IETF Logo Mail Archive

Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05

"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Mon, 04 March 2019 15:43 UTC

Return-Path: <Michael.Scharf@hs-esslingen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8B7612D84C for <tcpm@ietfa.amsl.com>; Mon, 4 Mar 2019 07:43:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hs-esslingen.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L-Rl_cF7-mda for <tcpm@ietfa.amsl.com>; Mon, 4 Mar 2019 07:43:06 -0800 (PST)
Received: from mail.hs-esslingen.de (mail.hs-esslingen.de [134.108.32.78]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10B9412870E for <tcpm@ietf.org>; Mon, 4 Mar 2019 07:43:06 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.hs-esslingen.de (Postfix) with ESMTP id ADC9125A1D; Mon, 4 Mar 2019 16:43:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hs-esslingen.de; s=mail; t=1551714183; bh=6qX2Xa/B772HsOBqx093KtK+d63PmCYsqqy5+G1BmSc=; h=From:To:Subject:Date:References:In-Reply-To:From; b=DK6ohO4NxWC3nIBcou0oY7PaJs+1cpbqGYm2uI/5W1J/uuiSoAZQAIOi4sN5SwZgZ oV0U3okqTjEAmkkJvTt/zKe3gmw1dIK7OYpAnZFAr+MIsp/NpygJ3zuy9yp4M8aKmR TKxmLHi8UqxTFhe9ebUi6Op/hxHKH5vecwfih5+4=
X-Virus-Scanned: by amavisd-new-2.7.1 (20120429) (Debian) at hs-esslingen.de
Received: from mail.hs-esslingen.de ([127.0.0.1]) by localhost (hs-esslingen.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZiP53NkcY9v; Mon, 4 Mar 2019 16:43:02 +0100 (CET)
Received: from rznt8101.rznt.rzdir.fht-esslingen.de (rznt8101.rznt.rzdir.fht-esslingen.de [134.108.29.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.hs-esslingen.de (Postfix) with ESMTPS; Mon, 4 Mar 2019 16:43:02 +0100 (CET)
Received: from RZNT8114.rznt.rzdir.fht-esslingen.de ([169.254.3.183]) by rznt8101.rznt.rzdir.fht-esslingen.de ([fe80::bd73:d6a9:24d7:95f1%10]) with mapi id 14.03.0415.000; Mon, 4 Mar 2019 16:43:02 +0100
From: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Olivier Bonaventure <olivier.bonaventure@tessares.net>, "tcpm@ietf.org" <tcpm@ietf.org>
Thread-Topic: [tcpm] Updated version of draft-ietf-tcpm-converters-05
Thread-Index: AQHUv86JmdngfITgq0CMtVlOHS+P7aX6oiiggACAVxCAAErBwIAAO0+AgAASEMA=
Date: Mon, 04 Mar 2019 15:43:01 +0000
Message-ID: <6EC6417807D9754DA64F3087E2E2E03E2D24A93C@rznt8114.rznt.rzdir.fht-esslingen.de>
References: <9DD59801-36CE-407E-98F0-0BB1AAD514A7@tessares.net> <6EC6417807D9754DA64F3087E2E2E03E2D248C3C@rznt8114.rznt.rzdir.fht-esslingen.de> <787AE7BB302AE849A7480A190F8B93302EA27A85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EC6417807D9754DA64F3087E2E2E03E2D24A4B4@rznt8114.rznt.rzdir.fht-esslingen.de> <787AE7BB302AE849A7480A190F8B93302EA27EA2@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA27EA2@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [134.108.2.171]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/Se7Y6PNeR-50c8G9esSjcCfeQa4>
Subject: Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 15:43:10 -0000

Inline [ms2] as far as not sorted out already

-----Original Message-----
From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com] 
Sent: Monday, March 04, 2019 3:43 PM
To: Scharf, Michael; Olivier Bonaventure; tcpm@ietf.org
Subject: RE: [tcpm] Updated version of draft-ietf-tcpm-converters-05

Re-,

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Scharf, Michael [mailto:Michael.Scharf@hs-esslingen.de]
> Envoyé : lundi 4 mars 2019 12:37
> À : BOUCADAIR Mohamed TGI/OLN; Olivier Bonaventure; tcpm@ietf.org
> Objet : RE: [tcpm] Updated version of draft-ietf-tcpm-converters-05
> 
> Hi Med,
> 
> Please also see inline [ms]. I removed the parts that seem to be sorted out.
> 
> Michael
> 
> -----Original Message-----
> From: mohamed.boucadair@orange.com [mailto:mohamed.boucadair@orange.com]
> Sent: Monday, March 04, 2019 7:50 AM
> To: Scharf, Michael; Olivier Bonaventure; tcpm@ietf.org
> Subject: RE: [tcpm] Updated version of draft-ietf-tcpm-converters-05
> 
> Hi Michael,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : tcpm [mailto:tcpm-bounces@ietf.org] De la part de Scharf, Michael
> > Envoyé : lundi 4 mars 2019 00:48
> > À : Olivier Bonaventure; tcpm@ietf.org
> > Objet : Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
> >
> > Hi Olivier,
> >
> > I have read -05. Please find below some comments/questions (with chair hat
> > off):
> >
> > - Page 8: Sorry if I missed this... Can a client ask the converter to send
> > application data in the SYN payload data to the server (possibly even
> without
> > TFO option)? Is it correct that the Convert protocol does not allow such
> use
> > of SYN payload data towards the remote host?
> >
> 
> [Med] The Converter does not track whether a client has negotiated TFO, as
> such any data supplied in the initial SYN is related to the server by the
> converter. The following rule applies:
> 
>    Any user data received by the Transport Converter over the upstream
>    (resp., downstream) connection is relayed over the downstream (resp.,
>    upstream) connection.
> 
> [ms] That is pretty clear for all data in non-SYN segments. But IMHO it opens
> room for interpretation _when_ to relay data included in any of the SYNs and
> SYN,ACK, i.e., whether it would be relayed in SYN segments as well, or
> whether it would be relayed after the three-way handshake. If the handling of
> SYN data is an internal decision of the converter implementation, IMHO the
> draft could call that out explicitly. (I note that w/o TFO the use of payload
> in SYNs should be a corner case, albeit allowed by TCP.)

[Med] The above applies for both non-SYN and SYNs. We can make this explicit:

OLD: 
     Any user data received by the Transport Converter over the upstream
     (resp., downstream) connection is relayed over the downstream (resp.,
     upstream) connection.

NEW: 
     Any user data received by the Transport Converter over the upstream
     (resp., downstream) connection is relayed over the downstream (resp.,
     upstream) connection. In particular, if the initial SYN message contains
     data in its payload (e.g., [RFC7413]), that data MUST be placed 
     right after the Convert TLVs when generating the relayed SYN.

[ms2] Regarding the MUST: Theoretically, the Convert TLV plus the payload could exceed the MTU... That is probably the corner case of a corner case. In that case, I actually believe it is not entirely obvious whether to really use the SYN... Anyway, I don't have a specific preference how to handle SYN payload in the converter. My concern is mainly to be (more) explicit about the fact that payload in SYN is possible in TCP, as this is IMHO something implementers could easily get wrong.

 Also, note
> that in the specific context of page 13 I wonder about payload data sent in
> the SYN sent from the remote host to the converter, i.e., that data is
> destined _to the client_.
> 
> > - Page 18: Is my understanding correct that when a client sends a Connect
> TLV
> > with one of its own addresses as "remote peer IP Address", then the
> transport
> > converter MUST attempt to establish this connection?
> 
> [Med] This is policy-based. The converter may restrict relying MPTCP
> connections on its customer-facing interfaces or may relax it.
> The draft can set a default behavior, though.
> 
> From where I sit, I'd like to allow for a possible future extension similar
> to what is defined for SBCs in https://tools.ietf.org/html/rfc6849 for
> troubleshooting purposes.
> 
> What is your take on this?
> 
> [ms] The exact wording in -05 is: "Upon reception of a Connect TLV, and
> absent any rate limit policy or resource exhaustion conditions, a Transport
> Converter MUST attempt to establish a connection to the address and port that
> it contains." A later statement somehow contradicts this MUST requirement:
> "The Transport Converter may discard a Connect TLV request for various
> reasons (e.g., authorization failed, out of resources, invalid address
> type).". So probably the key question is why to have a capital letter MUST in
> the first place? Of course, this question may matter for troubleshooting.
> 

[Med] Good point. We can update the text as follows: 

OLD: 

   Upon reception of a Connect TLV, and absent any rate limit policy or
   resource exhaustion conditions, a Transport Converter MUST attempt to
   establish a connection to the address and port that it contains.  The
   Transport Converter MUST use by default the TCP options that
   correspond to its local policy to establish this connection.  These
   are the options that it advertises in the Supported TCP Extensions
   TLV.


NEW:

   Upon reception of a Connect TLV, and absent any policy (e.g., rate-limit) or
   resource exhaustion conditions, a Transport Converter attempts to
   establish a connection to the address and port that it contains.  The
   Transport Converter MUST use by default the TCP options that
   correspond to its local policy to establish this connection.  These
   are the options that it advertises in the Supported TCP Extensions
   TLV.

[ms2] That works  for me

>  In other words, a
> > converter that would _not_ set up this connection back to the client would
> > violate the protocol specification?
> 
> [Med] No.
> 
> [ms] Well, in my reading such a converter policy would violates the MUST
> cited above, albeit that may not be the intended meaning of the MUST.
> Actually, I believe that the security considerations in Section 7 lack a
> discussion of (firewall) policies on the client-facing interfaces/network of
> the converter. For instance, let's assume that in the client-facing network
> there would be firewall policies that prevent direct TCP connections between
> different clients, e.g., within the same Wifi network. Depending how the
> converter deals with connect requests to IP addresses in the client-facing
> network, clients could possibly use the converter to bypass firewall policies
> and setup "direct" communication via the converter? Isn't bypassing firewall
> rules something that could be relevant for Section 7?

[Med] Actually, this is similar to hairpining for NATs (fwiw, the default behavior is MUST be enabled; see https://tools.ietf.org/html/rfc4787#section-6).    

Whether this is enabled/disabled is deployment-specific. We can add some text if you think this is helpful. 

[ms2] I agree that this is not an entirely new problem, and I don't have any preference on whether to enable/disable this by default. Yet, I believe that some warning signs would be useful in the security consideration section. 

 Michael

v2.23.0 | Report a Bug | By Email