Re: [tcpm] Asymmetric Middleboxes and Extended Data Offset (EDO)
Bob Briscoe <bob.briscoe@bt.com> Thu, 02 October 2014 14:31 UTC
Return-Path: <bob.briscoe@bt.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 877101A0275 for <tcpm@ietfa.amsl.com>; Thu, 2 Oct 2014 07:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.387
X-Spam-Level:
X-Spam-Status: No, score=-3.387 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lVObJZkz2b3Q for <tcpm@ietfa.amsl.com>; Thu, 2 Oct 2014 07:31:18 -0700 (PDT)
Received: from hubrelay-rd.bt.com (hubrelay-rd.bt.com [62.239.224.98]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5851A026E for <tcpm@ietf.org>; Thu, 2 Oct 2014 07:31:17 -0700 (PDT)
Received: from EVMHR71-UKRD.domain1.systemhost.net (10.36.3.109) by EVMHR66-UKRD.bt.com (10.187.101.21) with Microsoft SMTP Server (TLS) id 14.3.195.1; Thu, 2 Oct 2014 15:31:15 +0100
Received: from EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) by EVMHR71-UKRD.domain1.systemhost.net (10.36.3.109) with Microsoft SMTP Server (TLS) id 8.3.348.2; Thu, 2 Oct 2014 15:31:15 +0100
Received: from bagheera.jungle.bt.co.uk (132.146.168.158) by EPHR02-UKIP.domain1.systemhost.net (147.149.100.81) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 15:31:15 +0100
Received: from BTP075694.jungle.bt.co.uk ([10.215.130.93]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id s92EVDnC015019; Thu, 2 Oct 2014 15:31:13 +0100
Message-ID: <201410021431.s92EVDnC015019@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 02 Oct 2014 15:31:12 +0100
To: "Eddy, Wesley M. (GRC-LCI0)[MTI SYSTEMS, INC.]" <wesley.m.eddy@nasa.gov>
From: Bob Briscoe <bob.briscoe@bt.com>
In-Reply-To: <3C694E6F4F1EBB43B13CE0A47A0A2E01714236@NDJSMBX103.ndc.nasa .gov>
References: <201410021150.s92Bov3U014372@bagheera.jungle.bt.co.uk> <3C694E6F4F1EBB43B13CE0A47A0A2E01714236@NDJSMBX103.ndc.nasa.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpm/aEHjIFozI5cCZSEW7d-VPFRqPV4
Cc: tcpm IETF list <tcpm@ietf.org>, Joe Touch <touch@isi.edu>
Subject: Re: [tcpm] Asymmetric Middleboxes and Extended Data Offset (EDO)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Oct 2014 14:31:21 -0000
Wes, I agree that combining EDO with generic middlebox hardening would be nice. However, it's hard to provide a general-purpose middlebox hardening solution for all cases; most generic solutions introduce overhead - complexity, processing or extra round-trip latency - and each case has different sensitivities to different types of overhead. For instance, in the design of MPTCP, there's a 3-way check to protect against asymmetric option removal <http://tools.ietf.org/html/rfc6824#section-2.1>. It's MPTCP-specific because MPTCP is perceived as more relevant to longer flows, so the extra start-up latency of this 3-way check is less of a concern. Also, if EDO used a 3-way check, it would not be able to extend the option space on any of the 3WHS segments, which would reduce its usefulness. Section 6 of the above MPTCP RFC <http://tools.ietf.org/html/rfc6824#section-6> discusses asymmetric option removal (see Fig 16) and how MPTCP was hardened against it. It is also a useful enumeration of other possible middlebox problems (and how MPTCP was designed to work round them and to work with them). ==Segment Coalescing== A colleague (Phil Eardley) has just pointed out that segment coalescing could be a problem for EDO. I suspect segments in the 3WHS won't get coalesced because there's nothing to coalesce with. But then later segments might be coalesced. If this were the case, it would mean even a 3-way EDO capability negotiation would appear to have worked. But then subsequent segments could end up with a corrupted coalesced payload, with TCP options embedded at regular intervals throughout. Regards Bob At 14:29 02/10/2014, Eddy, Wesley M. (GRC-LCI0)[MTI SYSTEMS, INC.] wrote: >Hi Bob, I think there's a generic problem that many options share >of detecting middlebox compatibility issues, and that for some >subset of them (EDO included) those issues could cause corruption of user data. > >This motivates stronger ways to validate segments (e.g. the form of >TCP-AO that's compatible with NAT, with the TCP option flag set ... >possibly with some new unkeyed algorithm). It should be done in >common and not re-invented on a per-option basis IMHO. > > > >-----Original Message----- >From: Bob Briscoe [mailto:bob.briscoe@bt.com] >Sent: Thursday, October 02, 2014 7:50 AM >To: Joe Touch; Eddy, Wesley M. (GRC-LCI0)[MTI SYSTEMS, INC.] >Cc: tcpm IETF list >Subject: Asymmetric Middleboxes and Extended Data Offset (EDO) > >Joe, Wes, > >It is known that new TCP options are removed on x% of paths. >It is also known that y% of paths are asymmteric Let's assume z% of >the TCP-option-removing middleboxes are on the asymmetric part of a path. > >(x y and z are left as an exercise for the experimenter. I'm offline >at the mo, but I know there are papers that give good estimates of x >and y at least). > >Also some middleboxes behave asymmetrically, for instance firewalls >have stricter rules for traffic arriving from the public side vs the >private side. Such a device might remove unknown TCP options in one >direction, but not the other. > >==Legend== >C = TCP client >S = TCP server >EDO = EDO delivered >!X-EDO-X! = Middlebox removes EDO TCP option >Extra-opts = TCP options beyond the Data Offset (preserved) >???!!! = confused or crashes > >==Scenarios== > >1. EDO not removed from SYN, but middlebox removes EDO from SYN/ACK >1.1 Extra Options on SYN/ACK > > C -> EDO -> S > C <- !X-EDO-X! Extra-opts <- S > C ???!!! > >1.2 Extra Options on subsequent segment from server > > C -> EDO -> S > C <- !X-EDO-X! <- S > ... > C <- !X-EDO-X! Extra-opts <- S > C ???!!! > >2. EDO not removed from SYN or SYN/ACK >2.1 Middlebox removes EDO from subsequent segment from server > > C -> EDO -> S > C <- EDO Extra-opts <- S > ... > C <- !X-EDO-X! Extra-opts <- S > C ???!!! > >2.2 Middlebox removes EDO from subsequent segment from client > > C -> EDO -> S > C <- EDO Extra-opts <- S > ... > C -> Extra-opts !X-EDO-X! -> S > ???!!! S > > >==Commentary== > >Case #1: >The passive opener (server) thinks that the connection supports EDO, >so it sends a SYN/ACK confirming this. But before it reaches the >client, a middlebox removes unknown TCP options, but forwards the >payload unchanged, including the extra TCP options. > >Without the EDO option, the client believes everything beyond the >Data Offset in the SYN/ACK is payload, so it passes both the extra >TCP options and the actual payload to the app. > >Outcome in both cases under #1: > TCP delivers corrupt user-data to the client. > >Case #2: >The 3WHS negotiating EDO completes correctly, so both ends correctly >think that the connection supports EDO. But later in the connection, >a middlebox starts removing unknown TCP options, but continues to >forward the payload unchanged. This is probably much less likely >than case 1.1, but might be due to a path change, or the behaviour >of a middlbox being different for segments with SYN=0. > >Again, without the EDO option, the receiving end believes everything >beyond the Data Offset is payload, so it passes both the extra TCP >options and the actual payload to the app. > >Outcome in case #2.1: > TCP delivers corrupt user-data to the client. >Outcome in case #2.2: > TCP delivers corrupt user-data to the server. > >==Implications== > >I found the above problem when I was working through all the >possible problems if I was to integrate EDO with >draft-briscoe-tcpm-syn-op-sis (to extend TCP option space on non-SYN >packets subsequent to extending space on the SYN). > >In the light of the above, I won't be integrating EDO with >syn-op-sis. I don't think we should introduce anything to TCP with a >known risk of delivering corrupt user-data, even if the risk is low. >If there were a middlebox behaviour that 'just' blocked the new >feature, it would be another matter. But if asymmetry does cause TCP >to deliver corrupt data to certain users, the same users will >continually experience bizarre and unreliable behaviour - very >expensive for customer support people to diagnose. > >I shall be adding a section to the syn-op-sis draft to define how >syn-op-sis can be used to extend the TCP option space on any packet >as well as the SYN (it's fairly obvious). I believe it will be >immune to the above problem. (Joe, I'll also add an Appendix for the >alternative protocol structure I mentioned in response to you not >liking the trailer-based structure.) > >As you know, I was amazed when it was proposed that EDO should go >forward for proposed standard. I said in the TCPM meeting that it >should be at least experimental, because these days any new TCP >options need to be tested against a wide range of middlebox >behaviours. With the above problems, I think we should revisit the >decision even to adopt EDO. > >Sorry guys, EDO looked promising, but our job is to ensure TCP >continues to be robust. > > >Regards > > >Bob > > >________________________________________________________________ >Bob Briscoe, BT ________________________________________________________________ Bob Briscoe, BT
- [tcpm] Asymmetric Middleboxes and Extended Data O… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Eddy, Wesley M. (GRC-LCI0)[MTI SYSTEMS, INC.]
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Wesley Eddy
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Wesley Eddy
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Yoshifumi Nishida
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Joe Touch
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Pasi Sarolahti
- Re: [tcpm] Asymmetric Middleboxes and Extended Da… Bob Briscoe
- [tcpm] draft-ietf-tcpm-tcp-edo John Leslie
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcp-edo John Leslie
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcp-edo John Leslie
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Bob Briscoe
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Bob Briscoe
- Re: [tcpm] draft-ietf-tcpm-tcp-edo Joe Touch