Re: [tcpm] SYN/ACK Payloads, draft 01

Joe Touch <touch@ISI.EDU> Fri, 22 August 2008 17:06 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D3933A68E6; Fri, 22 Aug 2008 10:06:50 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 99C123A6965 for <tcpm@core3.amsl.com>; Fri, 22 Aug 2008 10:06:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yv4+AEH006CZ for <tcpm@core3.amsl.com>; Fri, 22 Aug 2008 10:06:47 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id ACB733A68E6 for <tcpm@ietf.org>; Fri, 22 Aug 2008 10:06:47 -0700 (PDT)
Received: from [75.217.250.128] (128.sub-75-217-250.myvzw.com [75.217.250.128]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m7MH5T2b026281 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 22 Aug 2008 10:05:32 -0700 (PDT)
Message-ID: <48AEF1A0.5040609@isi.edu>
Date: Fri, 22 Aug 2008 10:04:32 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: "Anantha Ramaiah (ananth)" <ananth@cisco.com>
References: <396556a20808111035s2b974233o1e9d3671e82e3350@mail.gmail.com> <20080813172752.AA7A650846@romeo.rtfm.com> <396556a20808131047q781675a3if23d727ef5ae918f@mail.gmail.com> <20080813181630.A1E6750848@romeo.rtfm.com> <396556a20808131145y1be0fb4saeb7bbf74d078268@mail.gmail.com> <20080813195027.C4C5B50848@romeo.rtfm.com> <396556a20808131307r65a9f6a0oe4365be029620b2c@mail.gmail.com> <48A35CFA.4060709@isi.edu> <396556a20808131525i20dabf06w7a7a11e3468e541a@mail.gmail.com> <48A36104.6000000@isi.edu><396556a20808131605w2ccac3ceo21160401e4545c15@mail.gmail.com> <48A383F0.9030601@isi.edu> <0C53DCFB700D144284A584F54711EC5805AA26E1@xmb-sjc-21c.amer.cisco.com> <48AE01DB.1020303@isi.edu> <0C53DCFB700D144284A584F54711EC5805AF79AC@xmb-sjc-21c.amer.cisco.com>
In-Reply-To: <0C53DCFB700D144284A584F54711EC5805AF79AC@xmb-sjc-21c.amer.cisco.com>
X-Enigmail-Version: 0.95.7
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: Adam Langley <agl@imperialviolet.org>, tcpm@ietf.org
Subject: Re: [tcpm] SYN/ACK Payloads, draft 01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Ananth,

Anantha Ramaiah (ananth) wrote:
>  
> <snip>
> 
>>>> I'm wondering why an implementation in user space would expect to 
>>>> find out anything about a TCP connection that hadn't finished 
>>>> handshaking, i.e., the accept call above
>>> This has been done in some stacks today (like ours). The 
>> incoming SYN 
>>> is reported to the application and the application can 
>> suggest whether 
>>> or not to accept the connection. If the application gives a nod, 
>>> proceed with the 3 way handshake else send an RST.
>> Does the app have access to the SYN options? If so, that 
>> seems outside the scope of what TCP should be exposing to the app.
> 
> Ok, currently we don't pass TCP options upwards, we just pass the 4
> tuple (may be 5 tuple if you include VRF's) to the application. The
> application can decide whether to move forward with this connection or
> not. This is simply the access control at the application level for the
> incoming SYN.

That's roughly equivalent to having better resolution of listen() calls,
which seems OK.

(what's a VRF?)

>>> This is different from a 3
>>> way handshake happening (which involves the TCB and the associated 
>>> baggage creation) and then informing the application and 
>> applications 
>>> can reject this connection during accept(). Applications wishing to 
>>> use this special property would set a socket option indicating the 
>>> notification of SYN when the listener is created.
>>>
>>> The advantage is that you don't allocate the memory ahead 
>> of time if 
>>> the application isn't interested in accepting this connection.
>> It seems to me the app already sufficiently controls this in 
>> how/when it issues a accept(). On what basis is it making the 
>> rejection at the time of a SYN? (if by IP address, it could 
>> have done this via a different
>> listen() call).
> 
> 4 or (5 tuple) mainly IP adresses and VRF since dest port and src port
> aren't of much help.. you could push the access control below, but if
> you want to factor in other application factors which could vary from
> application to application (like say # of connections etc.,) then it
> seems expedient to do the check at the application level. Consider the
> case where TCP is library linked to the application and it could
> register a callback to be invoked with the 5 tuple and accept/reject the
> connection synchronously which is efficient in terms of resource
> utilization, i.e, you drop the SYN once it is determined that it is
> "useless" rather than waiting the 3 way handshake to complete. At the
> least, it comes across as an optmization, but YMMV.

These sound like more sophisticated interfaces to the OS, in terms of
how deep to listen for calls, what patterns of ports/addrs to listen
for, etc. Although they're not implemented in the OS, they could be. The
fact that you're implementing them at the app layer isn't a big issue,
and can certainly be easier or a performance win, depending on the system.

This doesn't sound like the issue I'm concerned about - i.e., using
information that circumvents the TWHS.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkiu8aAACgkQE5f5cImnZrvBnQCeLXfhXFIEorj3q4an2jNwDt4E
b2gAoNfIwAOSFxc8uS0AC5EI7R5FTAaK
=+u5G
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm