Re: [tcpm] Progressing draft-ietf-tcpm-converters

Olivier Bonaventure <> Tue, 21 May 2019 11:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E7BBF12015E for <>; Tue, 21 May 2019 04:52:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l1LRAgE7V2P0 for <>; Tue, 21 May 2019 04:52:23 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4D4BC12012D for <>; Tue, 21 May 2019 04:52:23 -0700 (PDT)
Received: by with SMTP id e15so18280089wrs.4 for <>; Tue, 21 May 2019 04:52:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to:content-transfer-encoding; bh=kwZi8LaOL0O1cRz2UJFTEqMenmJjh5+OJqvAaDJ+dRM=; b=j2xNu84uZz91d1RD8NIjsoNMRNJy6T/yyF+Bx+vDb6dSxob9trRvPbyFd9pMGxM41G sNBhZOR1j2+F2692ZAevz23TDXLMT0S4mVOCmiJanLJrl40ScdCHx7vkxSsQk9h+hPub 0floviFCZCD8+s65zCJwBfXSEDhfAE8P8iBHlnxPP37wBUCV/S4BTSM06uS/GyhXRYjv MTqNBB368ARRGAO2wdWK34hmv1xwapLJeaOfdu5Dm2j6g/rWFzb9NwxGhvGJXQhO8fcb +nbr8mDkDpwjr+6W308fP+XdPxuWuV2cCyGgnLqA9Rkylx/HcGBKTr1sx0eSA0G+Xq77 L9Kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:content-transfer-encoding; bh=kwZi8LaOL0O1cRz2UJFTEqMenmJjh5+OJqvAaDJ+dRM=; b=GMez7ZiHXLhprc5V078DgOptHlUC9cHLTN3UnkICgA04Rg61GUZxLJyQbua2HWcpln x0/Q707rGtlEF806Xm7XaDuBqUvfVNj2KVBkUDYgJ1lpzE/Zn8KrVx45UPGLfPN71Met L+W1/lTI14i6aaCBjqWIx68IMrUMc0MtRroJxDZAw+TfNHbeCfrDeaVp4rcdeUWkg62X ccW1i/OJOKvOZ/NPFqCfJuZs0fNaNKP2loWw8Xb92M5Lv+guweStxpzTTS2sEHPD3m/w 9oBa9Pp9MtwnAGsGPcmAo3CzJ+cCXu95qPj2dwjGwu2csIZOsbOIQJONCE9o/iy5x9jy nE/g==
X-Gm-Message-State: APjAAAUZz+eUKXCoZxSeoNWQ3KPbqODfOU4mQ92mQOsRMxykV3JC8bkE YvXIuJ5F+1NeJ6qEFhL8cpAuKPILaEs6vGAUV5S9DVNt1Xhy3Qj1/qrJVGUdoMCPE89cVO21
X-Google-Smtp-Source: APXvYqz7iWSPParkgprskvCpEEIxbXFcHCVStzKWgfZcqEjNZSwAA1u7bA/AI08qRUlReIYaCokFdg==
X-Received: by 2002:adf:ce90:: with SMTP id r16mr51548822wrn.156.1558439541754; Tue, 21 May 2019 04:52:21 -0700 (PDT)
Received: from ?IPv6:2001:6a8:308f:2:9cf9:5d5b:52e7:b807? ([2001:6a8:308f:2:9cf9:5d5b:52e7:b807]) by with ESMTPSA id a15sm5173210wrw.49.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 21 May 2019 04:52:21 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Olivier Bonaventure <>
In-Reply-To: <>
Date: Tue, 21 May 2019 13:52:18 +0200
Cc: " Extensions" <>
Message-Id: <>
References: <> <>
To: Yuchung Cheng <>
X-Mailer: Apple Mail (2.3445.104.8)
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [tcpm] Progressing draft-ietf-tcpm-converters
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 May 2019 11:52:26 -0000


>> We believe that a specialised TCP application should be allowed to use its own cookie inside the payload instead of relying on the TCP header to use fast open. The 0-RTT convert protocol is one example, but there could be others. Looking at other application layer protocols, I noticed that TLS1.3 (rfc8446) also includes a cookie which is mainly designed enable servers to get a confirmation of the reachability of the client IP addresses for DTLS, but the same approach could be used when TLS sends its initial data in the SYN as well.
>> Another point that should be clarified in RFC7413 are how middleboxes should handle SYN packets containing a non-zero payload. According to RFC793, such packets are valid TCP packets. The TFO option, defined in RFC7314 is not and should not be considered as an indication that is required to “authorise” the utilisation of payload inside a SYN packet. During the Prague meeting, Christoph Paasch mentioned at the mike that they have one application that uses data inside the SYN and their measurements indicate that sending this SYN without the TFO option enables it to pass through more middleboxes than when the same SYN contains the TFO option.
>> Another point is the socket API. Currently, Linux and MacOS decouple the transmission of data inside the SYN from the utilisation of the TFO option. This makes it possible for a client to send data inside the SYN without enabling TFO. On Windows, the API seems to force the utilisation of TFO when there is data in the SYN. As indicated earlier, RFC793 does not mandate the presence of the TFO to place data inside the SYN.
>> The approach we are proposing has the benefits of RFC7413 but without its drawbacks. Moreover, given that RFC7413 is Experimental, we don't think that there is a harm if we proceed with the approach 0-rtt convert protocol while the IETF can further tweak and adjust the applicability scope of RFC7413. For example, an update can be proposed to RFC7413 to clarify that specialized application-level protocols could place cookie information in their payload and thus not use the TFO option.
> Just to confirm: you mean an API that
> let application sets the TFO cookie (on either server and client)?

No, we suggest to let specific applications use data in the SYN without using the TFO cookie. Those applications can manage their cookie inside the SYN payload if needed. Instead of having TFO cookies that are managed by the TCP stack and have limited size, those specialised protocols would use application-level cookies which can be longer and are managed by these application protocols.

> otherwise obviously application can place any data in their TCP payload for its
> purposes.

This is what we proposed in Prague, i.e. using data in the TCP SYN without the TFO option.