IETF Logo Mail Archive

Re: [tcpm] TCP reserved bits and793bis

John Leslie <john@jlc.net> Wed, 09 July 2014 11:09 UTC

Return-Path: <john@jlc.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88AED1A03F1 for <tcpm@ietfa.amsl.com>; Wed, 9 Jul 2014 04:09:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HHbIYt9rRJQ0 for <tcpm@ietfa.amsl.com>; Wed, 9 Jul 2014 04:09:27 -0700 (PDT)
Received: from mailhost.jlc.net (mailhost.jlc.net [199.201.159.4]) by ietfa.amsl.com (Postfix) with ESMTP id 6C3801A03F2 for <tcpm@ietf.org>; Wed, 9 Jul 2014 04:09:27 -0700 (PDT)
Received: by mailhost.jlc.net (Postfix, from userid 104) id B38B8C94BD; Wed, 9 Jul 2014 07:09:20 -0400 (EDT)
Date: Wed, 09 Jul 2014 07:09:20 -0400
From: John Leslie <john@jlc.net>
To: Joe Touch <touch@isi.edu>
Message-ID: <20140709110920.GC4461@verdi>
References: <20140702231048.27968.95757.idtracker@ietfa.amsl.com> <53B49D57.70102@isi.edu> <201407031455.s63EtLAb019563@bagheera.jungle.bt.co.uk> <53B57D88.9090706@isi.edu> <6FC2D64C-65F7-423D-A3A2-35258796C3DA@netapp.com> <201407031843.s63IhNU2020277@bagheera.jungle.bt.co.uk> <53B5B96F.1020304@isi.edu> <0C29294E-7C2D-4653-A706-DE5FF44EF4AF@quantum.com> <53BC25EB.8070301@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <53BC25EB.8070301@isi.edu>
User-Agent: Mutt/1.4.1i
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/QBelcxpfrGR0MW2vhPcY8l6k5s4
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, David Borman <David.Borman@quantum.com>
Subject: Re: [tcpm] TCP reserved bits and793bis
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2014 11:09:30 -0000

Joe Touch <touch@isi.edu> wrote:
> 
> There are two interpretations of "Must be zero":
>  a) current implementations should drop segments with those bits set
> 
>  b) current implementations should ignore those bits

   Indeed, we must work around endpoints which do either of these.

> It says "Must be zero." That can easily be interpreted as requiring that 
> when the bits are set the segment is invalid.

   But only so interpreted by an endpoint. No middlebox is entitled to
do that.

   (Of course, a middlebox _is_ entitled to drop an IP packet for any
reason whatsoever.)

   Our problem is that currently-deployed "middleboxes" do a bunch of
things which really qualify as "damage". Accept that, but don't argue
that it's a reasonable interpretation of 793.

> Note that RFC793 doesn't define what to do when the Data Offset is 
> smaller than 5 - so does that mean you should be liberal and process 
> such segments, or drop them?

   That's a good question. Let me at least nibble around the edges.

   If the two endpoints have agreed on a meaning, of course the receiver
should process it.

   If a receiver _hasn't_ agreed on a meaning, it should own up to
having no clue whether there are any options and/or any data. If
the checksum validates, it's probably time to give up and close the
connection; otherwise it could discard the packet.

   If a middlebox sees Data Offset less than five, it similarly
should probably admit it has no clue whether there are any options
or any data. If all it wants to do is rewrite source IP and port,
it should probably do that and pass everything else unchanged,
adjusting the checksum.

   If a middlebox wants to do something with options or data, it
probably needs to drop the packet -- because it can't do what it is
designed to do.

   Now we get into the really messy area: if a middlebox sees that
something like EDO has been negotiated (which _is_ possible when
it intercepts in both directions), should it process according to
that option?

   IMHO, there's no fully satisfactory answer to that. Myself, I'd
prefer it didn't. A middlebox wanting to meddle that much should
act as an endpoint. (But of course, we can't enforce that.)

> I agree that "liberal" means that, in either case, you MUST NOT generate 
> a response segment, ICMP message, or user error. But it's not as clear 
> *from the current text*.
> 
> The point of all this is that 793bis needs to be updated to make this 
> direct and explicit, though.

   Alas, that won't fix the problem. At best, it might change new
middlebox designs. There's no way it could fix deployed middleboxes.
(But it would _feel_ better to have an unambiguous statement that
this is damage!)

--
John Leslie <john@jlc.net>

v2.23.0 | Report a Bug | By Email