Matthäus Wander wrote:
> * Paul Vixie [7/5/2014 7:47 PM]:
>> Matthäus Wander wrote:
>>> DTLS works on top of UDP (among others) and thus can pass CPE devices.
>> no, it cannot. DTLS does not look like something that the CPE was programmed
>> to accept; thus in many cases it is silently dropped.
>>
>
> DTLS can be used on top of UDP. CPE devices allow outgoing UDP sessions
> to arbitrary ports. If they didn't, many online games and VoIP
> applications would not work.

it's possible to find single counter examples to almost any assertion.
however, consider RFC 2671 (EDNS), published fifteen years ago. because
it changes the format of a UDP/53 datagram, there is silent loss across
most CPE boundaries. implementers of EDNS have had to investigate and
deploy about a dozen different fallback strategies since then, not to
make EDNS work, but to make it fail reliably enough so that normal
non-EDNS can be tried. since DNSSEC relies on EDNS0, this is a real
problem. to the extent that it's gotten any better it's because someone
changed this CPE logic:

    if (normal dns packet)
        intercept it and answer inappropriately, 30% of the time;
        let it get where it's going, 70% of the time;
    else
        drop;

to this:

    if (normal dns packet)
        intercept it and answer inappropriately, 30% of the time;
        let it get where it's going, 70% of the time;
    else if (normal edns packet)
        intercept it and answer inappropriately, 30% of the time;
        let it get where it's going, 70% of the time;
    else
        drop;

in other words what fixes have been made have been EDNS specific, where
the real fix is:

    if (packet addressed to you)
        handle it or send ICMP;
    else
        let it get where it's going;

that fix is not going into the O(10^9) CPE devices now in place, ever.

if we can't get this right for EDNS in 15 years, my bet is that another
15 (or 150) years of trying won't produce better results. in fact, by
jim gettys and dave taht i've been made to understand that the world's
CPE problem is much worse than i knew. we might be able to fix it for
the next billion devices some day, but the devices shipping today are
still crippled.

incentives are such that a CPE provider hopes to sell web access, not
internet access.

your counter-example of DNS gaming does not change the treatment now
accorded UDP/53 at the internet edge. if you seriously think that a DTLS
solution can be universally deployed, including in hotel rooms, home CPE
environments, coffee shops, and mobile, then you and i are having a
"same planet, different worlds" experience, and i wish you well on your
walk.

vixie

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
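The fallback behaviour the mail describes (EDNS queries silently lost at the CPE, so the resolver must notice the loss and retry as plain DNS), as an added example that is not part of the original message and is not the code of any real resolver or CPE vendor. The Python below builds a DNS A query with and without an RFC 2671 OPT record, pushes it through a toy `DroppingCpe` modelled on the "else drop" branch of the pseudocode above (it assumes the box drops any packet carrying an OPT RR), and shows a stub resolver falling back to a non-EDNS query after timeouts. `fake_upstream`, `DroppingCpe`, `resolve_with_fallback` and the 192.0.2.1 answer are constructed for this illustration.

```python
"""Toy model of the EDNS-through-CPE problem: constructed example, not any
real resolver or CPE code. A query with an EDNS0 OPT record is silently
dropped by the simulated CPE; the resolver detects the timeouts and retries
as a plain non-EDNS query, which is the fallback the mail describes."""
import struct

QTYPE_A = 1
QTYPE_OPT = 41
QCLASS_IN = 1
FLAG_RD = 0x0100
FLAG_QR = 0x8000


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def skip_name(pkt: bytes, pos: int) -> int:
    """Return the offset just past the name at pos (handles compression pointers)."""
    while True:
        length = pkt[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return pos + 2
        pos += 1 + length


def build_query(name: str, txid: int, edns: bool, bufsize: int = 4096) -> bytes:
    """Build a recursive A query; with edns=True append the EDNS0 OPT pseudo-RR."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = requester's UDP payload size,
        # TTL = extended RCODE/version/flags (all zero here), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, bufsize, 0, 0)
    return pkt


def has_opt_record(pkt: bytes) -> bool:
    """True if any RR after the question section is an OPT record."""
    if len(pkt) < 12:
        return False
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(pkt, pos) + 4
    for _ in range(an + ns + ar):
        pos = skip_name(pkt, pos)
        if pos + 10 > len(pkt):
            return False
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        if rtype == QTYPE_OPT:
            return True
        pos += 10 + rdlen
    return False


def parse_first_a(resp: bytes):
    """Return the dotted quad of the first A record in the answer section, or None."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == QTYPE_A and rdlen == 4:
            return ".".join(str(b) for b in resp[pos:pos + 4])
        pos += rdlen
    return None


def fake_upstream(pkt: bytes) -> bytes:
    """Constructed answer: echo header and question, add one A RR -> 192.0.2.1."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    qend = skip_name(pkt, 12) + 4
    header = struct.pack("!HHHHHH", txid, flags | FLAG_QR, qd, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + pkt[12:qend] + answer


class DroppingCpe:
    """The CPE logic from the mail: a packet it does not recognise as a normal
    DNS packet is dropped silently, so the sender sees nothing but a timeout."""

    def __init__(self, upstream, accepts_edns: bool = False):
        self.upstream = upstream
        self.accepts_edns = accepts_edns
        self.dropped = 0

    def send(self, pkt: bytes):
        if has_opt_record(pkt) and not self.accepts_edns:
            self.dropped += 1
            return None            # silent loss: no ICMP, no FORMERR
        return self.upstream(pkt)


def resolve_with_fallback(name: str, send, edns_retries: int = 2):
    """Try EDNS first; after edns_retries timeouts retry once as plain DNS.
    Returns (response_or_None, used_edns, attempts)."""
    attempts = 0
    for edns, tries in ((True, edns_retries), (False, 1)):
        for _ in range(tries):
            attempts += 1
            resp = send(build_query(name, txid=0x1234, edns=edns))
            if resp is not None:
                return resp, edns, attempts
    return None, False, attempts


if __name__ == "__main__":
    cpe = DroppingCpe(fake_upstream)
    resp, used_edns, attempts = resolve_with_fallback("example.com", cpe.send)
    print(f"edns={used_edns} attempts={attempts} dropped={cpe.dropped} a={parse_first_a(resp)}")
```

The point the toy makes is the one in the mail: because the loss is silent, the only signal the resolver gets is elapsed time, so every EDNS retry costs a full timeout before the plain query is even tried, and a resolver that never falls back simply never gets an answer through that box.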