Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
Joe Touch <touch@ISI.EDU> Thu, 28 May 2009 20:24 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A20C03A6D21 for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 13:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.031
X-Spam-Level:
X-Spam-Status: No, score=-2.031 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EasF8XHcV6yX for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 13:24:08 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 256153A6CC8 for <tsvwg@ietf.org>; Thu, 28 May 2009 13:24:08 -0700 (PDT)
Received: from [128.9.184.170] ([128.9.184.170]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n4SKPJ24025927; Thu, 28 May 2009 13:25:21 -0700 (PDT)
Message-ID: <4A1EF32F.50504@isi.edu>
Date: Thu, 28 May 2009 13:25:19 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net> <4A1EA9AE.7000309@isi.edu> <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net> <4A1EAE47.2090006@isi.edu> <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net> <EE7BF7C0-E589-4769-AEAB-5C278CFA269B@lurchi.franken.de> <0C53DCFB700D144284A584F54711EC58075639E7@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC58075639E7@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tsvwg <tsvwg@ietf.org>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>, Randy Stewart <randall@lakerest.net>, Michael Tüxen <Michael.Tuexen@lurchi.franken.de>, "James Polk (jmpolk)" <jmpolk@cisco.com>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 20:24:15 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anantha Ramaiah (ananth) wrote: > Randy/Michael : > My suggestion here would be : > > Suppose you are going to specify the timewait of vtags in the spec > etc., I would like the following point to be considered (debated in the > list): > - Just not repeat the same thing done for TCP i.e, 2MSL (4 minutes!). > > 2MSL time was considered the "safe and conservative time" for the old > segments to be drained out of the network in 1981. Now this timewait > value is, needless to say, is ultra-conservative for modern networks and > SCTP being a modern transport protocol, should consider more thought > while choosing the empirical value. Almost every implementation out > there provides a knob and nobody waits for 4 minutes as far as TCP is > concerned. FWIW. Right. 2MSL might be way too short, given how new systems 'stall' for longer periods of time -- e.g., as I noted how routers don't flush queues when on trains going through tunnels. While I agree that 2MSL might be incorrect as a value, there might be good reason to *increase* the "do not repeat" period as well, as a result of such "modern" environments. Joe >> -----Original Message----- >> From: Michael Tüxen [mailto:Michael.Tuexen@lurchi.franken.de] >> Sent: Thursday, May 28, 2009 10:55 AM >> To: Joe Touch >> Cc: James Polk (jmpolk); Randy Stewart; Anantha Ramaiah >> (ananth); tsvwg; mallman@icir.org; Fernando Gont >> Subject: Re: [Tsvwg] WGLC for Port Randomization starts now >> (April 1st) >> >> Hi Joe, >> >> just a clarification: >> >> * timewait for vtags is currently no described in >> any SCTP specification. >> * the need for this kind of feature came up >> several times. >> * Randall describes what is used implemented in >> FreeBSD and it does take the port number pair >> into account. >> * Since an SCTP endpoint can have multiple addresses >> and these addresses can change over time, addresses >> are not considered in the FreeBSD implementation. >> >> Looking at the discussion, I think we need to write up an ID >> describing this stuff. This would also clarify things for >> other implementations which do not have this kind of stuff at all. >> >> Best regards >> Michael >> >> On May 28, 2009, at 5:45 PM, Randy Stewart wrote: >> >>> On May 28, 2009, at 11:31 AM, Joe Touch wrote: >>> > > > Randy Stewart wrote: >>>>>> On May 28, 2009, at 11:11 AM, Joe Touch wrote: >>>>>> >>>>>> >>>>>> >>>>>> Randy Stewart wrote: >>>>>>>>> Joe: >>>>>>>>> >>>>>>>>> In-line.. >>>>>>>>> >>>>>>>>> ... >>>>>>>>>> Basically for BSD we take a v-tag used in a >>> connection.. call it >>>>>>>>>> 'X', and we place just the tag 'X' into a >>> "timed-wait" cache for >>>>>>>>>> 2MSL. >>>>>>>>>> There >>>>>>>>>> is no >>>>>>>>>> restriction on the socket here.. just the tag 'X' will not be >>>>>>>>>> used again with this socket. >>>>>> ... >>>>>>>>>> So basically the socket/port and peer socket/port is re-used >>>>>>>>>> right away with the restriction being that the vtag >>> 'X' cannot >>>>>>>>>> be used. >>>>>>>>>> Hope that clears up the issue :-) >>>>>> Yes, but it also underscores my concern. What you did was >>> basically: >>>>>> - increase the space available to a single service from >>>>>> a single IP address >>>>>> going from TCP's 16 bits (max) of source port to >>>>>> 48 bits of source port + vtag >>>>>> >>>>>> - *decrease* the space available for different >>>>>> services from different IP addresses >>>>>> going from TCP's 32 bits of address + >>>>>> 16 bits of source port + 16 bits of >>>>>> dest port (64 bits) down to only 32 >>>>>> >>>>>>> Joe: >>>>>>> I don't follow your meaning here.. >>>>>>> I can have >>>>>>> IP-A Port-X Vtag-Y <----> >>>>>>> and >>>>>>> IP-A Port-Y Vtag=Y <----> >>>>>>> existing simultaneously... so I don't see how this decreased the >>>>>>> space for services from different IP addresses... > OK so there's two cases: > > 1) the vtag is the unique thing held (NO OTHER STATE) > 2) the vtag is held in the context of the socket pair > > In 1), the vtag effectively is the connection ID. > > In 2), the connection ID is the 5-tuple of > [srcIP,srcport,dstIP,dstport,vtag] > > In the case of 1), you decrease the space available for >>> connections > vs. > TCP when you include connections from different machines and for > different services. > > In the case of 2), you increase the space available, and I >>> don't have > the concern raised above. >>>> >>>> >>>> Ok, I just went out and looked at the code (sometimes its good to >>>> refresh your memory ;-D) >>>> >>>> Basically the vtag cache holds: >>>> >>>> 1) Vtag >>>> 2) Source port >>>> 3) Destination port >>>> 4) A timestamp when the entry expires. >>>> >>>> This is all hashed on SrcPrt+DstPrt+Vtag-in-time-wait. >>>> >>>> >>>> So when I go to create a new association, I >>>> >>>> 1) Randomly generate a vtag e.g. R >>>> 2) Hash R+local-port+Peer-port >>>> 3) Use hash to look in vtag time wait block. >>>> 4) If found goto 1 >>>> else use vtag-R >>>> >>>> >>>> The IP addresses themselves are not saved in this. Could they be, >>>> sure, we just decided not to... since one would then have to have a >>>> "set" of IP addresses and a port on each side... and that seemed >>>> unneeded. Of course, as I said, most implementations have no >>>> timed-wait on anything.. which we in theory could do by setting the >>>> Time = 0... so they expire right away... But I don't think that is >>>> wise. >>>> >>>> It might even be wise to go back and expand the hash to >>> include the IP >>>> addresses of the peer... >>>> since this simpler approach does limit the vtags somewhat... i.e. a >>>> peer connecting to a server from a same port could not use a vtag >>>> thats in time-wait... >>>> which is not >>>> strictly correct... >>>> >>>> >>>> >>>> R >>>> > > I am still a bit confused as to which case is true; you >>> appeared to > give two different responses. > > Joe >>>> >>> ----- >>> Randall Stewart >>> randall@lakerest.net >>> >>> >>> >>> >>> >> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkoe8y8ACgkQE5f5cImnZrvnpgCcCgx3lLpt7sLdF3t+3FTMacKK +7cAoOl1mJpTZdUd7ky9WsA8ER9AzujX =UHc6 -----END PGP SIGNATURE-----
- [Tsvwg] WGLC for Port Randomization starts now (A… James M. Polk
- Re: [Tsvwg] WGLC for Port Randomization starts no… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Lars Eggert
- Re: [Tsvwg] WGLC for Port Randomization starts no… Lars Eggert
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- [Tsvwg] Fwd: WGLC for Port Randomization starts n… Lars Eggert
- Re: [Tsvwg] Fwd: WGLC for Port Randomization star… Anantha Ramaiah (ananth)
- Re: [Tsvwg] Fwd: WGLC for Port Randomization star… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] Fwd: WGLC for Port Randomization star… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Mark Allman
- [Tsvwg] title (was Re: WGLC for Port Randomizatio… Mark Allman
- [Tsvwg] table size (was Re: WGLC for Port Randomi… Mark Allman
- [Tsvwg] NATs (etc.) (was Re: WGLC for Port Random… Mark Allman
- [Tsvwg] interoperability (was Re: WGLC for Port R… Mark Allman
- [Tsvwg] algorithm 5 (was Re: WGLC for Port Random… Mark Allman
- [Tsvwg] lookup time (was Re: WGLC for Port Random… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randall Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] title (was Re: WGLC for Port Randomiz… Fernando Gont
- Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Ra… Mark Allman
- Re: [Tsvwg] interoperability (was Re: WGLC for Po… Fernando Gont
- Re: [Tsvwg] interoperability (was Re: WGLC for Po… Mark Allman
- Re: [Tsvwg] table size (was Re: WGLC for Port Ran… Fernando Gont
- Re: [Tsvwg] NATs (etc.) (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] table size (was Re: WGLC for Port Ran… Mark Allman
- Re: [Tsvwg] interoperability (was Re: WGLC for Po… Fernando Gont
- Re: [Tsvwg] table size (was Re: WGLC for Port Ran… Fernando Gont
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] lookup time (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- [Tsvwg] Port Randomization issues summary Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Mark Allman
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] WGLC for Port Randomization starts no… Michael Tüxen
- Re: [Tsvwg] WGLC for Port Randomization starts no… Anantha Ramaiah (ananth)
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Michael Tüxen
- Re: [Tsvwg] WGLC for Port Randomization starts no… Brian F. G. Bidulock
- Re: [Tsvwg] Port Randomization issues summary Fernando Gont
- Re: [Tsvwg] WGLC for Port Randomization starts no… Joe Touch
- Re: [Tsvwg] Port Randomization issues summary Joe Touch
- Re: [Tsvwg] WGLC for Port Randomization starts no… Randy Stewart
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Fernando Gont
- Re: [Tsvwg] Port Randomization issues summary Fernando Gont
- Re: [Tsvwg] Port Randomization issues summary Joe Touch
- Re: [Tsvwg] algorithm 5 (was Re: WGLC for Port Ra… Mark Allman
- Re: [tsvwg] [Tsvwg] lookup time (was Re: WGLC for… Mark Allman
- Re: [tsvwg] [Tsvwg] lookup time (was Re: WGLC for… Fernando Gont