[tcpm] Re: Comments on draft-ietf-tcpm-tcp-edo-13
"touch@strayalpha.com" <touch@strayalpha.com> Mon, 15 July 2024 03:54 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5910FC14F6FA for <tcpm@ietfa.amsl.com>; Sun, 14 Jul 2024 20:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZWeg5EnZeEg for <tcpm@ietfa.amsl.com>; Sun, 14 Jul 2024 20:54:15 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B47CC14F5E4 for <tcpm@ietf.org>; Sun, 14 Jul 2024 20:54:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=iIjwiAJ//Aa7cbko+L7HYsMq6+yyrWe5G1WU4YNYeBg=; b=uSeV/g4po5tw+6v9a6p3zKXW9S GyHl7+br2+Fyy79s4UQRSdHeEcoOf3a1ikH/3nsQ6wPpKPxz6+eXNa0cjeNp03hrTONsqUmZOSqb2 A+yxFzaNYQw8Eh8ZDeNo7+KlBWwFrWcYRRirmS5rjZwnn+H5x9WyzRfK5I2R78QYsm+haK7rjBB1F hFsGlhDfgqYD6J0NYyNqlFeyOU2zC2a+CwJWIcSvdURjjPTUOerxphyVNJgztMoQlVcDVyQBZin2v 445QMrABtWfg8XCnTfVQhU7onJWBuCeWQ2P4zx3V3A/SnN/jXsNWAfmX/1zlJGCkR//OnhbOv/xxO VLJmpI8A==;
Received: from [172.56.184.83] (port=21438 helo=smtpclient.apple) by server217.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96.2) (envelope-from <touch@strayalpha.com>) id 1sTCmz-008UXd-1o; Sun, 14 Jul 2024 23:54:13 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_FF21729D-0438-4B2B-B925-FC07D32C3831"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: "touch@strayalpha.com" <touch@strayalpha.com>
In-Reply-To: <78EC7C86-74C9-4660-80A0-4DBE7A2080FD@amazon.co.jp>
Date: Sun, 14 Jul 2024 20:54:01 -0700
Message-Id: <83640080-E907-4679-A068-F15A73C70184@strayalpha.com>
References: <78EC7C86-74C9-4660-80A0-4DBE7A2080FD@amazon.co.jp>
To: "Iwashima, Kuniyuki" <kuniyu@amazon.co.jp>
X-Mailer: Apple Mail (2.3774.600.62)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Message-ID-Hash: 3MGJUL3BWATOWPYBJCIJW2FXZQXEBWHB
X-Message-ID-Hash: 3MGJUL3BWATOWPYBJCIJW2FXZQXEBWHB
X-MailFrom: touch@strayalpha.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tcpm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [tcpm] Re: Comments on draft-ietf-tcpm-tcp-edo-13
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/evLGnsoCa0nltyBTcH-0wXBY0mE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Owner: <mailto:tcpm-owner@ietf.org>
List-Post: <mailto:tcpm@ietf.org>
List-Subscribe: <mailto:tcpm-join@ietf.org>
List-Unsubscribe: <mailto:tcpm-leave@ietf.org>
Hi, Kuniyuki, Thanks for the detailed feedback. Some notes below. Joe — Dr. Joe Touch, temporal epistemologist www.strayalpha.com > On Jul 9, 2024, at 6:39 PM, Iwashima, Kuniyuki <kuniyu@amazon.co.jp> wrote: > > Hi Joe, > > I wanted to send summary of feedback to EDO draft and related works after IETF 118, but it somehow slipped on my mind. > Sorry for the long delay. (and thanks for the heads-up, Yoshi). > > > ## Suggestion > > I have three suggestions about EDO fallback, EDO Extension limit, and logging. > > 1) EDO fallback > > In the sentence below, > >>> The EDO Extension option MAY be used only if confirmed when the > connection transitions to the ESTABLISHED state, e.g., a client is > enabled after receiving the EDO Supported option in the SYN/ACK and > the server is enabled after seeing the EDO Extension option in the > > -> the server is enabled after seeing the _valid _ EDO Extension option in the <-- > > final ACK of the three-way handshake. If either of those segments > lacks the appropriate EDO option, the connection MUST NOT use any > EDO options on any other segments. > > I'd suggest adding "valid" like above to make it clear that the following "lacks the appropriate EDO" means > > i) ACK of 3WHS lacks EDO Extension option > ii) ACK of 3WHS has invalid/malformed EDO Extension > > and these segments should be dropped instead of triggering non-EDO fallback. Will do. > 2) EDO Extension limit > > As I told before, I think it would be better to clarify that EDO Extension MUST NOT be included more than once in a segment. > > If TCP header includes multiple same options, Linux uses the latest one and ignores the other preceding ones. > However, EDO Extension requires copying data into the linear buffer, the number of such an operation should be limited within the single segment to avoid DoS. Agreed; will do. > 3) Logging > > In the following sentence, the 2nd MUST should be changed to SHOULD. > >>> If EDO has been negotiated, any subsequent segments arriving > without the EDO Extension option MUST be silently ignored. Such > events MAY be logged as warning errors and logging MUST be rate > > -> events MAY be logged as warning errors and logging SHOULD be rate <- > > limited. > > Because there are two other places that mentions that EDO SHOULD log some events, not MUST. > >>> When an endpoint receives a segment using the 6-byte EDO > Extension option, it MUST validate the Segment_Length field with the > length of the segment as indicated in the TCP pseudoheader. If the > segment lengths do not match, the segment MUST be discarded and an > error SHOULD be logged in a rate-limited manner. > >>> Due to the potential impacts of legacy middleboxes (discussed in > Section 7), a TCP implementation supporting EDO SHOULD log any > events within an EDO connection when options that are malformed or > show other evidence of tampering arrive Agreed - will do. > That's all of my suggestions. > > In my implementation, EDO options are parsed as follows: > > - SYN segments > - EDO Supported (length == 2) is parsed > - other EDO option (length != 2) is ignored (option is skipped) Other EDO option (length !=2) should not be ignored; it should generate a RST in response. The option indicates a malformed SYN. I’ll add an explicit rule about that. > - non-SYN segments > - if not negotiated, all EDO options are ignored (option is skipped) Yes - we have to do this - it’s what legacy endpoints (those that don’t understand EDO) will do. > - if negotiated, > - EDO Supported or EDO option with invalid length (!= 4/6) is ignored (option is skipped) > - segment with multiple EDO Extension is dropped > - segment with invalid header/segment length is dropped > - EDO Extension is parsed > > If this behaviour is correct, I think I read the draft as intended and have no other comments. Yes, those seem reasonable. > ## Implementation > > Here's the EDO implementation of Linux kernel, tcpdump, and packetdrill. > > - https://github.com/q2ven/linux/tree/edo > - https://github.com/nsdyoshi/tcpdump/tree/tcp-edo-option > - https://github.com/q2ven/packetdrill/tree/edo > > The basic uAPI can be checked in this presentation. > > https://www.youtube.com/watch?si=bbBuPaAE5y__3IZW&t=2575&v=Na1FYAjLBeU&feature=youtu.be > > Note that the constant TCP_EXT_DATA_OFFSET for setsockopt() is 44. > > > The packetdrill repo has some scripts to test all possible EDO fallback scenarios, and SNMP stats can be used to check the negotiation result. > > ---8<--- > # ./packetdrill ../tcp/edo/edo-fallback-server-syn.pkt > # nstat | grep EDO > TcpExtTCPEDOFallbackSYN 1 0.0 > # ./packetdrill ../tcp/edo/edo-fallback-client-synack.pkt > # nstat | grep EDO > TcpExtTCPEDOFallbackSYNACK 1 0.0 > # ./packetdrill ../tcp/edo/edo-fallback-server-ack.pkt > # nstat | grep EDO > TcpExtTCPEDOFallbackACK 1 0.0 > # ./packetdrill ../tcp/edo/edo-fallback-cross-syn.pkt > # nstat | grep EDO > TcpExtTCPEDOFallbackSYN 1 0.0 > # ./packetdrill ../tcp/edo/edo-fallback-cross-synack.pkt > # nstat | grep EDO > TcpExtTCPEDOFallbackSYNACK 1 0.0 > # ./packetdrill ../tcp/edo/edo-sack.pkt > # nstat | grep EDO > TcpExtTCPEDOSuccess 1 0.0 > ---8<--- > > > Another script shows that more than 60 bytes header can be sent with EDO Extension. > In this example, 4 SACK blocks are sent with 8 bytes EDO Extension (including ExID 0x0ed0). > > ---8<--- > # ./packetdrill ../tcp/edo/edo-sack.pkt -v > ... > connect syscall: 1720572792.643631 > outbound sniffed packet: 0.000044 S 2116065219:2116065219(0) win 65535 <edoOK,mss 1440,sackOK,TS val 3401991024 ecr 0,nop,wscale 8> > inbound injected packet: 0.000101 S. 0:0(0) ack 2116065220 win 65535 <nop,nop,edoOK,mss 9000,sackOK> > outbound sniffed packet: 0.000114 . 2116065220:2116065220(0) ack 1 win 65535 <edo 28 28> > inbound injected packet: 0.000128 . 12:13(1) ack 2116065220 win 65535 <edo 28 29> > outbound sniffed packet: 0.000133 . 2116065220:2116065220(0) ack 1 win 65535 <edo 40 40,nop,nop,sack 12:13> > inbound injected packet: 0.000147 . 10:11(1) ack 2116065220 win 65535 <edo 28 29> > outbound sniffed packet: 0.000154 . 2116065220:2116065220(0) ack 1 win 65535 <edo 48 48,nop,nop,sack 10:11 12:13> > inbound injected packet: 0.000168 . 8:9(1) ack 2116065220 win 65535 <edo 28 29> > outbound sniffed packet: 0.000172 . 2116065220:2116065220(0) ack 1 win 65535 <edo 56 56,nop,nop,sack 8:9 10:11 12:13> > inbound injected packet: 0.000185 . 6:7(1) ack 2116065220 win 65535 <edo 28 29> > outbound sniffed packet: 0.000299 . 2116065220:2116065220(0) ack 1 win 65535 <edo 64 64,nop,nop,sack 6:7 8:9 10:11 12:13> > ---8<--- > > > Also, with MPTCP, we can see the effect of EDO Extension easily. Note that GRO must be turned off. Yes, we’re aware that GRO does not convert packets in ways consistent with TCP options. > > ---8<--- > Client: > $ sudo ethtool -K enp39s0 gro off > $ sudo sysctl net.ipv4.tcp_ext_data_offset=2 > $ mptcpize run iperf3 -c 10.0.0.36 -t 3 > > Server: > $ sudo ethtool -K enp39s0 gro off > $ sudo sysctl net.ipv4.tcp_ext_data_offset=2 > $ mptcpize run iperf3 -s > > tcpdump : > > IP 10.0.0.241.59560 > 10.0.0.36.5201: Flags [.], seq 84863089:84872006, ack 1, win 491, options [exp-edo hlen 64 seglen 8981 ,nop,nop,TS val 3197826953 ecr 2719828622,mptcp 22 dss ack 3678162956 seq 2861367221292019959 subseq 2596157316 len 8917,nop,nop], length 8917 > ---8<--- > > > Moreover, there is a debug sysctl knob to include NOPs after EDO. > > ---8<--- > $ sudo sysctl net.ipv4.tcp_nops=128 > > tcpdump: > IP 10.0.0.36.5201 > 10.0.0.241.44092: Flags [.], ack 47501509, win 41719, options [exp-edo hlen 180 seglen 180 ,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,TS val 2719945746 ecr 3197944077,mptcp 12 dss ack 8813009640328282684], length 0 > ---8<--- > > > Please let me know if you find weird/non-compliant behaviour. I’m not sure what you mean; is there some way you think this might be unexpected? > I hope this help make things forward. > > Best regards, > Kuniyuki > > > > >
- [tcpm] Comments on draft-ietf-tcpm-tcp-edo-13 Iwashima, Kuniyuki
- [tcpm] Re: Comments on draft-ietf-tcpm-tcp-edo-13 touch@strayalpha.com
- [tcpm] Re: Comments on draft-ietf-tcpm-tcp-edo-13 Iwashima, Kuniyuki
- [tcpm] Re: Comments on draft-ietf-tcpm-tcp-edo-13 touch@strayalpha.com
- [tcpm] Re: Comments on draft-ietf-tcpm-tcp-edo-13 Iwashima, Kuniyuki