IETF Logo Mail Archive

Re: [multipathtcp] [Int-area] SOCKS 6 Draft

Joe Touch <touch@isi.edu> Wed, 05 July 2017 16:59 UTC

Return-Path: <touch@isi.edu>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8905C131D72; Wed, 5 Jul 2017 09:59:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tp9ADZ7SJa8w; Wed, 5 Jul 2017 09:59:54 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3561131CC1; Wed, 5 Jul 2017 09:59:53 -0700 (PDT)
Received: from [192.168.1.189] (cpe-172-250-240-132.socal.res.rr.com [172.250.240.132]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id v65Gx5wA014405 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 5 Jul 2017 09:59:06 -0700 (PDT)
To: Vladimir Olteanu <vladimir.olteanu@cs.pub.ro>, mohamed.boucadair@orange.com, David Schinazi <dschinazi@apple.com>
Cc: multipathtcp <multipathtcp@ietf.org>, "Int-area@ietf.org" <Int-area@ietf.org>
References: <149871247634.6490.5928844232347189122.idtracker@ietfa.amsl.com> <c215bf9d-5313-3a4b-ac47-dd34cb22766f@cs.pub.ro> <F42011E7-0F81-44DF-9DFC-A211B615DD33@apple.com> <004b4557-a926-9128-d3cf-0b3f41bef56e@cs.pub.ro> <AE3FC07A-DE86-4765-9D1F-00640942B4E4@apple.com> <3f975b41-78b0-9f50-6c46-cc8e30007f34@cs.pub.ro> <787AE7BB302AE849A7480A190F8B93300A000764@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <b33e4726-f255-75f7-5203-9e30faa36659@cs.pub.ro> <787AE7BB302AE849A7480A190F8B93300A000D16@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <a922a59f-2670-8d50-f3c5-99e1c29848ca@cs.pub.ro>
From: Joe Touch <touch@isi.edu>
Message-ID: <ec8cae81-dbeb-ed92-33ca-678bb2b5efeb@isi.edu>
Date: Wed, 05 Jul 2017 09:59:03 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <a922a59f-2670-8d50-f3c5-99e1c29848ca@cs.pub.ro>
Content-Type: multipart/alternative; boundary="------------BAEF158E60785C245021D546"
Content-Language: en-US
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/L1HD-9nLreSSQ6Aeibe4gqAko3k>
Subject: Re: [multipathtcp] [Int-area] SOCKS 6 Draft
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jul 2017 16:59:56 -0000


On 7/5/2017 9:39 AM, Vladimir Olteanu wrote:
>>
>>  It can also be stacked as many times as desired for arbitrarily long
>> proxy chains. However:
>>  * We avoid using the SYN's payload as extra option space (which, I
>> think, goes against TCP's core philosophy).
>>
>> [Med] This is also true for MP_CONVERT Information Element which is
>> not a TCP option, but a data supplied for proxy purposes in the SYN
>> payload.
>>
> Fair enough, but this is not a purely layer 5+ protocol. It seems that
> you are strongly tied to TFO (between the client and the proxy).
> MP_CONVERT must be part of the SYN's payload, because the following
> SYN+ACK depends on the contents of MP_CONVERT and signals that the
> remote server has accepted your connection.

The biggest impact of including non-data information in the SYN payload
area is that it completely defeats graceful fallback for SYN receivers
that don't support the option. As you note, it can be *more* safe when
tied to out-of-band context (e.g., prior TFO support), but TCP has NO
requirement that such context is absolutely maintained across different
connections. You might be speaking to a different stack or demuxed off
to a different virtual host behind a load balancer.

Ultimately, putting any non-data info in the SYN payload violates the
requirement that TCP options can be ignored by receivers that don't
support them *without* impacting the ability of *that* connection
attempt to succeed.

Joe

v2.23.0 | Report a Bug | By Email