IETF Logo Mail Archive

Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13

Yoshifumi Nishida <nsd.ietf@gmail.com> Fri, 24 November 2023 04:44 UTC

Return-Path: <nsd.ietf@gmail.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 973E2C14CE39 for <tcpm@ietfa.amsl.com>; Thu, 23 Nov 2023 20:44:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eufh1v4jaUM for <tcpm@ietfa.amsl.com>; Thu, 23 Nov 2023 20:44:25 -0800 (PST)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8DA3C14CE2C for <tcpm@ietf.org>; Thu, 23 Nov 2023 20:44:25 -0800 (PST)
Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-40842752c6eso10061855e9.1 for <tcpm@ietf.org>; Thu, 23 Nov 2023 20:44:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700801064; x=1701405864; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RUcJt6Uoc1hCEwhPL5xvAQqtkNY4ywfeo39yRHoAOUs=; b=I7vJjc+9NNbfzjUTX+OFxmWs3qQKbdR0PdsKWRHGz8W9/WAPxOneQrhGUxJEZQoBxs qKA4gvKGdfBDt+3TWGhAvQzWz4/gd8bY6vQXjJ6a3RVNldUquz64lcqafOUc8CtZ1lai uOWkrBuNqJvUivQM6GEmqCBpZEXlGNC0lKlaOJBmItfi3BMEhNM8t2Rq+v8ErhJv5/7Y 5tJVv97vW0GIvg6LyR++OsorICGIe6wPFI05a3Y3aw+jbxWEYaXgUXZ4AV+Bx4Hq4XH9 TT3nSHNkKEZFB+fd8qndqROzrU9uSltsTR13Go6tiz7MSXkQsnOCeq7y/pVFayPS8RpL B2uA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700801064; x=1701405864; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RUcJt6Uoc1hCEwhPL5xvAQqtkNY4ywfeo39yRHoAOUs=; b=CTueC22WLYImtPJTYoK55Lg9zFAvFN4I+T6s+5n0yYIf91uqmJ/ZcUkul3jPa56wip 1GkQrYsCDGnU4fmz1cRkin7QstaTELtm0n2EgA0gDWysq2dJ16Jy5doB4ecszk5X1Pax hsirjtg3ivfw8bEN8jxUPHm8FkOq7EOu57g+lDYB9orpSeD6VUD8Ugca5N0wpNt9tyDb PuMHpMyWK8GOVAR58CTZuvP8H81m12WEFBZs+kanhTF0eRhS8wVa1F5fBnpsSI4dkaHb oux2uuo3fkNKWZD0eHHUefHAy5nllLV48xW0esr40kUUF70umrwdKM7qYyWKPP5fdveM /4sQ==
X-Gm-Message-State: AOJu0YwqP9tr7yOUbYuMVZ/5wlPih1VtO7wwmRoo2FwGTbR2Vbxvav4m wECWTx5cbQFlXxD0xt35HB8LpLTk11otpoafXQTEA6g5
X-Google-Smtp-Source: AGHT+IGzdCk5fTn6bcmYR0avMS1e5D+RYrEiYiaewqyKPs8+ypr2UbHjpF2XDLrVKJ0pTDOX7CwFw6uqNchnPFkPC+Y=
X-Received: by 2002:a05:600c:3b17:b0:40a:49c1:94d9 with SMTP id m23-20020a05600c3b1700b0040a49c194d9mr1288165wms.27.1700801063848; Thu, 23 Nov 2023 20:44:23 -0800 (PST)
MIME-Version: 1.0
References: <fc2d032a-eed3-536a-7131-f4c8ba697136@linux.alibaba.com> <CAAK044QNA9dUw=yfPLkRDOFZ58q7vFhbSKNNNADDFNayoZsuUg@mail.gmail.com> <0c8c3062-1efd-fc7c-2497-49a99f8f0b9d@linux.alibaba.com>
In-Reply-To: <0c8c3062-1efd-fc7c-2497-49a99f8f0b9d@linux.alibaba.com>
From: Yoshifumi Nishida <nsd.ietf@gmail.com>
Date: Thu, 23 Nov 2023 20:44:12 -0800
Message-ID: <CAAK044T_iVVapX5vYF_mgz+=e6by98W2Cw0OF+tHt-ybuKOL1Q@mail.gmail.com>
To: "D. Wythe" <alibuda@linux.alibaba.com>
Cc: tcpm@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003e8e5e060ade9b25"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/qSwkAx0wXgeviQvxeOxBiWcMLGA>
Subject: Re: [tcpm] Comments to draft-ietf-tcpm-tcp-edo-13
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Nov 2023 04:44:26 -0000

Hi Wythe,

On Wed, Nov 22, 2023 at 10:25 PM D. Wythe <alibuda@linux.alibaba.com> wrote:

>
> Hi Yoshi,
>
> Thanks for you comments.
>
> On 11/23/23 3:26 AM, Yoshifumi Nishida wrote:
> > Hi Wythe,
> >
> > I'm not the author of the draft. But, there are the following texts in
> > the draft.
> >
> > "Once enabled on a connection, all segments in both directions MUST
> > include the EDO Extension option."
> > "If EDO has been negotiated, any subsequent segments arriving without
> > the EDO Extension option MUST be silently ignored."
> >
> > So, I think you'll probably see connection timeouts in such cases.
> > This may look suboptimal behavior, but at the same time, we probably
> > don't want to think about buggy implementations too much because it
> > can be endless. The behavior you describe is prohibited by RFC9293.
>
> I believe that in that case, connections may not end with timeouts but
> instead receive an erroneous application
> response from the server. This is because the server does not support
> EDO, and an incorrectly implemented middlebox
> copies the EDO support option, which misleading the client.
>

Do you mean incorrectly implemented middle box attaches EDO supported
options used in SYN to data packets from the server?
Or,  the middle box copies EDO extension options to the ACKs from the
server for the data packets from the client?
It's a bit hard for me to believe such behavior.. Because I think it can be
complicated to implement such behavior.

> BTW, I'm curious about how frequently we see this kind of behavior.
>
> Previously, I had the belief that this might was a widespread scenario,
> but as I conducted further investigation,
> I realized that this issue may only exist in specific organizations or
> regions..
>
> We are now convinced that this issue is caused by a type of incorrect
> syn-proxy implementation, who
> acts as an intermediary to protect against SYN flood attacks by
> completing TCP handshakes on behalf of clients,
> preventing server overload.
>
> The problem is that when the syn-proxy receives a syn from the client,
> in order to avoid memory allocation and copying,
> some implementations reuse the SYN packets, exchange IP addresses and
> ports, and send it out as SYN/ACK to client.
> Unfortunately, it did not consider the impact of TCP options being
> simply copied.
>
> A example I found is:
>
> https://github.com/iqiyi/dpvs/blob/master/src/ipvs/ip_vs_synproxy.c
>
>  From this perspective, it is worth considering that these issues may
> only affect certain organizations and regions.
> I agree with your point about buggy implementations, as these types of
> issues can be never-ending and are
> beyond the protocol's control or responsibility to handle.
>

Thanks for the info. But, does it copy options other than SYN or SYN/ACK
packets?
--
Yoshi

v2.23.0 | Report a Bug | By Email