Re: [tcpinc] TCP's treatment of data in SYN packets
Kyle Rose <krose@krose.org> Wed, 27 July 2016 18:11 UTC
Return-Path: <krose@krose.org>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B88DB12D836 for <tcpinc@ietfa.amsl.com>; Wed, 27 Jul 2016 11:11:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nliWA47cJuO6 for <tcpinc@ietfa.amsl.com>; Wed, 27 Jul 2016 11:11:30 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE80B12D821 for <tcpinc@ietf.org>; Wed, 27 Jul 2016 11:11:29 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id s63so41704370qkb.2 for <tcpinc@ietf.org>; Wed, 27 Jul 2016 11:11:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xQNMhJB+XpUyEWF8SYJFQCt2eje1hPjzuUxyPYpmkqU=; b=KP6CTtN6ZQzitjx5IpkM8Ffj2imFPjv3BrGO6meX35vSmIYhG/fvhGBdyw8/qWIC47 b1Lj3I2xHqVBHVFI5EuFfUPOcw6e9l37f4Vk/twB3wJGmjpMZlrWF0kmjgUP1Bqs9bGo ifzsfe27JoHHFBguq2Bqz+1J6PY+qMMflA3dM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xQNMhJB+XpUyEWF8SYJFQCt2eje1hPjzuUxyPYpmkqU=; b=gnLkXuitKFRD1teid2RSEQ3VpyL0GJoN9VoUc/zGABiYBc949wNCcBrfD6UzmQT4ZU qulrf7nMqgqKzfH2kMROktlxmCVGlX0t0h6Tedebm3Tp9RgBY3Da5Oqar6OME5IFizMN QLtvLoOziMNSj8zYa+bPA3iR+vguMjalSsGrYXMoQn7FlZn90s/bgAeXvG3jXFmV60bt N/TzSAVELM4MOcfHctmXlwLBkvtl+GhW3LcXIyByVObzyeclJ+R2AfOEgdFQrjsiOazg RXlBS5ei78sixWjosTekvX1slENPX+a8imAKM7LVoFIvSWL6iF3jZbFQFVHXuueIxfib hZ5g==
X-Gm-Message-State: AEkoouvg9187qdaeyaS77VrsEAN2MtWmnd3ZEIGpNpqffW+Uap3+ok/L0uo5pz+ZPxpcqAy9Ii1V9PSW9WoHzQ==
X-Received: by 10.55.41.167 with SMTP id p39mr36715225qkp.119.1469643089079; Wed, 27 Jul 2016 11:11:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.94.70 with HTTP; Wed, 27 Jul 2016 11:11:28 -0700 (PDT)
X-Originating-IP: [72.246.0.14]
In-Reply-To: <87wpk7x9v6.fsf@ta.scs.stanford.edu>
References: <CAJU8_nU1WzQNFFUn_2o1cACutB01iyQ_hC29PHoutr8TRDKGnA@mail.gmail.com> <CAK6E8=d3psZBS1yX56fRQ-SP7qCN_vem5tNB8O42zPyo0TKj7Q@mail.gmail.com> <CAJU8_nWMBbqLLsYQ3GhqRk8YkptqjCF40h_R7HNSOrqHwLbgxQ@mail.gmail.com> <87wpk7x9v6.fsf@ta.scs.stanford.edu>
From: Kyle Rose <krose@krose.org>
Date: Wed, 27 Jul 2016 14:11:28 -0400
Message-ID: <CAJU8_nWni5wu2BJLT_j559RjRT=GgrkyurQi2uwE7v8Mo61NHA@mail.gmail.com>
To: David Mazieres expires 2016-10-25 PDT <mazieres-y5hsfgismf3ham3zvhiu5rn43n@temporary-address.scs.stanford.edu>
Content-Type: multipart/alternative; boundary="001a11493a044599260538a1f2b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/oxKk2Sm_jKmaKdpEGvguyLyy3gs>
Cc: tcpinc <tcpinc@ietf.org>, "tcpm@ietf.org Extensions" <tcpm@ietf.org>, Praveen Balasubramanian <pravb@microsoft.com>, "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, Yuchung Cheng <ycheng@google.com>, Christoph Paasch <cpaasch@apple.com>
Subject: Re: [tcpinc] TCP's treatment of data in SYN packets
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 18:11:33 -0000
On Wed, Jul 27, 2016 at 1:35 PM, David Mazieres <
dm-list-tcpcrypt@scs.stanford.edu> wrote:
> What I had in mind was something along the lines of saying that the last
> TEP suboption in host A's SYN segment is the SYN TEP, and that host B
> MUST ignore and MUST NOT ACK any data in SYN segments unless the
> negotiated TEP is the SYN TEP and that TEP explicitly defines the use of
> data in SYN segments. Furthermore, SYN data MUST be discarded in the
> event that TCP-ENO is disabled, even when such data has already been
> ACKed. TEPs MAY define the use of data in SYN segments for when they
> are the SYN TEP, but SHOULD limit such usage to cases in which it is
> known that the passive opener and network path both support ENO.
>
It's interoperability with older stacks that drove my question: if there
are multiple machines behind an IP, some of which support ENO and some of
which don't, do we break the charter by sending *any* data in the SYN
(outside of TFO, which as we've established is unusable for tcpinc)?
The charter says: q( The protocol must gracefully fall-back to TCP if the
remote peer does not support the proposed extensions. )
If TCP's behavior in the absence of a TFO cookie is to discard data in the
SYN, normatively and (especially) observationally, then your second
sentence ("Furthermore, SYN data MUST be dscarded...") is true when a host
doesn't support ENO, and so we can safely put whatever we like in the SYN.
If not, then unexpected data in the SYN *might* be forwarded to the
application as garbage by some TCP stacks, resulting in mostly-undefined
behavior but almost certainly connection breakage; in that case, do we need
some explicit signaling from the server on a prior connection for when SYN
data on resumption attempts is okay, or is "...but SHOULD limit such
usage..." good enough?
Kyle
- Re: [tcpinc] TCP's treatment of data in SYN packe… Black, David
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Black, David
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Black, David
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Black, David
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Derek Fawcus
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Jeremy Harris
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] [tcpm] TCP's treatment of data in SY… Derek Fawcus
- [tcpinc] TCP's treatment of data in SYN packets Kyle Rose
- Re: [tcpinc] [tcpm] TCP's treatment of data in SY… Joe Touch
- Re: [tcpinc] [tcpm] TCP's treatment of data in SY… Gavin McCullagh
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Jeremy Harris
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Derek Fawcus
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Jeremy Harris
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Wesley Eddy
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Joe Touch
- Re: [tcpinc] TCP's treatment of data in SYN packe… Derek Fawcus
- Re: [tcpinc] TCP's treatment of data in SYN packe… David Mazieres
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Kyle Rose
- Re: [tcpinc] TCP's treatment of data in SYN packe… Yuchung Cheng