Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno
dm-list-tcpcrypt@scs.stanford.edu Wed, 08 March 2017 05:45 UTC
Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDABC1293E8 for <tcpinc@ietfa.amsl.com>; Tue, 7 Mar 2017 21:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.901
X-Spam-Level:
X-Spam-Status: No, score=-0.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJ1oM3j7wlLH for <tcpinc@ietfa.amsl.com>; Tue, 7 Mar 2017 21:45:38 -0800 (PST)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A01126B6D for <tcpinc@ietf.org>; Tue, 7 Mar 2017 21:45:38 -0800 (PST)
Received: from market.scs.stanford.edu (localhost [127.0.0.1]) by market.scs.stanford.edu (8.15.2/8.15.2) with ESMTP id v285jbcb057786; Tue, 7 Mar 2017 21:45:37 -0800 (PST)
Received: (from dm@localhost) by market.scs.stanford.edu (8.15.2/8.15.2/Submit) id v285jbaJ005687; Tue, 7 Mar 2017 21:45:37 -0800 (PST)
From: dm-list-tcpcrypt@scs.stanford.edu
To: Wesley Eddy <wes@mti-systems.com>, tcpinc@ietf.org
In-Reply-To: <9f7dd5ae-79b0-41fe-0601-674476cc7f6a@mti-systems.com>
References: <CAJU8_nUGxd0yo2htZg6LY_gSHy8xAjSOY9w4zKFLbVDw+CtZDg@mail.gmail.com> <16c01c14-0896-c8fd-d7c4-e1dd7254420f@mti-systems.com> <87y3wyaw7o.fsf@ta.scs.stanford.edu> <9f7dd5ae-79b0-41fe-0601-674476cc7f6a@mti-systems.com>
Date: Tue, 07 Mar 2017 21:45:37 -0800
Message-ID: <878togwcce.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/g9MHFb2sIZGOVWtFS5hJka8ex_k>
Subject: Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: David Mazieres expires 2017-06-05 PDT <mazieres-b3puawqzytcd7dzhf5sqyiyb62@temporary-address.scs.stanford.edu>
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 05:45:39 -0000
Wesley Eddy <wes@mti-systems.com> writes: >> If a host sends a SYN-only SYN+ENO segment bearing data and >> subsequently receives a SYN-ACK segment without an ENO option, >> that host MUST reset the connection even if the SYN-ACK segment >> does not acknowledge the SYN data... > > > Saying "reset the connection" is interesting to me, because technically > there is not yet any connection (there are TCBs at each side, but > neither has entered ESTABLISHED state). The reset that's sent should > probably *not* acknowledge any data that may have been on the SYN-ACK, > which seems important to state. That way, if some application's > transaction erroneously started due to data on the SYN, any response > piggybacking the SYN-ACK would not be acknowledged, and the RST should > cause the application transaction to fail. I'm trying to tie up loose ends here, and think this is the only relevant point from the mailing list that we may have not yet have satisfactorily addressed in our working draft. Several points in section 4.7 use the term "reset the connection." I've now attempted to define the term more pedantically the first time I use it. Here's the new language: If a host sends a SYN+ENO segment with data and receives acknowledgment for the data, but the SYN TEP governing the data is not the negotiated TEP (either because a different TEP was negotiated or because ENO failed to negotiate encryption), then the host MUST reset the TCP connection by transitioning to TCP's CLOSED state and ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ responding to the acknowledgment with a reset segment as if the ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ connection had never existed. Proceeding in any other fashion risks ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ misinterpreted SYN data. I would ideally like to use RFC793 as much as possible as a "subroutine," because your suggestion of specifying exactly what must be in the RST segment risks contradicting RFC793. Hence, my idea that you can transition to CLOSED and pretend you were closed when you got the segment. By maybe I should say "CLOSED or LISTEN" (in keeping with RFC793), or maybe this is a bad idea for some other reason, so I'd appreciate some feedback from the list on how best to do this. Any feedback helps, but specific wording suggestions are even better... Thanks, David
- [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Kyle Rose
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Wesley Eddy
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Joe Touch
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno David Mazieres
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Joe Touch
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Wesley Eddy
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno dm-list-tcpcrypt
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Joe Touch
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Joe Touch
- Re: [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno Joe Touch