General list for discussing Bufferbloat
From: Dave Taht <dave.taht@gmail.com>
To: Bruce Atherton <bruce@callenish.com>
Cc: bloat <bloat@lists.bufferbloat.net>
Subject: Re: [Bloat] Testing Queue models
Date: Fri, 17 Feb 2012 14:22:55 +0000
Message-ID: <CAA93jw4jx8bwa1m2LQEQKGmAHHv-f+Sxq+Dj7vP5Bhtxu68eoA@mail.gmail.com>
In-Reply-To: <4F3B13B5.8080703@callenish.com>

On Wed, Feb 15, 2012 at 2:08 AM, Bruce Atherton <bruce@callenish.com> wrote:
>
>
> On 2/1/2012 12:46 PM, Dave Taht wrote:
>>
>> I don't have a whole lot of hope for classification. In fact, I'm kind of
>> upset that the move away from flash means we are seeing more video streams
>> on port 80, rather than on the macromedia port...
>
>
> It may be worse than that in the future. Now that Websockets is RFC6455 the
> nature of traffic on port 80 may change a lot. Roy Fielding was so concerned
> about it that he asked that a security note be added to the draft spec.

What we conventionally think about as the need for firewalling and
threat models is increasingly irrelevant, particularly with the advent
of new - and standardized, even! - tunneling models like this, as well
as devices that live on 3G and wireless at the same time, etc.

> No idea what that will mean for your efforts here.

Running the entire internet through port 80 and 443, and further,
tunneling new applications through that, rather than using specialized
and well defined protocols seems like the wrong thing.

I have a rant on this topic that amusingly dates to around the time
I'd got involved in the bufferbloat effort...

<rant>
http://nex-6.taht.net/posts/Beating_the_speed_of_light_on_the_web/
</rant>

It's something of a consequence of NAT, and may well be a wedge to try
and make IPv6 'more right'...

On my very backlogged 'round-to-it' list has been writing an xtables
module for multi-protocol matching, as the current methods for
matching protocols (at least in Linux) only support a single match,
and as you add protocols it becomes tedious, error-prone, and slow.

iptables -I INPUT -p tcp -j ACCEPT
iptables -I INPUT -p udp -j ACCEPT
iptables -I INPUT -p 41 -j ACCEPT
etc.

Better would be something that did a lookup against a 256-bit map:

ip6tables -I INPUT -m protocols --protocols \
  icmp,tcp,udp,igmp,rdp,dccp,rsvp,gre,esp,ah,ospf,ipip,pim,l2p,isis,sctp,udplite,manet,hip,shim6,wesp \
  -j ACCEPT

In the hope that this would improve end-to-end connectivity,
performance, and availability of new stuff in the general case as IPv6
is rolled out.

Regrettably I haven't got around to writing that bit, nor something
similar for diffserv....


-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
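
The 256-bit map lookup proposed in the message above, as an added userspace C example; it is not code from the post or from any existing xtables module. The names proto_set, proto_set_parse and proto_set_match are hypothetical, and the name table is a constructed subset of the IANA protocol numbers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* One bit per value of the 8-bit IP protocol / next-header field. */
struct proto_set { uint32_t bits[8]; };

/* Constructed subset of IANA protocol numbers, for illustration only. */
static const struct { const char *name; int num; } proto_names[] = {
    {"icmp", 1}, {"igmp", 2}, {"ipip", 4}, {"tcp", 6}, {"udp", 17}, {"dccp", 33},
    {"gre", 47}, {"esp", 50}, {"ah", 51}, {"ospf", 89}, {"sctp", 132}, {"udplite", 136},
};

/* Accept a known name or a decimal number 0..255; return -1 otherwise. */
static int proto_lookup(const char *tok)
{
    char *end;
    long n = strtol(tok, &end, 10);
    if (end != tok && *end == '\0')
        return (n >= 0 && n <= 255) ? (int)n : -1;
    for (size_t i = 0; i < sizeof(proto_names) / sizeof(proto_names[0]); i++)
        if (strcmp(tok, proto_names[i].name) == 0)
            return proto_names[i].num;
    return -1;
}

/* Parse "tcp,udp,41"; on any bad token leave the set empty (fail closed). */
int proto_set_parse(struct proto_set *s, const char *list)
{
    memset(s, 0, sizeof(*s));
    while (*list) {
        char tok[16];
        size_t len = strcspn(list, ",");
        int p = -1;
        if (len > 0 && len < sizeof(tok)) {
            memcpy(tok, list, len);
            tok[len] = '\0';
            p = proto_lookup(tok);
        }
        if (p < 0) { memset(s, 0, sizeof(*s)); return -1; }
        s->bits[p >> 5] |= UINT32_C(1) << (p & 31);
        list += len + (list[len] == ',');
    }
    return 0;
}

/* Per-packet check: one shift and mask, however many protocols are allowed. */
int proto_set_match(const struct proto_set *s, uint8_t proto)
{
    return (s->bits[proto >> 5] >> (proto & 31)) & 1;
}
```

A misspelled or out-of-range entry rejects the whole list and leaves the set empty, so a typo in the rule cannot silently widen what is accepted.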
