Re: [tcpm] Faster application handshakes with SYN/ACK payloads

"Murali Bashyam" <> Thu, 31 July 2008 21:10 UTC

Return-Path: <>
Received: from [] (localhost []) by (Postfix) with ESMTP id 9E1543A6D3C; Thu, 31 Jul 2008 14:10:06 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5B1773A6D38 for <>; Thu, 31 Jul 2008 14:07:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8RLCaVQ6xruN for <>; Thu, 31 Jul 2008 14:07:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5E1C23A6A05 for <>; Thu, 31 Jul 2008 14:07:12 -0700 (PDT)
Received: by with SMTP id d18so752738and.122 for <>; Thu, 31 Jul 2008 14:07:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=n78I8UIlFfh2FHgN+b1T2P6XiK5ZS2hCMTw0lKioIqY=; b=EOmKkkfYtm25/jrizAZ4YfFbBdTkgEF1WqZqxLksbKzPGGOYAxz4n/IP6wiEFvHISE thAupBzU5s67m5xLRYMobN+rhalxFsW7AdEzOEeJtPV2d51DL0Xe0GNDeX0nYIokxcPS ePucFh/HGYaJ6S0irDLiHW/NJuu9w9xnhibx4=
DomainKey-Signature: a=rsa-sha1; c=nofws;; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=TZVOQcRZ1FsC1tcOAobGIO0C6+fjy1gB4GxCfKDRQ5yxOya1UkaD+2jcOA5co3t8LE jIzsLTdybz1m/k5Z9Moc9jfwcL4pxHDFGPWBTC8raB4CPU+V7fyT5rkMMnkqHMEQO2du QB1XjNAAtfRMgQ1sqrxIP+3sT8ifzirBsGqNE=
Received: by with SMTP id h10mr15564941and.80.1217538449275; Thu, 31 Jul 2008 14:07:29 -0700 (PDT)
Received: by with HTTP; Thu, 31 Jul 2008 14:07:29 -0700 (PDT)
Message-ID: <>
Date: Thu, 31 Jul 2008 14:07:29 -0700
From: Murali Bashyam <>
To: Adam Langley <>
In-Reply-To: <>
MIME-Version: 1.0
References: <>
Subject: Re: [tcpm] Faster application handshakes with SYN/ACK payloads
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: multipart/mixed; boundary="===============1836868528=="

There are firewalls that drop SYN packets carrying payload, since it's
considered anomalous behaviour (rightly so given today's end-user
behaviour). Doesn't that defeat the purpose here? I suppose TCP options have
been explored and ruled out for some reason?

On Thu, Jul 31, 2008 at 12:52 PM, Adam Langley <>wrote:

> I posted this a while back and it gathered a little discussion:
> (implementation in [1])
> I would like to have this published as Experimental and to get an
> option number assigned.
> The spec itself includes a somewhat rambling justification because I
> wanted to decouple the spec, which is more general, from the exact
> reason that I wish to start testing this over the Internet at large.
> However, in order to provoke discussion I think I should explain my
> motivation:
> This spec allows for opportunistic encryption of TCP connections with
> no additional round trips. Details of the project can be found at [2],
> however a quick summary follows:
> Although SYN/ACK payloads could be used to accelerate many protocols,
> I'm proposing that, for HTTP, the SYN/ACK payload contains an 8-byte
> random nonce and a 32-byte eliptic-curve public value. The client can
> then perform key agreement and send it's own public value, nonce and
> any encrypted payload in the final ACK. (Or in a following packet,
> that works fine too). Data is then encrypted using Salsa20/8 where the
> key is SHA256(diffie-hellman output + server nonce + client nonce) and
> the IVs are 0 and 2**63 for client->server and server->client, resp.
> Obviously, this open to both a downgrade and man-in-the-middle attack.
> For a specific user, it offers little real security. However,
> amortised over a large set of users, any ISPs performing these attacks
> on a large scale will be detected. (I plan on building a network of
> hosts probing for large scale attacks.) Thus, eavesdroppers are
> removed from the equation and, against the rest, it can protect most
> of the people, most of the time.
> I also plan to sign the resulting packets with TCP-AO at some point,
> if possible. However, given that that is still under development I'm
> going to make that part of the negotiation, above, so that it can be
> deployed without it for now.
> Obviously, this system can only prove itself in time. However, it
> can't prove itself with an option number assigned. And thus, I'm
> looking for a consensus that this is an interesting experiment.
> Thanks
> Having spoken to quite a few people about this, I now have an FAQ on
> the design which is included below:
> * Why Elliptic-curves?
> The payload must be short otherwise SYN-floods could use this as an
> amplification
> to backscatter DDoS another host.
> Also, the reduced computation cost (as compared to Diffie-Hellman over a
> multiplicative finite field) is very nice.
> * Why 25519?
> It's very fast (2000 ops/sec with my C code. 4000 ops/sec with asm). Also,
> the
> server's public value must be constant, otherwise an attacker could eat CPU
> time with a SYN flood and curve25519 is designed for that.
> Since this is constant for all connections, there is no perfect forward
> secrecy.
> * Can't you fit the client's public value in the SYN?
> A SYN generally has 20 bytes of free option space these days. (We can't use
> the
> payload space in a SYN). Since this can't be the last option ever, we need
> to
> leave 4 bytes spare. 2 bytes for the option header means 14 bytes for the
> public value. The closest prime is 2**112-75.
> I'm a bear of little brain and picking my own curve is already a hell of a
> task, but assuming that I can:
> The best, general algorithm currently known for breaking the DH problem on
> elliptic curves is Pollard's Rho. The work involved in this attack is
> sqrt(n),
> which is 2**56 in this case. Critically, once you have solved a single
> instance
> you can precompute tables to speed up breaking more instances. With a
> petabyte
> of storage, you could break 112-bit curves in 2**12 operations, which is
> very
> fast.
> * Can't you use a smaller field anyway?
> Some speedup could be gained by using an EC with a field size around 200
> bits.
> However the effort of defining such a curve is pretty huge. The standard
> curves around that size are slower:
> (table
> 6)
> * Why Salsa20/8?
> It encrypts at two cycles per byte on modern CPUs[1]. The best attack on
> this,
> reduced round, variant is 2**251. It's very unlikely that an attack would
> ever
> break it to the point that it's easier than performing a downgrade attack.
> [1]
> [2]
> --
> Adam Langley
> _______________________________________________
> tcpm mailing list

Murali Bashyam
(c) (510)6736915

----------------------------- CONFIDENTIAL --------------------
This telecommunication and any data attached to, or included in it
is considered confidential, and is intended only for use by the named
recipient. The contents may be legally protected as any one or more of:
copyrighted material, trade-secret protected material, attorney-client
privileged material, attorney workproduct, or as material covered by
any other legally available means. If you received this material in
error, please notify the sender and destroy the original and all copies,
whether electronic or otherwise. Thank you.
------------------------------ CONFIDENTIAL --------------------
tcpm mailing list