IETF Logo Mail Archive

Re: [Int-area] [multipathtcp] SOCKS 6 Draft

Joe Touch <touch@isi.edu> Thu, 20 July 2017 00:41 UTC

Return-Path: <touch@isi.edu>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93A9A129A9C; Wed, 19 Jul 2017 17:41:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bzfszydj9qyR; Wed, 19 Jul 2017 17:41:19 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF46B126E64; Wed, 19 Jul 2017 17:41:19 -0700 (PDT)
Received: from [192.168.1.189] (cpe-172-250-240-132.socal.res.rr.com [172.250.240.132]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id v6K0em49021035 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Jul 2017 17:40:49 -0700 (PDT)
To: Vladimir Olteanu <vladimir.olteanu@cs.pub.ro>, Dragoș Niculescu <dragos.niculescu@cs.pub.ro>
Cc: mohamed boucadair <mohamed.boucadair@orange.com>, David Schinazi <dschinazi@apple.com>, multipathtcp <multipathtcp@ietf.org>, int-area <Int-area@ietf.org>
References: <149871247634.6490.5928844232347189122.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93300A000764@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <b33e4726-f255-75f7-5203-9e30faa36659@cs.pub.ro> <787AE7BB302AE849A7480A190F8B93300A000D16@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <a922a59f-2670-8d50-f3c5-99e1c29848ca@cs.pub.ro> <ec8cae81-dbeb-ed92-33ca-678bb2b5efeb@isi.edu> <1459306318.3890958.1499330475778.JavaMail.zimbra@cs.pub.ro> <c15031f3-95cf-d341-2ddb-0b3850a74d76@isi.edu> <53068639.4279258.1500018250846.JavaMail.zimbra@cs.pub.ro> <0f8dd648-d89f-50ee-716a-7547ee34885a@isi.edu> <f7121225-ce5f-4002-d3cf-202dcdd11f04@cs.pub.ro> <2ff22633-8f12-f4ef-868f-9c6c698ae32f@isi.edu> <5c61bf79-5a8f-65cf-e6b7-02a29db37073@cs.pub.ro>
From: Joe Touch <touch@isi.edu>
Message-ID: <1cf7caa4-22a2-b61a-662f-8927197baf09@isi.edu>
Date: Wed, 19 Jul 2017 17:40:46 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <5c61bf79-5a8f-65cf-e6b7-02a29db37073@cs.pub.ro>
Content-Type: multipart/alternative; boundary="------------45623A4508A275C9BB7AECC7"
Content-Language: en-US
X-MailScanner-ID: v6K0em49021035
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/21DN-wC26Sq5o5vTHw7cCaQhHwo>
Subject: Re: [Int-area] [multipathtcp] SOCKS 6 Draft
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 00:41:22 -0000


On 7/19/2017 5:32 PM, Vladimir Olteanu wrote:
>> If the above is correct, then it would be useful to NEVER speak of
>> "putting data in the SYN payload". You simply don't have that control.
>> The interface to TCP *allows* pending "user" (as in TCP user, which in
>> this case is the SOCKS layer) data to be placed in the SYN, but never
>> requires it.
> We're perfectly aware of that. We were only talking about putting data
> in the SYN for the sake of brevity, because said data is very likely
> to actually make it into the SYN under typical circumstances.
>
> However, you do have a point, especially given that MPTCP-PM and O-RTT
> converters are being actively discussed and they do require data to be
> placed in the SYN.

And those would fall under the category of attack devices, IMO.

I.e., if you're speaking of just an application proxy, then the doc
needs to be very clear of that goal AND use only the required TCP "user"
API -- which does not have any indication of an arriving SYN (it would
only indicate when the connection was established, e.g., after the TWHS
completes).

If you're speaking of something that rewrites TCP segments directly,
then you need to be clear that this is what you intend (and I cannot see
how you can do that and be compliant with TCP).

>> So you can talk about putting information in the SOCKS stream, but
>> shouldn't be referring to individual TCP segments.
>>
> If we were not discussing performance, I would agree with you.
> However, it's impractical (and not useful, either) to reason about the
> RTT overhead without making some assumptions about what data goes into
> which segment. SOCKS 6 is is designed to take advantage of how the
> stack is likely to split the data into segments in typical use cases. 

You can make some *assumptions* about what might happen, and even talk
about ways to configure the outgoing TCP to encourage its putting data
in the SYN (e.g., by writing before connecting). However, if we're
talking about an application layer proxy, you cannot assume availability
of the incoming SYN data unless you also assume TFO - and at best, it's
an assumption (your application would never know).

I.e., if you do everything right, you MIGHT end up looking "LIKE" you
rewrote the TCP SYN as it "passes through", but speaking of that as the
actual mechanism violates TCP.

So at best, there is need for a significant revision to clear this all up.

Joe

v2.23.0 | Report a Bug | By Email