[e2e] Can we revive T/TCP ?
michael.welzl at uibk.ac.at
Sat Mar 25 03:14:54 PST 2006
Thanks for the many answers to my question - in particular,
of course, Bob's answer.
Let me explain what I had in mind when I asked about T/TCP.
I work on network improvements for the Grid - where people
invoke procedure calls using SOAP over HTTP, yet have an
interest in performance (I know that this is at odds :-) ).
The delay of these function calls (which is apparently the result
of SOAP processing more than anything else, but connection
setup can also take a while if nodes are very far from each other -
which, for instance, is true for some nodes in the EGEE Grid)
limits the parallelization granularity in Grids - reducing it would
be a real win in my opinion.
In a Grid, nodes are (or can be) authenticated. Using IPSec
is an option. There are lots of short function calls. So, I figured:
why is it necessary to set up connections at all before doing
Then, I thought, heck, this question was asked before :)
So I enquired about T/TCP.
However, for my idea, reasons (1) and (3)
> (1) There are very few situations in which single-packet exchanges
> are possible, so T/TCP is very seldom a significant performance
> improvement. But it does have significant complexity.
> (3) I have heard rumors that someone has found an error in the
> specific state transitions, of T/TCP although I have never seen
> the details.
don't apply, and Bob mentions IPSec in reason (2)
> (2) Since the server is asked to do a perhaps signficant computation
> before the 3WHS has completed, it is an open invitation to
> DoS attacks. (This would be OK if you could assume that all
> T/TCP clients were authenticated using IPsec,)
- exactly my thinking. So skipping the handshake would make sense
in such an environment, right?
To me, there's just one open question. When all nodes authenticate
themselves in a Grid, why don't they just set up and maintain TCP
connections to each other forever? The UTO draft could help here.
I've been told (by Grid people) that this is completely impossible
because it's a big security problem. I fail to see why, and nobody
ever explained it to me.
I'd be thankful for your comments, and an answer to this open
question in particular (remember, we're considering long lasting
TCP connections in an authenticated environment, let's say
with IPSec - then, why can this be a problem?).
More information about the end2end-interest