IETF Logo Mail Archive

Re: [tcpinc] TCP's treatment of data in SYN packets

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Fri, 05 August 2016 01:21 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C8A12D8ED for <tcpinc@ietfa.amsl.com>; Thu, 4 Aug 2016 18:21:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.188
X-Spam-Level:
X-Spam-Status: No, score=-2.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JVubqotamvCO for <tcpinc@ietfa.amsl.com>; Thu, 4 Aug 2016 18:21:31 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E3C912D531 for <tcpinc@ietf.org>; Thu, 4 Aug 2016 18:21:30 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id u751LSHC010635; Thu, 4 Aug 2016 18:21:28 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id u751LRlF019843; Thu, 4 Aug 2016 18:21:27 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: "Black, David" <david.black@emc.com>, Joe Touch <touch@isi.edu>, tcpinc <tcpinc@ietf.org>
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362F624017@MX307CL04.corp.emc.com>
References: <CAJU8_nU1WzQNFFUn_2o1cACutB01iyQ_hC29PHoutr8TRDKGnA@mail.gmail.com> <579A4669.7030600@isi.edu> <87lh0lselg.fsf@ta.scs.stanford.edu> <CAJU8_nUPrm9JJMrrMbL5+FpP-9CKC6EkidCry9UuZA5ZfyJtoA@mail.gmail.com> <579A8223.8050308@isi.edu> <CAJU8_nXSxr7ykC1TwptBmyP8pNccz52ozq=hF7-EYiaMdDeLBQ@mail.gmail.com> <579BA470.3000405@isi.edu> <CAJU8_nXjhHH1eEXPA3hvhJ3YXsP_v2djGX=X2p9+wyn767Hm5A@mail.gmail.com> <adcaa33a-3bf5-e63a-bd19-fd165b16aa7d@wizmail.org> <87oa5fniu0.fsf@ta.scs.stanford.edu> <9ff12fb6-44f9-b1d0-2e9d-a67683679037@wizmail.org> <CAJU8_nVBem40i5Rqke37UBtOquF_mVBJHkjrtAmNN2qPdHqY=A@mail.gmail.com> <87d1lunvhn.fsf@ta.scs.stanford.edu> <579E9248.7050006@isi.edu> <87popt6nci.fsf@ta.scs.stanford.edu> <87k2g16mvb.fsf@ta.scs.stanford.edu> <579F7076.1080101@isi.edu> <CE03DB3D7B45C245BCA0D243277949362F623EDF@MX307CL04.corp.emc.com> <57A28E5C.7070304@isi.edu> <CE03DB3D7B45C245BCA0D243277949362F624017@MX307CL04.corp.emc.com>
Date: Thu, 04 Aug 2016 18:21:27 -0700
Message-ID: <87eg64dn8o.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/AavSQBW9oOMdB5xisdK5SRKe0tQ>
Subject: Re: [tcpinc] TCP's treatment of data in SYN packets
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: David Mazieres expires 2016-11-02 PDT <mazieres-576gyzdgbyb4wezn5yznvcya8i@temporary-address.scs.stanford.edu>
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2016 01:21:33 -0000

Okay, guys.  Thanks for the feedback.  Here's yet another attempt at
revamping the section.  I made sure each SHOULD is followed by an
exception.  Note I made one other change, which is to allow SYN-form ENO
options with no suboptions.  Before that didn't make sense, but now it
does as a way of saying "I don't want to encrypt, but I threw away your
SYN data."

Once we converge on this I will release yet another draft...

Thanks,
David


4.7.  Data in SYN segments

   TEPs MAY specify the use of data in SYN segments so as to reduce the
   number of round trips required for connection setup.  The meaning of
   data in a SYN segment with an ENO option (a SYN+ENO segment) is
   determined by the last TEP identifier in the ENO option, which we
   term the segment's _SYN TEP_.

   A host sending a SYN+ENO segment MUST NOT include data in the segment
   unless the SYN TEP's specification defines the use of such data.
   Furthermore, to avoid conflicting interpretations of SYN data, a
   SYN+ENO option MUST NOT include a non-empty TCP Fast Open (TFO)
   option [RFC7413].

   Because a host can send SYN data before knowing which if any TEP will
   govern a connection, hosts implementing ENO are REQUIRED to discard
   data from SYN+ENO segments when the SYN TEP does not govern the
   connection or when there is any ambiguity over the meaning of the SYN
   data.  This requirement applies to hosts that implement ENO even when
   ENO has been disabled by configuration.  However, note that
   discarding SYN data is already common practice [RFC4987] and the new
   requirement applies only to segments with ENO options.

   More specifically, a host that implements ENO MUST discard the data
   in a received SYN+ENO segment if any of the following applies:

   o  ENO fails and TEP-indicated encryption is disabled for the
      connection,

   o  The received segment's SYN TEP is not the negotiated TEP,

   o  The negotiated TEP does not define the use of SYN data, or

   o  The SYN segment contains a non-empty TFO option or any other TCP
      option implying a conflicting definition of SYN data.

   A host discarding SYN data in compliance with the above requirement
   MUST NOT acknowledge the sequence number of the discarded data, but
   rather MUST acknowledge other host's initial sequence number as if
   the received SYN segment contained no data.  Furthermore, after
   discarding SYN data, such a host MUST NOT assume the SYN data will be
   identically retransmitted, and MUST process data only from non-SYN
   segments.

   If a host sends a SYN+ENO segment with data and receives
   acknowledgment for the data, but the SYN TEP governing the data is
   not the negotiated TEP (either because a different TEP was negotiated
   or because ENO failed to negotiate encryption), then the host MUST
   reset the TCP connection.  Proceeding in any other fashion risks
   misinterpreted SYN data.

   If a host sends a SYN-only SYN+ENO segment bearing data and
   subsequently receives a SYN-ACK segment without an ENO option, that
   host SHOULD reset the connection even if the SYN-ACK segment does not
   acknowledge the SYN data.  The issue is that unacknowledged data may
   nonetheless have been cached by the receiver; later retransmissions
   intended to supersede this unacknowledged data could fail to do so if
   the receiver gives precedence to the cached original data.
   Connection resets are potentially avoidable if SYN data caching is
   empirically found not to occur, or in response to an API command (for
   cases where a higher-layer integrity check would anyway terminate a
   garbled connection).

   To avoid unexpected connection resets, ENO implementations MUST
   disable the use of data in SYN-only segments by default.  Such data
   MAY be enabled by an API command.  In particular, implementations MAY
   provide a per-connection mandatory encryption mode that automatically
   resets a connection if ENO fails, and MAY enable SYN data in this
   mode.

   To satisfy the requirement of the previous paragraph, all TEPs SHOULD
   support a normal mode of operation that avoids data in SYN-only
   segments.  An exception is TEPs intended to be disabled by default.

v2.35.0 | Report a Bug | By Email | System Status