Re: [dtn] Martin Duke's Discuss on draft-ietf-dtn-tcpclv4-22: (with DISCUSS and COMMENT)

Martin Duke <martin.h.duke@gmail.com> Mon, 09 November 2020 22:30 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EE7F3A0EF6; Mon, 9 Nov 2020 14:30:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6dj1FKg6bmyb; Mon, 9 Nov 2020 14:30:48 -0800 (PST)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A96FB3A0EAA; Mon, 9 Nov 2020 14:30:48 -0800 (PST)
Received: by mail-io1-xd29.google.com with SMTP id s10so11578473ioe.1; Mon, 09 Nov 2020 14:30:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SOhBopHbY3NVqL80p4A7RHUOl9gPiBuMmQ7SjfncsTU=; b=joBjQnToi61VpZndkE+ZdWSEBuSkR9J0Vgbuwy+uMwT2WeXDzM/CCtyS+E8RquYxY2 107wVIb1o1SrnpIj/4wqTjXnTbbuTKhIfBaJ3Cu7oABXh4YM8Pq3VilzZil2tWYFRp0r EQLtvcDYbHXlpsRLI0sWF/AEVc+3lNpXSWA04DIt18XOmeMu/ZkXdhbYDGrj1Vk8bnfv WLN3csjUXv6e89TloEi+VuJyhglZWwT2Bx2V6TfpfsqgATJJUN/qCzMszQKDPayLTX5U 9e9Ig6jjNFQHHpQxPWNmszpveVneDJOfVGkuo4OT9rKVwTEkFGrCJ/5OEvm0hRVoyRxq H81A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SOhBopHbY3NVqL80p4A7RHUOl9gPiBuMmQ7SjfncsTU=; b=ZXnl3aSCjaIlxOE8R8eN9BEnGpsqmbsiUYHIRx6gAs+LqC9Nw1Zwe7Rp3jqvWDZ6Kz wgg3nhTOrRBJnAlG3Hcwin1E1kbvYu5fQbbalI1dj9t9FVcMhgZU4hCXtH7byR8rm52U xdGbu83x73o3bKEB0GpXQ6rQQpOnPNoMZQMlYzT8yvB8JnvFJOQqT8SBZ5lLUZDBC63Q Q69ADfuG1ReDW0FCLHfO/hYXzgtphMK94cZ24FX2nBD1m78MZQbZxsXLc2CM0MB+L3kZ s4XGggrk3dn0f3Fi3ToyfovVbNZPD0fBuzxO6zrOO/mNUkRSUB9q33XDpi6ejvPUsUi2 SXJQ==
X-Gm-Message-State: AOAM530MZEnZf3k/DBOOqJLEx0ZtxIO1BsF1CCq/fmk28TRs6368H+Xa CtRAadxgItpKvoYqap42SaE7hz/maX1tgZ5AV4A=
X-Google-Smtp-Source: ABdhPJzrfHLIedHFjTATX0Ogq8nWEZDrY1gsjNYNiO2yJw/vEMIlF0xN2fiqfmSIuzZ0sX8acmL9vLLmaflkEmoqjok=
X-Received: by 2002:a6b:7f44:: with SMTP id m4mr11481780ioq.19.1604961047940; Mon, 09 Nov 2020 14:30:47 -0800 (PST)
MIME-Version: 1.0
References: <160479610567.30934.2651041608307943087@ietfa.amsl.com> <d7b8cefdb52977bfbb99bf2608083a2f281dc807.camel@rkf-eng.com>
In-Reply-To: <d7b8cefdb52977bfbb99bf2608083a2f281dc807.camel@rkf-eng.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 9 Nov 2020 14:30:37 -0800
Message-ID: <CAM4esxTNouowAR_f6_WaGC7FfVabDPGjbVGjEgd4rWbBqUixYw@mail.gmail.com>
To: Brian Sipos <BSipos@rkf-eng.com>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "dtn-chairs@ietf.org" <dtn-chairs@ietf.org>, "draft-ietf-dtn-tcpclv4@ietf.org" <draft-ietf-dtn-tcpclv4@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>, "edward.birrane@jhuapl.edu" <edward.birrane@jhuapl.edu>
Content-Type: multipart/alternative; boundary="00000000000024126405b3b41d50"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/MNuJTlwq85QLzqWwAUWtYXH2dJ0>
Subject: Re: [dtn] Martin Duke's Discuss on draft-ietf-dtn-tcpclv4-22: (with DISCUSS and COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2020 22:30:51 -0000

Hi Brian,

On Sun, Nov 8, 2020 at 5:49 PM Brian Sipos <BSipos@rkf-eng.com> wrote:

> Martin,
> My responses are in-line below with prefix "BS1".
>
> >
> > First of all, "failure of the transfer" is ambiguous because there
> > may be two
> > transfers going on, one in each direction.
> >
> BS1: This phrasing is a bit unclear because the statement applies to
> the transfer itself. Instead of "a transmitting node" it should be "a
> node transmitting a transfer" so the subject of the statement becomes
> the outgoing transfer.
>

Yes, that would help.


>
> > Second, I would like further clarity on what it means that nodes
> > "SHALL"
> > consider it "a failure of the transfer". What is actionable if it's a
> > failure?
> > If nothing is actionable, it shouldn't be a SHALL. Does this mean
> > that in
> > subsequent sessions I must resend the whole bundle?
> >
> BS1: There are requirements about how a CLA interacts with its
> overlaying BPA, and this requirement applies to what will be indicated
> to the BPA about the formerly-in-progress transfer. Section 3.1
> explains that CLA--BPA interface.


This reply makes sense. Perhaps a reference to Sec 3.1 would help?


>
> > Can you list some reasons why an endpoint would choose to close
> > uncleanly? Some
> > motivation might provide helpful context.
> >
> BS1: The motivation here is that there are some reasons why the CLA
> will know that it's about to lose connectivity and send a positive
> indication of "I'm about to go away and cannot finish a transfer (in
> either direction)" instead of waiting (potentially a long time) for a
> CLA timeout or a TCP timeout. For example, a low battery starting into
> a power saving mode and stopping a data link. This is as opposed to a
> clean termination, which is not time-critical and more of a "I don't
> want to start any more transfers, so don't attempt any new ones."
>

Thanks. Maybe add a sentence about this? "For instance, an endpoint may
know it's about to lose connectivity and request abrupt termination rather
than forcing a timeout."


>
> > Moreover the "sending or receiving" bit is confusing.
> > - So one option is that I'm a session that has decided to do an
> > unclean
> > termination rather than a clean one. So I send SESS_TERM and then
> > close (FIN?
> > RST?) the TCP connection. So if it's a FIN, I might very well get the
> > last
> > XFER_ACK.  If I RST or don't get that ACK, then I do think it's clear
> > that the
> > transfer is a failure, whatever that means.
> >
> BS1: I can add a top-level requirement that closing a TCP connection
> always means using a FIN.
>

Thanks.


>
> > - But as a receiver, how do I know that the termination is unclean?
> > Have I made
> > an independent decision to close uncleanly? Am I to take the receipt
> > of a
> > SESS_TERM without my having sent XFER_ACK as an unclean close? If I
> > sent
> > XFER_ACK, how do I know that the sender sent it? And what does it
> > mean, as a
> > receiver, that the transfer "failed" if I have all the data?
> >
> BS1: Some of these requirements may be trying to overspecify behavior
> and just get confusing. There is always the potential for the TCP
> connection to close for some other reason outside the CLA's control.
> Maybe a better set of requirements is to mention that a peer MAY close
> the connection before a transfer is finished, and that a closed
> connection before receiving the final XFER_ACK SHALL be treated as a
> failed transfer (even outside of an unclean termination, because at
> that point there is no possibility of ever receving that final ACK).
>

I think that would be an improvement

Some clearer description of when an endpoint TCPCL should send close to its
TCP, given receipt of a SESS_TERM and FIN, would be helpful. For most
SESS_TERMs, I don't want to send FIN until I have both completed any
in-progress transmission, and have XFER_ACKed all incoming segments. In the
unclean case I probably want to send a FIN more or less immediately to
avoid a timeout, I think (?), and some guidance on how to distinguish these
cases would make this clearer.


> >
> > ---------------------------------------------------------------------
> > -
> > COMMENT:
> > ---------------------------------------------------------------------
> > -
> >
> > Thanks for this document. I have numerous minor concerns:
> >
> > Sec 4.3. "the TCP connection SHALL be closed." Can you clarify if
> > this is a
> > clean close (FIN) or abort (RST)? In fact, if you always mean FIN, it
> > might be
> > good to clarify that in the terminology section to indicate that
> > there are no
> > RSTs anywhere.
> >
> BS1: as mentioned above, I will add a requirement that FIN is the
> correct method.
>

Thanks


>
> > Sec 4.3. VERSION_MISMATCH would benefit from being split into
> > VERSION_TOO_HIGH
> > and VERSION_TOO_LOW. For example, if the passive is at v4 only and
> > the active
> > supports v1, v2, and v3, it will take three tries to figure out that
> > there is
> > no way for these nodes to communicate. Even better would be a QUIC-
> > style
> > Version Negotiation message that would communicate the options in 1
> > RTT.
> >
> BS1: This had been discussed in the WG somewhat and this is a carry-
> over from the behavior of the TCPCLv3.
> The current requirements on the actie entity are to start at the
> highest supported version and on the passive entity are to begin
> TLS/session negotiation on *any* acceptable TCPCL version, which
> assumes that a later version will be more acceptable to an arbitrary
> passive entity.
> Adding a "supported versions set" to the Contact Header is possible,
> but there needs to be WG discussion on whether this is a worthwile late
> addition.
>

If it's routine for a node that supports v4 to also support earlier
versions, than I agree there is no serious problem here.


>
> > There are few items that seem to be artifacts of TLS happening after
> > session
> > negotiation in v3:
> >
> > Sec 4.4.3. "If certificate validation
> >    fails or if security policy disallows a certificate for any
> > reason,
> >    the entity SHALL terminate the session"
> >
> > I don't understand this; certificate validation generally occurs
> > during the TLS
> > handshake, where there is no session?
> >
> BS1: There is a bit of gray area when the TLS handshake is involved,
> because it can either succeed or fail but after the handshake it is
> possible to send TCPCL messages regardless of handshake success. I
> suppose that if the TLS stack fails within the TLS handshake that there
> will be a TLS-level message indicating this fact and the TCPCL-level
> message is redundant. Using the SESS_TERM regardless of whether the TLS
> stack rejected the handshake or the CLA rejected the peer certificate
> guarantees that there is some over-the-wire indication of what went
> wrong (as opposed to the connection just being closed after a seemingly
> valid TLS handshake).
>

I am uneasy about this response. The TLS alert mechanism can already signal
the peer when there is a problem with the handshake. However, many TLS
stacks deliberately obscure the precise reason for handshake failure to
avoid attacker analysis. This text treats cert validation as something
outside the handshake, which I don't believe is correct.


>
> > Sec 4.4.3
> > "the active
> >    entity SHALL authenticate the DNS name (of the passive entity)
> > used
> >    to initiate the TCP connection"
> > s/TCP Connection/TLS session. TCP connections don't consider DNS at
> > all.
> >
> BS1: This may be a phrasing issue, maybe instead:
>    Either during or immediately after the TLS handshake if the active
>    entity resolved a DNS name (of the passive entity) in order to
>    initiate the TCP connection, the active
>    entity SHALL authenticate that DNS name using any DNS-ID of the peer
>    certificate.
>

LGTM.


>
> > Sec 4.5.
> > "After the initial exchange of a Contact Header, all messages
> >    transmitted over the session are identified by a one-octet header
> >    with the following structure:"
> >
> > Obviously, TLS handshake messages are after the Contact Header and
> > are not
> > prepended by these headers. Perhaps this is an artifact from v3?
> >
> BS1: This is an artifact, it should be clarified as:
>     After the initial exchange of a Contact Header and any TLS
>     handshake exchanges, ...
>

LGTM


>
> > Sec 4.7
> > "Once this process of parameter negotiation is completed (which
> >    includes a possible completed TLS handshake of the connection to
> > use
> >    TLS),"
> >
> > The TLS handshake occurs before parameter negotiation.
> >
> BS1: This is a vestigal behavior and needs to be rephrased to remove
> that parenthetical.
>

Yep


>
> > Sec 5.2.4 I find it odd that each CL would have its own set of reason
> > codes
> > that it will simply pass to the bundle layer. Far better for it to be
> > a common
> > set of CL-agnostic errors that the bundle layer implements, as they
> > literally
> > do not matter to the CL at all.
> >
> BS1: There had been earlier WG discussion about a standardized CLA--BPA
> interface and nomenclature, but the CLA capabilities are incredibly
> link-layer dependent and not at all consistent, especially ways in
> which a transfer can fail (some link layers are even unidirectional and
> don't provide any feedback at all to the CLA).
> This could be discussed in the WG to see if the consensus has evolved
> in any way in the meanwhile.
>
>
OK, I don't think it's necessary to revisit consensus on this.