Re: [tcpm] AD review of draft-ietf-tcpm-converters-14
Mirja Kuehlewind <ietf@kuehlewind.net> Fri, 24 January 2020 13:49 UTC
Return-Path: <ietf@kuehlewind.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60741200D7; Fri, 24 Jan 2020 05:49:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tDQJkE9YSFQx; Fri, 24 Jan 2020 05:49:38 -0800 (PST)
Received: from wp513.webpack.hosteurope.de (wp513.webpack.hosteurope.de [IPv6:2a01:488:42:1000:50ed:8223::]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3DA312006B; Fri, 24 Jan 2020 05:49:37 -0800 (PST)
Received: from 200116b824ebc200bd8262b58bd1130c.dip.versatel-1u1.de ([2001:16b8:24eb:c200:bd82:62b5:8bd1:130c]); authenticated by wp513.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) id 1iuzL3-00013X-NN; Fri, 24 Jan 2020 14:49:33 +0100
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mirja Kuehlewind <ietf@kuehlewind.net>
In-Reply-To: <787AE7BB302AE849A7480A190F8B933031410A7D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Date: Fri, 24 Jan 2020 14:49:33 +0100
Cc: "draft-ietf-tcpm-converters.all@ietf.org" <draft-ietf-tcpm-converters.all@ietf.org>, tcpm IETF list <tcpm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2A965C09-D40D-49CA-B5D6-F4E7063EF0C7@kuehlewind.net>
References: <4DF47B41-2A8F-4FC1-8734-4D133F3EBBE5@kuehlewind.net> <787AE7BB302AE849A7480A190F8B933031410A7D@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
To: mohamed.boucadair@orange.com
X-Mailer: Apple Mail (2.3445.104.11)
X-bounce-key: webpack.hosteurope.de;ietf@kuehlewind.net;1579873778;68a7e9ce;
X-HE-SMSGID: 1iuzL3-00013X-NN
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/6_Fai8uMiggQizzZRpefeMUL7DI>
Subject: Re: [tcpm] AD review of draft-ietf-tcpm-converters-14
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 13:49:42 -0000
Hi Med, Regarding the port, I think that#s a good approach. As the whole working group is cc’ing, let’s wait a week or so to see if there are only objection as you propose. Mirja > On 24. Jan 2020, at 13:42, <mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com> wrote: > > Hi Mirja, > > We are currently preparing changes to take into account your review. Our plan is to have a revised version by the next week but I would like to report on this comment: > >> 6) Can you maybe add some more text (in section 5 maybe) why a >> separate port number is used/needed? As the client has to be >> explicitly configured it could easily be configured with an address >> and port number. Is this to avoid collisions with other protocols? >> What would be the scenario here? > > After carefully re-reading https://tools.ietf.org/html/rfc7605#section-7.1 and taking into account the deployment models, an IP address will be needed to be supplied/discovered anyway... so the port number can be supplied/discovered as well. > > Unless there is an objection, we will update the draft to only register a service name without asking for any specific port. The name will be typically used to build service labels that can be then used to retrieve a service port number using, e.g., DNS SRV. > > Thank you. > > Cheers, > Olivier & Med > >> -----Message d'origine----- >> De : Mirja Kuehlewind [mailto:ietf@kuehlewind.net] >> Envoyé : jeudi 9 janvier 2020 22:28 >> À : draft-ietf-tcpm-converters.all@ietf.org >> Cc : tcpm IETF list >> Objet : AD review of draft-ietf-tcpm-converters-14 >> >> Hi authors, >> >> I finally did my AD review for draft-ietf-tcpm-converters-14 (actually >> I'm still not fully finished with the review of the appendix but would >> like to send out this first batch of questions now). >> >> As you can see below, I have a whole bunch of questions/comments. Some >> of these may only be editorial in the end but I would like to make >> sure that I understand all the technical parts correctly before we >> move on with the processing. >> >> I think there are basically two main technical points I would like to >> get some clarification on, both probably related to things that have >> been introduced later in the life time of the doc but maybe not >> consequently been changed throughout the whole doc. >> >> One is besiaclly point 8 below but there are some related other points >> below: It is not fully clear which packets can carry Convert messages. >> I think initially Convert messages were only supposed to be in the SYN >> and SYN/ACK. But then later you enabled it also for other packets, >> however, it seem the only real case that needs this is when an error >> message is send by the client. But sending Convert messages in other >> packet than the SYN and the SYN/ACK seems more complicated because all >> TCP payload data is transmitted reliable and must be ack'ed and evil. >> retransmitted. Maybe it’s okay if only an error message is send and a >> reset right after (so no retransmission), however, this is not >> specified, and I wonder if the complexity is really needed worth the >> benefit of being able to log more concrete errors in the converter. >> >> The other point is basically point 12 below about the TCP option field >> in the Connect TLV (also related to point 17 below). This is not well >> enough specified and seem also quite complex as a generic mechanism. I >> would think the converter should usually try to use the same option as >> the client did send in his SYN to the converter, if supported by the >> converter TCP implementation. The TFO cookie might be a special case. >> I’m not sure if that needs to be generalised or if having a separate >> TLV for that one case might be simpler. Please also reconsider this >> but in any case it needs more explanation in the spec. >> >> Please see all my questions/comments below. I may send another >> message, when I have reviewed the appendix tomorrow (hopefully with >> none or only few additional comments). >> >> Thanks! >> Mirja >> >> ---------------------- >> >> 1) I was initially a bit confused about the setup in Figure 6 and >> respectively the paragraph just before that figure in sec 3.2: It >> wasn't clear to me how the server might know the converter address (or >> if the proxy maybe has to be on path). I assume the “use case” is that >> there was a previous connection using the converter and now the server >> tries to reconnect but of course only knows the converter address, or >> something? Maybe you could add slightly more text here. I also I would >> recommend to explicitly mention that this setup still has to be >> explicitly configured by the client but using an out of band protocol >> (which is out or scope for this spec). Further I think it would be >> good to mention here already that the converter also inserts the >> respective TCP option in the SYN to the client (if possible due to >> space limits) and refer to section 4.2 for a concrete example. >> >> Btw. shouldn't there be some discussion about MTU issue if options are >> added by the converter? >> >> 2) The following paragraph in section 3.2. seems to specify protocol >> requirements but don’t use normative language: >> >> "If the downstream (or upstream) connection fails for some reason >> (excessive retransmissions, reception of an RST segment, etc.), >> then >> the Converter should force the tear-down of the upstream (or >> downstream) connection. >> >> The same reasoning applies when the upstream connection ends. In >> this case, the Converter should also terminate the downstream >> connection by using FIN segments. If the downstream connection >> terminates with the exchange of FIN segments, the Converter should >> initiate a graceful termination of the upstream connection.” >> >> I recommend to use normativen language here (SHOULD instead of should; >> or maybe even MUST?). However, as this text is part of a kind of >> overview section, it doesn’t seem to be a really good fit to use >> normative language in that section. So maybe the whole discussion >> about use of TFO (or not) should be moved to an own section? >> >> >> 3) Just to double-check, I'm wondering a bit about this phrasing in >> sec 3.3.1: >> "If no entry is found, the Transport Converter MUST silently >> ignore the packet.” >> That means the converter will drop the packet (with no other action), >> right? Why do you use term ignore here (instead of drop or discard)? >> Or does this have any other implication? >> Note that this term is used several times in the doc. >> >> 4) Also a quick question about this in sec 3.3.1: >> "A Transport Converter may operate in address preservation mode (that >> is, the Converter does not rewrite the source IP address (i.e., >> C==T)) or address sharing mode (that is, an address pool is shared >> among all Clients serviced by the Converter (i.e., C!=T)); refer to >> Appendix D for more details. Which behavior to use by a Transport >> Converter is deployment-specific.” >> I guess preservation mode can only be used if the converter is on >> path. I think that should be explicitly noted here. >> >> 5) Sec 3.3.2: To be honest I’m not sure I fully understand this >> section, especially this sentence: >> "Upon receipt of a secondary subflow by the Transport Converter from a >> Client, the Converter follows the same behavior specified in >> Section 3.3.1 for processing Non-SYNs.” >> Do you mean by "receipt of a secondary subflow” the SYN on that >> subflow or other data? For the SYN I would expect that there is no >> payload data and therefore nothing to proxy. For other subflow >> packets, I guess you need to reorder first, so probably it would be >> good to mention that…? Maybe it’s just me misunderstanding something >> but I believe more explanation is needed here. >> >> 6) Can you maybe add some more text (in section 5 maybe) why a >> separate port number is used/needed? As the client has to be >> explicitly configured it could easily be configured with an address >> and port number. Is this to avoid collisions with other protocols? >> What would be the scenario here? >> >> 7) Sec 5.1: >> "The Unassigned field MUST be set to zero in this version of the >> protocol. These bits are available for future use [RFC8126].” >> Why is there a reference to RFC8126 here? >> >> 8) Also sec 5.1 but probably editorial: >> "Data added by the Convert Protocol to the TCP bytestream is >> unambiguously distinguished from payload data by the Total Length >> field in the Convert messages.” >> I believe what you want to say here is that the total length is used >> to figure out where potential other payload data might start. However, >> what I would understand from this sentence is that the total length >> field can be used to distinguish SYNs that carry the Convert protocol >> from SYNs that may carry other payload only, which I don’t think is >> the case. >> >> 8) I first have a more general question about the function of the >> protocol. Sec 5 says: >> "Convert messages may appear only in a SYN, SYN+ACK, or ACK.” >> I’m not sure I understand the ACK case here because if you add a >> CONVERT message to a TCP packet that means you add payload data. I was >> reading this as pure ACK but that can't be the case. So do you mean by >> this you can only send new data if your previous data was ACK or >> something else…? >> However, I believe there is usually just one message from the client >> in the SYN and the one message from the converter in the SYN/ACK, and >> then the connection is either closed or switched to the actual payload >> transmission. So I was assuming that's the only communication pattern >> you can have. Or is the idea that multiple client-converter exchanges >> can be done on the same TCP connection also after the TCP handshake >> and then any time in the connection you would be able to switch over >> to sending other payload data? I think this need further clarification >> in the draft. >> >> Note that section 7 also say: >> "In this section, we only discuss >> the middleboxes that modify SYN and SYN+ACK packets since the >> Convert >> Protocol places its messages in such packets.” >> >> 9) This point is probably related to the previous point. In section >> 5.1 you say that the connection MUST be reset (if length is zero) but >> in all other sections you say the connection must be closed if there >> is a problem. Assuming the Convert protocol will only be used in SYN >> and SYN/ACK, reset is probably more appropriate. If it can be used >> also in later packets you probably have to say something like “close >> or reset if the handshake is not completed”…? >> >> E.g. see sec 5.2.1: >> "If two or more >> instances of the same TLV are exchanged over a Convert connection, >> the associated TCP connections MUST be closed.” >> Is that close or reset? >> >> Also related: >> The next section (5.2.2) says: >> "Type 0x0 is a reserved valued. Implementations MUST discard messages >> with such TLV.” >> (Nit s/valued/value/) >> And in sec 5.2.5: >> "Connect TLVs witch such messages MUST be discarded by the Transport >> Converter." >> I guess every time you say in the document that a message is discarded >> that would also lead somehow to closing the connection most likely by >> to sending a reset, no? Or should the SYN just be drop and no reply >> send for any reason? Please clarify. >> >> 10) Probably editorial in sec 5.2.4: >> "A Transport Converter SHOULD include in this >> list the TCP options that it accepts from Clients; these options >> are >> included by the Transport Converter in the SYN packets that it >> sends >> to initiate connections.” >> I had to read the second half twice because it suddenly talks about a >> completely different “scenario” than replying to an Info TLV. Maybe >> some rewording could help a bit like >> "A Transport Converter SHOULD include in this >> list the TCP options that it accepts from Clients; these options >> are >> also included by the Transport Converter in the SYN packets if it >> initiates connections to the client.” >> Or maybe even use normative language here: >> “the Transport Convert SHOULD also include the same option in the SYN >> if >> it initiates a connection to the client.” >> >> 11) sec 5.2.5: Maybe also be slightly more clear here: >> "For incoming connections destined to a Client >> serviced via a Transport Converter, these fields convey the source >> port number and IP address.” >> Proposed >> "For incoming connections destined to a Client >> serviced via a Transport Converter, these fields convey the source >> port number and IP address of the SYN packet received by the >> Transport Converter from the server.” >> >> 12) I have a couple of question about the TCP options field in the >> Connect TLV, basically this text in section 5.2.5: >> " Upon reception of a Connect TLV, and absent any policy (e.g., >> rate- >> limit) or resource exhaustion conditions, a Transport Converter >> attempts to establish a connection to the address and port that it >> contains. The Transport Converter MUST use by default the TCP >> options that correspond to its local policy to establish this >> connection. These are the options that it advertises in the >> Supported TCP Extensions TLV. >> >> >> Bonaventure, et al. Expires May 7, 2020 [Page >> 22] >> Internet-Draft Convert Protocol November >> 2019 >> >> >> Upon reception of an extended Connect TLV, and absent any rate >> limit >> policy or resource exhaustion conditions, a Transport Converter >> MUST >> attempt to establish a connection to the address and port that it >> contains. It MUST include the options of the 'TCP Options' sub- >> field >> in the SYN sent to the Server in addition to the TCP options that >> it >> would have used according to its local policies. For the TCP >> options >> that are listed without an optional value, the Transport Converter >> MUST generate its own value. For the TCP options that are included >> in the 'TCP Options' field with an optional value, it MUST copy the >> entire option for use in the connection with the destination peer. >> This feature is required to support TCP Fast Open.” >> >> First of all the upper paragraph is probably old and should have been >> removed, right? >> >> Then I’m not certain about the new approach with the TCP option field. >> If the converter actually ends up in a split connection (with e.g. >> MPTCP on client side but without it on server side), I thought it can >> only announce those options in the SYN to the server that are actually >> implemented in the converter and it will be able to support later in >> the connection. So blindly copying the options provided by the client >> doesn’t seem right. Or what do I miss? >> >> I understand the case where you want to use TFO between the client and >> the convert but can’t use it anymore between the the client and the >> server then. However you can only use TFO with the second connection >> you make to a server. So in the first connection either TFO was used >> between the convert and the server and the convert could now use it >> again with the cookie it received or TFO was used end-to-end in the >> first connection and it now clear to me why the converter is used now. >> Maybe I’m missing something but I think the drafts would at least need >> more explanation about the motivation to have this. >> >> If it’s really only about TFO cookies and we are sure we want to have >> that feature, maybe an own TLV would be simpler? >> >> 13) In sec 5.2.6 do you mean by "extended TCP header” the TCP option >> space? I’m not sure that "extended TCP header” is a clearly defined >> term; as least I’m not 100% sure what you mean… >> >> 14) nit in sec 5.2.7: >> s/The Cookie TLV (Figure 20 is an optional/The Cookie TLV (Figure 20) >> is an optional/ -> missing closing bracket >> >> 15) Sec 5.2.7: >> Question about normative language: >> "If the received SYN did not contain a Cookie TLV, and cookie >> validation is required, the Transport Converter should compute a >> Cookie bound to this Client address and return a Convert message >> containing the fixed header, an Error TLV set to "Missing Cookie" >> and >> the computed Cookie and close the connection.” >> Is this maybe a MAY condition? All of it? Or something like this >> "If the received SYN did not contain a Cookie TLV, and cookie >> validation is required, the Transport Converter MAY compute a >> Cookie bound to this Client address. It MUST return a Convert >> message >> containing the fixed header and Error TLV set to "Missing Cookie” >> and MAY add >> the computed Cookie. After sending the Error TLV is MUST/SHOULD >> close/reset >> the connection.” >> Not fully sure what is the intention here… >> >> 15) sec 5.2.8: >> What's the purpose of the client sending an Unsupported Version error? >> If the converter replies with a different version than requested used >> by the client, that's simply a fatal error/implementation error and >> the client can only reset the connection I think. >> >> More generally if I read this correctly there are only 3 errors that >> could be sent by the client. I guess those errors would be send in the >> first packet after the SYN/ACK is received…? Related to my question >> above, I think it would be much easier to only have Convert message in >> the SYN and SYN/ACK and no explicit error message from the client. >> Otherwise more explanation in the draft would be need how this >> actually is supposed to work. >> >> 16) sec 5.2.8: >> "A Client which receives this error code MUST cache the received >> Cookie and include it in subsequent Convert messages sent to >> that >> Transport Converter.” >> This seems to be a slightly weird normative MUST. Sure you have to >> cache the cookie in oder to be able to use the converter, however, >> there may be cases where you loose the cache and then sending a >> Connect without the cookie to get a new Cookie is a valid option. So >> you may use SHOULD here or even better reword it completely... >> >> 17) There is an Unsupported TCP Option in section 5.2.8. However, this >> error is not mentioned in 5.2.5. In contrast sec 5.2.5 says that the >> converter MUST open a connection and MUST use these options. This is >> related to my point 12 above but it was not clear to me that options >> can be rejected, however, this whole part seems to make the protocol >> really complicated and as I said if the only use case is TFO I would >> prefer to rather have a separate specific TLV for that case only. >> >> 18) I think section 6.7 should still say something about if this >> option is supported or not… >> >> 19) section 7: >> "Consider a middlebox that removes the SYN payload. The Client can >> detect this problem by looking at the acknowledgment number field >> of >> the SYN+ACK returned by the Transport Converter. The Client MUST >> stop to use this Transport Converter given the middlebox >> interference.” >> If the converter received a SYN without a Convert message in the >> payload on the respective port, it is supposed to anyway send a >> SYN/ACK? I would assume it would rather send a RESET, no? I think that >> needs to be further specified. >> >> 20) Sec 7 also says: >> “If an Error was returned by the Transport Converter, a message to >> close >> the connection would normally follow from the Converter.” >> However sec 5.2.8 says: >> "Upon reception of an Error TLV, a >> Client MUST close the associated connection.” >> I assume one of these is not correct… please clarify which end is >> suppose to do what in case of an error. >> >> 21) The text in sec 7 then further says: >> "If no such >> message is received, the Client may continue to use this >> Converter.” >> Isn’t that a bit dangerous? >> >> 22) section 8.5: Why are the authentication mechanism discussed in >> this section MPTCP specific? I think the same mechanisms could also be >> applied to Converters supporting other options, no? >> >> 23) sec 8.3: >> "Means to protect against SYN flooding attacks MUST also be enabled >> [RFC4987].” >> Not sure if the use of MUST is clear here. Which part of RFC4987 does >> this MUST relate to? All of it? Maybe a SHOULD or no normative >> language is more appropriate? >> >> 24) sec 9.2: Maybe call the new registry the "The TCP Convert Protocol >> (Convert) >> Parameters” (TCP added)…? >> >> 25) sec 9.2.2: >> "The values in the range 192-255 can be assigned for Private Use.” >> IANA does not assigned any value for Private use, they can just be >> used, so this should be >> "The values in the range 192-255 are reserved for Private Use.” >> if that is what you want? >> >> 26) also on section 9.2.X: "Specification Required" includes having an >> expert review and RFC8126 says: >> "As with Expert Review (Section 4.5), clear guidance to the designated >> expert should be provided when defining the registry, and thorough >> understanding of Section 5 is important.” >> So please provide further guidance about what the expert is supported >> to evaluate. >> >> 27) Not sure if the following references need to be normative as there >> no normative requirement connect to them but only an optional case is >> discussed: RFC4279, RFC7250 …? >> >> However, RFC7323, RFC2018, RFC6978, RFC6978, RFC2827, RFC6181 should >> probably be normative references…? >> >> 28) The term “experimental option” is used with two different meaning >> in the intro of section 6 (options that are defined in an exp RFC) and >> in section 6.9 (options with kind 254 and 255). Please clarify this at >> both places. >> >> >> >> >> >> >> >> >> >
- [tcpm] AD review of draft-ietf-tcpm-converters-14 Mirja Kuehlewind
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… Mirja Kuehlewind
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… mohamed.boucadair
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… mohamed.boucadair
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… Mirja Kuehlewind
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… Olivier Bonaventure
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… Mirja Kühlewind (IETF)
- Re: [tcpm] AD review of draft-ietf-tcpm-converter… Scharf, Michael