Re: [tcpinc] TCP's treatment of data in SYN packets

["David Mazieres" <dm-list-tcpcrypt@scs.stanford.edu>]

Oops, I failed to notice that you had in-line comments as well.  Please
read this instead of the previous version.

Sorry,
David

4.7.  Data in SYN segments

   TEPs MAY specify the use of data in SYN segments so as to reduce the
   number of round trips required for connection setup.  The meaning of
   data in a SYN segment with an ENO option (a SYN+ENO segment) is
   determined by the last TEP identifier in the ENO option, which we
   term the segment's _SYN TEP_.

   A SYN+ENO segment MUST NOT include data unless the SYN TEP's
   specification defines the use of such data.  Furthermore, a SYN+ENO
   option MUST NOT include a non-empty TCP Fast Open (TFO) option
   [RFC7413].

   A host implementing ENO, even if ENO has been disabled by
   configuration, MUST discard the data in a received SYN+ENO segment if
   any of the following applies:

   o  Encryption is disabled for the connection,

   o  The received segment's SYN TEP is not the negotiated TEP,

   o  The negotiated TEP does not define the use of SYN data, or

   o  The SYN segment contains a non-empty TFO option or any other TCP
      option implying a conflicting definition of SYN data.

   A host MUST NOT acknowledge the sequence number of any discarded SYN
   data, but rather MUST acknowledge the other host's initial sequence
   number as if the received SYN segment contained no data.
   Furthermore, a host MUST NOT assume discarded SYN data will be
   identically retransmitted.  If later non-SYN segments contain
   different data for the same sequence numbers as SYN data, the host
   MUST process only data from non-SYN segments.

   If a host receives acknowledgment for data in a SYN+ENO segment but
   the SYN TEP governing that data is not the negotiated TEP (either
   because a different TEP was negotiated, or because encryption is
   disabled), then the host that sent the SYN+ENO segment MUST reset the
   TCP connection.  Proceeding in any other fashion risks misinterpreted
   SYN data.

   If a host sends data in a SYN-only SYN+ENO segment and subsequently
   receives a SYN-ACK segment without an ENO option, the host SHOULD
   reset the connection even if the SYN-ACK segment does not acknowledge
   the SYN data.  The reason is that a host sending a SYN-ACK segment
   without an ENO option does not necessarily follow the requirements of
   this section, and in particular could buffer SYN data and later
   process it instead of the contents of non-SYN segments with the same
   sequence numbers.  Barring empirical evidence against the existence
   of such buffering, it is not safe to assume unacknowledged SYN data
   has been discarded.

   To avoid unexpected connection resets, TEPs SHOULD support a normal
   mode of operation that does not make use of data in SYN-only
   segments.  Moreover, implementations SHOULD enable data in SYN-only
   segments only if explicitly requested by the application or in cases
   where such use is unlikely to cause connection failure.
   Implementations MAY provide a per-connection mandatory encryption
   mode that automatically resets a connection if ENO fails.  For TEPs
   that support it, an implementation MAY default to using SYN data when
   in mandatory encryption mode.