Re: [tcpm] 793bis: TCP Quiet Time

Fernando Gont <fgont@si6networks.com> Thu, 23 January 2020 07:22 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83B8A120072 for <tcpm@ietfa.amsl.com>; Wed, 22 Jan 2020 23:22:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EKSJPxY-Oa6t for <tcpm@ietfa.amsl.com>; Wed, 22 Jan 2020 23:22:46 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28104120026 for <tcpm@ietf.org>; Wed, 22 Jan 2020 23:22:46 -0800 (PST)
Received: from [192.168.100.103] (unknown [186.183.3.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id B7B8082DC0; Thu, 23 Jan 2020 08:22:42 +0100 (CET)
To: Matt Mathis <mattmathis@google.com>, Joe Touch <touch@strayalpha.com>
Cc: "tcpm@ietf.org" <tcpm@ietf.org>
References: <5D669BDA.3000506@erg.abdn.ac.uk> <5D66A044.3060904@erg.abdn.ac.uk> <5d11289c-0174-8a5e-7f47-b0110564a601@mti-systems.com> <d6d45644-387a-6cee-8087-379c45f36e43@si6networks.com> <4B73D1AE-7901-4F2C-A56F-D4BF6D914050@strayalpha.com> <CAH56bmDx=EoCMhO__5n84cu0ZYDHRs0FvEYqm2KJLuNz+5K=PA@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <42ac39b4-34e0-7b51-cbb1-b158723ab089@si6networks.com>
Date: Thu, 23 Jan 2020 04:20:08 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <CAH56bmDx=EoCMhO__5n84cu0ZYDHRs0FvEYqm2KJLuNz+5K=PA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/o2ZBJv4bHY1cXqeQJWxP14LfptQ>
Subject: Re: [tcpm] 793bis: TCP Quiet Time
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 07:22:48 -0000

On 23/1/20 03:59, Matt Mathis wrote:
> There are two other changes that have largely made this problem moot:
> a) ISS and ephemeral port randomization make it extremely unlikely that 
> segments delayed across a reboot will be in sequence for any connections 
> (at the time this was written, both ISS and ephemeral ports were 
> generated by counters starting from fixed integers).

FWIW, note in many of the randomization schemes (e.g. RFC6528) the 
resulting sequence still looks like a counter for each (src, dst). 
Still, I would expect the problem to be unlikely.



> b) Although not reflected in policy, the effective MSL of the internet 
> has been declining as it gets faster.   There are paths and devices that 
> can delay packets by more than 10 seconds but they don't normally cause 
> packets to be reordered by that much, so a new SYN can't pass an old 
> data segment, which is a requirement for triggering the hazard.

Agreed.



> I would suggest changing the text to say "a theoretical problem....  
> that could be fixed by...  but for the following reasons it is viewed as 
> being sufficiently unlikely to ignore.

I would agree with this. That aside, one might also consider than as 
encryption becomes more pervasive, even in the case the problem took 
place, the connection would be reset, and the application would recover. 
  -- so I guess it would be a hard case to make OSes implement this 
"quiet time".

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492