Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Wed, 22 February 2017 18:58 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE256129A2D for <tcpinc@ietfa.amsl.com>; Wed, 22 Feb 2017 10:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.902
X-Spam-Level:
X-Spam-Status: No, score=-0.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oy07RvM9PKP9 for <tcpinc@ietfa.amsl.com>; Wed, 22 Feb 2017 10:58:52 -0800 (PST)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58B89129A2A for <tcpinc@ietf.org>; Wed, 22 Feb 2017 10:58:52 -0800 (PST)
Received: from market.scs.stanford.edu (localhost [127.0.0.1]) by market.scs.stanford.edu (8.15.2/8.15.2) with ESMTP id v1MIwqX6009606; Wed, 22 Feb 2017 10:58:52 -0800 (PST)
Received: (from dm@localhost) by market.scs.stanford.edu (8.15.2/8.15.2/Submit) id v1MIwpA9008295; Wed, 22 Feb 2017 10:58:51 -0800 (PST)
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Wesley Eddy <wes@mti-systems.com>, tcpinc@ietf.org
In-Reply-To: <16c01c14-0896-c8fd-d7c4-e1dd7254420f@mti-systems.com>
References: <CAJU8_nUGxd0yo2htZg6LY_gSHy8xAjSOY9w4zKFLbVDw+CtZDg@mail.gmail.com> <16c01c14-0896-c8fd-d7c4-e1dd7254420f@mti-systems.com>
Date: Wed, 22 Feb 2017 10:58:51 -0800
Message-ID: <87y3wyaw7o.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/Tis5Jk7kb2nYolI9Qhw1jG_j5ww>
Subject: Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: David Mazieres expires 2017-05-23 PDT <mazieres-uahef52gbsnnunrtjtjsagv5ke@temporary-address.scs.stanford.edu>
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 18:58:53 -0000

Wesley Eddy <wes@mti-systems.com> writes:

> 1) edge cases where you're communicating with non-ENO hosts, that do not 
> discard data on SYNs (for whatever reason), and may pollute the data 
> stream delivered to the application, breaking the goals of TCPINC to 
> work without impacting the application's TCP mapping
>
> 2) cases where other TCP extensions (perhaps yet to-be-defined) do 
> something in conflict with that data

Can you make concrete suggestions for wording changes?  In particular,
we intended to address the points you raised with the following language
of section 4.7:

1)

        If a host sends a SYN-only SYN+ENO segment bearing data and
        subsequently receives a SYN-ACK segment without an ENO option,
        that host MUST reset the connection even if the SYN-ACK segment
        does not acknowledge the SYN data...

        To avoid unexpected connection resets, ENO implementations MUST
        disable the use of data in SYN-only segments by default.

2)

        More specifically, a host that implements ENO MUST discard the
        data in a received SYN+ENO segment if any of the following
        applies:
        ...
        * The SYN segment contains a non-empty TFO option or any other
          TCP option implying a conflicting definition of SYN data.

If those aren't clear, the question is how to make them so.

Thanks,
David