Re: [tcpinc] AD review of tcp-eno

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Thu, 27 July 2017 17:05 UTC

Return-Path: <ietf@kuehlewind.net>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05E92131F6A for <tcpinc@ietfa.amsl.com>; Thu, 27 Jul 2017 10:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); domainkeys=pass (1024-bit key) header.from=ietf@kuehlewind.net header.d=kuehlewind.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDRidRa6I1rK for <tcpinc@ietfa.amsl.com>; Thu, 27 Jul 2017 10:05:11 -0700 (PDT)
Received: from kuehlewind.net (kuehlewind.net [83.169.45.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3C23132051 for <tcpinc@ietf.org>; Thu, 27 Jul 2017 10:05:07 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kuehlewind.net; b=ks/fCiIoiEm12yyRpEXDfBDMNx1Ty16P4E3ryzjFBSAzVB9s3GSyNpBgAt1pcQjdBcF1wg4jPUabgwqbubtWQCLJuFReC7bxuK3iQCnzSTdGt+1HhbUye+jQkDXwH9SGpqFtGi9Cr5DZ2o5ZDxztsBEuJmHEeRkBrsqEwJg81ro=; h=Received:Received:Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-PPP-Message-ID:X-PPP-Vhost;
Received: (qmail 21796 invoked from network); 27 Jul 2017 19:05:06 +0200
Received: from pd9e11f0f.dip0.t-ipconnect.de (HELO ?192.168.178.33?) (217.225.31.15) by kuehlewind.net with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 27 Jul 2017 19:05:05 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <d93a8eb8-ca36-04d7-11e1-92608f6daee4@isi.edu>
Date: Thu, 27 Jul 2017 19:05:05 +0200
Cc: draft-ietf-tcpinc-tcpeno.all@ietf.org, tcpinc <tcpinc@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4FD72512-F4AB-4305-A156-9B70CB1C6422@kuehlewind.net>
References: <55B07DA5-E274-4720-A919-83483094B9A0@tik.ee.ethz.ch> <80C705CD-8A24-49A9-A1B8-6FA7B2162941@kuehlewind.net> <baad59c7-03cb-738a-e1b9-185931fe96a2@isi.edu> <E855DFC2-1D60-4FF5-B67A-3E2DE4B44541@kuehlewind.net> <68220a4f-01dd-61dc-0e68-8c9fc68587bf@isi.edu> <d93a8eb8-ca36-04d7-11e1-92608f6daee4@isi.edu>
To: Joe Touch <touch@isi.edu>
X-Mailer: Apple Mail (2.3273)
X-PPP-Message-ID: <20170727170506.21790.67089@lvps83-169-45-111.dedicated.hosteurope.de>
X-PPP-Vhost: kuehlewind.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/ScJ6HBxMlyvrGZZA-XMhVycn_Ws>
Subject: Re: [tcpinc] AD review of tcp-eno
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2017 17:05:14 -0000

Hi Joe again,

see below.

> Am 27.07.2017 um 17:50 schrieb Joe Touch <touch@isi.edu>du>:
> 
> FWIW:
> 
> 
> On 7/27/2017 8:40 AM, Joe Touch wrote:
>> ...
>>>>>> 2) I’m wondering if it would make sense to specify at the beginning of section 4.7 another requirement that TEPs SHOULD only specify the use of SYN data if there is some a-priori knowledge that the other end is likely to support tcp-eno and the tep (e.g. due to previous successful connections aka session resumption, or application knowledge).
>>>> That section does not appear to address the case where non-user data in
>>>> the SYN is received by a legacy receiver, either because of first
>>>> contact or in contacting a host that has changed configuration since
>>>> last contact. In such cases, there is no way to support transparent
>>>> fallback as required by RFC 1122 -- which is why it is avoided at all
>>>> costs. AFAICT, this optimization is too hazardous to include at all.
>>> It does. The initiator must reset the connection in this case.
>> I would assume then that NO TCP connection is possible to that endpoint
>> - i.e., by aborting the connection, you're saying that this endpoint is
>> not reachable because it's "ENO or nothing“.

No. SYN data is not used by default. As such they could anyway only be used by an tcp-eno aware host. Such a host could decide to retry tcp-eno without syn-data or even tcp with tcp-eno.

>> 
>> If so, that needs to be made very clear - especially that it is not
>> appropriate for the TCP layer to try another connection without ENO
>> (i.e., transparent fallback NEVER involves multiple connection attempts
>> - otherwise you're violating RFC1122).

Again there is no transparent fallback. There is an error message to the application and the application can decide what to do.

> 
> The text does address this case, but still a bit too vague IMO. I'd
> appreciate an explicit statement highlighting interaction with legacy
> receivers, including a note that even a previously-visited ENO node
> might be legacy upon next contact, and stating that the connection abort
> MUST NOT include an automatic subsequent attempt at fallback, e.g.,
> because BOTH this violates the nature of ENO (once the client wants ENO,
> it's ENO-or-nothing) *and* because automatic fallback would violate TCP
> semantics.

Agreed. These are good points to note more explicitly.

Mirja


> 
> Joe