[multipathtcp] rfc6824bis - RST after MP_FASTCLOSE retransmission

François Finfe <francois.finfe@tessares.net> Tue, 23 May 2017 08:55 UTC

From: François Finfe <francois.finfe@tessares.net>
To: multipathtcp@ietf.org
Message-ID: <3e6f4b31-15d3-0619-084a-2f264c93d9e5@tessares.net>
Date: Tue, 23 May 2017 10:55:32 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/TYi4118FLE6e5FCVg8OHqugtCm8>

Hello,

I encountered an issue with MP_FASTCLOSE and a stateful firewall.

Let's explain it with the following scenario. See figure 1.
Firewalls M and N are stateful firewalls which don't analyse MPTCP
options and ignore them.

- An MPTCP connection has been established between host A and host B.
- Host A sends an ACK with the MP_FASTCLOSE option.
- Firewall M forwards the packet to firewall N.
- Firewall N forwards the packet to host B.
- Host B receives the MP_FASTCLOSE and replies with a TCP RST.
- Firewall N forwards the TCP RST packet to firewall M.
   Due to the TCP RST, the stateful firewall removes the connection
   state.
- The TCP RST is lost due to a lossy link, network congestion, etc.

- As host A didn't receive the expected TCP RST packet, a timeout fires
   a MP_FASTCLOSE retransmission.
- Firewall M forwards the packet to firewall N.
- For firewall N, this connection no longer exists. It sees the
   MP_FASTCLOSE as a TCP ACK packet without any related connection.
   Firewall N drops the packet.
- The MP_FASTCLOSE is retransmitted until the limit of MP_FASTCLOSE
   retransmissions is reached.
- If nothing is done, firewall M will retain the connection state for
   some time until a connection tracking timeout occurs.
   In a production environment, with a lot of simultaneous connections,
   this kind of entry (erroneous connection state for an already closed
   connection) can accumulate in the firewall.
   Due to resource limitations, this might lead to performance issues
   where new connections might be rejected.


To mitigate this issue, here is a proposal for rfc6824bis:
- When the limit of MP_FASTCLOSE retransmission is reached, a TCP RST
   could be sent by host A.
- In this scenario, firewall M forwards the TCP RST packet and removes
   the connection state.

This TCP RST packet could contain the MP_FASTCLOSE option.



   Host A                                                          Host B
    |                 Firewall M             Firewall N                |
    |                      |                      |                    |
    |  ACK(MP_FASTCLOSE)   |  ACK(MP_FASTCLOSE)   | ACK(MP_FASTCLOSE)  |
    |--------------------->|--------------------->|------------------->|
    |                      |             TCP RST  | TCP RST            |
    |                      |           x----------|<-------------------|
    |                      |                      |                    |
    |                      |                      |                    |
    |                      |                      |                    |
    |  ACK(MP_FASTCLOSE)   |  ACK(MP_FASTCLOSE)   |                    |
    |--------------------->|--------------------->x                    |
    |                      |                      |                    |
    |                      |                      |                    |
    |  ACK(MP_FASTCLOSE)   |  ACK(MP_FASTCLOSE)   |                    |
    |--------------------->|--------------------->x                    |
    |                      |                      |                    |
    :                      :                      :                    :
    :                                                                  :
    :  Multiple MP_FASTCLOSE retransmissions until limit is reached    :
    :                                                                  :
    :                      :                      :                    :
    :                      :                      :                    :
    :                      :                      :                    :
    |  Last retransmission |                      |                    |
    |                      |                      |                    |
    |  ACK(MP_FASTCLOSE)   |  ACK(MP_FASTCLOSE)   |                    |
    |--------------------->|--------------------->x                    |
    |                      |                      |                    |
    | (timeout)            |                      |                    |
    |  RST(MP_FASTCLOSE)   |  RST(MP_FASTCLOSE)   |                    |
    |--------------------->|--------------------->x                    |
    |                      |                      |                    |

    Figure 1


Best regards,


François Finfe

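The exchange in figure 1, replayed as an added example that is not part of the original post and not code from any MPTCP stack or firewall. It models two stateful, MPTCP-unaware firewalls between hosts A and B, loses host B's RST on the N->M link exactly as in the figure, and then compares the firewall state tables with and without the final RST the post proposes. Class and function names (StatefulFirewall, run_scenario, Packet) and the single-entry connection key are assumptions made for illustration; a real firewall keys on the full 5-tuple and has many more states.

```python
"""Added example (not from the post or any MPTCP implementation): a toy model
of two stateful firewalls that ignore MPTCP options, replaying the
MP_FASTCLOSE scenario with and without the proposed final TCP RST."""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str            # "ACK" or "RST": the TCP flag a plain firewall acts on
    mptcp_opt: str = ""  # "MP_FASTCLOSE" or "": carried along, never inspected


class StatefulFirewall:
    """Conntrack-style firewall (assumed behaviour): forwards only packets of
    connections it already tracks, tears the entry down on RST, and never
    parses MPTCP options, which is what the post describes for M and N."""

    def __init__(self, name: str):
        self.name = name
        self.connections: set[frozenset] = set()
        self.dropped: list[Packet] = []

    @staticmethod
    def conn_key(pkt: Packet) -> frozenset:
        # Direction-agnostic key; a real firewall would use the full 5-tuple.
        return frozenset((pkt.src, pkt.dst))

    def track(self, a: str, b: str) -> None:
        """Record an already established connection between a and b."""
        self.connections.add(frozenset((a, b)))

    def forward(self, pkt: Packet) -> Packet | None:
        """Return the packet if forwarded, None if dropped."""
        key = self.conn_key(pkt)
        if key not in self.connections:
            self.dropped.append(pkt)        # ACK without any related connection
            return None
        if pkt.flag == "RST":
            self.connections.discard(key)   # RST removes the connection state
        return pkt


def run_scenario(send_final_rst: bool, retransmit_limit: int = 3) -> dict:
    """Replay figure 1 and return the firewalls' final state.

    The loss of host B's RST on the N->M link is constructed, not measured."""
    fw_m, fw_n = StatefulFirewall("M"), StatefulFirewall("N")
    for fw in (fw_m, fw_n):
        fw.track("A", "B")                  # MPTCP connection already established
    log: list[tuple[str, str, str]] = []

    def a_sends(pkt: Packet) -> bool:
        """Host A -> M -> N -> B; True if the packet reached host B."""
        out = fw_m.forward(pkt)
        out = fw_n.forward(out) if out else None
        log.append((pkt.flag, pkt.mptcp_opt, "reached B" if out else "dropped"))
        return out is not None

    # 1. First ACK(MP_FASTCLOSE) reaches B, which answers with a TCP RST.
    if not a_sends(Packet("A", "B", "ACK", "MP_FASTCLOSE")):
        raise RuntimeError("first MP_FASTCLOSE should reach host B")
    rst_from_b = fw_n.forward(Packet("B", "A", "RST"))  # N forwards and forgets
    rst_lost_on_link = True                              # constructed loss (figure 1)
    if rst_from_b is not None and not rst_lost_on_link:
        fw_m.forward(rst_from_b)

    # 2. A never sees the RST and retransmits up to the limit: M still has
    #    state and forwards, N has none and drops each one as a stray ACK.
    for _ in range(retransmit_limit):
        a_sends(Packet("A", "B", "ACK", "MP_FASTCLOSE"))

    # 3. Proposal from the post: after the last retransmission times out,
    #    A sends a TCP RST (here still carrying MP_FASTCLOSE) so that M
    #    removes its entry even though N will drop the packet.
    if send_final_rst:
        a_sends(Packet("A", "B", "RST", "MP_FASTCLOSE"))

    return {
        "M_has_stale_state": bool(fw_m.connections),
        "N_has_state": bool(fw_n.connections),
        "dropped_at_N": len(fw_n.dropped),
        "log": log,
    }


if __name__ == "__main__":
    for final_rst in (False, True):
        r = run_scenario(final_rst)
        print(f"final RST={final_rst}: M stale={r['M_has_stale_state']}, "
              f"N state={r['N_has_state']}, dropped at N={r['dropped_at_N']}")
```

Without the final RST, firewall M keeps its entry for the closed connection until a conntrack timeout (the accumulation the post warns about); with it, M tears the entry down on the way out, and N simply drops one more packet for a connection it no longer knows.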