IETF Logo Mail Archive

Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05

"Scharf, Michael" <Michael.Scharf@hs-esslingen.de> Tue, 05 March 2019 08:32 UTC

Return-Path: <Michael.Scharf@hs-esslingen.de>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9B312785F for <tcpm@ietfa.amsl.com>; Tue, 5 Mar 2019 00:32:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hs-esslingen.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FxC8H6ZSsj5w for <tcpm@ietfa.amsl.com>; Tue, 5 Mar 2019 00:32:57 -0800 (PST)
Received: from mail.hs-esslingen.de (mail.hs-esslingen.de [134.108.32.78]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B92A9124B0C for <tcpm@ietf.org>; Tue, 5 Mar 2019 00:32:56 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.hs-esslingen.de (Postfix) with ESMTP id 0E8ED25A21; Tue, 5 Mar 2019 09:32:55 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hs-esslingen.de; s=mail; t=1551774775; bh=DrFELmhzBHahZp/Z1pr7soQTM3Eo/7jUZTsxDlWDWoU=; h=From:To:Subject:Date:References:In-Reply-To:From; b=vpTEqplMMTnBGpB5+vWBA/yYuEqUS/CEQHMQXHOdu6fLoFXEVF7PbpAo2SWYeElcg 9TMQHv8a9awPNub8LA7r2ACsKek3Ui4ThrR47epL7UCE++iEeHBLIz0fue+keMJO7r JgkpiPAFQQhpu0hdnnOou8auAFTDkqiQmRytb2IE=
X-Virus-Scanned: by amavisd-new-2.7.1 (20120429) (Debian) at hs-esslingen.de
Received: from mail.hs-esslingen.de ([127.0.0.1]) by localhost (hs-esslingen.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 134a0xz1Yydq; Tue, 5 Mar 2019 09:32:53 +0100 (CET)
Received: from rznt8101.rznt.rzdir.fht-esslingen.de (rznt8101.rznt.rzdir.fht-esslingen.de [134.108.29.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.hs-esslingen.de (Postfix) with ESMTPS; Tue, 5 Mar 2019 09:32:53 +0100 (CET)
Received: from RZNT8114.rznt.rzdir.fht-esslingen.de ([169.254.3.183]) by rznt8101.rznt.rzdir.fht-esslingen.de ([fe80::bd73:d6a9:24d7:95f1%10]) with mapi id 14.03.0415.000; Tue, 5 Mar 2019 09:32:53 +0100
From: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, Olivier Bonaventure <olivier.bonaventure@tessares.net>, "tcpm@ietf.org" <tcpm@ietf.org>
Thread-Topic: [tcpm] Updated version of draft-ietf-tcpm-converters-05
Thread-Index: AQHUv86JmdngfITgq0CMtVlOHS+P7aX6oiiggACAVxCAAErBwIAAO0+AgAASEMCAAQiJkIAAGGBw
Date: Tue, 05 Mar 2019 08:32:53 +0000
Message-ID: <6EC6417807D9754DA64F3087E2E2E03E2D24B7D9@rznt8114.rznt.rzdir.fht-esslingen.de>
References: <9DD59801-36CE-407E-98F0-0BB1AAD514A7@tessares.net> <6EC6417807D9754DA64F3087E2E2E03E2D248C3C@rznt8114.rznt.rzdir.fht-esslingen.de> <787AE7BB302AE849A7480A190F8B93302EA27A85@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EC6417807D9754DA64F3087E2E2E03E2D24A4B4@rznt8114.rznt.rzdir.fht-esslingen.de> <787AE7BB302AE849A7480A190F8B93302EA27EA2@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <6EC6417807D9754DA64F3087E2E2E03E2D24A93C@rznt8114.rznt.rzdir.fht-esslingen.de> <787AE7BB302AE849A7480A190F8B93302EA285CE@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA285CE@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [134.108.29.249]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/WqUs1ggS6aUcgd1WwfOCLcT1HDw>
Subject: Re: [tcpm] Updated version of draft-ietf-tcpm-converters-05
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 08:33:00 -0000

Inline [ms3]

Michael

> -----Original Message-----
> From: mohamed.boucadair@orange.com
> [mailto:mohamed.boucadair@orange.com]
> Sent: Tuesday, March 5, 2019 8:05 AM
> To: Scharf, Michael; Olivier Bonaventure; tcpm@ietf.org
> Subject: RE: [tcpm] Updated version of draft-ietf-tcpm-converters-05
> 
> Hi Michael,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Message d'origine-----
> > De : Scharf, Michael [mailto:Michael.Scharf@hs-esslingen.de]
> > Envoyé : lundi 4 mars 2019 16:43
> > À : BOUCADAIR Mohamed TGI/OLN; Olivier Bonaventure; tcpm@ietf.org
> > Objet : RE: [tcpm] Updated version of draft-ietf-tcpm-converters-05
> >
> > Inline [ms2] as far as not sorted out already
> >
> ...
> > >
> > > > -----Message d'origine-----
> > > > De : tcpm [mailto:tcpm-bounces@ietf.org] De la part de Scharf,
> Michael
> > > > Envoyé : lundi 4 mars 2019 00:48
> > > > À : Olivier Bonaventure; tcpm@ietf.org
> > > > Objet : Re: [tcpm] Updated version of draft-ietf-tcpm-converters-
> 05
> > > >
> > > > Hi Olivier,
> > > >
> > > > I have read -05. Please find below some comments/questions (with
> chair
> > hat
> > > > off):
> > > >
> > > > - Page 8: Sorry if I missed this... Can a client ask the
> converter to
> > send
> > > > application data in the SYN payload data to the server (possibly
> even
> > > without
> > > > TFO option)? Is it correct that the Convert protocol does not
> allow such
> > > use
> > > > of SYN payload data towards the remote host?
> > > >
> > >
> > > [Med] The Converter does not track whether a client has negotiated
> TFO, as
> > > such any data supplied in the initial SYN is related to the server
> by the
> > > converter. The following rule applies:
> > >
> > >    Any user data received by the Transport Converter over the
> upstream
> > >    (resp., downstream) connection is relayed over the downstream
> (resp.,
> > >    upstream) connection.
> > >
> > > [ms] That is pretty clear for all data in non-SYN segments. But
> IMHO it
> > opens
> > > room for interpretation _when_ to relay data included in any of the
> SYNs
> > and
> > > SYN,ACK, i.e., whether it would be relayed in SYN segments as well,
> or
> > > whether it would be relayed after the three-way handshake. If the
> handling
> > of
> > > SYN data is an internal decision of the converter implementation,
> IMHO the
> > > draft could call that out explicitly. (I note that w/o TFO the use
> of
> > payload
> > > in SYNs should be a corner case, albeit allowed by TCP.)
> >
> > [Med] The above applies for both non-SYN and SYNs. We can make this
> explicit:
> >
> > OLD:
> >      Any user data received by the Transport Converter over the
> upstream
> >      (resp., downstream) connection is relayed over the downstream
> (resp.,
> >      upstream) connection.
> >
> > NEW:
> >      Any user data received by the Transport Converter over the
> upstream
> >      (resp., downstream) connection is relayed over the downstream
> (resp.,
> >      upstream) connection. In particular, if the initial SYN message
> contains
> >      data in its payload (e.g., [RFC7413]), that data MUST be placed
> >      right after the Convert TLVs when generating the relayed SYN.
> >
> > [ms2] Regarding the MUST: Theoretically, the Convert TLV plus the
> payload
> > could exceed the MTU... That is probably the corner case of a corner
> case. In
> > that case, I actually believe it is not entirely obvious whether to
> really
> > use the SYN... Anyway, I don't have a specific preference how to
> handle SYN
> > payload in the converter. My concern is mainly to be (more) explicit
> about
> > the fact that payload in SYN is possible in TCP, as this is IMHO
> something
> > implementers could easily get wrong.
> 
> [Med] Agree.

[ms3] To be precise, it is not entirely clear to me whether the MUST is really required. But if implementers would deal with SYN payload this way, the proposed wording would work for me.

> >  Also, note
> > > that in the specific context of page 13 I wonder about payload data
> sent in
> > > the SYN sent from the remote host to the converter, i.e., that data
> is
> > > destined _to the client_.
> > >
> > > > - Page 18: Is my understanding correct that when a client sends a
> Connect
> > > TLV
> > > > with one of its own addresses as "remote peer IP Address", then
> the
> > > transport
> > > > converter MUST attempt to establish this connection?
> > >
> > > [Med] This is policy-based. The converter may restrict relying
> MPTCP
> > > connections on its customer-facing interfaces or may relax it.
> > > The draft can set a default behavior, though.
> > >
> > > From where I sit, I'd like to allow for a possible future extension
> similar
> > > to what is defined for SBCs in https://tools.ietf.org/html/rfc6849
> for
> > > troubleshooting purposes.
> > >
> > > What is your take on this?
> > >
> > > [ms] The exact wording in -05 is: "Upon reception of a Connect TLV,
> and
> > > absent any rate limit policy or resource exhaustion conditions, a
> Transport
> > > Converter MUST attempt to establish a connection to the address and
> port
> > that
> > > it contains." A later statement somehow contradicts this MUST
> requirement:
> > > "The Transport Converter may discard a Connect TLV request for
> various
> > > reasons (e.g., authorization failed, out of resources, invalid
> address
> > > type).". So probably the key question is why to have a capital
> letter MUST
> > in
> > > the first place? Of course, this question may matter for
> troubleshooting.
> > >
> >
> > [Med] Good point. We can update the text as follows:
> >
> > OLD:
> >
> >    Upon reception of a Connect TLV, and absent any rate limit policy
> or
> >    resource exhaustion conditions, a Transport Converter MUST attempt
> to
> >    establish a connection to the address and port that it contains.
> The
> >    Transport Converter MUST use by default the TCP options that
> >    correspond to its local policy to establish this connection.
> These
> >    are the options that it advertises in the Supported TCP Extensions
> >    TLV.
> >
> >
> > NEW:
> >
> >    Upon reception of a Connect TLV, and absent any policy (e.g.,
> rate-limit)
> > or
> >    resource exhaustion conditions, a Transport Converter attempts to
> >    establish a connection to the address and port that it contains.
> The
> >    Transport Converter MUST use by default the TCP options that
> >    correspond to its local policy to establish this connection.
> These
> >    are the options that it advertises in the Supported TCP Extensions
> >    TLV.
> >
> > [ms2] That works  for me
> >
> > >  In other words, a
> > > > converter that would _not_ set up this connection back to the
> client
> > would
> > > > violate the protocol specification?
> > >
> > > [Med] No.
> > >
> > > [ms] Well, in my reading such a converter policy would violates the
> MUST
> > > cited above, albeit that may not be the intended meaning of the
> MUST.
> > > Actually, I believe that the security considerations in Section 7
> lack a
> > > discussion of (firewall) policies on the client-facing
> interfaces/network
> > of
> > > the converter. For instance, let's assume that in the client-facing
> network
> > > there would be firewall policies that prevent direct TCP
> connections
> > between
> > > different clients, e.g., within the same Wifi network. Depending
> how the
> > > converter deals with connect requests to IP addresses in the
> client-facing
> > > network, clients could possibly use the converter to bypass
> firewall
> > policies
> > > and setup "direct" communication via the converter? Isn't bypassing
> > firewall
> > > rules something that could be relevant for Section 7?
> >
> > [Med] Actually, this is similar to hairpining for NATs (fwiw, the
> default
> > behavior is MUST be enabled; see
> https://tools.ietf.org/html/rfc4787#section-
> > 6).
> >
> > Whether this is enabled/disabled is deployment-specific. We can add
> some text
> > if you think this is helpful.
> >
> > [ms2] I agree that this is not an entirely new problem, and I don't
> have any
> > preference on whether to enable/disable this by default. Yet, I
> believe that
> > some warning signs would be useful in the security consideration
> section.
> 
> [Med] I added this NEW text:
> 
>     In deployments where network-assisted connections are not allowed
>     between hosts of a domain (i.e., hairpinning is not allowed),
>     the Converter may be instructed to discard such connections. Absent
>     explicit configuration otherwise, hairpinning is enabled by
>     the Converter (sse {{fig-hairp}}.

[ms3] Works for me

Thanks

Michael

v2.23.0 | Report a Bug | By Email