RE: [tcpm] WGLC for UTO

"Caitlin Bestler" <Caitlin.Bestler@neterion.com> Tue, 30 October 2007 17:08 UTC

Return-path: <tcpm-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ImuZt-0006ef-OJ; Tue, 30 Oct 2007 13:08:33 -0400
Received: from tcpm by megatron.ietf.org with local (Exim 4.43) id 1ImuZs-0006eZ-DE for tcpm-confirm+ok@megatron.ietf.org; Tue, 30 Oct 2007 13:08:32 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ImuZs-0006d0-3g for tcpm@ietf.org; Tue, 30 Oct 2007 13:08:32 -0400
Received: from mx.neterion.com ([72.1.205.142] helo=owa.neterion.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ImuZf-0003mr-9t for tcpm@ietf.org; Tue, 30 Oct 2007 13:08:25 -0400
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [tcpm] WGLC for UTO
Date: Tue, 30 Oct 2007 13:07:47 -0400
Message-ID: <78C9135A3D2ECE4B8162EBDCE82CAD77027653E9@nekter>
In-Reply-To: <472756CC.8070809@isi.edu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [tcpm] WGLC for UTO
Thread-Index: AcgbDzCxKNxs0yBzQJubbzxrsPhgTAABuhbQ
References: <20071015161355.CDC992CA32C@lawyers.icir.org> <44C4AF94-CC5D-4702-914E-764583E2AADA@nokia.com><78C9135A3D2ECE4B8162EBDCE82CAD77026345DE@nekter><4717E7D6.7000407@isi.edu><14C200C0-73DE-4550-A1E2-5B43BEE29BAF@nokia.com> <472756CC.8070809@isi.edu>
From: "Caitlin Bestler" <Caitlin.Bestler@neterion.com>
To: "Joe Touch" <touch@ISI.EDU>, "Lars Eggert" <lars.eggert@nokia.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 41c17b4b16d1eedaa8395c26e9a251c4
Cc: tcpm@ietf.org
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Errors-To: tcpm-bounces@ietf.org


-----Original Message-----
From: Joe Touch [mailto:touch@ISI.EDU] 
Sent: Tuesday, October 30, 2007 9:08 AM
To: Lars Eggert
Cc: tcpm@ietf.org
Subject: Re: [tcpm] WGLC for UTO



Lars Eggert wrote:
> On 2007-10-19, at 2:10, ext Joe Touch wrote:
...
>> - sec 3 "In addition to"
>> There is no reason in requiring (via SHOULD) a refresh of 
>> SYN-coordinated state. Either that state is coordinated, or it is
not.
>> If not, then the connection is in error.
> 
> The intent was to make UTO work with SYN cookie implementations that 
> can't encode whether a UTO option was present in the cookie, by 
> including the option also in the first non-SYN packets.

That should be deemed non-compliant. The point of the SYN cookie is to
reestablish the entirety of state that would have been established by
the SYN; if the cookie can't do that, a cookie should not be used.

TCP has no provisions for post-SYN establishment of new connection state
AFAIK. Requiring this of this option would be new, and, IMO, a bit
confusing for designers. What happens if the post-SYN packet lacks the
option? do you declare state mis-synchronization and drop it?

----------End of Original Message
--------------------------------------------------------

The idea here is to recognize that existing stacks establish the TCB at
two different times: on first SYN or on the Ack of the SYN-ACK.

To be very pedantic, the TCB is *always* established when the SYN is
received. It's just that a SYN Cookie encodes the "TCB" in the SYN
cookie value and "stores" the TCB on the network.

Which would be a problem with UTO if the UTO option were only present
in the SYN cookie. Basically there isn't any more room in the SYN
Cookie without stealing information from elsewhere (such as timing
resolution or cryptographic quality).

That won't happen. Instead anyone using SYN Cookies will simply NEVER
support UTO for *any* connection (in which case whether it was in the
SYN is irrelevant, which does encode very efficiently).

The redundant transmission of the UTO option allows a receiver that
uses SYN Cookies to establish connections safely to enable that support
only when it is *actually* creating the full-sized TCB. This same
benefit
actually applies to any strategy where allocation of a full TCB is
deferred
until after the round-trip (which is a generally recommended practice,
although there can be debate about how much the proto-TCB should be
condensed and where it should be stored).


As to Lars comment, the idea of having it both places is to allow 
implementations that create the full TCB on receipt of the SYN to
properly create the TCB. Currently, most software based SYN Cookies
implementations include a "no attack detected" mode where the TCBs
are created immediately.



_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www1.ietf.org/mailman/listinfo/tcpm