IETF Logo Mail Archive

Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05

"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Mon, 04 March 2019 11:37 UTC

Return-Path: <Michael.Scharf@hs-esslingen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1484B131167 for <tcpm@ietfa.amsl.com>; Mon, 4 Mar 2019 03:37:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hs-esslingen.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D7JNUnYUYFGL for <tcpm@ietfa.amsl.com>; Mon, 4 Mar 2019 03:36:56 -0800 (PST)
Received: from mail.hs-esslingen.de (mail.hs-esslingen.de [134.108.32.78]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2514A131116 for <tcpm@ietf.org>; Mon, 4 Mar 2019 03:36:52 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.hs-esslingen.de (Postfix) with ESMTP id 1CE5425A17; Mon, 4 Mar 2019 12:36:51 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hs-esslingen.de; s=mail; t=1551699411; bh=SvMmTbLVJI00lCq9WxfEd6NIEIUtFrKd7dNRMrIUrOQ=; h=From:To:Subject:Date:References:In-Reply-To:From; b=SKq9ThH/kQdvyq4RL7FxZ4fJBRXq004mCQYMiyCo3IT5M+5g82Q4ddIdV3jGKAdAe OBLhi1RVABMM4WpPGLnfa35vdT/9pzuPWXAT8XQ5UsyLE11zg71tRipmzMYeeEYuRW JLWOv+WkqohFXAmKco+AgzRIn/HT2bZZpcO2pzKc=
X-Virus-Scanned: by amavisd-new-2.7.1 (20120429) (Debian) at hs-esslingen.de
Received: from mail.hs-esslingen.de ([127.0.0.1]) by localhost (hs-esslingen.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HJ6WIKPupDWc; Mon, 4 Mar 2019 12:36:49 +0100 (CET)
Received: from rznt8101.rznt.rzdir.fht-esslingen.de (rznt8101.rznt.rzdir.fht-esslingen.de [134.108.29.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.hs-esslingen.de (Postfix) with ESMTPS; Mon, 4 Mar 2019 12:36:49 +0100 (CET)
Received: from RZNT8114.rznt.rzdir.fht-esslingen.de ([169.254.3.183]) by rznt8101.rznt.rzdir.fht-esslingen.de ([fe80::bd73:d6a9:24d7:95f1%10]) with mapi id 14.03.0415.000; Mon, 4 Mar 2019 12:36:49 +0100
From: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Olivier Bonaventure <olivier.bonaventure@tessares.net>, "tcpm@ietf.org" <tcpm@ietf.org>
Thread-Topic: [tcpm] Updated version of draft-ietf-tcpm-converters-05
Thread-Index: AQHUv86JmdngfITgq0CMtVlOHS+P7aX6oiiggACAVxCAAErBwA==
Date: Mon, 04 Mar 2019 11:36:48 +0000
Message-ID: <6EC6417807D9754DA64F3087E2E2E03E2D24A4B4@rznt8114.rznt.rzdir.fht-esslingen.de>
References: <9DD59801-36CE-407E-98F0-0BB1AAD514A7@tessares.net> <6EC6417807D9754DA64F3087E2E2E03E2D248C3C@rznt8114.rznt.rzdir.fht-esslingen.de> <787AE7BB302AE849A7480A190F8B93302EA27A85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA27A85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [134.108.2.171]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/B2VEDJBCHXd_IhtUMqQ5tBUNoPM>
Subject: Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 11:37:05 -0000

Hi Med,

Please also see inline [ms]. I removed the parts that seem to be sorted out.

Michael

-----Original Message-----
From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com] 
Sent: Monday, March 04, 2019 7:50 AM
To: Scharf, Michael; Olivier Bonaventure; tcpm@ietf.org
Subject: RE: [tcpm] Updated version of draft-ietf-tcpm-converters-05

Hi Michael,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : tcpm [mailto:tcpm-bounces@ietf.org] De la part de Scharf, Michael
> Envoyé : lundi 4 mars 2019 00:48
> À : Olivier Bonaventure; tcpm@ietf.org
> Objet : Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
> 
> Hi Olivier,
> 
> I have read -05. Please find below some comments/questions (with chair hat
> off):
> 
> - Page 8: Sorry if I missed this... Can a client ask the converter to send
> application data in the SYN payload data to the server (possibly even without
> TFO option)? Is it correct that the Convert protocol does not allow such use
> of SYN payload data towards the remote host?
> 

[Med] The Converter does not track whether a client has negotiated TFO, as such any data supplied in the initial SYN is related to the server by the converter. The following rule applies: 

   Any user data received by the Transport Converter over the upstream
   (resp., downstream) connection is relayed over the downstream (resp.,
   upstream) connection.
 
[ms] That is pretty clear for all data in non-SYN segments. But IMHO it opens room for interpretation _when_ to relay data included in any of the SYNs and SYN,ACK, i.e., whether it would be relayed in SYN segments as well, or whether it would be relayed after the three-way handshake. If the handling of SYN data is an internal decision of the converter implementation, IMHO the draft could call that out explicitly. (I note that w/o TFO the use of payload in SYNs should be a corner case, albeit allowed by TCP.)

> - Page 8: What happens if the SYN,ACK from the server to the converter
> contains payload data (possibly even without TFO option)?

[Med] Idem as above. 

[ms] My question is whether the converter would relay the payload data from the server's SYN, ACK to the client in
(a) the SYN,ACK after the Convert TLV
(b) separately
(c) both is possible
(d) ... or whether this does not require any text in the specification

I think I can reverse engineer from other text in the I-D that probably (a) and (b) is allowed, i.e., the answer is (c), but can't this be made more explicit?

> - Page 13: If the remote host used payload data in the SYN towards the
> converter (possibly even without TFO option), would this require any special
> handling in the converter?

[Med] Data supplied to the converter is unambiguously distinguished from the data destined to the server. This is covered by this field: 

   The Total Length is the number of 32 bits word, including the header,
   of the bytestream that are consumed by the Convert messages.

[ms] IMHO it would help to make the two different usage patterns of the bytestream more explicit along the lines of your explanation, e.g., "Data added by the Convert protocol to the TCP bytestream in the upstream connection is unambiguously distinguished from payload data in the downstream connection by the total length field in the Convert messages". Also, note that in the specific context of page 13 I wonder about payload data sent in the SYN sent from the remote host to the converter, i.e., that data is destined _to the client_.
 
> - Page 18: Is my understanding correct that when a client sends a Connect TLV
> with one of its own addresses as "remote peer IP Address", then the transport
> converter MUST attempt to establish this connection?

[Med] This is policy-based. The converter may restrict relying MPTCP connections on its customer-facing interfaces or may relax it.  
The draft can set a default behavior, though. 

>From where I sit, I'd like to allow for a possible future extension similar to what is defined for SBCs in https://tools.ietf.org/html/rfc6849 for troubleshooting purposes.  

What is your take on this? 

[ms] The exact wording in -05 is: "Upon reception of a Connect TLV, and absent any rate limit policy or resource exhaustion conditions, a Transport Converter MUST attempt to establish a connection to the address and port that it contains." A later statement somehow contradicts this MUST requirement: "The Transport Converter may discard a Connect TLV request for various reasons (e.g., authorization failed, out of resources, invalid address type).". So probably the key question is why to have a capital letter MUST in the first place? Of course, this question may matter for troubleshooting. 

 In other words, a
> converter that would _not_ set up this connection back to the client would
> violate the protocol specification?

[Med] No.

[ms] Well, in my reading such a converter policy would violates the MUST cited above, albeit that may not be the intended meaning of the MUST. Actually, I believe that the security considerations in Section 7 lack a discussion of (firewall) policies on the client-facing interfaces/network of the converter. For instance, let's assume that in the client-facing network there would be firewall policies that prevent direct TCP connections between different clients, e.g., within the same Wifi network. Depending how the converter deals with connect requests to IP addresses in the client-facing network, clients could possibly use the converter to bypass firewall policies and setup "direct" communication via the converter? Isn't bypassing firewall rules something that could be relevant for Section 7?

> - Page 25/26: Related to the first two comments: In this discussion on TFO
> handling, I wonder what would happen to actual payload data in the SYN or
> SYN,ACK of the connection between the converter and the remote peer.

[Med] This is covered by this rule:

   Any user data received by the Transport Converter over the upstream
   (resp., downstream) connection is relayed over the downstream (resp.,
   upstream) connection.

[ms] See above. I really wonder about the timing of relaying data. SYN payload data would probably be used by application protocols for some specific reason (e.g., low latency delivery). The question is therefore whether the converter would care about low latency delivery, or not. Of course, SYN payload data in TCP may be a corner case, but as the Convert protocol is all about SYNs, it seems somewhat obvious to ask how exactly "normal" SYN payload data would be handled.

Michael

v2.23.0 | Report a Bug | By Email