IETF Logo Mail Archive

Re: [tcpinc] TCP's treatment of data in SYN packets

Joe Touch <touch@isi.edu> Fri, 29 July 2016 20:10 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpinc@ietfa.amsl.com
Delivered-To: tcpinc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACAA112D837 for <tcpinc@ietfa.amsl.com>; Fri, 29 Jul 2016 13:10:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.186
X-Spam-Level:
X-Spam-Status: No, score=-3.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWgoxJyhpOcw for <tcpinc@ietfa.amsl.com>; Fri, 29 Jul 2016 13:10:10 -0700 (PDT)
Received: from nitro.isi.edu (nitro.isi.edu [128.9.208.207]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66FC912D672 for <tcpinc@ietf.org>; Fri, 29 Jul 2016 13:10:10 -0700 (PDT)
Received: from [128.9.184.41] ([128.9.184.41]) (authenticated bits=0) by nitro.isi.edu (8.13.8/8.13.8) with ESMTP id u6TK9O9b011834 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 29 Jul 2016 13:09:25 -0700 (PDT)
To: Kyle Rose <krose@krose.org>
References: <CAJU8_nU1WzQNFFUn_2o1cACutB01iyQ_hC29PHoutr8TRDKGnA@mail.gmail.com> <579A4669.7030600@isi.edu> <87lh0lselg.fsf@ta.scs.stanford.edu> <CAJU8_nUPrm9JJMrrMbL5+FpP-9CKC6EkidCry9UuZA5ZfyJtoA@mail.gmail.com> <579A8223.8050308@isi.edu> <CAJU8_nXSxr7ykC1TwptBmyP8pNccz52ozq=hF7-EYiaMdDeLBQ@mail.gmail.com> <579BA470.3000405@isi.edu> <CAJU8_nXjhHH1eEXPA3hvhJ3YXsP_v2djGX=X2p9+wyn767Hm5A@mail.gmail.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <579BB7F2.20101@isi.edu>
Date: Fri, 29 Jul 2016 13:09:22 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <CAJU8_nXjhHH1eEXPA3hvhJ3YXsP_v2djGX=X2p9+wyn767Hm5A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------080005080401080208010206"
X-MailScanner-ID: u6TK9O9b011834
X-ISI-4-69-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpinc/wWPM-ePOmG99mkwWDLyFdSRYJLQ>
Cc: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>, tcpinc <tcpinc@ietf.org>, David Mazieres expires 2016-10-26 PDT <mazieres-p7v7bih3ykqpkxv5e74y9er6ts@temporary-address.scs.stanford.edu>
Subject: Re: [tcpinc] TCP's treatment of data in SYN packets
X-BeenThere: tcpinc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpinc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpinc/>
List-Post: <mailto:tcpinc@ietf.org>
List-Help: <mailto:tcpinc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpinc>, <mailto:tcpinc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2016 20:10:12 -0000


On 7/29/2016 12:41 PM, Kyle Rose wrote:
> On Fri, Jul 29, 2016 at 2:46 PM, Joe Touch <touch@isi.edu
> <mailto:touch@isi.edu>> wrote:
>
>
>     ...
>     That's why, IMO, if you send ENO, you need to make sure the SENDER
>     doesn't put anything in the SYN data that has to be *changed*.
>     Re-sent is fine. But CHANGED is not.
>
>
> Right, I get that for interoperability with ENO-unaware stacks there
> is no way to change data presented in the SYN.
Then you're basically stuck between the semantics of ENO (which
presumably are: deliver encrypted data if possible or unencrypted if
not) and TCP (never undo data).

I.e., as long as ENO is silently backward compatible, then ENO SYNs MUST
NOT include data.

> In the case where both ends understand ENO but the server is not
> negotiating it,

I have no idea what that means. TCP only *knows* what is assumed for all
endpoints (the specs) and what it negotiates. Everything else is wrong
unless verified (e.g., as with a cookie like in TFO).

> we can define TCP SYN payload semantics differently: essentially, when
> there is an ENO option in the SYN, an ENO-aware server will do one of
> two things:
>
> (1) If it is negotiating ENO, it will hand the data off to the chosen
> TEP, which will then indicate back to ENO whether to ACK the data or not.
>
> (2) If it is not negotiating ENO, it will not ACK the data, and will
> in fact throw it away and explicitly permit transmission of
> *different* data for the same sequence number range.
>
> This seems fine to me: since we're defining it in this case, we get to
> choose the behavior.

Agreed, though I really think redefining the TCP data plane for control
is a bad idea...

> The problem is with interoperability with servers that don't
> understand ENO, because they can't make an informed decision here, and
> don't all throw away SYN data.

Exactly.

>> (4) Require signaling from the client application. This allows a
>> client to decide whether to support SYN data based on a priori
>> knowledge of the server's support for ENO.
>>
>> I'm not sure what you mean here...
> Allow the client to assume that a particular server supports ENO, and
> so choose to send SYN data knowing a priori that the server will be
> able to make the choice I outlined above. If you run a service on a
> particular version of Linux that supports ENO, and distribute a phone
> app that contacts only that service, it seems perfectly fine to tell
> your app to assume the server knows ENO.

Clients have no business telling TCP where to put data IMO. They also
have no way of knowing when this *assumption* is wrong.

If you want this sort of "knowledge", you need to build in persistent
cross-connection state at the TCP layer.

TCP isn't "best effort".

Joe

v2.37.1 | Report a Bug | By Email | System Status