Re: [multipathtcp] The point about multiple listening sockets at theclient side
William Herrin <bill@herrin.us> Thu, 12 November 2009 13:15 UTC
Return-Path: <wherrin@gmail.com>
X-Original-To: multipathtcp@core3.amsl.com
Delivered-To: multipathtcp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F57A3A6903 for <multipathtcp@core3.amsl.com>; Thu, 12 Nov 2009 05:15:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RLH9Q1p0VJ7F for <multipathtcp@core3.amsl.com>; Thu, 12 Nov 2009 05:15:16 -0800 (PST)
Received: from mail-fx0-f215.google.com (mail-fx0-f215.google.com [209.85.220.215]) by core3.amsl.com (Postfix) with ESMTP id 697E23A6937 for <multipathtcp@ietf.org>; Thu, 12 Nov 2009 05:15:16 -0800 (PST)
Received: by fxm7 with SMTP id 7so2226322fxm.29 for <multipathtcp@ietf.org>; Thu, 12 Nov 2009 05:15:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type; bh=guE9GqG6bhhz/ppLv7PCIw0C3bUm9Jllf0uEmrJ/b0o=; b=faJeTZ9xCT7AwuPa6jjvkcbyq2MOOuEfqipgUKZOrTqQBcj4COFHVHnrQQFrUWAAww 6v1SUd7zg4N6MbEdLcDFobOk8FUFwZlShlxo5HDzZWfZ0pbTS+IIoNFbphaVuhx5TlNR y1J9z0+73Z7GNKALJqzNDikt736HX7r3mjzKY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=mItCB9pi5FwcZqcp7qNIX5I4/7K7CaIvYAV+kflLdcRhF/WJ/MMo6cuWuv+20cTw4O 1DoPOJBLQJbVW52nIaffz6TotTF/7LGicFmXaC0F6NlNG69zP7/2i4V7V1lXaH5s1dAy ZlMWdLj5Kd99a/2UteS9KBOWtqg6bkO2RYDAs=
MIME-Version: 1.0
Sender: wherrin@gmail.com
Received: by 10.216.89.9 with SMTP id b9mr899233wef.61.1258031741173; Thu, 12 Nov 2009 05:15:41 -0800 (PST)
In-Reply-To: <2181C5F19DD0254692452BFF3EAF1D6808D7C070@rsys005a.comm.ad.roke.co.uk>
References: <4AF8B8A5.4040602@ismailov.eu> <2181C5F19DD0254692452BFF3EAF1D6808D7BB53@rsys005a.comm.ad.roke.co.uk> <3c3e3fca0911101220g55f84f79nf62526d8693d39fa@mail.gmail.com> <2181C5F19DD0254692452BFF3EAF1D6808D7BDEE@rsys005a.comm.ad.roke.co.uk> <3c3e3fca0911111737t5c783bf7rb96f49bb15f360e3@mail.gmail.com> <2181C5F19DD0254692452BFF3EAF1D6808D7C070@rsys005a.comm.ad.roke.co.uk>
Date: Thu, 12 Nov 2009 08:15:41 -0500
X-Google-Sender-Auth: b0e057315d82a95a
Message-ID: <3c3e3fca0911120515u642a549bke68a789298fae056@mail.gmail.com>
From: William Herrin <bill@herrin.us>
To: "Ford, Alan" <alan.ford@roke.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: multipathtcp@ietf.org
Subject: Re: [multipathtcp] The point about multiple listening sockets at theclient side
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/multipathtcp>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 13:15:17 -0000
On Thu, Nov 12, 2009 at 2:27 AM, Ford, Alan <alan.ford@roke.co.uk> wrote: >> TS: TCP SYN-SYN/ACK-ACK from the server to the client which includes >> the multipath TCP subflow join option. >> >> MJ: TCP packet without SYN but containing the multipath TCP join >> option and expecting the same sort of JOIN-JOIN/ACK-ACK handshake. >> >> Scenarios: >> >> No firewall: TS succeeds. MJ succeeds. >> Packet filter: TS fails. SYN to a random client port? Don't think so! >> MJ succeeds. >> Legacy Stateful firewall: TS fails. MJ fails. >> Legacy "DSL router": TS fails. MJ fails. >> Multipath-aware stateful firewall: TS fails. SYN to a random client >> port? Bad plan! MJ succeeds. >> Multipath-aware "DSL router": TS fails. SYN to a random client port? >> Come on! MJ succeeds. > > So the only cases here where TS != MJ is when you're talking about > Multipath-aware routers or firewalls? Hi Alan, No, basic packet filtering firewalls too. The ones we'll all move to instead of NAT firewalls if the IPv6 folks get their way. The point you were supposed to take is that NONE of the firewalled cases can be reasonably expected to handle an inbound join in a TCP SYN while MANY can be expected to handle an inbound subflow creation crafted without using a SYN packet. In fairness, that was mistaken. There is actually ONE firewalled case where the TCP SYN version can be expected to suceed as well: Multipath-aware proxy firewall: TS succeeds. MJ succeeds. The proxy firewall isn't passing the raw SYN packet back to the client; he's handling it himself. So in that one firewalled case, the TCP SYN version can be expected to succeed. > In order for them to let through > MJ they need the existence of the Join option to override the natural > rejection of such a packet due to coming from an unknown address. In > which case, they could do the same for TS! But they won't, because TCP SYN has unacceptable security implications that a packet which contains a join option without setting the syn flag does not. What it boils down to is this: if there's the slightest chance that a bad actor crafting custom packets could establish a *non-multipath* TCP connection, it won't be allowed through the firewall. In fact, if it so much as complicates the code which has to make the decision about basic SYN packets, it won't be allowed through the firewall because of the risk of introducing a security bug. Even with MJ we'll have to do a thorough security analysis to make the case that the packet is completely harmless if sent to a non-multipath host. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
- Re: [multipathtcp] [mif] The point about multiple… Lars Eggert
- [multipathtcp] The point about multiple listening… Yuri Ismailov
- Re: [multipathtcp] The point about multiple liste… Ford, Alan
- Re: [multipathtcp] The point about multiple liste… Costin Raiciu
- Re: [multipathtcp] The point about multiple liste… William Herrin
- Re: [multipathtcp] The point about multiple liste… Ford, Alan
- Re: [multipathtcp] The point about multiple liste… William Herrin
- Re: [multipathtcp] The point about multiple liste… Scott Brim
- Re: [multipathtcp] The point about multiple liste… Yuri Ismailov
- Re: [multipathtcp] The point about multiple liste… Ford, Alan
- Re: [multipathtcp] The point about multiple liste… William Herrin