Re: [tcpinc] [tcpm] WGLC for draft-ietf-tcpinc-tcpeno

"Scharf, Michael (Nokia - DE)" <> Tue, 07 February 2017 06:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7ADEF1293FD; Mon, 6 Feb 2017 22:53:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Z_UBBovdSoHT; Mon, 6 Feb 2017 22:53:39 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EC1BD12009C; Mon, 6 Feb 2017 22:53:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=6HssaODc2deMfDAafEeuvtg4F9f960hPHfMihwgV4is=; b=HKkA99lVCqT2OhFZvtO1kcNFa/VXqehV2XUu7geqrNw97CBA9kxHl7pQHRNxrS/hcDd8jYFTsp0aoQcqAhE3d4MJUyGLaisX8E6lLe6BW28GhD2SwdRl2+Kv6XSR9SW0ENY5GVMie3uWwDreZ1lJm1OY4g6+kTEfR3BndKzyO80=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.5; Tue, 7 Feb 2017 06:53:36 +0000
Received: from ([]) by ([]) with mapi id 15.01.0888.025; Tue, 7 Feb 2017 06:53:36 +0000
From: "Scharf, Michael (Nokia - DE)" <>
To: Joe Touch <>, David Mazieres expires 2017-05-06 PDT <>, "Holland, Jake" <>, "" <>
Thread-Topic: [tcpm] [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno
Thread-Index: AQHSfaH8bHX24B8Ba06t1pm3vEt1naFWrKGAgAE+RACAAg8N8IAAYQAAgAHG0YCAAP1Ouw==
Date: Tue, 07 Feb 2017 06:53:35 +0000
Message-ID: <>
References: <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: de-DE, en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: e4c583c4-3264-4074-951c-08d44f2609f5
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:AM5PR0701MB2547;
x-microsoft-exchange-diagnostics: 1; AM5PR0701MB2547; 7:uQZIfVbbd2yO/5isdlkgb6Qc0kidKUj8Vz7Fb6WpwfuCYRIc8RfadwoTdqqdiqMDJetFSwwFU8xRhRPylGsakw0DXGeOY07qZzHrmTKJKdgPUkN5gJIT69AvD4pR/g0wc0bzEkrgcMP1nKBOghJkLt9f885A87HpXa46YIi0/mCZORT4iqwTaD4eZsboYDFVeUwZYDwCPlK3npkrpaicZELvpTtf/jFppDN/9ggpfKTEGe6dN5FPLiBNINnDddSGfHq/uExZGNh7IBKS8vIBu9Mh4NqEA7zrKXQVXKRLoT0+fzWDt2jhxPgNt6ASuT8tBKFWETIN5mDMrMfQKq0Z7KaNLUHJgySZb3o2Tg5nIhEAgMCZEMb4pvIl+wNlyTX/L5rAGAc2yogzruRN56NJj4fYMgiLeQwN28/p39ELp/4CwVziKqfPcrxIEng11Y6cGQVtgsBRmPY0Cc+4X257r5QA6UacIMddXQmsaRAL/UKFSZwCgWf8k9Bzq2MqY1FdOAQ9WTzix7fV4hVILsmOkA==
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(244540007438412)(82608151540597);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(20170203043)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123562025)(20161123560025)(20161123564025)(20161123558025)(6072148); SRVR:AM5PR0701MB2547; BCL:0; PCL:0; RULEID:; SRVR:AM5PR0701MB2547;
x-forefront-prvs: 0211965D06
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39860400002)(39840400002)(39850400002)(39450400003)(39410400002)(24454002)(199003)(377424004)(76104003)(377454003)(189002)(99286003)(53936002)(3280700002)(92566002)(101416001)(55016002)(6246003)(53546003)(93886004)(2906002)(230783001)(6436002)(25786008)(54356999)(50986999)(76176999)(33656002)(9686003)(8936002)(66066001)(102836003)(6116002)(189998001)(3846002)(81156014)(81166006)(8676002)(2900100001)(561944003)(4326007)(6506006)(122556002)(68736007)(97736004)(6306002)(7736002)(305945005)(74316002)(7696004)(2950100002)(2171002)(86362001)(5660300001)(229853002)(77096006)(3660700001)(38730400002)(106116001)(105586002)(106356001)(2501003); DIR:OUT; SFP:1102; SCL:1; SRVR:AM5PR0701MB2547;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2017 06:53:35.8772 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0701MB2547
Archived-At: <>
Cc: "" <>
Subject: Re: [tcpinc] [tcpm] WGLC for draft-ietf-tcpinc-tcpeno
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Working group mailing list for TCP Increased Security \(tcpinc\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Feb 2017 06:53:41 -0000

I'd agree to Joe's proposal "Although this protocol could benefit from extended SYN space, e.g., to support in-band key coordination, future TEPs should expect to use only the currently available space."

Michael (chair hat off)

From: Joe Touch <>
Sent: Monday, February 6, 2017 17:34
To: David Mazieres expires 2017-05-06 PDT; Scharf, Michael (Nokia - DE); Holland, Jake;
Subject: Re: [tcpm] [tcpinc] WGLC for draft-ietf-tcpinc-tcpeno


On 2/5/2017 5:26 AM, David Mazieres wrote:
> "Scharf, Michael (Nokia - DE)" <> writes:
>> While TCPM discusses large SYN options (for a long time already), all
>> known solutions have downsides. I do not believe that a non-TCPM
>> document should speculate on the feasibility solutions.
> Michael, what do you think of the new proposed wording?
>    Various proposals exist to increase the maximum space for options in
>    the TCP header.  Though these proposals are highly experimental--
The non-SYN extension is currently a WG document and intended for
>    particularly those that apply to SYN segments
The SYN extension proposals all have significant known issues and are
both highly experimental and difficult to deploy.

> --TCP-layer encryption
>    could significantly benefit from the availability of increased SYN
>    option space.
It might be useful to differentiate between the potential use of non-SYN
vs. SYN space.

You should be more explicit that "Although this protocol could benefit
from extended SYN space, e.g., to support in-band key coordination,
future TEPs should expect to use only the currently available space."

IMO, the following is speculative and not useful:

>   In particular, if future TEPs can perform key
>    agreement by embedding public keys or Diffie-Hellman parameters
>    within suboption data, it will simplify protocols and reduce the
>    number of round trips required for connection setup.  With large
>    options, the 32-byte limit on length bytes could prove insufficient.
>    This draft intentionally aborts TCP-ENO if a length byte is followed
>    by an octet in the range 0x00-0x9f.
The following appears to direct TCPM docs to update this doc, which is
not appropriate. If there is a SYN extension, it is much more likely to
be a stand-alone doc to update RFC793 and other docs would individually
update protocols that might benefit from that space.

>   Any document updating TCP's
>    option size limit can also define the format of larger suboptions by
>    updating this draft to assign meaning to such currently undefined
>    byte sequences.

> Our goal is not to second-guess TCPM, but rather to provide TCPM with a
> data point that they have a "customer" for large SYN options in the
> unlikely event that some proposal is ever deemed realistic.  I could
> make the wording even stronger, as in:
>    These proposals are highly experimental--with those that apply to SYN
>    segments particularly unlikely to be adopted any time soon--but
>    TCP-layer encryption could significantly benefit from the
>    availability of increased SYN option space.
Actually, the above is much more useful (IMO), but most of the rest of
the paragraph can be omitted.


> But that could be seen as second-guessing TCPM in the other
> direction--telling TCPM we *don't* expect them to standardize large SYN
> options anytime soon.  (Of course, it's true that I don't expect them to
> do that, but it might not be my place to say so in an RFC unless you
> sign off on the language...)
> As always, concrete suggestions on wording are appreciated.
> Thanks,
> David
> _______________________________________________
> tcpm mailing list