Re: [tcpm] More TCP option space in a SYN: draft-briscoe-tcpm-syn-op-sis-02
Bob Briscoe <bob.briscoe@bt.com> Fri, 26 September 2014 17:16 UTC
Return-Path: <bob.briscoe@bt.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B912A1A8030 for <tcpm@ietfa.amsl.com>; Fri, 26 Sep 2014 10:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.387
X-Spam-Level:
X-Spam-Status: No, score=-3.387 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TtgOO4zB9pCD for <tcpm@ietfa.amsl.com>; Fri, 26 Sep 2014 10:16:21 -0700 (PDT)
Received: from hubrelay-rd.bt.com (hubrelay-rd.bt.com [62.239.224.98]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2883C1A70E2 for <tcpm@ietf.org>; Fri, 26 Sep 2014 10:16:19 -0700 (PDT)
Received: from EVMHR71-UKRD.domain1.systemhost.net (10.36.3.109) by EVMHR65-UKRD.bt.com (10.187.101.20) with Microsoft SMTP Server (TLS) id 14.3.181.6; Fri, 26 Sep 2014 18:16:18 +0100
Received: from EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) by EVMHR71-UKRD.domain1.systemhost.net (10.36.3.109) with Microsoft SMTP Server (TLS) id 8.3.348.2; Fri, 26 Sep 2014 18:16:17 +0100
Received: from bagheera.jungle.bt.co.uk (132.146.168.158) by EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) with Microsoft SMTP Server id 14.3.181.6; Fri, 26 Sep 2014 18:16:14 +0100
Received: from BTP075694.jungle.bt.co.uk ([10.215.130.93]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id s8QHGC7I020142; Fri, 26 Sep 2014 18:16:12 +0100
Message-ID: <201409261716.s8QHGC7I020142@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Fri, 26 Sep 2014 18:16:11 +0100
To: John Leslie <john@jlc.net>
From: Bob Briscoe <bob.briscoe@bt.com>
In-Reply-To: <20140926145037.GA82183@verdi>
References: <201409222045.s8MKjZdD002071@bagheera.jungle.bt.co.uk> <542344DA.9020905@isi.edu> <201409250956.s8P9uae9013452@bagheera.jungle.bt.co.uk> <alpine.OSX.2.00.1409251716260.69041@ayourtch-mac> <201409251842.s8PIgUdQ015414@bagheera.jungle.bt.co.uk> <alpine.OSX.2.00.1409260049040.69041@ayourtch-mac> <201409260957.s8Q9vmEd018560@bagheera.jungle.bt.co.uk> <20140926145037.GA82183@verdi>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/S3PAF2PzXjQa83yc249wuqBxgSg
Cc: tcpm IETF list <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] More TCP option space in a SYN: draft-briscoe-tcpm-syn-op-sis-02
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Sep 2014 17:16:24 -0000
John, At 15:50 26/09/2014, John Leslie wrote: > Alas, I haven't found time to completely read any of these drafts; >but I think an overview would be valuable... > >Bob Briscoe <bob.briscoe@bt.com> wrote: > >... > > To be absolutely clear: > > a) SYN-EOS OOB client sends a SYN and an OOB segment to complement > > it, using same src & dst ports. The OOB segment has SYN=0, ACK=0 and > > the seqno is the same as the ISN of the SYN. > > This is draft-touch-tcpm-tcp-syn-ext-opt. Two packets are sent: one >is a SYN; the other isn't. > > > b) SYN-EOS DS client sends 2 complementary SYNs, using same dst port, > > but different src ports and different ISNs. > > This is also draft-touch-tcpm-syn-ext-opt. Two packets are sent: >both are SYNs. Joe asks us to work out which approach is better. > > > c) syn-op-sis client sends 2 alternative SYNs, using same dst port, > > but different src ports and different ISNs. > > This is draft-briscoe-tcpm-syn-op-sis. One packet is sent, but Bob >expects a totally separate packet to be sent proposing a separate >connection, and only one of these connections will completely open. > > > a & b use the word 'complement', which means an upgraded server needs > > to have received both segments to start an upgraded connection. > > I agree with Bob here. > > > c uses the word 'alternative', which means a server can start a > > connection when it receives either, and the upgraded handshake only > > completes if it's an upgraded server. > > Likewise... > > And I note that there's no _need_ to specify anything about the >overlap between the two proposed connections. > > I like this a lot better, because I never trust that two packets >will always reach the same endpoint. Meddleboxes and muddleboxes are >too common and too varied in their world-views. > > I'd like to remind folks of two other drafts: > >- draft-ietf-tcpm-fastopen "allows data to be carried in the SYN" packet. > Something like this is inevitable; and _will_ put application-layer > data in the inital SYN (to reduce experienced latency). This is referenced from both drafts. You have to be careful using fast open as well as putting TCP options in the payload. I've written the following into draft-briscoe-syn-op-sis, and a similar rule will be needed in draft-touch-tcpm-tcp-syn-ext-opt: " If an upgraded TCP client includes the TCP Fast Open option [I-D.ietf-tcpm-fastopen] in the SYN, it MUST be placed with the extra TCP options after the end of the payload. An upgraded TCP client MUST NOT place any TCP option in the TCP header of a SYN that might cause a TCP server to pass user-data directly to the application before the 3-way handshake completes. " See <http://tools.ietf.org/html/draft-briscoe-tcpm-syn-op-sis-02#section-2.4.1> >- draft-nishida-tcpm-apaws "can provide protection against old duplicates" > without using timestamps. (Timestamps will eat up ten bytes in _every_ > packet.) This should reduce the demand for option space in the SYN. Most certainly agree. See quoted text under the next point... >==== > > Hopefully I don't need to draw attention to draft-touch-tcpm-edo. >This seems to be moving towards consensus on how to increase the option >space on every packet _after_ the initial SYN. > > Thus, in most cases, for today's traffic there is little need to >worry about extending the option space in the initial SYN. There seems >to be plenty of time to experiment... Not sure I'm so relaxed. Quoting <http://tools.ietf.org/html/draft-briscoe-tcpm-syn-op-sis-02#section-1.1> "1.1. Motivation for Adoption (to be removed before publication) It is recognised that there could be potential for compressing together multiple options in order to mitigate the option space problem. However, it seems inevitable that ultimately more option space will be needed, particularly given that many of the TCP options introduced recently consume large numbers of bits in order to provide sufficient information entropy, which is not amenable to compression. Extension of TCP option space on a SYN requires support from both ends. This means it will take many years before the facility is functional for most pairs of end-points. Therefore, given the problem is already becoming pressing, a solution needs to start being deployed now. " > >>Probably the best way to decide is to implement both, get them in > >>parallel into the olde wilde internets and see what sticks better! > > > > Before going to the trouble of implementation, some middlebox > > traversal testing of the proposed packet formats might weed out the > > field. I have a suspicion that the OOB segment won't get very far in > > many cases - it's unlikely that all firewalls and intrusion detection > > systems will allow the unusual ACK=0, SYN=0 and the same seqno as the SYN. > > I agree with Bob that we don't need formal Experimental status to >test how often an OOB packet will fail to pass a middlebox. > > For any Experimental-status document, I recommend: > >- that the various on-the-wire formats be kept as similar as possible; > >- that any acknowledgment of extra option space in an initial SYN > include a checksum or hash of the extra options to ensure that both > ends have the same view of what options have been signaled; Not convinced on this one. Each TCP option has its own way for the 'server' to confirm whether it supports an option requested by the client. And support for the option to extend the option space is confirmed by the server. So it seems redundant for the server to feedback yet another confirmation via a checksum of all the extra options requested. >- that any timing questions be specifically explored as part of the > experiment. (This includes _whether_ there should be any overlap > between the experimental SYN and the legacy SYN.) Good point. >- that an explicit allocation of one (or more, possibly) dedicated > option number be requested from IANA. > >==== > > IMHO, Bob's SYN-U cases are best condensed into a single format >where the SYN sender explicitly notes the position in the payload to be >occupied by additional TCP options, and guarantees that no application- >layer data will follow these. Good point about the guarantee. >The receiving endpoint would search for >the extra options whether or not it found the SYN-U option in the >initial SYN, This won't work. This would require every server to hold a list of valid TCP options and their valid length fields. This list is large, and the list of future options yet to be defined is even larger (and obviously unknown). If the server has to check every sequence of bytes starting at every byte within the payload for a match with all possible TCP options, when searching through any arbitrary payload, it will continually return loads of false matches (and it will consume excessive cycles). This also doesn't provide any path to add new options. >and reply including a checksum/hash of the options it >found. (The receiving endpoint MUST find some confirmation that >these options were intended, or _it_ bears the responsibility to >reverse any action on the extended options and pass the payload where >it otherwise would have gone.) No need for all this - see above and see drafts. > I'm not sure this entire middlebox-transit idea is worth the trouble; >but it probably deserves to be an optional part of the experiment. The reason I came up with syn-op-sis is to be able to be near-certain that it will get through current middleboxes. I think the group will find such near-certainty to be liberating, compared to the minefield we currently have to tip-toe through. The only case I can think of where there could be a blockage is where a split TCP connection holds back any payload on the SYN until the 3WHS completes. > The SYN-U sender MUST deal with the danger of its additional options >being passed to the application as data. For legacy receivers it can do >this by aborting before the end of the three-way handshake. But there >must be coordination with tcpm-fastopen to protect against such data >being passed to the application before the SYN-U sender can abort. >(This is not a trivial consideration!) Altho certainly not a trivial consideration, it is trivial to be safe against this - see the rule already in the syn-op-sis draft, quoted above, which is careful to be specific about TFO, as well as generalising to anything in the future that might be like TFO (e.g. tcpcrypt uses the TCP payload for control messages). > I believe that much deserves to be settled _before_ tcpm-fastopen >is published as an RFC. (NB that document currently has been approved >for publication, but is waiting on a Point-Raised writeup.) > > The fastopen mechanism calls for the SYN sender to request a >Fast Open Cookie, which the SYN receiver will generate and return in >the SYN-ACK. In a _future_ connection, the SYN sender can send that >cookie, and all payload data will go to the application _before_ the >three-way handshake completes. Thus there is no way to use both >fastopen and SYN-U in the same connection. This is unfortunate!!! As above, syn-op-sis contains text solving this already. And the same approach can be used by the other drafts. > (Note that fastopen will be Experimental; and deficiencies can be >fixed before it reaches Proposed Standard: it's just best to consider >overlaps like this before the RFC is published.) > >==== > > The question of separating payload data to go to the application >from extended TCP options clearly requires action by the SYN receiver. >This is fairly simple if the SYN sender can ensure that _none_ of the >payload data should go to the application (and thus not use fastopen >at all): of course the connection must still be aborted if the SYN >receiver doesn't acknowledge separating out the extended options. > > IMHO, the SYN sender should never use SYN-U unless extra option >space in the SYN is needed; and it's probably better to never use >SYN-U for connections where latency of setup is the over-riding factor. >But YMMV. I wonder whether such overlap is worth the trouble to try >to design into the protocol. In the syn-op-sis spec there is a choice between two variants of the protocol (I recommend the choice can be made by implementers, not the IETF). The choice I've recommended removes any risk of extra latency on the upgraded connection. I've included a discussion of the tradeoff between them in Appendix B.1: <http://tools.ietf.org/html/draft-briscoe-tcpm-syn-op-sis-02#appendix-B.1> BTW, I spend most of my time these days working on a project to remove latency from protocols. Cheers Bob >-- >John Leslie <john@jlc.net> ________________________________________________________________ Bob Briscoe, BT
- [tcpm] More TCP option space in a SYN: draft-bris… Bob Briscoe
- Re: [tcpm] draft-briscoe-tcpm-syn-op-sis-02 John Leslie
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Zimmermann, Alexander
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Andrew Yourtchenko
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Andrew Yourtchenko
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Andrew Yourtchenko
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Andrew Yourtchenko
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Andrew Yourtchenko
- Re: [tcpm] More TCP option space in a SYN: draft-… John Leslie
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… John Leslie
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… John Leslie
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… John Leslie
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Joe Touch
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe
- Re: [tcpm] More TCP option space in a SYN: draft-… Scharf, Michael (Michael)
- Re: [tcpm] More TCP option space in a SYN: draft-… John Leslie
- Re: [tcpm] More TCP option space in a SYN: draft-… Bob Briscoe