IETF Logo Mail Archive

Re: [tcpinc] Revised version of TCP-ENO

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Thu, 13 August 2015 00:08 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01E2E1B2E4E for <tcpinc@ietfa.amsl.com>; Wed, 12 Aug 2015 17:08:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.989
X-Spam-Level:
X-Spam-Status: No, score=0.989 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sqnDbB170uOS for <tcpinc@ietfa.amsl.com>; Wed, 12 Aug 2015 17:08:29 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABE781B2E4C for <tcpinc@ietf.org>; Wed, 12 Aug 2015 17:08:29 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7D08So3026245; Wed, 12 Aug 2015 17:08:28 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7D08SOq012568; Wed, 12 Aug 2015 17:08:28 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Kyle Rose <krose@krose.org>
In-Reply-To: <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com>
References: <87pp2vqplu.fsf@ta.scs.stanford.edu> <CAJU8_nXAHhf6dqqs0gUEGz49bG7YUO1qaGwaLm04+vstPTyfWg@mail.gmail.com>
Date: Wed, 12 Aug 2015 17:08:28 -0700
Message-ID: <87h9o4rqwz.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/Nlj35H50n611w5NS5N75DtDoPqg>
Cc: tcpinc@ietf.org
Subject: Re: [tcpinc] Revised version of TCP-ENO
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 00:08:31 -0000

Kyle Rose <krose@krose.org> writes:

> What is the meaning of "first valid spec identifier"? This allowance
> for multiple spec identifiers sent by host B makes sense if the chosen
> spec is "the first spec identifier also among those spec identifiers
> that host A sent",

That is the intent.  In other words, if A and B have multiple compatible
spec identifiers, the negotiated spec is the one at the lowest byte
offset in B's SYN segment.

> but otherwise there's no difference between host B
> sending a single static identifier or multiple: if host A supports the
> first in host B's static list, that would get used; otherwise TCP-ENO
> negotiation would fail.

That's right.  So that's why if possible B should send only one.  But in
the case of simultaneous open, both A and B may want to send multiple
supported identifiers, since they don't know what the other side
accepts.  In that case the priority is determined by B.

> You seem to imply the meaning above in figure 8, in which case I think
> the text should be clarified.

I think the confusion is that if you are creating a SYN-ACK in response
to a SYN, there is no reason to include more than one spec identifier.
It's just that we wanted to leave room for the possibility that B' SYN
doesn't depend on A's SYN, either because of simultaneous open, or for
implementation reasons.

Does what I wrote in this email make sense, and if so, can you identify
more precisely the source of the confusion, or suggest a specific edit?

> 3.3:
>
>> A TCP segment MUST
>> include at most one suboption whose high nibble is 0.
>
> Does this mean "A TCP SYN segment including the TCP-ENO option MUST..."?

Yes.  Would the following wording help:  "A TCP segment MUST include at
most one ENO suboption whose high nibble is 0."

> 4.1: Do you want to add the additional requirement that session IDs be
> public, i.e., not be secret to endpoints/applications?

This was the intent of the following bullet in section 4.1:

   o  The session ID MUST NOT contain any confidential data (such as
      data permitting the derivation of session keys).

We didn't use the word "public" because that almost sounds like there's
a requirement to disclose the session ID.  But if the existing wording
is not clear, we are certainly open for suggestions.

Thanks for the feedback.

David

v2.23.0 | Report a Bug | By Email