IETF Logo Mail Archive

Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13

"D. Wythe" <alibuda@linux.alibaba.com> Mon, 27 November 2023 07:10 UTC

Return-Path: <alibuda@linux.alibaba.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 684BBC14CF1D for <tcpm@ietfa.amsl.com>; Sun, 26 Nov 2023 23:10:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.999
X-Spam-Level:
X-Spam-Status: No, score=-9.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2WwH_6bQU1-Z for <tcpm@ietfa.amsl.com>; Sun, 26 Nov 2023 23:10:26 -0800 (PST)
Received: from out30-98.freemail.mail.aliyun.com (out30-98.freemail.mail.aliyun.com [115.124.30.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89B64C14CE22 for <tcpm@ietf.org>; Sun, 26 Nov 2023 23:10:25 -0800 (PST)
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R151e4; CH=green; DM=||false|; DS=||; FP=0|-1|-1|-1|0|-1|-1|-1; HT=ay29a033018046059; MF=alibuda@linux.alibaba.com; NM=1; PH=DS; RN=1; SR=0; TI=SMTPD_---0VxBLfw._1701069021;
Received: from 30.221.149.95(mailfrom:alibuda@linux.alibaba.com fp:SMTPD_---0VxBLfw._1701069021) by smtp.aliyun-inc.com; Mon, 27 Nov 2023 15:10:22 +0800
Message-ID: <39ff5d77-6a99-a81f-3d36-77454106bd00@linux.alibaba.com>
Date: Mon, 27 Nov 2023 15:10:20 +0800
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-US
To: tcpm@ietf.org
References: <fc2d032a-eed3-536a-7131-f4c8ba697136@linux.alibaba.com> <CAAK044QNA9dUw=yfPLkRDOFZ58q7vFhbSKNNNADDFNayoZsuUg@mail.gmail.com> <0c8c3062-1efd-fc7c-2497-49a99f8f0b9d@linux.alibaba.com> <CAAK044T_iVVapX5vYF_mgz+=e6by98W2Cw0OF+tHt-ybuKOL1Q@mail.gmail.com>
From: "D. Wythe" <alibuda@linux.alibaba.com>
In-Reply-To: <CAAK044T_iVVapX5vYF_mgz+=e6by98W2Cw0OF+tHt-ybuKOL1Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/2uFPIXSr_XDyQJaULSK9LuQUzqw>
Subject: Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Nov 2023 07:10:31 -0000



On 11/24/23 12:44 PM, Yoshifumi Nishida wrote:
> Hi Wythe,
>
> On Wed, Nov 22, 2023 at 10:25 PM D. Wythe <alibuda@linux.alibaba.com> 
> wrote:
>
>
>     Hi Yoshi,
>
>     Thanks for you comments.
>
>     On 11/23/23 3:26 AM, Yoshifumi Nishida wrote:
>     > Hi Wythe,
>     >
>     > I'm not the author of the draft. But, there are the following
>     texts in
>     > the draft.
>     >
>     > "Once enabled on a connection, all segments in both directions MUST
>     > include the EDO Extension option."
>     > "If EDO has been negotiated, any subsequent segments arriving
>     without
>     > the EDO Extension option MUST be silently ignored."
>     >
>     > So, I think you'll probably see connection timeouts in such cases.
>     > This may look suboptimal behavior, but at the same time, we
>     probably
>     > don't want to think about buggy implementations too much because it
>     > can be endless. The behavior you describe is prohibited by RFC9293.
>
>     I believe that in that case, connections may not end with timeouts
>     but
>     instead receive an erroneous application
>     response from the server. This is because the server does not support
>     EDO, and an incorrectly implemented middlebox
>     copies the EDO support option, which misleading the client.
>
>
> Do you mean incorrectly implemented middle box attaches EDO supported 
> options used in SYN to data packets from the server?
> Or,  the middle box copies EDO extension options to the ACKs from the 
> server for the data packets from the client?
> It's a bit hard for me to believe such behavior.. Because I think it 
> can be complicated to implement such behavior.

I believe that the syn-proxy works similar to following :

real_client proxy_server----proxy_client                         real_server

syn,options(edo_support)
     ----->
            syn,ack,options(edo_support)             (due to the reflecting)
               <------
     ack
     ----->
                                     syn,options(nop)
                                              ----->
                                             syn,ack,options(nop)
                                                    <------
                                     ack
                                     ---->
push, options(edo, large_opt), data(any)
     ------->
(adjust the seq,pass-through)
read()  -> data(large_opt, any)

In this scenario, neither the syn-proxy nor the server support with EDO.
However, due to the incorrectly reflection, the client wrongly assumes 
that the server supports it.

As a result, a fragment containing extensive TCP options and application 
data is transmitted to the server,
then the server misinterprets the extensive TCP options as application data.

>
>     > BTW, I'm curious about how frequently we see this kind of behavior.
>
>     Previously, I had the belief that this might was a widespread
>     scenario,
>     but as I conducted further investigation,
>     I realized that this issue may only exist in specific
>     organizations or
>     regions..
>
>     We are now convinced that this issue is caused by a type of incorrect
>     syn-proxy implementation, who
>     acts as an intermediary to protect against SYN flood attacks by
>     completing TCP handshakes on behalf of clients,
>     preventing server overload.
>
>     The problem is that when the syn-proxy receives a syn from the
>     client,
>     in order to avoid memory allocation and copying,
>     some implementations reuse the SYN packets, exchange IP addresses and
>     ports, and send it out as SYN/ACK to client.
>     Unfortunately, it did not consider the impact of TCP options being
>     simply copied.
>
>     A example I found is:
>
>     https://github.com/iqiyi/dpvs/blob/master/src/ipvs/ip_vs_synproxy.c
>
>      From this perspective, it is worth considering that these issues may
>     only affect certain organizations and regions.
>     I agree with your point about buggy implementations, as these
>     types of
>     issues can be never-ending and are
>     beyond the protocol's control or responsibility to handle.
>
>
> Thanks for the info. But, does it copy options other than SYN or 
> SYN/ACK packets?

After the handshake, it will only adjust the seq and ack-seq.  it only 
acts as a proxy for syn.

Best wishes,
D. Wythe

> --
> Yoshi

v2.23.0 | Report a Bug | By Email