On Mon, Sep 18, 2017 at 6:39 PM, Yoshifumi Nishida
<[email protected]> wrote:
> Hi Tom,
>
> On Mon, Sep 18, 2017 at 1:43 PM, Tom Herbert <[email protected]> wrote:
>>
>> On Mon, Sep 18, 2017 at 1:06 PM, Yoshifumi Nishida
>> <[email protected]> wrote:
>> > Hi Tom,
>> >
>> > Only a few companies can control both client and server sides.
>> > However, ISPs might be able to control the STB at the client side and
>> > the
>> > middleboxes in their networks.
>> > This may be a relatively easy way to deploy MPTCP technology rather than
>> > updating clients or servers.
>>
>> Yoshi,
>>
>> I think you're focusing too much on the benefits of this solution and
>> not considering the cost. We've seen time and time again that when
>> middleboxes get involved in transport layer operations they break the
>> end to end nature of TCP and that leads to problems. Middlebox
>> involvement in TCP is one of the major sources of protocol ossification
>> on the Internet. MPTCP is just one feature of TCP that we might want
>> to deploy; there are many others. If this solution hampers use and
>> deployment of those, then I don't believe this is a reasonable
>> tradeoff regardless of what the benefits are.
>
>
> You might be right that I focus on the benefits too much.
> But, I personally don't think all middleboxes are bad. I think these
> ossifications are mainly caused by poorly designed middleboxes.
> If we can do things correctly, I think a middlebox might be able to
> intervene only when it can be beneficial otherwise stays away to not harm
> anything.
> I guess you don't want to throw away all load balancers, IDSs, firewalls
> from the Internet because they ossify protocols in some cases.

It's a bit off topic, but, yes, I do want to eliminate these from the
Internet. It's not just because of protocol ossification or their
breaking of the end to end model (particularly for security). I
believe they're becoming largely obsolete. Stateless load balancing
and ECMP can be accomplished without DPI by including the IPv6 flow
label in a hash. The perimeter stateful firewall model is not relevant
for cloud and multi-tenant environments, and without IDS they don't
give users much protection for modern threats. IDS on application
layer protocols is great except for the fact that it's pretty much
rendered useless in the presence of payload encryption (i.e. TLS).
Besides that, I think we're going to see more protocols like QUIC that
purposely hide transport layer information from the network and
hopefully more use of transport mode encryption for TCP to accomplish
the same effect. The services that these devices provide (packet
filtering, IDS, etc.) are still needed, but I believe we can get these
without needing middleboxes in the data path and without breaking the
end to end model or end to end security.

Tom

> --
> Yoshi
>
>
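Tom's point about stateless ECMP/load balancing keyed on the IPv6 flow label, as an added example that is not part of this thread: it hashes (src, dst, flow label) straight from the fixed IPv6 header and contrasts that with a 5-tuple hash that must parse the transport header and has nothing to key on once that header is hidden (here behind ESP). Addresses, flow label values and packets are constructed, and `hashlib.sha256` stands in for whatever hash a real device uses.

```python
import hashlib
import struct

def parse_ipv6_header(pkt: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 header into the fields used for hashing."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, _payload_len, next_hdr, _hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "src": pkt[8:24],
        "dst": pkt[24:40],
        "flow_label": ver_tc_fl & 0xFFFFF,   # low 20 bits of the first word
        "next_header": next_hdr,
        "payload": pkt[40:],
    }

def flow_label_hash(pkt: bytes, buckets: int) -> int:
    """Stateless bucket from (src, dst, flow label): no transport parsing needed."""
    h = parse_ipv6_header(pkt)
    key = h["src"] + h["dst"] + h["flow_label"].to_bytes(3, "big")
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % buckets

def five_tuple_hash(pkt: bytes, buckets: int):
    """Classic 5-tuple bucket; needs readable TCP(6)/UDP(17) ports.
    Returns None when the ports are not visible (e.g. ESP, next header 50)."""
    h = parse_ipv6_header(pkt)
    if h["next_header"] not in (6, 17) or len(h["payload"]) < 4:
        return None
    ports = h["payload"][:4]                 # source and destination port
    key = h["src"] + h["dst"] + bytes([h["next_header"]]) + ports
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % buckets

def build_ipv6(src: bytes, dst: bytes, flow_label: int, next_header: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 packet (constructed test data, hop limit 64)."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first_word, len(payload), next_header, 64) + src + dst + payload

# Constructed sample flow (documentation prefix 2001:db8::/32), two packets:
# one with a visible TCP header, one carrying ESP so the ports are hidden.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
FLOW = 0x1A2B3
TCP_PKT = build_ipv6(SRC, DST, FLOW, 6, struct.pack("!HH", 51515, 443) + b"\x00" * 16)
ESP_PKT = build_ipv6(SRC, DST, FLOW, 50, b"\x00" * 24)

if __name__ == "__main__":
    print("flow-label buckets:", flow_label_hash(TCP_PKT, 16), flow_label_hash(ESP_PKT, 16))
    print("5-tuple buckets:  ", five_tuple_hash(TCP_PKT, 16), five_tuple_hash(ESP_PKT, 16))
```

Both packets of the flow land in the same bucket under the flow-label hash, while the 5-tuple hash only works for the packet whose transport header it can read.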
