IETF Logo Mail Archive

Re: [tcpinc] Simultaneous open tie breaking

dm-list-tcpcrypt@scs.stanford.edu Thu, 27 August 2015 16:16 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C5E1B32E2 for <tcpinc@ietfa.amsl.com>; Thu, 27 Aug 2015 09:16:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.91
X-Spam-Level:
X-Spam-Status: No, score=-0.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XwXVW8A8hV9P for <tcpinc@ietfa.amsl.com>; Thu, 27 Aug 2015 09:16:51 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1EA41B3276 for <tcpinc@ietf.org>; Thu, 27 Aug 2015 09:16:51 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7RGGpxQ009412 for <tcpinc@ietf.org>; Thu, 27 Aug 2015 09:16:51 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7RGGpVG029840; Thu, 27 Aug 2015 09:16:51 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: dm-list-tcpcrypt@scs.stanford.edu
To: tcpinc <tcpinc@ietf.org>
In-Reply-To: <21983.1982.269406.945195@fireball.acr.fi>
Date: Thu, 27 Aug 2015 08:40:26 -0700
Message-ID: <87egiokadx.fsf@ta.scs.stanford.edu>
References: <CABcZeBNEFVkDi38y3G-C2nQF=dzW2mGDsj5DVK_OKVkPwK=G0g@mail.gmail.com> <878u92oadf.fsf@ta.scs.stanford.edu> <CACsn0ckQskjLqo0=YfJrmBEsyCaq0jpcSzGUwKhRo0BzzQ=wDA@mail.gmail.com> <871teuo7nu.fsf@ta.scs.stanford.edu> <CACsn0ckn-QdoXmTgjW8gYQyVqZ0x9JHEYvZO5VHQkG9nKA3-Ew@mail.gmail.com> <87wpwmnenv.fsf@ta.scs.stanford.edu> <CACsn0cnq9cZdkn=yp8-GJfXDGMP8r1sib3qrQQEQYhF25kYZPg@mail.gmail.com> <21980.21436.540892.217417@fireball.acr.fi> <87a8tfe9sh.fsf@ta.scs.stanford.edu> <21983.1982.269406.945195@fireball.acr.fi>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/JZcQiQkKuLctHhrNSeNF4TOSN3A>
Subject: Re: [tcpinc] Simultaneous open tie breaking
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 16:16:52 -0000

Tero Kivinen <kivinen@iki.fi> writes:

>> This is doable, though adds complexity to implementations.  Should this
>> tie-breaker be sent by every active opener (and therefore consume option
>> space), or do you imagine that applications intending to use
>> simultaneous open set an option to include the tie breaker?
>
> I think tcpinc charter says we must work with unmodified applications,
> so I think the default needs to be send it, but allow API call to
> disable it. 

Well, it would be nice to have some evidence that always sending the
tie-breaker would make things work with unmodified applications.  I'm
not saying such applications don't exist, but I think we are debating
the point with insufficient data.

> Also as tie-breaker is only needed in the simultaneous opens, and
> simulatenous opens with NATs in the middle are not that common.

Again, we need some evidence here.  As far as I can tell, it's not even
possible to make simultaneous open work reliably *without* NATs or at
least stateful firewalls (that are likely to modulate sequence numbers
and timestamps) on both ends, because otherwise you risk RST segments.
Also, there's really no reason applications would use simultaneous open
without NATs.  I may be wrong, in which case I would love for someone to
explain how applications use simultaneous open without NATs.

Now you are asserting that simultaneous open is not common *with* NATs.
You may be right.  But also we may both be right, in which case the
conclusion is that simultaneous open just isn't really used period, so
let's not add a lot of complexity or option space to deal with something
that doesn't happen.

>> Before settling on something, I'd like to get a sense of whether people
>> think it's okay to ask applications to signal their intent to use
>> simultaneous open, or whether it's important for TCP-ENO to enable
>> encryption for existing, unmodified applications that use simultaneous
>> open.  Those two options put us down different paths.
>
> By our charter, I think we need to work with unmodified applications,
> but we can provide API to allow optimizations and other things later.

But for that we need an example application.  Otherwise, we can argue
about whether simultaneous open should work with or without NATs, with
or without sequence number modulation, etc., but we are basically
designing in the dark.  I mean if we are giving up on NAT anyway, then
we could break the tie with port numbers and IP addresses.

I don't mind something simple like dedicating one bit to simultaneous
open in case that's someday useful.  But if we start to add a lot of
complexity or consume a lot of option space, I don't think we can
justify that in the abstract--we need to look at real applications.

David

v2.23.0 | Report a Bug | By Email