IETF Logo Mail Archive

Re: [tcpm] More TCP option space in a SYN: draft-briscoe-tcpm-syn-op-sis-02

Joe Touch <touch@isi.edu> Mon, 29 September 2014 18:12 UTC

Return-Path: <touch@isi.edu>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 312731A8A15 for <tcpm@ietfa.amsl.com>; Mon, 29 Sep 2014 11:12:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xpMmdg7bhBjj for <tcpm@ietfa.amsl.com>; Mon, 29 Sep 2014 11:12:37 -0700 (PDT)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18E761A1B7F for <tcpm@ietf.org>; Mon, 29 Sep 2014 11:12:37 -0700 (PDT)
Received: from [128.9.160.211] (mul.isi.edu [128.9.160.211]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id s8TIBrgF026695 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 29 Sep 2014 11:11:53 -0700 (PDT)
Message-ID: <5429A0E8.3080704@isi.edu>
Date: Mon, 29 Sep 2014 11:11:52 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: John Leslie <john@jlc.net>
References: <542344DA.9020905@isi.edu> <201409250956.s8P9uae9013452@bagheera.jungle.bt.co.uk> <alpine.OSX.2.00.1409251716260.69041@ayourtch-mac> <201409251842.s8PIgUdQ015414@bagheera.jungle.bt.co.uk> <alpine.OSX.2.00.1409260049040.69041@ayourtch-mac> <201409260957.s8Q9vmEd018560@bagheera.jungle.bt.co.uk> <20140926145037.GA82183@verdi> <201409261716.s8QHGC7I020142@bagheera.jungle.bt.co.uk> <20140926195338.GH83009@verdi> <542979DC.7090601@isi.edu> <20140929165839.GJ83009@verdi>
In-Reply-To: <20140929165839.GJ83009@verdi>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/OLnpFgqhHmn7-smXrSgJN46rCYU
Cc: tcpm IETF list <tcpm@ietf.org>
Subject: Re: [tcpm] More TCP option space in a SYN: draft-briscoe-tcpm-syn-op-sis-02
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Sep 2014 18:12:39 -0000


On 9/29/2014 9:58 AM, John Leslie wrote:
> Joe Touch <touch@isi.edu> wrote:
>> On 9/26/2014 12:53 PM, John Leslie wrote:
>>> Bob Briscoe <bob.briscoe@bt.com> wrote:
>>>> " If an upgraded TCP client includes the TCP Fast Open option
>>>> " [I-D.ietf-tcpm-fastopen] in the SYN, it MUST be placed with the extra
>>>> " TCP options after the end of the payload.
>>>
>>> Indeed, that is a good way to ensure that the SYN receiver is aware
>>> of the sender's intent to place something _after_ the data intended to
>>> be passed to the application.
>>
>> I'd like to understand the logic behind this claim.
> 
>    Good!
> 
>> Regardless of where signalling information is placed:
>>
>> - legacy servers will (irrevocably) accept it as
>> application data; the only way to undo it is to
>> terminate the connection*
>>
>> - upgraded servers will know where to find it
>>
>> Except to make parsing more complex, what is the perceived benefit of
>> using trailer-based signalling?
> 
>    Bob, I believe, thinks he can outwit meddleboxes. I'll let him make
> that case.
> 
>    Myself, I see it a a way to coexist with things to come.
> 
>    Joe, I suspect, is thinking how to do this in hardware.

Not specifically. IMO, might create another opportunity to get things
wrong because it's now how we currently process options.

>    Indeed, to a middlebox, harder-to-find translates to "expensive",
> possibly prohibitively expensive. To an actual endpoint, the expense
> is bearable -- if you need to act on both anyway, it's a toss-up...
> 
>    But myself, I think in terms of how to coexist with future things
> like FastOpen. I believe we've got a better shot at ensuring that
> nothing _follows_ our extended options than ensuring that nothing
> precedes them.
> 
>    Repeating Bob's words:
>>
>>>> " If an upgraded TCP client includes the TCP Fast Open option
>>>> " [I-D.ietf-tcpm-fastopen] in the SYN, it MUST be placed with the extra
>>>> " TCP options after the end of the payload.
> 
> and recalling that extended options _can't_ be parsed until the inital
> TCP option invoking extended options is parsed, we see that the receiving
> endpoint _must_ know about the overlap of extended-options and fast-open.
> 
>    That brings us to the tussle of whether either _must_ play with the
> data the other wants to add. To me, the simplest case is that fast-open
> does its job first (hopefully someday to include a byte-count), while
> extended-options comes along and puts its data after fast-open's data
> (and anything else which may come along), trusting the receiver to
> remove it from anything to be passed to the application.

I'm not sure I understand this. User data can't be placed in (or removed
from) the segment until after all the options are handled anyway.

>    I am convinced we will see cases where both fast-open and extended-
> options need to be used.
> 
>    While this tussle could go either way, I prefer to place the
> complexity in extended-options.

It's clearly only the option processing that should ever care where the
options are...

>> *- TCP-FO is particularly dangerous when coupled with dual-SYN (DS)
>> variants when the connection uses a cookie from a previous connection;
>> non-DS FO servers can't prevent passing invalid data to the application
>> by terminating the connection when the SYN-ACK is received by the client.
> 
>    I had to read this twice to get Joe's point. :^(
> 
>    Dual-SYN solutions would be expected to place fast-open in both SYNs,
> probably with the same cookie. In the legacy case, nothing can prevent
> the payload being passed to the application long before the sender
> becomes aware of the state of the other SYN.

Right - the legacy case of FO + any dual-SYN approach has this problem.
It's one that the OOB method is not susceptible to, though.

>    (Obviously, if the legacy SYN is postponed long enough, this ceases
> to be a problem; but by then you've lost most of the latency advantage.)

That would happen only on a DS-capable server. I'm also thinking of the
legacy server case - which might not only open two TCP connections but
(with TFO) would send data to the user too early in the upgraded-SYN
case - and it's corrupt data because the server is interpreting the
extended option as user data.

Joe

v2.23.0 | Report a Bug | By Email