IETF Logo Mail Archive

Re: [tcpinc] TCP's treatment of data in SYN packets

Joe Touch <touch@isi.edu> Mon, 01 August 2016 00:06 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B4C312D0A2 for <tcpinc@ietfa.amsl.com>; Sun, 31 Jul 2016 17:06:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level:
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Llf8jIFEwLcA for <tcpinc@ietfa.amsl.com>; Sun, 31 Jul 2016 17:06:30 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3919A12D095 for <tcpinc@ietf.org>; Sun, 31 Jul 2016 17:06:30 -0700 (PDT)
Received: from [192.168.1.189] (cpe-172-250-251-17.socal.res.rr.com [172.250.251.17]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id u7105VZ5024289 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 31 Jul 2016 17:05:41 -0700 (PDT)
To: David Mazieres expires 2016-10-28 PDT <mazieres-jat7tv6bmd95tdfrcp343a63r2@temporary-address.scs.stanford.edu>, Kyle Rose <krose@krose.org>, Jeremy Harris <jgh@wizmail.org>
References: <CAJU8_nU1WzQNFFUn_2o1cACutB01iyQ_hC29PHoutr8TRDKGnA@mail.gmail.com> <579A4669.7030600@isi.edu> <87lh0lselg.fsf@ta.scs.stanford.edu> <CAJU8_nUPrm9JJMrrMbL5+FpP-9CKC6EkidCry9UuZA5ZfyJtoA@mail.gmail.com> <579A8223.8050308@isi.edu> <CAJU8_nXSxr7ykC1TwptBmyP8pNccz52ozq=hF7-EYiaMdDeLBQ@mail.gmail.com> <579BA470.3000405@isi.edu> <CAJU8_nXjhHH1eEXPA3hvhJ3YXsP_v2djGX=X2p9+wyn767Hm5A@mail.gmail.com> <adcaa33a-3bf5-e63a-bd19-fd165b16aa7d@wizmail.org> <87oa5fniu0.fsf@ta.scs.stanford.edu> <9ff12fb6-44f9-b1d0-2e9d-a67683679037@wizmail.org> <CAJU8_nVBem40i5Rqke37UBtOquF_mVBJHkjrtAmNN2qPdHqY=A@mail.gmail.com> <87d1lunvhn.fsf@ta.scs.stanford.edu>
From: Joe Touch <touch@isi.edu>
Message-ID: <579E9248.7050006@isi.edu>
Date: Sun, 31 Jul 2016 17:05:28 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <87d1lunvhn.fsf@ta.scs.stanford.edu>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/lu7dmIjxXj0AX0_sLZ0LPfDJSRM>
Cc: tcpinc <tcpinc@ietf.org>
Subject: Re: [tcpinc] TCP's treatment of data in SYN packets
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 00:06:31 -0000

Hi, David,

There are two problems with the text:
1) it's never clear whether you're talking about:
    - all hosts, including legacy ones
    - hosts that support ENO, whether the segment includes the ENO
option or not
    - hosts that support ENO and are processing a segment including the
ENO option
Wherever you say "host" below, you should be clear about the case you're
indicating.

2) the text is still incorrect about interaction with legacy hosts

Joe

On 7/30/2016 11:59 PM, David Mazieres wrote:
> Okay, guys.  This is getting long and feels a bit pedantic, but how
> about the following?
>
> David
>
>
> 4.7.  Data in SYN segments
>
>    A SYN segment containing an ENO option MUST NOT include a TCP Fast
>    Open (TFO) option [RFC7413].  However, TEPs MAY specify the use of
>    data in SYN segments to achieve similar benefits to TFO.
>
>    The last TEP identifier suboption in host A's SYN segment is the _SYN
>    TEP_.  The use of data in host A's SYN segment is goverend by the SYN
>    TEP.  If the SYN TEP's specification does not define the use of SYN
>    data, then host A's SYN segment MUST NOT contain data and host B MUST
>    discard any SYN data.  Host B MUST also discard SYN data if either
>    the SYN TEP differs from the negotiated TEP or host B disables
>    encryption.
>
>    The use of data in B's SYN-ACK segment is governed by the negotiated
>    TEP.  If the negotiated TEP's specification does not define the use
>    of SYN data, then host B's SYN-ACK segment MUST NOT contain data and
>    host A MUST discard any SYN data.  Host A MUST also discard SYN data
>    if host A disables encryption.  In the event that host B is an active
>    opener (because of simultaneous open), host B's SYN-only segment MUST
>    NOT include data.
>
>    A host MUST NOT act on discarded data under any circumstances.  In
>    particular, after a host discards SYN data, if a later non-SYN
>    segment contains different data for the same sequence numbers, the
>    host MUST process the contents of the non-SYN segment only.
>    Furthermore, when a host discards SYN data, it MUST NOT acknowledge
>    the sequence number of the discarded data.  Rather, it MUST
>    acknowledge the other host's initial sequence number as if the
>    received SYN segment contained no data.
>
>    If host A's SYN segment contains data, host B's SYN-ACK segment
>    acknowledges that data, and either encryption is disabled or the
>    negotiated TEP is not the SYN TEP, then host A MUST reset the TCP
>    connection.  Under such circumstances, the acknowledged data is
>    defined by the SYN TEP, which does not govern the connection.  Hence,
>    there is significant risk of host B misinterpreting SYN data.
>
>    If host A sends SYN data, host B does not acknowledge the SYN data,
>    and host B's SYN-ACK segment does not include an ENO option, then
>    host A SHOULD reset the connection. 
MUST. There is no case where you can do otherwise and retain the
semantics of TCP to the legacy host.

>  The reason is that a legacy host
>    B, if it does not implement ENO, could buffer and later act on SYN
>    data even without first acknowledging that data.
That's incorrect - what it CAN do is buffer the SYN data and ACK it
later, and act on it once ACKd.  The issue is that TCP does not have a
strict rule for what happens if data is received but not ACKd and later
overwritten - there's no rule of "latest data is kept".

>   Barring empirical
>    evidence against the existence of unacknowledged data buffering, it
>    is not safe for host A to assume its SYN data has been discarded.
>
>    To avoid unexpected resets, TEPs SHOULD support a normal mode of
>    operation that does not make use of data in SYN segments, and SHOULD
>    enable data in host A's SYN segment only if explicitly requested by
>    the application or in cases where such use is unlikely to cause
>    connection failure.  Implementations MAY provide a per-connection
>    mandatory-encryption mode that automatically resets a connection if
>    ENO fails.  If supported by the TEP, host A MAY enable SYN data when
>    the application requests mandatory-encryption mode.

The above is fine, FWIW, and what I was expecting - i.e., it's OK to
send data in the SYN when you think your bet is likely to win, and that
also means you're willing to take the RESET hit on legacy endpoints if
you're wrong. So the gamble is yours to win or pay the cost of.

Joe

v2.37.1 | Report a Bug | By Email | System Status