IETF Logo Mail Archive

Re: [tcpm] Exceeding value in MSS option?

Joseph Touch <touch@strayalpha.com> Tue, 27 October 2020 15:25 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 642BA3A0E70 for <tcpm@ietfa.amsl.com>; Tue, 27 Oct 2020 08:25:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.319
X-Spam-Level:
X-Spam-Status: No, score=-1.319 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uo2rsYHShtgA for <tcpm@ietfa.amsl.com>; Tue, 27 Oct 2020 08:25:26 -0700 (PDT)
Received: from server217-4.web-hosting.com (server217-4.web-hosting.com [198.54.116.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A1F23A0E6A for <tcpm@ietf.org>; Tue, 27 Oct 2020 08:25:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=eZgPUb/KDLZofzxVOSjCvzkoVDKpqxsS+UMqLlrqwik=; b=Zj3XTZ5WFJ7oL6MuqWmgIq+QH K8psGiCcVDerSUXEVXmVTANPFZTA0qtN6203dPdcTiFPqm+6AMbr8F/E8ANKu82VpayUu8KgQMkPa T/m7uqCOYKD0B6IMCxLHVoUc02U8v98HgfPXIwReBTYjOIrrRrSF/Gdwcr2ROic7Pp+VluP1PeWEG VHlUvWMzv/a9j1fK+03AlnDjappBVoyjfRpCcIF+s2khLP5+1XrZNZ/UoACd0jXNJer1dzIrlvYNo vs0KVE1comIh3gEkCa91axz6UzdBVZnKDqmN8aFfBTxcxDHvUFQsapi/J/IODVitV6WoFNaWxoHTs s2C99t9mg==;
Received: from cpe-172-250-225-198.socal.res.rr.com ([172.250.225.198]:64645 helo=[192.168.1.14]) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <touch@strayalpha.com>) id 1kXQqe-000Q8W-1Z; Tue, 27 Oct 2020 11:25:24 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Joseph Touch <touch@strayalpha.com>
In-Reply-To: <77ae4653-ff07-ae23-aba3-e0660791a2f9@tele.no>
Date: Tue, 27 Oct 2020 08:25:19 -0700
Cc: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>, "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EA4F0D4F-C5F6-437C-919B-102AC0231DED@strayalpha.com>
References: <4b50b01f-1e39-82c5-1488-1063ef4f0066@tele.no> <8B85DC62-8EB7-45F3-A57A-668D575A0491@strayalpha.com> <77ae4653-ff07-ae23-aba3-e0660791a2f9@tele.no>
To: Frode Kileng <frodek@tele.no>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/aCkTrP39oltmc7X90cqafZ5OLlY>
Subject: Re: [tcpm] Exceeding value in MSS option?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 15:25:29 -0000

So the real question is why tunneled packets didn’t trigger the same issue - isn’t it?

Or are you implying that tunneled traffic shouldn’t be supported?

There are deeper issues going on here. We should avoid being glib about how “best” to do things that shouldn’t be done in the first place.

Joe

> On Oct 26, 2020, at 11:35 PM, Frode Kileng <frodek@tele.no> wrote:
> 
> I do not defending this practice, just trying to communicate their rationale and that there may be other more important fights out there. But I do understand that operators are cautious as I've seen an example of how fragmentation triggered an anti-DDoS feature in a firewall causing traffic from a large number of mobiles to halt.
> 
> Frode
> 
> On 26/10/2020 17:55, Joe Touch wrote:
>> Given how many of us are using VPNs, it’s a shame they don’t work without this.  I guess users of those nets have to shut down their Skypes and other services over VPNs, because, according to you, it doesn’t work.
>> 
>> Joe
>> 
>>> On Oct 26, 2020, at 8:46 AM, Frode Kileng <frodek@tele.no> wrote:
>>> 
>>> On 26/10/2020 15:24, Joe Touch wrote:
>>>>>> On Oct 26, 2020, at 2:35 AM, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
>>>>>> On 26. Oct 2020, at 08:52, Frode Kileng <frodek@tele.no> wrote:
>>>>>> 
>>>>>> 
>>>>>> On 23/10/2020 17:11, Joseph Touch wrote:
>>>>>>>>> On Oct 23, 2020, at 1:37 AM, Frode Kileng <frodek@tele.no <mailto:frodek@tele.no>> wrote:
>>>>>>>>> 
>>>>>>>>> Although maybe not  a "general problem",  a study of MSS middlebox manipluation in  23 European and Asian mobile networks did reveal some issues:
>>>>>>>>> 
>>>>>>>>> - 20 of 23 networks always inserts MSS.
>>>>>>> That IS a general problem, FWIW.
>>>>>>> 
>>>>>>> Besides being published, it should also be reported to the operators of those networks as violating TCP specs.
>>>>>> Do you mean as in "layering violation" or is it explicitly stated in an RFC that MSS clamping is not allowed.
>>>>> I think we should differentiate two issues:
>>>>> (a) a middlebox which reduces the MSS already in an SYN/SYN-ACK segement.
>>>>> (b) a middlebox which adds an MSS option, which wasn't there in the SYN/SYN-ACK segment.
>>>> You can if you want; I do not. Both are violations of TCP processing, whose headers aren’t permitted to be altered in flight. Saying it’s for the good of the endpoints doesn’t change the issue that it should be reported and fixed as an error.
>>>> 
>>>> If TCP is given an MSS by the other end of a connection and packets don’t get through, it can always lower the segment sizes it sends - the is what PLPMTUD does.
>>> I think there may be other more important fights out there than convincing ~90% of the world mobile network operators and their vendors that a practice solving potential black-holing and typically improves performance should stop because it's a layering violation. For example that 2/3rd of the mobile networks I tested have a TCP Proxy and over 70% of such networks breaks MPTCP, TFO or ECN.
>>> 
>>> 
>>> Regards
>>> 
>>> Frode Kileng
>>> 
>>> 
>

v2.23.0 | Report a Bug | By Email