Re: [tcpinc] AD review of tcp-eno

"Mirja Kuehlewind (IETF)" <> Thu, 27 July 2017 17:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 05E92131F6A for <>; Thu, 27 Jul 2017 10:05:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); domainkeys=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rDRidRa6I1rK for <>; Thu, 27 Jul 2017 10:05:11 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C3C23132051 for <>; Thu, 27 Jul 2017 10:05:07 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default;; b=ks/fCiIoiEm12yyRpEXDfBDMNx1Ty16P4E3ryzjFBSAzVB9s3GSyNpBgAt1pcQjdBcF1wg4jPUabgwqbubtWQCLJuFReC7bxuK3iQCnzSTdGt+1HhbUye+jQkDXwH9SGpqFtGi9Cr5DZ2o5ZDxztsBEuJmHEeRkBrsqEwJg81ro=; h=Received:Received:Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-PPP-Message-ID:X-PPP-Vhost;
Received: (qmail 21796 invoked from network); 27 Jul 2017 19:05:06 +0200
Received: from (HELO ? ( by with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 27 Jul 2017 19:05:05 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: "Mirja Kuehlewind (IETF)" <>
In-Reply-To: <>
Date: Thu, 27 Jul 2017 19:05:05 +0200
Cc:, tcpinc <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <> <> <>
To: Joe Touch <>
X-Mailer: Apple Mail (2.3273)
X-PPP-Message-ID: <>
Archived-At: <>
Subject: Re: [tcpinc] AD review of tcp-eno
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Jul 2017 17:05:14 -0000

Hi Joe again,

see below.

> Am 27.07.2017 um 17:50 schrieb Joe Touch <>:
> On 7/27/2017 8:40 AM, Joe Touch wrote:
>> ...
>>>>>> 2) I’m wondering if it would make sense to specify at the beginning of section 4.7 another requirement that TEPs SHOULD only specify the use of SYN data if there is some a-priori knowledge that the other end is likely to support tcp-eno and the tep (e.g. due to previous successful connections aka session resumption, or application knowledge).
>>>> That section does not appear to address the case where non-user data in
>>>> the SYN is received by a legacy receiver, either because of first
>>>> contact or in contacting a host that has changed configuration since
>>>> last contact. In such cases, there is no way to support transparent
>>>> fallback as required by RFC 1122 -- which is why it is avoided at all
>>>> costs. AFAICT, this optimization is too hazardous to include at all.
>>> It does. The initiator must reset the connection in this case.
>> I would assume then that NO TCP connection is possible to that endpoint
>> - i.e., by aborting the connection, you're saying that this endpoint is
>> not reachable because it's "ENO or nothing“.

No. SYN data is not used by default. As such they could anyway only be used by an tcp-eno aware host. Such a host could decide to retry tcp-eno without syn-data or even tcp with tcp-eno.

>> If so, that needs to be made very clear - especially that it is not
>> appropriate for the TCP layer to try another connection without ENO
>> (i.e., transparent fallback NEVER involves multiple connection attempts
>> - otherwise you're violating RFC1122).

Again there is no transparent fallback. There is an error message to the application and the application can decide what to do.

> The text does address this case, but still a bit too vague IMO. I'd
> appreciate an explicit statement highlighting interaction with legacy
> receivers, including a note that even a previously-visited ENO node
> might be legacy upon next contact, and stating that the connection abort
> MUST NOT include an automatic subsequent attempt at fallback, e.g.,
> because BOTH this violates the nature of ENO (once the client wants ENO,
> it's ENO-or-nothing) *and* because automatic fallback would violate TCP
> semantics.

Agreed. These are good points to note more explicitly.


> Joe