IETF Logo Mail Archive

Re: [tcpm] I-D Action: draft-ietf-tcpm-1323bis-13.txt

Pasi Sarolahti <pasi.sarolahti@iki.fi> Tue, 28 May 2013 08:45 UTC

Return-Path: <pasi.sarolahti@iki.fi>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD35621F93A3 for <tcpm@ietfa.amsl.com>; Tue, 28 May 2013 01:45:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zw3yPPd8Orxm for <tcpm@ietfa.amsl.com>; Tue, 28 May 2013 01:45:30 -0700 (PDT)
Received: from kirsi1.inet.fi (mta-out.inet.fi [195.156.147.13]) by ietfa.amsl.com (Postfix) with ESMTP id 51C9421F939E for <tcpm@ietf.org>; Tue, 28 May 2013 01:45:30 -0700 (PDT)
Received: from [192.168.1.70] (80.223.92.46) by kirsi1.inet.fi (8.5.140.03) (authenticated as saropa-1) id 5163F40203205B4F; Tue, 28 May 2013 11:45:16 +0300
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Pasi Sarolahti <pasi.sarolahti@iki.fi>
In-Reply-To: <51A3D24F.7050300@isi.edu>
Date: Tue, 28 May 2013 11:45:25 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <62F28CBC-271E-42C4-9D06-1331CE25DC0E@iki.fi>
References: <20130518155753.17946.96581.idtracker@ietfa.amsl.com> <CAK6E8=d_LTZgnGAncdWDAi+7ebd3Lo5aevPeGG0=KSbBMeBhcg@mail.gmail.com> <519A8322.6030405@isi.edu> <26034_1369382276_519F1D83_26034_1735_1_519F1D68.604@uclouvain.be> <E220F4B0-EE27-431C-BCBE-0A0C01C8B0EF@iki.fi> <51A38F9F.4000407@isi.edu> <39EDB63B-7FCB-43F5-9355-474D50976005@iki.fi> <51A3A684.5020400@isi.edu> <B3F294F6-8866-4155-98F6-0927B90346E4@iki.fi> <51A3D24F.7050300@isi.edu>
To: Joe Touch <touch@ISI.EDU>
X-Mailer: Apple Mail (2.1503)
Cc: "tcpm@ietf.org Extensions" <tcpm@ietf.org>
Subject: Re: [tcpm] I-D Action: draft-ietf-tcpm-1323bis-13.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2013 08:45:37 -0000

On May 28, 2013, at 12:38 AM, Joe Touch <touch@ISI.EDU> wrote:

> There are four alternatives here regarding robustness:
> 
> 	1. should the segment be accepted fully?
> 
> 	2 should the segment generate a response (resend last ACK)?
> 
> 	3. should the segment be silently ignored?
> 
> 	4. should the segment generate an error?
> 
> Robustness suggests preferring these in order, where appropriate. However, if the point of TSopt is PAWS protection, then the best you can do is nothing (#3).


After the latest addition, there is some inconsistency between Sec. 3.2 and 4.3.

* In the PAWS algorithm in sec. 4.3., there should be an additional step before R1 for checking if Timestamps option is present, and if not, tell to discard the segment (if negotiation had been successful).

* PAWS algorithm tells to send acknowledgment if the check fails. Shouldn't we then, for consistency, require sending acknowledgment also if TSopt is missing? Current MAY in Sec. 3.2. is not very informative in my mind.

But based on my quick Linux check, I believe that currently implementations follow what sec. 4.3. currently says, and what it said in RFC 1323: "if there is Timestamps option in the segment, then [do PAWS check]....". So this would be relevant change compared to RFC 1323 that should also be highlighted in Appendix H, because it may require action from implementors.

>> But there are possible deployment implications in additional
>> receiver check, too. In a perfect world this might work, but RFC 1323
>> did not have as strict MUST requirement about including TSopt in all
>> segments after handshake, and there are possible middlebox issues as
>> Olivier mentioned. So I think it would be worthwhile addition to the
>> middlebox section, then, to say if a middlebox removes TSopt option,
>> or a resegmenting middlebox does not include it in all segments, that
>> breaks the TCP connection entirely, if this version of spec is
>> followed.
> 
> Sure. It's defeating the value of the TSopt. It's inappropriate for a connection to claim TSopt protection and not have it.

So, to reflect the comment Olivier made earlier, I'd suggest expanding the third bullet in the Security Considerations section with something like following:

OLD:
" *  If the Timestamps option is removed from the <SYN> or <SYN,ACK>
         segment, high speed connections that need PAWS would not have
         that protection.  Middleboxes should not remove the Timestamps
         option."

NEW:
" *  If the Timestamps option is removed from the <SYN> or <SYN,ACK>
         segment, high speed connections that need PAWS would not have
         that protection. Successful negotiation of Timestamps option enforces a stricter verification of incoming segments at receiver. If the Timestamps option was removed from a subsequent data segment after a successful negotiation (for example, as part of re-segmentation), the segment is discarded by the receiver without further processing. Middleboxes should not remove the Timestamps option. One study found that 6% of measured HTTP connections had the Timestamps option removed from data segments [Honda11]."

[Honda11]  M. Honda, Y. Nishida, C. Raiciu, A. Greenhalgh, M. Handley, and H. Tokuda. Is it still possible to extend TCP?. In Proc. of ACM Internet Measurement Conference (IMC) '11, Berlin, Germany, November 2011. 

- Pasi

v2.8.7 | Report a Bug | By Email