IETF Logo Mail Archive

Re: [Udp35] Snowden and SPUD

Eliot Lear <lear@cisco.com> Mon, 20 July 2015 17:06 UTC

Return-Path: <lear@cisco.com>
X-Original-To: udp35@ietfa.amsl.com
Delivered-To: udp35@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D2C81B2C82 for <udp35@ietfa.amsl.com>; Mon, 20 Jul 2015 10:06:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PgFMfH23h_ts for <udp35@ietfa.amsl.com>; Mon, 20 Jul 2015 10:06:57 -0700 (PDT)
Received: from aer-iport-3.cisco.com (aer-iport-3.cisco.com [173.38.203.53]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5E661B29AE for <udp35@ietf.org>; Mon, 20 Jul 2015 10:06:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4051; q=dns/txt; s=iport; t=1437412000; x=1438621600; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=WtpUql9elcmSXfJ2JimeXAx7sZBv556hbQj5Ec5eSRM=; b=lctMH7O/J5KpxA37ehqyJqfpWhPSIdeuO4t2o8w15e80GVRgEm25EGov LDPHSQzgqlMI9gEmp7/b8/Tn+asra0V9hYaeSyVoXPUxAeP2l0RPdW75i pw8CgoLC1hTICFd6g6DbzBQNAVTVQmJ27cN6ZTjQAI6J8gKlXBvQu5BjB M=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DUBABYKa1V/xbLJq1ch3PAPwKBeQEBAQEBAYELhCQBAQMBI0QHCgEFCwsOExYLAgIJAwIBAgFFBgEMCAEBiCIIsj2VfAEBAQEBAQEBAQEBAQEBAQEBAQEZi0yEIwsGAVEHgmiBQwEElFKCM4FUiBqIS5A8JmOBKhyBVTyBNggXgScBAQE
X-IronPort-AV: E=Sophos;i="5.15,509,1432598400"; d="asc'?scan'208";a="568123533"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-3.cisco.com with ESMTP; 20 Jul 2015 17:06:38 +0000
Received: from [10.61.170.123] ([10.61.170.123]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t6KH6beO032420; Mon, 20 Jul 2015 17:06:37 GMT
To: Michael Welzl <michawe@ifi.uio.no>, Jana Iyengar <jri@google.com>
References: <DD4CE423-ABFD-41CA-8AA8-79DE2779A47B@ifi.uio.no> <CAGD1bZbwkaYmH7WR_jb-wgkXfM7EjyExAy=P11V3CR_u40KKFQ@mail.gmail.com> <AED99648-40DE-4857-9F67-861C52252DF7@ifi.uio.no>
From: Eliot Lear <lear@cisco.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <55AD2A9C.2070106@cisco.com>
Date: Mon, 20 Jul 2015 19:06:36 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <AED99648-40DE-4857-9F67-861C52252DF7@ifi.uio.no>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="w0FTpPC0UkbrUnECjHG26ou9aIcWcrdg7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/udp35/-i-X-V9SlNJYYxG3iSd7Yppkahs>
Cc: udp35@ietf.org
Subject: Re: [Udp35] Snowden and SPUD
X-BeenThere: udp35@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Life beyond UDP <udp35.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/udp35>, <mailto:udp35-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/udp35/>
List-Post: <mailto:udp35@ietf.org>
List-Help: <mailto:udp35-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/udp35>, <mailto:udp35-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 17:06:58 -0000

Hi Michael,

On 7/20/15 6:47 PM, Michael Welzl wrote:


> Okay, I guess it’s time for me to say what I think about SPUD.
>
> There are two parts here: the later rolled-into-SPUD AE(C)ON-and-before (flow metadata and whatever else it was called) ideas from Cisco. These are what they are, with their pro’s and deficiencies, and this is not what this email is about. I think we should focus on the original idea, which is about getting through middleboxes by “playing nice”. Here I think SPUD is trying to solve a problem that can’t be solved by protocol design. It’s not a design problem, it’s an incentive problem.
>
> Consider the discussion about connection setup/teardown that happened on the SPUD mailing list some time ago. Someone said (s)he thinks it’s useless because in the middlebox, they will need a timer anyway, as one can’t simply trust the teardown message to arrive. Well, people do have more trust in TCP it seems … it seems to me that it’s a story of incentives and trust much more than it’s a story of how the protocol looks.

Yes.  Sort of.  But I feel the need to jump up and down and TYPE IN ALL
CAPS:

A firewall in particular that is attempting to limit connectivity to
that which the host has initiated takes it as granted that a host knows
what to do if it sees a SYN ACK or ACK for a 5-tuple that has never been
SYN'd.  That requires ZERO state to maintain AND it even works with
multihoming.  That stateless firewall is good enough for many MANY
people.  Anything stateful can be built atop that simple understanding. 
If SPUD duplicates those semantics for UDP, that will have taken us a
long way.

>
> Here’s a thought experiment. Three (wrong) assumptions: 1) Assume, for a second, that native protocols would have a 50% chance of passing on the Internet (I think that’s too optimistic, but that’s not the point here). 2) Assume that browsers could send out native protocols.  3) Assume that QUIC would be such a native protocol.
>
> Q: what would happen to the non-supportive paths?
>
> I think we would quickly see this 50% number grow - because there’s a customer need associated with QUIC. People want it because it makes their browsers faster, as simple as that! Plus, it will earn trust points over time because it’s only generated in user space, comes from browsers, comes from Google, has been wider and wider tested….
>
> Now, assume that QUIC would become a general-purpose carrier. All kinds of applications would start using it. Everything would be multiplexed over QUIC. What would middleboxes do? They would start looking deeper into QUIC, right? Same problem again!
>
> The point of this story: I think you can’t make a general-purpose carrier that “plays nice” and convinces middleboxes that all is fine. 

And yet we have proof of existence of just such a carrier: TCP

???

Eliot

v2.23.0 | Report a Bug | By Email