IETF Logo Mail Archive

Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Joe Touch <touch@ISI.EDU> Thu, 28 May 2009 20:24 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A20C03A6D21 for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 13:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.031
X-Spam-Level:
X-Spam-Status: No, score=-2.031 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EasF8XHcV6yX for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 13:24:08 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 256153A6CC8 for <tsvwg@ietf.org>; Thu, 28 May 2009 13:24:08 -0700 (PDT)
Received: from [128.9.184.170] ([128.9.184.170]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n4SKPJ24025927; Thu, 28 May 2009 13:25:21 -0700 (PDT)
Message-ID: <4A1EF32F.50504@isi.edu>
Date: Thu, 28 May 2009 13:25:19 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu> <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net> <4A1EA9AE.7000309@isi.edu> <D49426F5-E25E-4C7F-A38D-966C9CD834E2@lakerest.net> <4A1EAE47.2090006@isi.edu> <28B33EA8-A171-4453-A5B8-271B05EB5A00@lakerest.net> <EE7BF7C0-E589-4769-AEAB-5C278CFA269B@lurchi.franken.de> <0C53DCFB700D144284A584F54711EC58075639E7@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC58075639E7@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tsvwg <tsvwg@ietf.org>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>, Randy Stewart <randall@lakerest.net>, Michael Tüxen <Michael.Tuexen@lurchi.franken.de>, "James Polk (jmpolk)" <jmpolk@cisco.com>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 20:24:15 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Anantha Ramaiah (ananth) wrote:
> Randy/Michael :
>  My suggestion here would be :
> 
> Suppose you are going to specify the timewait of vtags in the spec
> etc., I would like the following point to be considered (debated in the
> list):
> - Just not repeat the same thing done for TCP i.e, 2MSL (4 minutes!).
> 
> 2MSL time was considered the "safe and conservative time" for the old
> segments to be drained out of the network in 1981. Now this timewait
> value is, needless to say, is ultra-conservative for modern networks and
> SCTP being a modern transport protocol, should consider more thought
> while choosing the empirical value. Almost every implementation out
> there provides a knob and nobody waits for 4 minutes as far as TCP is
> concerned. FWIW.

Right. 2MSL might be way too short, given how new systems 'stall' for
longer periods of time -- e.g., as I noted how routers don't flush
queues when on trains going through tunnels.

While I agree that 2MSL might be incorrect as a value, there might be
good reason to *increase* the "do not repeat" period as well, as a
result of such "modern" environments.

Joe

>> -----Original Message-----
>> From: Michael Tüxen [mailto:Michael.Tuexen@lurchi.franken.de] 
>> Sent: Thursday, May 28, 2009 10:55 AM
>> To: Joe Touch
>> Cc: James Polk (jmpolk); Randy Stewart; Anantha Ramaiah 
>> (ananth); tsvwg; mallman@icir.org; Fernando Gont
>> Subject: Re: [Tsvwg] WGLC for Port Randomization starts now 
>> (April 1st)
>>
>> Hi Joe,
>>
>> just a clarification:
>>
>> * timewait for vtags is currently no described in
>>    any SCTP specification.
>> * the need for this kind of feature came up
>>    several times.
>> * Randall describes what is used implemented in
>>    FreeBSD and it does take the port number pair
>>    into account.
>> * Since an SCTP endpoint can have multiple addresses
>>    and these addresses can change over time, addresses
>>    are not considered in the FreeBSD implementation.
>>
>> Looking at the discussion, I think we need to write up an ID 
>> describing this stuff. This would also clarify things for 
>> other implementations which do not have this kind of stuff at all.
>>
>> Best regards
>> Michael
>>
>> On May 28, 2009, at 5:45 PM, Randy Stewart wrote:
>>
>>> On May 28, 2009, at 11:31 AM, Joe Touch wrote:
>>>
> 
> 
> Randy Stewart wrote:
>>>>>> On May 28, 2009, at 11:11 AM, Joe Touch wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> Randy Stewart wrote:
>>>>>>>>> Joe:
>>>>>>>>>
>>>>>>>>> In-line..
>>>>>>>>>
>>>>>>>>> ...
>>>>>>>>>> Basically for BSD we take a v-tag used in a 
>>> connection.. call it 
>>>>>>>>>> 'X', and we place just the tag 'X' into a 
>>> "timed-wait" cache for 
>>>>>>>>>> 2MSL.
>>>>>>>>>> There
>>>>>>>>>> is no
>>>>>>>>>> restriction on the socket here.. just the tag 'X' will not be 
>>>>>>>>>> used again with this socket.
>>>>>> ...
>>>>>>>>>> So basically the socket/port and peer socket/port is re-used 
>>>>>>>>>> right away with the restriction being that the vtag 
>>> 'X' cannot 
>>>>>>>>>> be used.
>>>>>>>>>> Hope that clears up the issue  :-)
>>>>>> Yes, but it also underscores my concern. What you did was 
>>> basically:
>>>>>>   - increase the space available to a single service from
>>>>>>   a single IP address
>>>>>>       going from TCP's 16 bits (max) of source port to
>>>>>>       48 bits of source port + vtag
>>>>>>
>>>>>>   - *decrease* the space available for different
>>>>>>   services from different IP addresses
>>>>>>       going from TCP's 32 bits of address +
>>>>>>       16 bits of source port + 16 bits of
>>>>>>       dest port (64 bits) down to only 32
>>>>>>
>>>>>>> Joe:
>>>>>>> I don't follow your meaning here..
>>>>>>> I can have
>>>>>>> IP-A Port-X Vtag-Y <---->
>>>>>>> and
>>>>>>> IP-A Port-Y Vtag=Y <---->
>>>>>>> existing simultaneously... so I don't see how this decreased the 
>>>>>>> space for services from different IP addresses...
> OK so there's two cases:
> 
> 	1) the vtag is the unique thing held (NO OTHER STATE)
> 	2) the vtag is held in the context of the socket pair
> 
> In 1), the vtag effectively is the connection ID.
> 
> In 2), the connection ID is the 5-tuple of 
> [srcIP,srcport,dstIP,dstport,vtag]
> 
> In the case of 1), you decrease the space available for 
>>> connections 
> vs.
> TCP when you include connections from different machines and for 
> different services.
> 
> In the case of 2), you increase the space available, and I 
>>> don't have 
> the concern raised above.
>>>>
>>>>
>>>> Ok, I just went out and looked at the code (sometimes its good to 
>>>> refresh your memory ;-D)
>>>>
>>>> Basically the vtag cache holds:
>>>>
>>>> 1) Vtag
>>>> 2) Source port
>>>> 3) Destination port
>>>> 4) A timestamp when the entry expires.
>>>>
>>>> This is all hashed on SrcPrt+DstPrt+Vtag-in-time-wait.
>>>>
>>>>
>>>> So when I go to create a new association, I
>>>>
>>>> 1) Randomly generate a vtag e.g. R
>>>> 2) Hash R+local-port+Peer-port
>>>> 3) Use hash to look in vtag time wait block.
>>>> 4) If found goto 1
>>>>   else use vtag-R
>>>>
>>>>
>>>> The IP addresses themselves are not saved in this. Could they be, 
>>>> sure, we just decided not to... since one would then have to have a 
>>>> "set" of IP addresses and a port on each side... and that seemed 
>>>> unneeded. Of course, as I said, most implementations have no 
>>>> timed-wait on anything.. which we in theory could do by setting the 
>>>> Time = 0... so they expire right away... But I don't think that is 
>>>> wise.
>>>>
>>>> It might even be wise to go back and expand the hash to 
>>> include the IP 
>>>> addresses of the peer...
>>>> since this simpler approach does limit the vtags somewhat... i.e. a 
>>>> peer connecting to a server from a same port could not use a vtag 
>>>> thats in time-wait...
>>>> which is not
>>>> strictly correct...
>>>>
>>>>
>>>>
>>>> R
>>>>
> 
> I am still a bit confused as to which case is true; you 
>>> appeared to 
> give two different responses.
> 
> Joe
>>>>
>>> -----
>>> Randall Stewart
>>> randall@lakerest.net
>>>
>>>
>>>
>>>
>>>
>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoe8y8ACgkQE5f5cImnZrvnpgCcCgx3lLpt7sLdF3t+3FTMacKK
+7cAoOl1mJpTZdUd7ky9WsA8ER9AzujX
=UHc6
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email