IETF Logo Mail Archive

Re: [tcpm] Exceeding value in MSS option?

Joe Touch <touch@strayalpha.com> Tue, 27 October 2020 22:28 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 402753A15A6 for <tcpm@ietfa.amsl.com>; Tue, 27 Oct 2020 15:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.317
X-Spam-Level:
X-Spam-Status: No, score=-1.317 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Am7v0IWFBW2g for <tcpm@ietfa.amsl.com>; Tue, 27 Oct 2020 15:28:20 -0700 (PDT)
Received: from server217-4.web-hosting.com (server217-4.web-hosting.com [198.54.116.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D99C3A15C4 for <tcpm@ietf.org>; Tue, 27 Oct 2020 15:28:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Transfer-Encoding:Content-Type:Sender: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=uEqIxL0kOTiTJ0s4Hb4RWU+4fdJk3vgHE8s9rS2G534=; b=M0af0rDBOktlkhECdAHF7gA0xs 2RR6CRav5ps4lY2J37Lw+BZ9u1qzz+wEfl1tOEq2cw6KNeVjqCncOyxAM5zLqgfTEyEr9V5VY6Ekx gc3A4VGzm5fnWoEXiWvsfHtC7ekaW5x2/YZQiJfJ/moNDw9Vb9zi8cjvn59sL2Utu33wWzF51IAHj W2QZ+M+JxMxIZjuyoTZXb+gQn43/Dg0W1er/vEgTCEoTGK0vkhxcMXF8dX+3Gis3/EfB9lDtQPsgU yXO9n5xXuxXTBaPMYWjPVy+Et9cJxa2Y+uvFtZbDmHhDpC9D7pPyFA4N6yrLpc/oP7L8favbr9Dyg Gx08poHA==;
Received: from cpe-172-250-225-198.socal.res.rr.com ([172.250.225.198]:62233 helo=[192.168.1.16]) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <touch@strayalpha.com>) id 1kXXRs-002nny-21; Tue, 27 Oct 2020 18:28:17 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail-0F796794-1CFD-4135-A968-B9F3ABBE5587"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <CAD4huA4ck0TGD6SHa3zw-JnTLnkvM5rHq1EWNNSDaRHsmRpm8A@mail.gmail.com>
Date: Tue, 27 Oct 2020 15:28:11 -0700
Cc: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>, "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Message-Id: <1CDD590A-83D0-4F96-9354-F66653D3CA12@strayalpha.com>
References: <CAD4huA4ck0TGD6SHa3zw-JnTLnkvM5rHq1EWNNSDaRHsmRpm8A@mail.gmail.com>
To: Steven Sommars <stevesommarsntp@gmail.com>
X-Mailer: iPhone Mail (18A8395)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/ITLSjtPydcXcENVbjMUnDqdIffE>
Subject: Re: [tcpm] Exceeding value in MSS option?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 22:28:22 -0000

These issues have been addressed at length in intarea and tsvwg. It wouldn’t hurt if the end systems used PLPMTUD, but fragmentation support in GRE and other tunnels is also supported. 

Ultimately, if you tunnel and cannot guarantee end system cooperation, frag/reassembly is on you. 

Joe

> On Oct 27, 2020, at 2:52 PM, Steven Sommars <stevesommarsntp@gmail.com> wrote:
> 
> 
> Much of today's mobile traffic IP traffic is GTP (GPRS Tunneling protocol) tunneled within the core network (per the 3GPP specifications).   There can be one or two back-to-back  bidirectional  tunnels between the base station and the PGW/GGSN (gateways to the Internet).   The 3GIP IP MTU requirements weren't very clear at the time, but we interpreted the requirement to be a 1500-byte subscriber IP MTU.     For those portions of the core network that used IP/ATM (AAL5), transport of a ~1540 byte tunneled packet (IP MTU + about 40 bytes for GTP/IPv4 header) was  usually provided.   [I'm using 40 bytes for simplicity, could be smaller or larger.]  Ethernet was cheaper and more readily available, so transport of 1540 byte packets was needed.  [I'll skip other headers that are often used: VLAN, MPLS, etc.]       The cellular carriers often leased IP/Ethernet transport and at times only ~1500 byte MTUs were available.  
> 
> If the IP/Ethernet transport network supports sufficiently large IP MTUs, life is simpler.   If not, how does one stuff 1540 bytes into a 1500 byte packet?   
> - Avoid core network IP fragmentation.    I'll list some of the options & their drawbacks.
>         -   Resegment TCP (e.g., proxy).    ===  many drawbacks
>         -   Fragment subscriber packet  (ignore DF bit)    ===   many drawbacks
>         -   Drop packets that would require fragmentation (PMTUD).  ===  PMTU black hole was an issue
>         -   Signal to the subscriber device that the IP MTU should be reduced.   ===   This was proposed in 3GPP starting in the late 1990's, but I don't know what happened.
>         -   Insert/Alter TCP MSS option during SYN/ACK.   ===   Not strictly legal, but it typically worked well.
> - Implement core network IP fragmentation/reassembly.   Done correctly this is undetectable by the subscriber- or server-side.   However,
>         -   Transport network bandwidth requirements increased slightly.
>         -    IP reassembly can be resource intensive.    [I've seen performance drop by over 100x when IP reassembly was needed on some older hardware.]
>         -    IP reassembly may fail.
>         -    Fragmentation and reassembly may trigger missequencing.
>  
> Is TCPM the right forum for discussing these end-to-end principle related items?   RFC3234 has a somewhat dated (2002) middlebox taxonomy.
> 
> 
> 
> 
> 
>> On Tue, Oct 27, 2020 at 10:25 AM Joseph Touch <touch@strayalpha.com> wrote:
>> So the real question is why tunneled packets didn’t trigger the same issue - isn’t it?
>> 
>> Or are you implying that tunneled traffic shouldn’t be supported?
>> 
>> There are deeper issues going on here. We should avoid being glib about how “best” to do things that shouldn’t be done in the first place.
>> 
>> Joe
>> 
>> > On Oct 26, 2020, at 11:35 PM, Frode Kileng <frodek@tele.no> wrote:
>> > 
>> > I do not defending this practice, just trying to communicate their rationale and that there may be other more important fights out there. But I do understand that operators are cautious as I've seen an example of how fragmentation triggered an anti-DDoS feature in a firewall causing traffic from a large number of mobiles to halt.
>> > 
>> > Frode
>> > 
>> > On 26/10/2020 17:55, Joe Touch wrote:
>> >> Given how many of us are using VPNs, it’s a shame they don’t work without this.  I guess users of those nets have to shut down their Skypes and other services over VPNs, because, according to you, it doesn’t work.
>> >> 
>> >> Joe
>> >> 
>> >>> On Oct 26, 2020, at 8:46 AM, Frode Kileng <frodek@tele.no> wrote:
>> >>> 
>> >>> On 26/10/2020 15:24, Joe Touch wrote:
>> >>>>>> On Oct 26, 2020, at 2:35 AM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>> >>>>>> On 26. Oct 2020, at 08:52, Frode Kileng <frodek@tele.no> wrote:
>> >>>>>> 
>> >>>>>> 
>> >>>>>> On 23/10/2020 17:11, Joseph Touch wrote:
>> >>>>>>>>> On Oct 23, 2020, at 1:37 AM, Frode Kileng <frodek@tele.no <mailto:frodek@tele.no>> wrote:
>> >>>>>>>>> 
>> >>>>>>>>> Although maybe not  a "general problem",  a study of MSS middlebox manipluation in  23 European and Asian mobile networks did reveal some issues:
>> >>>>>>>>> 
>> >>>>>>>>> - 20 of 23 networks always inserts MSS.
>> >>>>>>> That IS a general problem, FWIW.
>> >>>>>>> 
>> >>>>>>> Besides being published, it should also be reported to the operators of those networks as violating TCP specs.
>> >>>>>> Do you mean as in "layering violation" or is it explicitly stated in an RFC that MSS clamping is not allowed.
>> >>>>> I think we should differentiate two issues:
>> >>>>> (a) a middlebox which reduces the MSS already in an SYN/SYN-ACK segement.
>> >>>>> (b) a middlebox which adds an MSS option, which wasn't there in the SYN/SYN-ACK segment.
>> >>>> You can if you want; I do not. Both are violations of TCP processing, whose headers aren’t permitted to be altered in flight. Saying it’s for the good of the endpoints doesn’t change the issue that it should be reported and fixed as an error.
>> >>>> 
>> >>>> If TCP is given an MSS by the other end of a connection and packets don’t get through, it can always lower the segment sizes it sends - the is what PLPMTUD does.
>> >>> I think there may be other more important fights out there than convincing ~90% of the world mobile network operators and their vendors that a practice solving potential black-holing and typically improves performance should stop because it's a layering violation. For example that 2/3rd of the mobile networks I tested have a TCP Proxy and over 70% of such networks breaks MPTCP, TFO or ECN.
>> >>> 
>> >>> 
>> >>> Regards
>> >>> 
>> >>> Frode Kileng
>> >>> 
>> >>> 
>> > 
>> 
>> _______________________________________________
>> tcpm mailing list
>> tcpm@ietf.org
>> https://www.ietf.org/mailman/listinfo/tcpm
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email