IETF Logo Mail Archive

Re: [tcpinc] TCP-ENO draft 04 posted

Joe Touch <touch@isi.edu> Sat, 30 July 2016 01:33 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8505512D5F9 for <tcpinc@ietfa.amsl.com>; Fri, 29 Jul 2016 18:33:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level:
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rS-5ePGZHxM3 for <tcpinc@ietfa.amsl.com>; Fri, 29 Jul 2016 18:33:19 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E788E12D5CA for <tcpinc@ietf.org>; Fri, 29 Jul 2016 18:33:18 -0700 (PDT)
Received: from [192.168.1.189] (cpe-172-250-251-17.socal.res.rr.com [172.250.251.17]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id u6U1WcQQ021310 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 29 Jul 2016 18:32:48 -0700 (PDT)
To: David Mazieres expires 2016-10-27 PDT <mazieres-km7uit28qazn68v63terznb4fn@temporary-address.scs.stanford.edu>, tcpinc <tcpinc@ietf.org>
References: <87invokuu8.fsf@ta.scs.stanford.edu> <579BCAD1.4020509@isi.edu> <87fuqskpjh.fsf@ta.scs.stanford.edu> <579BE560.2060300@isi.edu> <87d1lwkm5i.fsf@ta.scs.stanford.edu>
From: Joe Touch <touch@isi.edu>
Message-ID: <579C03B4.6090303@isi.edu>
Date: Fri, 29 Jul 2016 18:32:36 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <87d1lwkm5i.fsf@ta.scs.stanford.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/jqmzBXm5OIc-0q-dTu67yJiKr7s>
Subject: Re: [tcpinc] TCP-ENO draft 04 posted
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jul 2016 01:33:20 -0000


On 7/29/2016 5:24 PM, David Mazieres wrote:
> Joe Touch <touch@isi.edu> writes:
>
>> Fair enough, but then you really need to re-implement the bulk of what
>> TFO does if you intend to act on previous state as if it were known for
>> future connections.
> Yes, except the reimplementation may turn out to be simplified by the
> fact that A) TEPs have a cryptographically strong way to check data
> integrity at their disposal, and B) there may be extrinsic information
> about the server-side SYN handling. 
Sure, but TFO achieves a way to rely on safe early use of SYN data that
doesn't change. That's what you get with a TFO-like solution.

...
>  E.g., if TCPINC ever integrates
> with DANE, there could be a DNS record promising that a server always
> implements some TEP and is always willing to engage in some server
> authentication pre-protocol.  In that case, the client can count on the
> server observing ENO's requirement to discard unexpected SYN data.
DNS hints can tell you what might succeed, but can't guarantee it. You
don't know if TCP will be preceded by a DNS lookup - it's not integrated
inside TCP.


>
>>>   1. Is the current section 4.7 setting the right goals?
>> IMO, it is incomplete.
>>
>> The first goal should be correct TCP behavior in all cases.
> I don't understand.  Don't we already have RFC793 and the whole IETF
> process to ensure correct TCP behavior? 
If everyone follows it...(and that's the trick here)

>  I'm not saying TCP-ENO should
> advocate incorrect behavior, 
That's where we disagree - if you intend on sending SYN data that
changes if not ACKd, I do.

> just that A) most correctness requirements
> are implicit (or by normative citation of RFC793), and B) from
> time to time the IETF sees value in deviating from RFC793 (e.g., TFO).
Certainly - e.g., the meaning of the URG pointer changed too. But in all
cases there's a strong expectation that these changes do not affect
legacy TCP. In the case of URG, it was because we all believed strongly
that this was compliant with all known implementations and that the
failure mode was relatively gentle to TCP semantics.

> There's no reason to write the spec in such a way as to complicate or
> redundantly prohibit future TFO-like things *if* the IETF wants to
> pursue them.
Agreed. But I'm still not sure that's what's going on here..

>> I appreciate the desire to avoid TFO with ENO, but then you need to
>> stick to non-TFO semantics.
> Unless a TEP specifies TFO-like semantics, right? 

Yes, but that means success of TFO-like gives you permission to do more
with the SYN-data (or do it earlier). Even TFO doesn't give permission
to change data that hasn't yet been ACKd.

>  There may be value in
> having a TEP replicate or incorporate TFO, but for backwards
> compatibility A) it should do so without including option 34, and B)
> older versions of the TEP should ignore the SYN data.
And legacy TCP cannot be required to discard the SYN-data. You cannot
control the server side if it's legacy.

>
>> That means that previous connection state can be used only as a hint,
>> and that the connection MUST be able to undo 100% of that hint when (not
>> if) it is wrong.
>>
>> In that case, you have only two options:
>>
>>    1) require that ENO never *send* SYN data
>>
>>     2) require that failed ENO negotiation MUST result in a dropped
>> connection
>>
>> In the case of #2, the question is what to do next.
> I could see going with #2 if that's the sentiment of the working group,
I've noted my concern there... (see the end of this message for more on
that)


> but my preference would be to leave it up to the individual TEP, 

Do you mean that you would let the TEP indicate which of the two above
is selected for a given endpoint? That's fine, as long as both work
(again, see the end of this thread)...

> for two
> reasons.  First, we don't have any empirical evidence about SYN data
> buffering, 
Agreed...

> and it does seem like something that can be probed for or
> annouced at a different layer of abstraction.
On a per-connection basis, yes. As a persistent endpoint property, no -
for the same reason as the fact that you can't use ENO state from past
connections.

>   Second, as things evolve,
> who's to say some future TEP won't have a better workaround for the
> problem?

RFC793, until this issue is locked down in a different way, IMO.
>
> As a compromise, how about making #2 a SHOULD, so as to minimize the
> chances of TEP accidentally messing this up without closing the door on
> intentional deviations?

#1 is a MUST unless you can guarantee that a given TCP stack will
automatically retry with different connection parameters (#2). Otherwise
you've made your TCP brittle by turning on ENO. I don't mind if you want
to shoot yourself in the foot that way, but I suspect few users of ENO
capability would want that.

(i.e., there's no room here for a SHOULD, unless you want to say "SHOULD
do #2 if the TCP stack implements automatic retry" -- however, you're
now hurting all connections that make the mistake of using ENO to a
legacy endpoint. That might be OK, if you think the hints you're using
are usually correct, though).

Joe

v2.35.0 | Report a Bug | By Email | System Status