away >>>>>>> with >>>>>>> the restriction being that the vtag 'X' cannot be used. >>>>>> >>>>>>> Hope that clears up the issue :-) >>> >>> Yes, but it also underscores my concern. What you did was basically: >>> >>> - increase the space available to a single service from >>> a single IP address >>> going from TCP's 16 bits (max) of source port to >>> 48 bits of source port + vtag >>> >>> - *decrease* the space available for different >>> services from different IP addresses >>> going from TCP's 32 bits of address + >>> 16 bits of source port + 16 bits of >>> dest port (64 bits) down to only 32 >>> >>>> Joe: >>> >>>> I don't follow your meaning here.. >>> >>>> I can have >>> >>>> IP-A Port-X Vtag-Y <----> >>>> and >>>> IP-A Port-Y Vtag=Y <----> >>> >>>> existing simultaneously... so I don't see how this decreased the >>>> space for services from different IP addresses... >> >> OK so there's two cases: >> >> 1) the vtag is the unique thing held (NO OTHER STATE) >> 2) the vtag is held in the context of the socket pair >> >> In 1), the vtag effectively is the connection ID. >> >> In 2), the connection ID is the 5-tuple of >> [srcIP,srcport,dstIP,dstport,vtag] >> >> In the case of 1), you decrease the space available for connections >> vs. >> TCP when you include connections from different machines and for >> different services. >> >> In the case of 2), you increase the space available, and I don't have >> the concern raised above. > > > > Ok, I just went out and looked at the code (sometimes its good to > refresh your memory ;-D) > > Basically the vtag cache holds: > > 1) Vtag > 2) Source port > 3) Destination port > 4) A timestamp when the entry expires. > > This is all hashed on SrcPrt+DstPrt+Vtag-in-time-wait. > > > So when I go to create a new association, I > > 1) Randomly generate a vtag e.g. R > 2) Hash R+local-port+Peer-port > 3) Use hash to look in vtag time wait block. > 4) If found goto 1 > else use vtag-R > > > The IP addresses themselves are not saved in this. Could they be, > sure, we just > decided not to... since one would then have to have a "set" of IP > addresses > and a port on each side... and that seemed unneeded. Of course, as I > said, most > implementations have no timed-wait on anything.. which we in theory > could do > by setting the Time = 0... so they expire right away... But I don't > think > that is wise. > > It might even be wise to go back and expand the hash to include the > IP addresses of the peer... > since this simpler approach does limit the vtags somewhat... i.e. a > peer connecting to > a server from a same port could not use a vtag thats in time-wait... > which is not > strictly correct... > > > > R > >> >> >> I am still a bit confused as to which case is true; you appeared to >> give >> two different responses. >> >> Joe >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG v1.4.9 (MingW32) >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org >> >> iEYEARECAAYFAkoerkcACgkQE5f5cImnZrvVlQCgoNoQPGril0N687ocbOD1n0ex >> cUoAn35PgtR+ogd0NGkkPZBD74H39MzN >> =uJLP >> -----END PGP SIGNATURE----- >> > > ----- > Randall Stewart > randall@lakerest.net > > > > >
- [Tsvwg] WGLC for Port Randomization starts now (A… James M. Polk
- Re: [Tsvwg] WGLC for Port Randomization starts no… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Lars Eggert
- Re: [Tsvwg] WGLC for Port Randomization starts no… Lars Eggert
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- [Tsvwg] Fwd: WGLC for Port Randomization starts n… Lars Eggert
- Re: [Tsvwg] Fwd: WGLC for Port Randomization star… Anantha Ramaiah (ananth)
- Re: [Tsvwg] Fwd: WGLC for Port Randomization star… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] Fwd: WGLC for Port Randomization star… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Mark Allman
- [Tsvwg] title (was Re: WGLC for Port Randomizatio… Mark Allman
- [Tsvwg] table size (was Re: WGLC for Port Randomi… Mark Allman
- [Tsvwg] NATs (etc.) (was Re: WGLC for Port Random… Mark Allman
- [Tsvwg] interoperability (was Re: WGLC for Port R… Mark Allman
- [Tsvwg] algorithm 5 (was Re: WGLC for Port Random… Mark Allman
- [Tsvwg] lookup time (was Re: WGLC for Port Random… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randall Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] title (was Re: WGLC for Port Randomiz… Fernando Gont
- Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Ra… Mark Allman
- Re: [Tsvwg] interoperability (was Re: WGLC for Po… Fernando Gont
- Re: [Tsvwg] interoperability (was Re: WGLC for Po… Mark Allman
- Re: [Tsvwg] table size (was Re: WGLC for Port Ran… Fernando Gont
- Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] table size (was Re: WGLC for Port Ran… Mark Allman
- Re: [Tsvwg] interoperability (was Re: WGLC for Po… Fernando Gont
- Re: [Tsvwg] table size (was Re: WGLC for Port Ran… Fernando Gont
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] lookup time (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- [Tsvwg] Port Randomization issues summary Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Michael Tüxen
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Michael Tüxen
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] Port Randomization issues summary Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] Port Randomization issues summary Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] Port Randomization issues summary Fernando Gont
- Re: [Tsvwg] Port Randomization issues summary Joe Touch
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Mark Allman
- Re: [tsvwg] [Tsvwg] lookup time (was Re: WGLC for… Mark Allman
- Re: [tsvwg] [Tsvwg] lookup time (was Re: WGLC for… Fernando Gont