multipath tcp now in production use for linux based mobile devices
So, obviously, MPTCP can cause problems with Stateful Firewalls (as in asymmetric routing, out of state packets, etc.). Cisco's take on how to deal with MPTCP is just as interesting as MPTCP itself is.

http://www.cisco.com/c/en/us/support/docs/ip/transmission-control-protocol-t...

Yep, for regular ASAs they advise you to let everything with option 30 set in the header have a free pass to your network (turn off NOOP replacement of option 30 in TCP headers via a tcp-map)... and btw, turn off packet inspection. For ASA-X "next generation" firewalls with modern code levels, this behavior seems to be default, although it looks like you can have your packet inspection as well.

--p

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Colin Johnston
Sent: Saturday, August 01, 2015 1:45 AM
To: nanog@nanog.org list
Subject: [EXTERNAL]multipath tcp now in production use for linux based mobile devices

http://blog.multipath-tcp.org/blog/html/2015/07/24/korea.html
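To make the option-30 discussion concrete, here is a small added example (not from the thread, Cisco, or the MPTCP project) that parses a TCP options field, reports which MPTCP subtypes are present, and shows what replacing option 30 with NOPs does to the packet; the SYN option bytes are constructed.

```python
# TCP option kind 30 is MPTCP (RFC 6824); the subtype is the high nibble of the first data byte.
MPTCP_KIND = 30
MPTCP_SUBTYPES = {0x0: "MP_CAPABLE", 0x1: "MP_JOIN", 0x2: "DSS", 0x3: "ADD_ADDR",
                  0x4: "REMOVE_ADDR", 0x5: "MP_PRIO", 0x6: "MP_FAIL", 0x7: "MP_FASTCLOSE"}

def parse_tcp_options(raw):
    """Walk a TCP options field and return a list of (kind, data) tuples."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: nothing after it is an option
            break
        if kind == 1:                      # NOP: one byte, no length field
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts

def mptcp_subtypes(raw):
    """Names of the MPTCP subtypes carried in the options, e.g. ['MP_CAPABLE'] on a SYN."""
    return [MPTCP_SUBTYPES.get(data[0] >> 4, "UNKNOWN")
            for kind, data in parse_tcp_options(raw) if kind == MPTCP_KIND and data]

def nop_out_mptcp(raw):
    """Overwrite every option-30 TLV with NOPs (kind 1), keeping the field length and thus the
    TCP data offset unchanged. Models the replacement the thread describes, not vendor code."""
    parse_tcp_options(raw)                 # reject malformed input before rewriting
    out, i = bytearray(raw), 0
    while i < len(out) and out[i] != 0:
        if out[i] == 1:
            i += 1
            continue
        length = out[i + 1]
        if out[i] == MPTCP_KIND:
            out[i:i + length] = b"\x01" * length
        i += length
    return bytes(out)

# Constructed SYN options (20 bytes): MSS 1460, MP_CAPABLE (kind 30, len 12, version 0,
# flags 0x81, 8-byte sender key), NOP, NOP, SACK-permitted.
SAMPLE_SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x1e\x0c\x00\x81\x11\x22\x33\x44\x55\x66\x77\x88"
                      + b"\x01\x01\x04\x02")
```

Run against a capture, `mptcp_subtypes` tells you whether a flow is negotiating MPTCP at all, which is the first thing to check before deciding how a firewall should treat it.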
"Darden, Patrick" <Patrick.Darden@p66.com> writes:
> So, obviously, MPTCP can cause problems with Stateful Firewalls (as in asymmetric routing, out of state packets, etc.). Cisco's take on how to deal with MPTCP is just as interesting as MPTCP itself is. ...
It's not so much the statefulness of the firewall that's the problem, it's that if the firewall wants to work at higher layers than TCP, in particular at the TLS layer, it can't because it doesn't have all the data. Operators should probably consider that if they block or disable MPTCP, the device using it might decide that network is broken or not currently available to it for that service, and prefer its other interface bypassing the firewall entirely.