IETF Logo Mail Archive

Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)

Randy Stewart <randall@lakerest.net> Thu, 28 May 2009 14:43 UTC

Return-Path: <randall@lakerest.net>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 539573A6E87 for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 07:43:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNfTf7hT4xRT for <tsvwg@core3.amsl.com>; Thu, 28 May 2009 07:43:43 -0700 (PDT)
Received: from lakerest.net (unknown [IPv6:2001:240:585:2:213:d4ff:fef3:2d8d]) by core3.amsl.com (Postfix) with ESMTP id 6246B3A681A for <tsvwg@ietf.org>; Thu, 28 May 2009 07:43:42 -0700 (PDT)
Received: from [10.1.150.171] (rrcs-24-106-179-126.se.biz.rr.com [24.106.179.126]) (authenticated bits=0) by lakerest.net (8.14.3/8.14.3) with ESMTP id n4SEirup076632 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 28 May 2009 10:44:55 -0400 (EDT) (envelope-from randall@lakerest.net)
DKIM-Signature: a=rsa-sha1; c=simple/simple; d=lakerest.net; s=mail; t=1243521897; h=Cc:Message-Id:From:To:In-Reply-To:Content-Type: Content-Transfer-Encoding:Mime-Version:Subject:Date:References: X-Mailer; b=PCJDAeywDsYinrSsxMyaiS+sWnWHvSBjInPk3PF2nxNdydvTcPR6iL7 8fJ2Rn1mlo6wlmv5qagnAUUcc8j5/3g==
Message-Id: <9F71CBFA-9E70-4CD4-B60D-D15F45842739@lakerest.net>
From: Randy Stewart <randall@lakerest.net>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <4A1D6F4E.2080005@isi.edu>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Thu, 28 May 2009 10:39:37 -0400
References: <20090415033307.F00C0CD585E@lawyers.icir.org> <4A037030.6040107@isi.edu> <0C53DCFB700D144284A584F54711EC58074EEED6@xmb-sjc-21c.amer.cisco.com> <4A1AB6EE.5080900@gont.com.ar> <0C53DCFB700D144284A584F54711EC58074EEF11@xmb-sjc-21c.amer.cisco.com> <4A1BF56D.3020709@isi.edu> <0C53DCFB700D144284A584F54711EC58074EF74C@xmb-sjc-21c.amer.cisco.com> <4A1D6F4E.2080005@isi.edu>
X-Mailer: Apple Mail (2.935.3)
Cc: "James Polk (jmpolk)" <jmpolk@cisco.com>, "Anantha Ramaiah (ananth)" <ananth@cisco.com>, tsvwg <tsvwg@ietf.org>, mallman@icir.org, Fernando Gont <fernando@gont.com.ar>
Subject: Re: [Tsvwg] WGLC for Port Randomization starts now (April 1st)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 14:43:44 -0000

Joe:

In-line..


On May 27, 2009, at 12:50 PM, Joe Touch wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Anantha Ramaiah (ananth) wrote:
>>
>>>> Any RFC compliant TCP implementation will honor TIME-WAIT
>>> requirement
>>>> and that involves keeping state at the side which initiated the
>>>> connection close.
>>> It's worth noting that many implementations aren't RFC
>>> compliant in this regard, though.
>>
>> Which TCP implementation is not honoring TIME-WAIT state (BSD, Linux,
>> our implementations etc., all honor TIME-WAIT requirement)? The only
>> thing is that the "ancient" 2MSL value can be configurable. 2MSL is
>> getting adapted to modern networks and in some intranet cases this  
>> value
>> is configured to be very small, FWIW.
>
> RFC793 specifies MSL as 2 minutes, and it is not "configurable". In
> terms of following the specification, that's where most  
> implementations
> fail.
>
> Many modern networks actually take advantage of this MSL when they do
> not flush their buffers during short-term outages. In networks with  
> such
> paths - e.g., users on cellphones that go through tunnels, etc. -  
> RTT is
> not a reasonable estimate of MSL.
>
>>>> It is also well known that the side-effect of TIME-WAIT requirement
>>>> leads for the 4-tuple (socket-pairs) to be locked for some time.
>>> That is not a "side effect", that is the *desired* effect.
>>
>> The reason I use the term "side effect" is beause if the TIME-WAIT  
>> state
>> deosn't exist, your port reuse factor aka connection acceptance rate
>> (for the same socket pair) gets increased. YMMV.
>
> If TIME-WAIT doesn't exist, your potential to have data from an old
> connection corrupt a new connection also increases, and you no longer
> have a reliable protocol. If you call that "mileage", sure; I call  
> that
> a crash ;-)
>
>>>> It needs to be pointed out at that, other transport protocols like
>>>> SCTP doesn't have the TIME-WAIT requirement since the protocol
>>>> supports in-built mechanisms to deal with the need for the same.
>>> SCTP has a TIME WAIT state for its connection IDs (socket
>>
>> TCB is gone, only the vtag can be in time-wait (some  
>> implementations do
>> it). TIME-WAIT state doesn't exist in the SCTP protocol. Pl see  
>> Randy's
>> and my responses.
>
> While I agree that the term "TIME-WAIT" does not appear in RFC 2690,
> there is a note:
>
> " A new Verification Tag value MUST be used each time the
>   endpoint tears-down and then re-establishes an association to the
>   same peer."
>
> Can you explain how you know that the tag is new unless you hold it  
> for
> some period of time?



Basically for BSD we take a v-tag used in a connection.. call it 'X',  
and
we place just the tag 'X' into a "timed-wait" cache for 2MSL. There is  
no
restriction on the socket here.. just the tag 'X' will not be used again
with this socket.

So say the socket did the following:

sd = socket(..., ONE-2-MANY)

/* setup events .. not shown */

sd = sctp_connectx(ip-z, &assoc-id);

<---At transport layer Vtag=X --->

sctp_sendmsg(some-mesg, size,... assoc-id);

... some time later
sctp_sendmsg(SCTP_EOF, assoc-id);

<---SHUTDOWN is sent, and at conclusion
     the V-tag'X' is placed in timed-wait.

<-- event returned telling you the association is gone.

Then right away (less than 2MSL).. app does

sd = sctp_connectx(ip-z, &assoc-id);

<- Transport layer randomly picks a new vtag but CANNOT use 'X'
    (its in the time-wait cache).. so it uses 'Y'.

sctp_sendmsg(hello-again, size, ..., assoc-id);


Note that In theory I did not even need to have the "connectx calls"  
since
SCTP will setup the association implicitly ... I added these for clarity
in this email ;-)


So basically the socket/port and peer socket/port is re-used right  
away with
the restriction being that the vtag 'X' cannot be used.

Hope that clears up the issue  :-)

R




>
>
> Joe
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkodb04ACgkQE5f5cImnZruWNwCfUx8QgBSsjEo2zKsRuFtykbpp
> 4DQAmwaWCj0UjpRscD8aOwx4Xznkq2xa
> =WP09
> -----END PGP SIGNATURE-----
>

-----
Randall Stewart
randall@lakerest.net

v2.23.0 | Report a Bug | By Email