Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13
"D. Wythe" <alibuda@linux.alibaba.com> Mon, 27 November 2023 07:10 UTC
Return-Path: <alibuda@linux.alibaba.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 684BBC14CF1D for <tcpm@ietfa.amsl.com>; Sun, 26 Nov 2023 23:10:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.999
X-Spam-Level:
X-Spam-Status: No, score=-9.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2WwH_6bQU1-Z for <tcpm@ietfa.amsl.com>; Sun, 26 Nov 2023 23:10:26 -0800 (PST)
Received: from out30-98.freemail.mail.aliyun.com (out30-98.freemail.mail.aliyun.com [115.124.30.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89B64C14CE22 for <tcpm@ietf.org>; Sun, 26 Nov 2023 23:10:25 -0800 (PST)
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R151e4; CH=green; DM=||false|; DS=||; FP=0|-1|-1|-1|0|-1|-1|-1; HT=ay29a033018046059; MF=alibuda@linux.alibaba.com; NM=1; PH=DS; RN=1; SR=0; TI=SMTPD_---0VxBLfw._1701069021;
Received: from 30.221.149.95(mailfrom:alibuda@linux.alibaba.com fp:SMTPD_---0VxBLfw._1701069021) by smtp.aliyun-inc.com; Mon, 27 Nov 2023 15:10:22 +0800
Message-ID: <39ff5d77-6a99-a81f-3d36-77454106bd00@linux.alibaba.com>
Date: Mon, 27 Nov 2023 15:10:20 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-US
To: tcpm@ietf.org
References: <fc2d032a-eed3-536a-7131-f4c8ba697136@linux.alibaba.com> <CAAK044QNA9dUw=yfPLkRDOFZ58q7vFhbSKNNNADDFNayoZsuUg@mail.gmail.com> <0c8c3062-1efd-fc7c-2497-49a99f8f0b9d@linux.alibaba.com> <CAAK044T_iVVapX5vYF_mgz+=e6by98W2Cw0OF+tHt-ybuKOL1Q@mail.gmail.com>
From: "D. Wythe" <alibuda@linux.alibaba.com>
In-Reply-To: <CAAK044T_iVVapX5vYF_mgz+=e6by98W2Cw0OF+tHt-ybuKOL1Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/2uFPIXSr_XDyQJaULSK9LuQUzqw>
Subject: Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2023 07:10:31 -0000
On 11/24/23 12:44 PM, Yoshifumi Nishida wrote: > Hi Wythe, > > On Wed, Nov 22, 2023 at 10:25 PM D. Wythe <alibuda@linux.alibaba.com> > wrote: > > > Hi Yoshi, > > Thanks for you comments. > > On 11/23/23 3:26 AM, Yoshifumi Nishida wrote: > > Hi Wythe, > > > > I'm not the author of the draft. But, there are the following > texts in > > the draft. > > > > "Once enabled on a connection, all segments in both directions MUST > > include the EDO Extension option." > > "If EDO has been negotiated, any subsequent segments arriving > without > > the EDO Extension option MUST be silently ignored." > > > > So, I think you'll probably see connection timeouts in such cases. > > This may look suboptimal behavior, but at the same time, we > probably > > don't want to think about buggy implementations too much because it > > can be endless. The behavior you describe is prohibited by RFC9293. > > I believe that in that case, connections may not end with timeouts > but > instead receive an erroneous application > response from the server. This is because the server does not support > EDO, and an incorrectly implemented middlebox > copies the EDO support option, which misleading the client. > > > Do you mean incorrectly implemented middle box attaches EDO supported > options used in SYN to data packets from the server? > Or, the middle box copies EDO extension options to the ACKs from the > server for the data packets from the client? > It's a bit hard for me to believe such behavior.. Because I think it > can be complicated to implement such behavior. I believe that the syn-proxy works similar to following : real_client proxy_server----proxy_client real_server syn,options(edo_support) -----> syn,ack,options(edo_support) (due to the reflecting) <------ ack -----> syn,options(nop) -----> syn,ack,options(nop) <------ ack ----> push, options(edo, large_opt), data(any) -------> (adjust the seq,pass-through) read() -> data(large_opt, any) In this scenario, neither the syn-proxy nor the server support with EDO. However, due to the incorrectly reflection, the client wrongly assumes that the server supports it. As a result, a fragment containing extensive TCP options and application data is transmitted to the server, then the server misinterprets the extensive TCP options as application data. > > > BTW, I'm curious about how frequently we see this kind of behavior. > > Previously, I had the belief that this might was a widespread > scenario, > but as I conducted further investigation, > I realized that this issue may only exist in specific > organizations or > regions.. > > We are now convinced that this issue is caused by a type of incorrect > syn-proxy implementation, who > acts as an intermediary to protect against SYN flood attacks by > completing TCP handshakes on behalf of clients, > preventing server overload. > > The problem is that when the syn-proxy receives a syn from the > client, > in order to avoid memory allocation and copying, > some implementations reuse the SYN packets, exchange IP addresses and > ports, and send it out as SYN/ACK to client. > Unfortunately, it did not consider the impact of TCP options being > simply copied. > > A example I found is: > > https://github.com/iqiyi/dpvs/blob/master/src/ipvs/ip_vs_synproxy.c > > From this perspective, it is worth considering that these issues may > only affect certain organizations and regions. > I agree with your point about buggy implementations, as these > types of > issues can be never-ending and are > beyond the protocol's control or responsibility to handle. > > > Thanks for the info. But, does it copy options other than SYN or > SYN/ACK packets? After the handshake, it will only adjust the seq and ack-seq. it only acts as a proxy for syn. Best wishes, D. Wythe > -- > Yoshi
- [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 rs.ietf
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 Yoshifumi Nishida
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 Michael Tuexen
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 rs.ietf
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 Yoshifumi Nishida
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 Joe Touch
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 Joe Touch
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe
- Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13 D. Wythe