[tcpm] draft-ietf-tcpm-converter: Praveen's Comment
<mohamed.boucadair@orange.com> Tue, 02 April 2019 06:28 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 789E3120090 for <tcpm@ietfa.amsl.com>; Mon, 1 Apr 2019 23:28:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rkk4GiKOS16Y for <tcpm@ietfa.amsl.com>; Mon, 1 Apr 2019 23:28:35 -0700 (PDT)
Received: from orange.com (mta240.mail.business.static.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4763012001E for <tcpm@ietf.org>; Mon, 1 Apr 2019 23:28:35 -0700 (PDT)
Received: from opfedar04.francetelecom.fr (unknown [xx.xx.xx.6]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id 44YK6914ZBz2xZh; Tue, 2 Apr 2019 08:28:33 +0200 (CEST)
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.32]) by opfedar04.francetelecom.fr (ESMTP service) with ESMTP id 44YK6902zSz1xpl; Tue, 2 Apr 2019 08:28:33 +0200 (CEST)
Received: from OPEXCAUBMA2.corporate.adroot.infra.ftgroup ([fe80::e878:bd0:c89e:5b42]) by OPEXCAUBM7C.corporate.adroot.infra.ftgroup ([fe80::2c53:f99a:e2a9:19c6%21]) with mapi id 14.03.0439.000; Tue, 2 Apr 2019 08:28:32 +0200
From: mohamed.boucadair@orange.com
To: "tcpm@ietf.org" <tcpm@ietf.org>, "pravb@microsoft.com" <pravb@microsoft.com>
Thread-Topic: draft-ietf-tcpm-converter: Praveen's Comment
Thread-Index: AdTpHUjyJVzjtSnASnuB/GHn+JiZWg==
Date: Tue, 02 Apr 2019 06:28:31 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302EA50E39@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.245]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B93302EA50E39OPEXCAUBMA2corp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/qOzPSDklF_qUkvfrE5jhkVk4KCQ>
Subject: [tcpm] draft-ietf-tcpm-converter: Praveen's Comment
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2019 06:28:38 -0000
Hi Praveen, all, During the Prague meeting, you raised a comment about the inability of your implementation to send data in a SYN without enabling TFO. I suggest to following change to the draft to take into account your comment: OLD: Standard TCP ([RFC0793], Section 3.4<https://tools.ietf.org/html/rfc0793#section-3.4>) allows a SYN packet to carry data inside its payload but forbids the receiver from delivering it to the application until completion of the three-way-handshake. This restriction was motivated by two concerns. First, duplicate SYNs can cause problems for some applications that rely on TCP [RFC7413<https://tools.ietf.org/html/rfc7413>]. Second, TCP suffers from SYN flooding attacks [RFC4987<https://tools.ietf.org/html/rfc4987>]. TCP Fast Open [RFC7413<https://tools.ietf.org/html/rfc7413>] solves these two problems for applications that can tolerate replays by using the TCP Fast Open option that includes a cookie. However, the utilization of this option consumes space in the limited TCP extended header. Furthermore, there are situations, as noted in Section 7.3 of [RFC7413]<https://tools.ietf.org/html/rfc7413#section-7.3> where it is possible to accept the payload of SYN packets without creating additional security risks such as a network where addresses cannot be spoofed and the Transport Converter only serves a set of hosts that are identified by these addresses. For these reasons, this specification does not mandate the use of the TCP Fast Open option when the Client sends a connection establishment packet towards a Transport Converter. The Convert protocol includes an optional Cookie TLV that provides similar protection as the TCP Fast Open option without consuming space in the extended TCP header. NEW: Standard TCP ([RFC0793], Section 3.4<https://tools.ietf.org/html/rfc0793#section-3.4>) allows a SYN packet to carry data inside its payload but forbids the receiver from delivering it to the application until completion of the three-way-handshake. This restriction was motivated by two concerns. First, duplicate SYNs can cause problems for some applications that rely on TCP [RFC7413<https://tools.ietf.org/html/rfc7413>]. Second, TCP suffers from SYN flooding attacks [RFC4987<https://tools.ietf.org/html/rfc4987>]. TCP Fast Open [RFC7413<https://tools.ietf.org/html/rfc7413>] solves these two problems for applications that can tolerate replays by using the TCP Fast Open option that includes a cookie. However, the utilization of this option consumes space in the limited TCP extended header. Furthermore, there are situations, as noted in Section 7.3 of [RFC7413]<https://tools.ietf.org/html/rfc7413#section-7.3> where it is possible to accept the payload of SYN packets without creating additional security risks such as a network where addresses cannot be spoofed and the Transport Converter only serves a set of hosts that are identified by these addresses. For these reasons, this specification does not mandate the use of the TCP Fast Open option when the Client sends a connection establishment packet towards a Transport Converter. The Convert protocol includes an optional Cookie TLV that provides similar protection as the TCP Fast Open option without consuming space in the extended TCP header. o Implementation Note: For implementations which do not allow to insert data in the payload of a SYN without making use of TFO option, a cookie-less TFO mode is used. Considerations related to the use of the Cookie TLV apply also for such cookie-less TFO mode. Please let us know if this change addresses your concern. Thank you. Cheers, Med
- [tcpm] draft-ietf-tcpm-converter: Praveen's Comme… mohamed.boucadair