Re: [tcpm] TCP reserved bits and793bis
Joe Touch <touch@isi.edu> Wed, 09 July 2014 15:29 UTC
Return-Path: <touch@isi.edu>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB0C31A0AF4 for <tcpm@ietfa.amsl.com>; Wed, 9 Jul 2014 08:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1CITxyNdC2g8 for <tcpm@ietfa.amsl.com>; Wed, 9 Jul 2014 08:29:58 -0700 (PDT)
Received: from darkstar.isi.edu (darkstar.isi.edu [128.9.128.127]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10E551A0AF2 for <tcpm@ietf.org>; Wed, 9 Jul 2014 08:29:58 -0700 (PDT)
Received: from [192.168.1.91] (pool-71-105-87-112.lsanca.dsl-w.verizon.net [71.105.87.112]) (authenticated bits=0) by darkstar.isi.edu (8.13.8/8.13.8) with ESMTP id s69FTSel022399 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 9 Jul 2014 08:29:33 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
Content-Type: text/plain; charset="us-ascii"
From: Joe Touch <touch@isi.edu>
In-Reply-To: <20140709110920.GC4461@verdi>
Date: Wed, 09 Jul 2014 08:29:28 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <3124FE3C-F4D9-456F-A22E-B2B691388CDF@isi.edu>
References: <20140702231048.27968.95757.idtracker@ietfa.amsl.com> <53B49D57.70102@isi.edu> <201407031455.s63EtLAb019563@bagheera.jungle.bt.co.uk> <53B57D88.9090706@isi.edu> <6FC2D64C-65F7-423D-A3A2-35258796C3DA@netapp.com> <201407031843.s63IhNU2020277@bagheera.jungle.bt.co.uk> <53B5B96F.1020304@isi.edu> <0C29294E-7C2D-4653-A706-DE5FF44EF4AF@quantum.com> <53BC25EB.8070301@isi.edu> <20140709110920.GC4461@verdi>
To: John Leslie <john@jlc.net>
X-Mailer: Apple Mail (2.1878.2)
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/-LoyKc0qp5t5crpwU2t26qir-90
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, David Borman <David.Borman@quantum.com>
Subject: Re: [tcpm] TCP reserved bits and793bis
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 15:29:59 -0000
Hi, John, On Jul 9, 2014, at 4:09 AM, John Leslie <john@jlc.net> wrote: > Joe Touch <touch@isi.edu> wrote: >> >> There are two interpretations of "Must be zero": >> a) current implementations should drop segments with those bits set >> >> b) current implementations should ignore those bits > > Indeed, we must work around endpoints which do either of these. > >> It says "Must be zero." That can easily be interpreted as requiring that >> when the bits are set the segment is invalid. > > But only so interpreted by an endpoint. No middlebox is entitled to > do that. Right - my claim has always been that there are no such things as middleboxes; there are hosts and there are routers. Routers ought to look no further than L3; everything else is acting like a host, and breaks what we expect when we think of an Internet. That's especially true for boxes that modify L3 or L4 beyond what RFC1812 permits (HBH options, hopcount, IP checksum). > (Of course, a middlebox _is_ entitled to drop an IP packet for any > reason whatsoever.) Anything that is visibly indistinguishable from a link is a link (or a part of a link). The same applies to routers and hosts, to me at least. Intent and mechanism aren't relevant; externally visible behavior is. > Our problem is that currently-deployed "middleboxes" do a bunch of > things which really qualify as "damage". Accept that, but don't argue > that it's a reasonable interpretation of 793. Agreed. >> Note that RFC793 doesn't define what to do when the Data Offset is >> smaller than 5 - so does that mean you should be liberal and process >> such segments, or drop them? > > That's a good question. Let me at least nibble around the edges. > > If the two endpoints have agreed on a meaning, of course the receiver > should process it. That's true for any property. It doesn't mean they're running TCP anymore, though. > If a receiver _hasn't_ agreed on a meaning, it should own up to > having no clue whether there are any options and/or any data. If > the checksum validates, it's probably time to give up and close the > connection; otherwise it could discard the packet. I don't think a single invalid segment should ever affect a connection or connection in progress. I would say "silent drop" to any packet that can't be understood. > If a middlebox sees Data Offset less than five, it similarly > should probably admit it has no clue whether there are any options > or any data. If all it wants to do is rewrite source IP and port, > it should probably do that and pass everything else unchanged, > adjusting the checksum. I disagree; a middlebox that modifies the IP address and/or TCP ports is acting as a host to the downstream components, and should be expected to follow host requirements. In this case, if a host MUST silently drop nonsense packets then so should a box that looks like a host. > If a middlebox wants to do something with options or data, it > probably needs to drop the packet -- because it can't do what it is > designed to do. I think it has to have already dropped it. > Now we get into the really messy area: if a middlebox sees that > something like EDO has been negotiated (which _is_ possible when > it intercepts in both directions), should it process according to > that option? > > IMHO, there's no fully satisfactory answer to that. Myself, I'd > prefer it didn't. A middlebox wanting to meddle that much should > act as an endpoint. (But of course, we can't enforce that.) See above; I've been saying as much for a long time. Actually NAT boxes are a little more complex: - to the upstream (the devices "behind") them, they MUST act like a router (including decreasing the hopcount, etc.) - to the downstream, they MUST act like a host So they get twice the requirements. >> I agree that "liberal" means that, in either case, you MUST NOT generate >> a response segment, ICMP message, or user error. But it's not as clear >> *from the current text*. >> >> The point of all this is that 793bis needs to be updated to make this >> direct and explicit, though. > > Alas, that won't fix the problem. At best, it might change new > middlebox designs. There's no way it could fix deployed middleboxes. > (But it would _feel_ better to have an unambiguous statement that > this is damage!) Sometimes that's the best we can do; sometimes it's better to declare what's deployed "broken" than to try to find a way to accommodate it. Joe
- [tcpm] Fwd: New Version Notification for draft-to… Joe Touch
- [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Bob Briscoe
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Zimmermann, Alexander
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Bob Briscoe
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt John Leslie
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Ted Faber
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Bob Briscoe
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Bob Briscoe
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Bob Briscoe
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt David Borman
- [tcpm] TCP reserved bits and793bis Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Joe Touch
- Re: [tcpm] TCP reserved bits and793bis Wesley Eddy
- Re: [tcpm] TCP reserved bits and793bis Joe Touch
- Re: [tcpm] TCP reserved bits and793bis David Borman
- Re: [tcpm] TCP reserved bits and793bis John Leslie
- Re: [tcpm] TCP reserved bits and793bis Joe Touch
- Re: [tcpm] Fwd: New Version Notification for draf… Yuchung Cheng
- Re: [tcpm] Fwd: New Version Notification for draf… Wesley Eddy
- Re: [tcpm] Fwd: New Version Notification for draf… Joe Touch
- Re: [tcpm] Review: draft-touch-tcpm-tcp-edo-03.txt Jeremy Harris