[Spud] States in draft-trammell-plus-statefulness-00

Dave Dolson <ddolson@sandvine.com> Fri, 11 November 2016 10:55 UTC

From: Dave Dolson <ddolson@sandvine.com>
To: "mirja.kuehlewind@tik.ee.ethz.ch" <mirja.kuehlewind@tik.ee.ethz.ch>, "hildjj@cursive.net" <hildjj@cursive.net>, "ietf@trammell.ch" <ietf@trammell.ch>
Date: Fri, 11 Nov 2016 10:55:34 +0000
Message-ID: <E8355113905631478EFF04F5AA706E9831159645@wtl-exchp-2.sandvine.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/oIvTFZMZjweh34rWhM25IseUJF0>
Cc: "spud@ietf.org" <spud@ietf.org>
Subject: [Spud] States in draft-trammell-plus-statefulness-00

Mirja, Brian, Joe,

I think it is an interesting idea to formalize/standardize the state machine that should be used by flow-stateful network equipment.

But having read about the four states and three timeouts, I feel you are missing a state after biflow that represents a fully proven connection.

I'm thinking of the problem of source-spoofed SYN attack packets that attempt to consume state memory in servers and flow-stateful network devices.
A network device may see the client SYN and the server SYN-ACK but never the completed 3-way handshake, because the client is not real.

Until the 3-way handshake is completed, only short timeouts should be used. This is true for servers as well as stateful network devices.

The nice thing about the client's ACK of the server's SYN flag is that it echoes back (in the ACK field) the SYN sequence number, which is unlikely to be guessed by an attacking node that doesn't own the address it used in the SYN packet. The ACK packet also carries the original client sequence number + 1, proving it has a stateful connection.

As an alternative to adding a state, you could enter the biflow state only when the TCP 3-way handshake is complete.

Does QUIC carry a network-observable signal indicating receipt of the server packet?

-Dave
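The handshake-validation logic Dave describes, as an added example that is not part of the original message, the draft, or any PLUS implementation: a small flow table for a stateful middlebox that moves a TCP flow through zero, uniflow and biflow, and then into an extra "established" state only once the client's ACK echoes server ISN+1 and carries client ISN+1. State created before that proof lives only under a short timeout, so a source-spoofed SYN (whose originator never sees the SYN-ACK and cannot guess the server ISN) is reclaimed quickly, while a proven flow gets the long timeout. The state names follow draft-trammell-plus-statefulness-00; the timeout values, the packet and flow classes and the sample addresses are assumptions made for this example.

```python
"""Flow-state tracker for a stateful middlebox (added example, not the draft's own code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN, ACK, RST = 0x02, 0x10, 0x04
SEQ_MASK = 0xFFFFFFFF  # TCP sequence space wraps at 2^32

# Assumed timeouts (not taken from the draft): state stays short-lived until
# the client's ACK proves that the 3-way handshake really completed.
HANDSHAKE_TIMEOUT = 10.0
ESTABLISHED_TIMEOUT = 600.0


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int = 0


@dataclass
class Flow:
    state: str                 # "uniflow", "biflow" or "established"
    client: Tuple[str, int]    # endpoint that sent the initial SYN
    client_isn: int
    server_isn: Optional[int]  # learned from the SYN-ACK
    expires: float


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a biflow share one entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class FlowTable:
    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    def expire(self, now: float) -> int:
        """Drop every entry whose timeout has passed; returns how many were dropped."""
        dead = [k for k, f in self.flows.items() if f.expires <= now]
        for k in dead:
            del self.flows[k]
        return len(dead)

    def state_of(self, p: Packet) -> str:
        f = self.flows.get(flow_key(p))
        return f.state if f else "zero"

    def observe(self, p: Packet, now: float) -> str:
        """Feed one packet through the state machine and return the flow's new state."""
        self.expire(now)
        key = flow_key(p)
        f = self.flows.get(key)

        if f is None:
            # Only a bare SYN creates state, and only under the short timeout.
            if p.flags & SYN and not p.flags & ACK:
                self.flows[key] = Flow("uniflow", (p.src, p.sport), p.seq, None,
                                       now + HANDSHAKE_TIMEOUT)
                return "uniflow"
            return "zero"

        if p.flags & RST:
            del self.flows[key]
            return "zero"

        from_client = (p.src, p.sport) == f.client
        if f.state == "uniflow":
            # The server's SYN-ACK must acknowledge the client ISN we recorded.
            if (not from_client and p.flags & SYN and p.flags & ACK
                    and p.ack == (f.client_isn + 1) & SEQ_MASK):
                f.state, f.server_isn = "biflow", p.seq
                f.expires = now + HANDSHAKE_TIMEOUT  # still unproven: a spoofed client stops here
        elif f.state == "biflow":
            # The client's ACK must echo server ISN+1 and carry client ISN+1:
            # the proof that the client actually received the SYN-ACK.
            if (from_client and p.flags & ACK and not p.flags & SYN
                    and p.ack == (f.server_isn + 1) & SEQ_MASK
                    and p.seq == (f.client_isn + 1) & SEQ_MASK):
                f.state = "established"
                f.expires = now + ESTABLISHED_TIMEOUT
        else:
            # Established: any traffic refreshes the long timeout.
            f.expires = now + ESTABLISHED_TIMEOUT
        return f.state


def run_scenarios() -> Dict[str, str]:
    """Constructed traffic: a genuine handshake, a spoofed SYN, and a guessed ACK."""
    t = FlowTable()
    out: Dict[str, str] = {}
    c_isn, s_isn = 1000, 777_000  # constructed ISNs for the genuine client/server
    t.observe(Packet("10.0.0.5", 40000, "192.0.2.10", 443, SYN, c_isn), 0.0)
    t.observe(Packet("192.0.2.10", 443, "10.0.0.5", 40000, SYN | ACK, s_isn, c_isn + 1), 0.1)
    out["real"] = t.observe(Packet("10.0.0.5", 40000, "192.0.2.10", 443, ACK, c_isn + 1, s_isn + 1), 0.2)

    # Spoofed source 203.0.113.9: the server answers, but the real owner never ACKs.
    t.observe(Packet("203.0.113.9", 5555, "192.0.2.10", 443, SYN, 42), 1.0)
    out["spoofed_after_synack"] = t.observe(
        Packet("192.0.2.10", 443, "203.0.113.9", 5555, SYN | ACK, 9999, 43), 1.1)
    # The attacker never saw the SYN-ACK, so a guessed ACK number fails the check.
    out["guessed_ack"] = t.observe(
        Packet("203.0.113.9", 5555, "192.0.2.10", 443, ACK, 43, 12345), 1.2)

    # The short timeout reclaims the half-open entry; the proven flow survives.
    t.expire(20.0)
    out["spoofed_after_timeout"] = t.state_of(Packet("203.0.113.9", 5555, "192.0.2.10", 443, ACK, 43))
    out["real_after_timeout"] = t.state_of(Packet("10.0.0.5", 40000, "192.0.2.10", 443, ACK, c_isn + 1))
    return out
```

Note that an entry in uniflow or biflow is never refreshed by packets that fail the check, so a flood of spoofed SYNs, or of SYN-ACKs to spoofed addresses, holds memory only for HANDSHAKE_TIMEOUT per entry regardless of how long the attacker keeps sending.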