Re: [tcpm] Progressing draft-ietf-tcpm-converters

Yuchung Cheng <> Mon, 20 May 2019 17:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 76C0D1201C3 for <>; Mon, 20 May 2019 10:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.41
X-Spam-Status: No, score=-7.41 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, URIBL_SBL=10, URIBL_SBL_A=0.1, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cHzyh57Nh6a1 for <>; Mon, 20 May 2019 10:24:39 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D58A120091 for <>; Mon, 20 May 2019 10:24:39 -0700 (PDT)
Received: by with SMTP id 198so163031wme.3 for <>; Mon, 20 May 2019 10:24:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=/HonKtfs/FRHJo41zIQVkiTqQ/3QZmLS2eydSvP8R4g=; b=JWN2yUchzFcOfW3dZcO6i1IZzGN7QRqLVi1UFmUgvr6Pch9nU4RN66H8OKMoVpQdFj RtAsSWOYskyrWGGOg1RhWLe1bDrH6vCpXn0tUvESv6JY7T7WQkyO0KAwZz1AWGU7jc+0 kAnWPAsS3xBQMgIKVX5KrkDscmMBFAN6TNBV+0p5jnhSsHCA8iynQ5rqHmAUmi758Nk8 eHjglBe7/G/NDoPBS3r2KjWngw3+jDNUZuDigFRIXmrWUw45+cmnh9VbbrSctqzQktdi 7xIvJ8Zej+sEISieBItVzXeQKV5UWATDGfy9eTTBxFht2k8lQ1Ai30baJVeps+L1ZYjS Hsvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=/HonKtfs/FRHJo41zIQVkiTqQ/3QZmLS2eydSvP8R4g=; b=JbpG0mYrvOsyjMTIsUeD7raYrtQOolVhSdWwjeMmqnsExxQxHvC16qeOgmkAeBCTMl aLDmnhrh4aexBMNKWsFNjkdS5ShTml6DNVFu//mpZTZYagRWQInGI9jArSN89vvYwm5o Z5vW2daMd5wK8QxTtOHC/hToD0wu1zGMEi1LzLl8MDmYImyUXnECrNGUG38eHFVGjTq0 n9lOfHqvlvlPKRZG5KD0W98BINFUv6U8/k9s0dI9iXkEBj6cTlbZ8FdT//qLLHggEMcB WCYDC2WSEsiGTpxeGawaiFDL0KtEjZMfKLbGCcRsiI5WihObd/+Yo0mIp+y8JELMw+jz EAvA==
X-Gm-Message-State: APjAAAXOVUiM1DAcEK+xKyKn+xeg0PbHsEW8gt1WYaRPSVd9zwp1Xp/o Iua75dpPvmKg72kLBHjvwYCiM3rD+qjxI4kqy6Pflw==
X-Google-Smtp-Source: APXvYqxtv1n+Exrb3B80AXwqVJkyHC0KNxxCjSa4t8jvMkQwbsa2GVsdULaFGtDnWBXkDg3Bckpx44dNoeWAJmXhckg=
X-Received: by 2002:a1c:6206:: with SMTP id w6mr201315wmb.56.1558373077240; Mon, 20 May 2019 10:24:37 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Yuchung Cheng <>
Date: Mon, 20 May 2019 10:24:00 -0700
Message-ID: <>
To: Olivier Bonaventure <>
Cc: " Extensions" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [tcpm] Progressing draft-ietf-tcpm-converters
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 May 2019 17:24:42 -0000

On Mon, May 20, 2019 at 10:07 AM Olivier Bonaventure
<> wrote:
> Hello,
> During the Prague meeting, I presented the updated version of draft-ietf-tcpm-converter. This new draft places data inside the SYN, but does not use the TFO option defined in RFC7413. After the meeting, we had some discussions by email with Praveen Balasubramanian and Christoph Paasch. Praveen suggested to use an empty TFO option, but we do not believe that this would be a good solution. I would like to summarise the main points of the discussion and solicit the opinion of the working group.
> According to RFC793, a SYN can contain a non-zero payload. The Experimental RFC7413 proposes the utilisation of a  cookie to protect the server from some forms of attacks. RFC7413 was designed for generic application-level that do not include the possibility of placing the cookie in the first packet of the payload. For this reason, RFC7413 uses a TCP option to encode the cookie. This design choice limits the length of the cookies and thus their security.
> The 0-RTT convert protocol is a specialised application level protocol that takes a different approach by putting the cookie inside the SYN payload as part of the application data. This reduces the consumption of TCP options and enables the utilisation of longer and more secure cookies. We believe that this is the right approach in the long term.
> We believe that a specialised TCP application should be allowed to use its own cookie inside the payload instead of relying on the TCP header to use fast open. The 0-RTT convert protocol is one example, but there could be others. Looking at other application layer protocols, I noticed that TLS1.3 (rfc8446) also includes a cookie which is mainly designed enable servers to get a confirmation of the reachability of the client IP addresses for DTLS, but the same approach could be used when TLS sends its initial data in the SYN as well.
> Another point that should be clarified in RFC7413 are how middleboxes should handle SYN packets containing a non-zero payload. According to RFC793, such packets are valid TCP packets. The TFO option, defined in RFC7314 is not and should not be considered as an indication that is required to “authorise” the utilisation of payload inside a SYN packet. During the Prague meeting, Christoph Paasch mentioned at the mike that they have one application that uses data inside the SYN and their measurements indicate that sending this SYN without the TFO option enables it to pass through more middleboxes than when the same SYN contains the TFO option.
> Another point is the socket API. Currently, Linux and MacOS decouple the transmission of data inside the SYN from the utilisation of the TFO option. This makes it possible for a client to send data inside the SYN without enabling TFO. On Windows, the API seems to force the utilisation of TFO when there is data in the SYN. As indicated earlier, RFC793 does not mandate the presence of the TFO to place data inside the SYN.
> The approach we are proposing has the benefits of RFC7413 but without its drawbacks. Moreover, given that RFC7413 is Experimental, we don't think that there is a harm if we proceed with the approach 0-rtt convert protocol while the IETF can further tweak and adjust the applicability scope of RFC7413. For example, an update can be proposed to RFC7413 to clarify that specialized application-level protocols could place cookie information in their payload and thus not use the TFO option.
Just to confirm: you mean an API that
let application sets the TFO cookie (on either server and client)?
otherwise obviously application can place any data in their TCP payload for its

> As indicated during the Prague meeting, we would like to finalize the 0-rtt convert protocol soon. Unless there are objections, we would like to ask to kindly issue a WGLC for the draft.
> Comments are more than welcome.
> Olivier and Med
> --
> Disclaimer:
> <>
> _______________________________________________
> tcpm mailing list