Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01

"Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com> Tue, 25 August 2015 10:05 UTC

Return-Path: <michael.scharf@alcatel-lucent.com>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2571B29B3 for <tcpinc@ietfa.amsl.com>; Tue, 25 Aug 2015 03:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2XHoat81AJqt for <tcpinc@ietfa.amsl.com>; Tue, 25 Aug 2015 03:05:10 -0700 (PDT)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A5651AD2EE for <tcpinc@ietf.org>; Tue, 25 Aug 2015 03:05:10 -0700 (PDT)
Received: from fr712usmtp2.zeu.alcatel-lucent.com (unknown [135.239.2.42]) by Websense Email Security Gateway with ESMTPS id 2AB8DB543E7A6; Tue, 25 Aug 2015 10:05:06 +0000 (GMT)
Received: from FR711WXCHHUB02.zeu.alcatel-lucent.com (fr711wxchhub02.zeu.alcatel-lucent.com [135.239.2.112]) by fr712usmtp2.zeu.alcatel-lucent.com (GMO) with ESMTP id t7PA51e4015801 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 25 Aug 2015 12:05:04 +0200
Received: from FR712WXCHMBA15.zeu.alcatel-lucent.com ([169.254.7.91]) by FR711WXCHHUB02.zeu.alcatel-lucent.com ([135.239.2.112]) with mapi id 14.03.0195.001; Tue, 25 Aug 2015 12:05:01 +0200
From: "Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com>
To: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Stephen Kent <kent@bbn.com>, "tcpinc@ietf.org" <tcpinc@ietf.org>
Thread-Topic: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
Thread-Index: AQHQ3S1c0tMebiFR/UylpTVaYz2b454Y6QYAgAAGFwCAAApFgIAAneQAgAARHgCAAAFCAIAAMhkAgAAUKgCAAArqAIAAJQaAgAAtUoCAAAN3gIABJMQAgAALTgCAAA+jAIAA5/Sg
Date: Tue, 25 Aug 2015 10:05:01 +0000
Message-ID: <655C07320163294895BBADA28372AF5D4846E55B@FR712WXCHMBA15.zeu.alcatel-lucent.com>
References: <CABcZeBNEFVkDi38y3G-C2nQF=dzW2mGDsj5DVK_OKVkPwK=G0g@mail.gmail.com> <878u92oadf.fsf@ta.scs.stanford.edu> <CACsn0ckQskjLqo0=YfJrmBEsyCaq0jpcSzGUwKhRo0BzzQ=wDA@mail.gmail.com> <871teuo7nu.fsf@ta.scs.stanford.edu> <CACsn0ckn-QdoXmTgjW8gYQyVqZ0x9JHEYvZO5VHQkG9nKA3-Ew@mail.gmail.com> <87wpwmnenv.fsf@ta.scs.stanford.edu> <CACsn0cnq9cZdkn=yp8-GJfXDGMP8r1sib3qrQQEQYhF25kYZPg@mail.gmail.com> <87twrpokpz.fsf@ta.scs.stanford.edu> <CACsn0ck2PfKQ8pkDLiSmuLH+81s2GzsBnKYH7e=5ga5nSJvo1Q@mail.gmail.com> <87io85ofkl.fsf@ta.scs.stanford.edu> <CACsn0cmna07KzCZme7pxRgCcAOJLXzup3KPJ+bRimL=n3mpPXg@mail.gmail.com> <87vbc5l8si.fsf@ta.scs.stanford.edu> <CACsn0c=cLj2F6JyFX848D1TuDt0A=kT7UMm8ZPRRu-X6ow4oTQ@mail.gmail.com> <55DB79BC.8040309@bbn.com> <55DB8338.4060403@cs.tcd.ie> <877foke4yx.fsf@ta.scs.stanford.edu>
In-Reply-To: <877foke4yx.fsf@ta.scs.stanford.edu>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.239.27.41]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/1eNHNX4kceokB1NTORibIzm0U4E>
Subject: Re: [tcpinc] Review of draft-bittau-tcpinc-tcpeno-01
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 10:05:16 -0000

> In fact, it's possible to fit a 32-byte ECDH parameter into a SYN-ACK segment today.  That means even without large SYN options, we can imagine making TCPINC zero latency.  Realistically, doing so will > require a gross hack in which TCP-ENO compactly encodes timestamp and SACK availability, window scaling, etc., in lieu of larger options.  I don't expect people would be very happy with something like > that from day one.  But we don't want to shut the door to such an optimization either, in case TCPINC becomes a runaway success.  (We've been careful to leave a bunch of reserved suboptions in the TCP-> ENO spec just in case we need extra bits for such optimizations.)

I've not followed this thread. But this discussion about long options in SYN, modifying existing TCP options, etc. really scares me. I've always thought TCPINC's objective is to provide *payload* encryption, and negotiating this should IMHO not require any complex option.

I am also confused about the actual technical details in this discussion. In my understanding, the SYN-ACK for any modern high-speed TCP stack has to carry MSS (4 bytes), windows scale (3 bytes), and SACK permitted (2 bytes). This means that at most 31 bytes are left (in theory, we have plenty of other TCP extensions consuming parts of it). Also, I believe some middleboxes/firewalls may act upon those options in the SYN-ACK, i.e., they cannot easily be replaced or encoded in a more compact way. As a result, I somehow don't understand how to get a 32 byte value into SYN-ACK without EDO (draft-ietf-tcpm-tcp-edo). And for EDO there are deployment challenges with using it in the SYN-ACK, see the discussion in TCPM.

In any case, this sort of discussion on SYN option space IMHO should be taken to the TCPM list.

Michael