IETF Logo Mail Archive

Re: [BEHAVE] NAT64: clarification on RST handling in V6 FIN RCV state

Wesley Eddy <wes@mti-systems.com> Sat, 10 March 2012 05:14 UTC

Return-Path: <wes@mti-systems.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA28611E8076 for <behave@ietfa.amsl.com>; Fri, 9 Mar 2012 21:14:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVMYakwxhGhD for <behave@ietfa.amsl.com>; Fri, 9 Mar 2012 21:14:31 -0800 (PST)
Received: from omr6.networksolutionsemail.com (omr6.networksolutionsemail.com [205.178.146.56]) by ietfa.amsl.com (Postfix) with ESMTP id 4E65911E8073 for <behave@ietf.org>; Fri, 9 Mar 2012 21:14:31 -0800 (PST)
Received: from cm-omr2 (mail.networksolutionsemail.com [205.178.146.50]) by omr6.networksolutionsemail.com (8.13.6/8.13.6) with ESMTP id q2A5EUqX030464 for <behave@ietf.org>; Sat, 10 Mar 2012 00:14:30 -0500
Authentication-Results: cm-omr2 smtp.user=wes@mti-systems.com; auth=pass (PLAIN)
X-Authenticated-UID: wes@mti-systems.com
Received: from [69.81.143.202] ([69.81.143.202:10692] helo=[192.168.1.106]) by cm-omr2 (envelope-from <wes@mti-systems.com>) (ecelerity 2.2.2.41 r(31179/31189)) with ESMTPA id 9F/A7-09323-633EA5F4; Sat, 10 Mar 2012 00:14:30 -0500
Message-ID: <4F5AE2D9.1060100@mti-systems.com>
Date: Sat, 10 Mar 2012 00:12:57 -0500
From: Wesley Eddy <wes@mti-systems.com>
Organization: MTI Systems
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: Fred Baker <fred@cisco.com>
References: <EF5EF2B13ED09B4F871D9A0DBCA463C21C2CC1F6@TK5EX14MBXC298.redmond.corp.microsoft.com> <4F585585.9000706@it.uc3m.es> <A89221DA-7F68-4EB2-AA7E-17DA3732937C@cisco.com> <4F599E5C.5090500@mti-systems.com> <F4CB9073-4671-496B-BBAB-048FFB14387D@cisco.com>
In-Reply-To: <F4CB9073-4671-496B-BBAB-048FFB14387D@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Murari Sridharan <muraris@microsoft.com>, "behave@ietf.org" <behave@ietf.org>, Dmitry Anipko <Dmitry.Anipko@microsoft.com>
Subject: Re: [BEHAVE] NAT64: clarification on RST handling in V6 FIN RCV state
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Mar 2012 05:14:32 -0000

On 3/9/2012 1:44 AM, Fred Baker wrote:
> 
> On Mar 9, 2012, at 3:08 PM, Wesley Eddy wrote:
> 
>> On 3/8/2012 5:47 AM, Fred Baker wrote:
>>> I didn't find a FIN (F without Ack) in any of the examples.
>>
>> Since FIN is set on packets coming from a synchronized state,
>> I'm not sure why you would expect to find a bare one without
>> ACK set as well?  
> 
> You missed it. The sequence is FIN, FIN-ACK, ACK. 
> 
> http://tools.ietf.org/html/rfc793, and look at the transitions 
> 	SYN RCVD -> FIN-WAIT-1
> 	ESTAB    -> FIN-WAIT-1
>         ESTAB    -> CLOSE WAIT
> 
> What's there is FIN-ACK, RST. No FIN. I could understand FIN, FIN-ACK, RST (the guy sends FIN and closes the socket instantly), whether or not I agree with it. No FIN - I'm trying to figure out why there was a FIN-ACK.
> 

When you say "FIN-ACK", I think you're confusing a packet
having those two bits set with a packet that ACKs the FIN
psuedobyte.  All FINs should have the ACK bit set; a bare
FIN would be bogus.

Just looking at one of the trace files you sent
("10.71.5.180.60357.txt"), the beginning of the connection
closure process begins at the line with the timestamp of
06:35:47.021523, which I assume is a TLS closure alert.
That's followed by the TCP FIN at subsecond 021552.  I'm
not sure why you say there is no FIN.  Of course the ACK
bit is set ... the connection is in a synchronized state
and it has to be set for the segment to be accepted.

At this point, I think your machine tosses the connection
state.

When mail.ietf.org sends back its own TLS closure alert
and TCP FIN, logged at subseconds 088808 and 088813.
Those generate RSTs, since you've already released the
connection.  Before the server sees those, it also
ACKs your TLS closure alert (subsecond 139113) and then it
gives you the FIN's ACK (subsecond 140386), both of which
also generate RSTs.

So, I'm not sure what you find unusual here.  It looks
fairly normal to me.

-- 
Wes Eddy
MTI Systems

v2.23.0 | Report a Bug | By Email