Re: [tcpm] draft-ietf-tcpm-tcp-edo
John Leslie <john@jlc.net> Mon, 06 October 2014 01:31 UTC
Return-Path: <john@jlc.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF7061A0282 for <tcpm@ietfa.amsl.com>; Sun, 5 Oct 2014 18:31:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.472
X-Spam-Level:
X-Spam-Status: No, score=-3.472 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, URIBL_RHS_DOB=1.514] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnqd7FdMjQoo for <tcpm@ietfa.amsl.com>; Sun, 5 Oct 2014 18:31:08 -0700 (PDT)
Received: from mailhost.jlc.net (mailhost.jlc.net [199.201.159.4]) by ietfa.amsl.com (Postfix) with ESMTP id 430341A0273 for <tcpm@ietf.org>; Sun, 5 Oct 2014 18:31:08 -0700 (PDT)
Received: by mailhost.jlc.net (Postfix, from userid 104) id A5C5BC94A8; Sun, 5 Oct 2014 21:31:04 -0400 (EDT)
Date: Sun, 05 Oct 2014 21:31:04 -0400
From: John Leslie <john@jlc.net>
To: Joe Touch <touch@isi.edu>
Message-ID: <20141006013104.GC72713@verdi>
References: <3C694E6F4F1EBB43B13CE0A47A0A2E01714236@NDJSMBX103.ndc.nasa.gov> <201410021431.s92EVDnC015019@bagheera.jungle.bt.co.uk> <542D68A8.7020203@isi.edu> <201410021614.s92GEowA015383@bagheera.jungle.bt.co.uk> <542D7C8B.2050401@isi.edu> <201410030057.s930vQAu017004@bagheera.jungle.bt.co.uk> <542DF84E.4020404@isi.edu> <201410031114.s93BE6Mw019580@bagheera.jungle.bt.co.uk> <20141004202431.GA72713@verdi> <5430C9FB.2010000@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5430C9FB.2010000@isi.edu>
User-Agent: Mutt/1.4.1i
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/1a7RRxfPU4ImjJkFEZNAcZZywxE
Cc: tcpm IETF list <tcpm@ietf.org>
Subject: Re: [tcpm] draft-ietf-tcpm-tcp-edo
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Oct 2014 01:31:12 -0000
Joe Touch <touch@isi.edu> wrote: > On 10/4/2014 1:24 PM, John Leslie wrote: >> Bob Briscoe <bob.briscoe@bt.com> wrote: >>> <snipP >>> >>> There are three suggested additions to EDO: >>> a) defer extra options until after the SYN/ACK >>> b) require EDO on all segments >> >> Please don't! > > I'm not sure about your concern; we're talking about putting EDO in all > segments of a connection *on which* EDO has been negotiated. Nobody is > expecting EDO to be turned on for all connections. It's hard to know at every connection start whether at some later point extra options will prove useful. >>> c) include the payload size in the EDO option >> >> what about: >> >> d) set the Data Offset field to zero when using EDO? >> >> (I may have missed something, but it seems to me that would prevent >> the horror Bob mentioned.) > > That just means that middleboxes won't see *any* of the options, > including whether a segment is using TCP-AO (and thus modifying the > segment would trash it). Middleboxes which don't understand EDO, indeed, won't see the extra options. But this really doesn't matter, because they'll either pass it correctly or drop it -- the same choices as if they _did_ understand EDO. (I could have sworn it was Joe who said broken middleboxes need to be replaced. ;) > It doesn't address the scenario Bob described. Extended options could > still be merged with user data if the segments are merged or rewritten > in without consideration for EDO. The Data-Offset-Zero case can't lead to merging, because clueless middleboxes won't be able to find _any_ options to merge. ==== It might help for me to detail what I think Data-Offset-Zero means. The original SYN includes a two-byte option announcing that the sender speaks EDO -- that is, it will understand if it receives an EDO packet and it knows how to send one. The SYN-ACK MAY include a four-byte option announcing the option space is larger than 40 bytes. Or it may include in the regular option space a two-byte option simply announcing that it speaks EDO but doesn't want to use it yet. If either of these doesn't happen, the connection is not EDO-capable. But recall that the original SYN-sender knows how to speak EDO; thus the SYN-ACK, upon sending an EDO option, MAY assume the connection to be EDO-capable. (This assumption may prove false if there is a middlebox which doesn't understand EDO. The ambiguity will be short-lived in that case because the SYN-ACK with the EDO option won't arrive.) If the connection _is_ EDO-capable, both endpoints will know that a Data Offset of zero indicates the presence of a four-byte EDO option stating the actual length of the option space. Thus they can start parsing the option space before learning its actual length. Middleboxes which don't understand EDO will of necessity drop the packet instead of misinterpreting some of the actual options as application data. The packet drop will indicate the probable presence of such a middlebox. (I need not go into detail here about how to deal with that, but questions will be welcomed.) Middleboxes which aren't trying to violate layering will simply pass the IP packet without any damage (or drop it, if it violates some rule they're trying to enforce). If a meddlebox drops the SYN or SYN-ACK EDO option, the endpoints won't even try to speak EDO. If paths change and a different middlebox drops a packet, we simply detect the problem when it arises. ==== >> I'm not sure we need to limit our thinking to detection-only -- but >> that seems sufficient for our first RFC (if it's Experimental status). > > It would help if you could give an example of any other option that > corrects middlebox corruption; otherwise, we should set our expectations > for this option accordingly. One _can_ only "correct" middlebox corruption by detecting it and routing around it. Data-Offset-Zero will certainly detect it; and the endpoints can route around it by avoiding EDO. >>> We need experiments (including those already written up) to determine >>> how prevalent various middlebox behaviours are. >> >> I agree experiments are needed. I prefer getting an Experimental >> document out fairly quickly to trying to do all needed Experiments >> before publishing. > > By that logic, all work on all new TCP options should halt dead in its > tracks. I can't think of a way to parse what I wrote so as to lead to that conclusion. (I have to guess you missed the "to" before "trying to do".) Let me restate it: I prefer getting an Experimental document out fairly quickly for EDO. This threatens to drag on interminably if we try to do all the needed experiments before publishing an Experimental-track document. Also, if we describe the experiments in such a document, it will be easier for folks to help us with them. > What we do need is to understand the prevalence of the byzantine > failures we've been discussing (and no, let's not call them just > "behaviors"; there needs to be a limit to what we allow on-path. at some > point, that "behavior" is an attack or a bug and should be fixed rather > than "observed"). I sympathize! But eliminating bad behavior in-the-wild just doesn't happen. We _can_ raise the awareness of it; and that will help _reduce_ it. Just bad-mouthing it general won't even reach the folk who can help us reduce the bad behavior. :^( -- John Leslie <john@jlc.net>
- [tcpm] Asymmetric Middleboxes and Extended Data O… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Eddy, Wesley M. (GRC-LCI0)[MTI SYSTEMS, INC.]
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Wesley Eddy
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Wesley Eddy
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Yoshifumi Nishida
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Pasi Sarolahti
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- [tcpm] draft-ietf-tcpm-tcp-edo John Leslie
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcp-edo John Leslie
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcp-edo John Leslie
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Bob Briscoe
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Bob Briscoe
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch