Re: [tcpm] TCP Long Options - Why not as payload in SYNs?
"Adam Langley" <agl@imperialviolet.org> Mon, 14 July 2008 23:42 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 531E93A677E; Mon, 14 Jul 2008 16:42:04 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 67B043A68A0 for <tcpm@core3.amsl.com>; Mon, 14 Jul 2008 16:42:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YU0AhSRBmrto for <tcpm@core3.amsl.com>; Mon, 14 Jul 2008 16:42:01 -0700 (PDT)
Received: from rv-out-0506.google.com (rv-out-0506.google.com [209.85.198.230]) by core3.amsl.com (Postfix) with ESMTP id 6E3883A6767 for <tcpm@ietf.org>; Mon, 14 Jul 2008 16:42:01 -0700 (PDT)
Received: by rv-out-0506.google.com with SMTP id b25so4440049rvf.49 for <tcpm@ietf.org>; Mon, 14 Jul 2008 16:42:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references :x-google-sender-auth; bh=NuZJrZLKaqVNGMKup3fBKP3vD1Na6D00v/mAJRlVJzI=; b=dutSEkiwUhBZ1PUpdkkXfP2y56XCLqYXbqObHWFKSNXwL8pCQ0lOo8o7iOJA4RlckS 7Wss767NkUaWj0jkzkGDm5nHGKzv5JBreJspKS5stPlXMED9swOyA/Mg0nq6nTONv814 h4L/MNr4GaY/Oj4pSz78IyenejgeIaoC7ZcaM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references:x-google-sender-auth; b=o2DgJ9+sHuH3fBZvc/vQFMey5LB8iDvdTIWTFKAVmQL0qKGv26UsltvjrS6H5ILjOj J0qDS+EbMDI9hj/Is3mImDyJWqb9/XRC4EXiBovd7vBB32e4I5WjjUohs9i5zP+bLQWb 4c9DYKApB4tTP2Et7fNByoIEWLOW3Rfp8/FgY=
Received: by 10.141.63.9 with SMTP id q9mr6948979rvk.47.1216078945900; Mon, 14 Jul 2008 16:42:25 -0700 (PDT)
Received: by 10.141.186.3 with HTTP; Mon, 14 Jul 2008 16:42:25 -0700 (PDT)
Message-ID: <396556a20807141642g4cb384e8v1a9065996908d30a@mail.gmail.com>
Date: Mon, 14 Jul 2008 16:42:25 -0700
From: Adam Langley <agl@imperialviolet.org>
To: Joe Touch <touch@isi.edu>
In-Reply-To: <487BCBCD.7030103@isi.edu>
MIME-Version: 1.0
Content-Disposition: inline
References: <20080714121424.GA31382@ikr.uni-stuttgart.de> <78C9135A3D2ECE4B8162EBDCE82CAD7703E66F37@nekter> <487BAFCF.3020402@isi.edu> <487BBF1C.7000101@isi.edu> <487BCBCD.7030103@isi.edu>
X-Google-Sender-Auth: 16ca312aae3fa8ef
Cc: tcpm@ietf.org, Caitlin Bestler <Caitlin.Bestler@neterion.com>
Subject: Re: [tcpm] TCP Long Options - Why not as payload in SYNs?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
On Mon, Jul 14, 2008 at 2:57 PM, Joe Touch <touch@isi.edu> wrote: > - we can show that there are NO versions of extending TCP options that are > truly backward compatible > i.e., that use a single SYN I believe that's true if you're talking about extending the options in a SYN packet. > - we can also show that there are NO versions of extending TCP options that > are compatible with SYN cookies > as long as the ISN is the same length, there's only so much > place for state Well, it's reasonable for stacks to disable certain features when using SYN cookies. Until very recently, I believe that Linux would forget about SACK permitted options in the SYN when cookies were in use. It got around that by using the TCP timestamp as extra cookie space. (I'm informed that BSD uses the same timestamp/cookie trick.) If SYN cookies are only enabled when some attack heuristic is met, that's a reasonable thing to do. Extensions which involve SYN options thus need to cope with the case where they are ignored by a host under attack. (I've a draft, that I'll probably post tomorrow, that does exactly that.) AGL -- Adam Langley agl@imperialviolet.org http://www.imperialviolet.org _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] TCP Long Options - Why not as payload in S… Michael Scharf
- Re: [tcpm] TCP Long Options - Why not as payload … Adam Langley
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Michael Scharf
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Adam Langley
- Re: [tcpm] TCP Long Options - Why not as payload … Caitlin Bestler
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Christian Huitema
- Re: [tcpm] TCP Long Options - Why not as payload … Sergio Freire
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch
- Re: [tcpm] TCP Long Options - Why not as payload … Adam Langley
- Re: [tcpm] TCP Long Options - Why not as payload … Joe Touch