[e2e] Can we revive T/TCP ?

Michael Welzl michael.welzl at uibk.ac.at
Mon Mar 27 07:39:24 PST 2006


> > Let me explain what I had in mind when I asked about T/TCP.
> > I work on network improvements for the Grid - where people
> > invoke procedure calls using SOAP over HTTP, yet have an
> > interest in performance  (I know that this is at odds  :-)  ).
> > The delay of these function calls (which is apparently the result
> > of SOAP processing more than anything else, but connection
> > setup can also take a while if nodes are very far from each other -
> > which, for instance, is true for some nodes in the EGEE Grid)
> > limits the parallelization granularity in Grids - reducing it would
> > be a real win in my opinion.
> 
> If that's the case, it would be useful to reexamine the whole of the
> stack that's causing the problem, rather than trying to fix it at the
> most ubiquitous and otherwise stable (for the rest of the Internet) layer.

I agree about that, and I'm also going in this direction
(hence my older (sigh, I just checked - that was in December...
my personal research is surely moving sloooowly these
days   :-(    ) question about SOAP and persistent
connections).

But it seems to me that some things just can't be solved
on top, and so I started questioning the usefulness of
connection setup in authenticated environments. But I'm
also questioning the problem with long-lasting connections
in such environments... I don't see a problem, but I'm not
a security expert, and the fact that nobody has spoken up
saying "sure, the problem is..." gives me some confidence.


> > In a Grid, nodes are (or can be) authenticated. Using IPSec
> > is an option. There are lots of short function calls. So, I figured:
> > why is it necessary to set up connections at all before doing
> > the call?
> 
> IPsec sets up security associations between endpoints, not connections.

I know - doesn't matter here, does it?


> The larger issue is that you have multiple layers of connections that
> are working against - rather than with - each other.

Indeed!


> If you're doing short function calls, then why do you need TCP? If you
> want congestion control, have you considered DCCP? Or SCTP?

We want reliability, so TCP or SCTP would be our protocols of
choice. I don't see much benefit in SCTP's features for our
scenario (but I'd be thankful for inspirational comments in
this direction  :)  ).


> > - exactly my thinking. So skipping the handshake would make sense
> > in such an environment, right?
> 
> So would skipping shared state on a per-exchange basis. ;-)

What do you mean? Sounds like a hint in the right direction,
but I can't solve the puzzle behind your words...


> > To me, there's just one open question. When all nodes authenticate
> > themselves in a Grid, why don't they just set up and maintain TCP
> > connections to each other forever? The UTO draft could help here.
> > 
> > I've been told (by Grid people) that this is completely impossible
> > because it's a big security problem. I fail to see why, and nobody
> > ever explained it to me.
> 
> If they use IPsec, it'd be useful to understand the security problem
> that persistent TCP connections present.

This was a comment from an anonymous paper review, so I can't
ask back  :)   and the reviewer might not have thought of IPsec,
but using it is surely an option in Grids. Maybe it was just
a misunderstanding - me considering a Grid with, and her/him
considering a Grid without IPsec.

Cheers,
Michael