IETF Logo Mail Archive

Re: [tcpinc] Simultaneous open tie breaking

David Mazieres <dm-list-tcpcrypt@scs.stanford.edu> Tue, 25 August 2015 14:13 UTC

Return-Path: <dm-list-tcpcrypt@scs.stanford.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E15901ACDCF for <tcpinc@ietfa.amsl.com>; Tue, 25 Aug 2015 07:13:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 8.477
X-Spam-Level: ********
X-Spam-Status: Yes, score=8.477 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FRT_STOCK2=3.988, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, J_CHICKENPOX_31=0.6, J_CHICKENPOX_37=0.6, MANGLED_BACK=2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DEphlGHHxoeg for <tcpinc@ietfa.amsl.com>; Tue, 25 Aug 2015 07:13:05 -0700 (PDT)
Received: from market.scs.stanford.edu (www.scs.stanford.edu [IPv6:2001:470:806d:1::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C97AE1AC3CD for <tcpinc@ietf.org>; Tue, 25 Aug 2015 07:13:05 -0700 (PDT)
Received: from market.scs.stanford.edu (localhost.scs.stanford.edu [127.0.0.1]) by market.scs.stanford.edu (8.14.7/8.14.7) with ESMTP id t7PED4lC030032; Tue, 25 Aug 2015 07:13:04 -0700 (PDT)
Received: (from dm@localhost) by market.scs.stanford.edu (8.14.7/8.14.7/Submit) id t7PED2ih022667; Tue, 25 Aug 2015 07:13:02 -0700 (PDT)
X-Authentication-Warning: market.scs.stanford.edu: dm set sender to dm-list-tcpcrypt@scs.stanford.edu using -f
From: David Mazieres <dm-list-tcpcrypt@scs.stanford.edu>
To: Tero Kivinen <kivinen@iki.fi>, tcpinc <tcpinc@ietf.org>
In-Reply-To: <21980.21436.540892.217417@fireball.acr.fi>
References: <CABcZeBNEFVkDi38y3G-C2nQF=dzW2mGDsj5DVK_OKVkPwK=G0g@mail.gmail.com> <878u92oadf.fsf@ta.scs.stanford.edu> <CACsn0ckQskjLqo0=YfJrmBEsyCaq0jpcSzGUwKhRo0BzzQ=wDA@mail.gmail.com> <871teuo7nu.fsf@ta.scs.stanford.edu> <CACsn0ckn-QdoXmTgjW8gYQyVqZ0x9JHEYvZO5VHQkG9nKA3-Ew@mail.gmail.com> <87wpwmnenv.fsf@ta.scs.stanford.edu> <CACsn0cnq9cZdkn=yp8-GJfXDGMP8r1sib3qrQQEQYhF25kYZPg@mail.gmail.com> <21980.21436.540892.217417@fireball.acr.fi>
Date: Tue, 25 Aug 2015 07:13:02 -0700
Message-ID: <87a8tfe9sh.fsf@ta.scs.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tcpinc/mGYxWXAQJ9HvSS7G_9CeFRYj_8Q>
Subject: Re: [tcpinc] Simultaneous open tie breaking
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: David Mazieres expires 2015-11-23 PST <mazieres-phzgzkm6kmg22sg4fv8dvywhnw@temporary-address.scs.stanford.edu>
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 14:13:07 -0000

Tero Kivinen <kivinen@iki.fi> writes:

> I do not think the b bit is really going to work, and I agree with
> others that we need proper tie-breaker to solve this issue.
>
> On the other hand I do not think we need to add large tie breaker to
> the frame, we can most likely use something like very small tie
> breaker and sequence numbers for tie-breaker. I.e. whoever has smaller
> 8-bit (or 6-bit) tie breaker is winner,

This is doable, though adds complexity to implementations.  Should this
tie-breaker be sent by every active opener (and therefore consume option
space), or do you imagine that applications intending to use
simultaneous open set an option to include the tie breaker?

> if the tie breakers are same, then we compare initial sequence
> numbers, and whoever has smaller initial sequence number is the
> initiator and other end responder.

I'm very uncomfortable using sequence numbers.  In our initial tests for
tcpcrypt we found sequence numbers got modulated.  If I recall OpenBSD
does this by default when operating as a NAT, and I'm not even sure
there's a way to disable it.  Same for timestamp.

> After that we just need to have rules specifying how we pick up the
> protocol from two ordered list. The most simple solution would be to
> just say we take initiators list, remove all of the protocols not in
> the responders list, and then take first item from initiators list
> that is also supported by responder.

ENO currently does the mirror of this, letting the responder's list
determine priority.  The logic was that passive openers tend to need to
support higher numbers of connections per second, and so may need to
steer choices towards options with better hardware acceleration, etc.

Is your choice of the initiator's list just arbitrary, because you think
we should just settle on one of the two lists and happened to say
initiator?  Or is there an argument to favor the initiator's list over
the responder's?

> I.e. the negotiation would be (with same tie breaker selected randomly
> in both ends):
>
> A->B(0x9453f454) SYN: Tie breaker=33; I can speak Z, Y
> B->A(0x434945e5) SYN: Tie breaker=33; I can speak X, Y, Z
>
> As tie breaker is same, we will check sequence numbers, and as B has
> smaller he is the winner, and both ends know this. Following the rules
> above, the protocol to be used is Y.
>
> There are of course some middleboxes who do mess up with sequence
> numrbers. To detect this we want to tell the result of the exchange to
> both ends:
>
> A->B(0x9453f455) ACK: We are using protocol Y
> B->A(0x434945e6) ACK: We are using protocol Y, I am initiator

This is going to add significant complexity to the protocol, including
some cold code paths that are likely to be weakly tested in some OS
distributions.

If we are going to add another round of exchanges anyway, though, why
not do the tie-breaking there?  We could keep the single b bit as is
(for applications that want to work it out), and then add a
variable-length tie-breaking phase.  E.g.,

    A->B:  SYN ENO<Z, Y>
    B->A:  SYN ENO<X, Y, Z>
    A->B:  ACK ENO<Breaker 0x29892a863ce5>
    B->A:  ACK ENO<Breaker 0xdb636b5918a2>

Here B is chosen as virtual responder because it has a higher
tie-breaker, and at this point the protocol proceeds as usual.

Yet another possibility is hashing the options list and comparing.

Before settling on something, I'd like to get a sense of whether people
think it's okay to ask applications to signal their intent to use
simultaneous open, or whether it's important for TCP-ENO to enable
encryption for existing, unmodified applications that use simultaneous
open.  Those two options put us down different paths.

> Also if application will know it will NEVER do simulatenous opens
> (like web server, or web client), it can do setsockopt that will
> disable the Tie breaker option from the option list, saving byte or
> two.

Obviously a passive opener never needs to include the tie-breaker.  But
this sounds like you want active openers to include a tie-breaker by
default, but want to enable them to opt out of it to save option space.

My personal feeling is that it's unfortunate to waste option space and
add all this complexity to deal with such a fringe case.  But it's not a
strong feeling and I'm happy to modify ENO to suit the option of the
working group.

But... I might have an idea for how to make this work that isn't so bad.
Let me try something based on sorting the option lists and adding a
variable-length tie-breaker option.  I think that might allow
simultaneous open to work out of the box without adding too much
complexity, and would allow people trade-offs in terms of option space
consumed vs. failure probability.

David

v2.23.0 | Report a Bug | By Email