Re: [tcpm] rfc5961 and suggested updates.

"Smith, Donald" <> Fri, 05 October 2018 16:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6DE1E130E55 for <>; Fri, 5 Oct 2018 09:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nGoYv7IajND9 for <>; Fri, 5 Oct 2018 09:40:48 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E19AB130E51 for <>; Fri, 5 Oct 2018 09:40:47 -0700 (PDT)
Received: from lxomp90v.corp.intranet ( []) by (8.14.8/8.14.8) with ESMTP id w95GeiFa025431 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 5 Oct 2018 10:40:45 -0600
Received: from lxomp90v.corp.intranet (localhost []) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w95Gedab056842; Fri, 5 Oct 2018 11:40:39 -0500
Received: from lxdnp31k.corp.intranet (lxomp81v.corp.intranet []) by lxomp90v.corp.intranet (8.14.8/8.14.8) with ESMTP id w95GedDg056831 (version=TLSv1/SSLv3 cipher=AES256-SHA256 bits=256 verify=NO); Fri, 5 Oct 2018 11:40:39 -0500
Received: from lxdnp31k.corp.intranet (localhost []) by lxdnp31k.corp.intranet (8.14.8/8.14.8) with ESMTP id w95GecOV042102; Fri, 5 Oct 2018 10:40:38 -0600
Received: from vddcwhubex501.ctl.intranet (vddcwhubex501.ctl.intranet []) by lxdnp31k.corp.intranet (8.14.8/8.14.8) with ESMTP id w95Gect7042094 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 5 Oct 2018 10:40:38 -0600
Received: from PDDCWMBXEX503.ctl.intranet ([fe80::9033:ef22:df02:32a9]) by vddcwhubex501.ctl.intranet ([]) with mapi id 14.03.0339.000; Fri, 5 Oct 2018 10:40:38 -0600
From: "Smith, Donald" <>
To: Joe Touch <>, Neal Cardwell <>
CC: Eric Dumazet <>, "" <>
Thread-Topic: [tcpm] rfc5961 and suggested updates.
Date: Fri, 5 Oct 2018 16:40:37 +0000
Message-ID: <68EFACB32CF4464298EA2779B058889D53E3759D@PDDCWMBXEX503.ctl.intranet>
References: <> <> <> <> <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-TM-AS-MML: disable
X-CFilter-Loop: Reflected
Archived-At: <>
Subject: Re: [tcpm] rfc5961 and suggested updates.
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 05 Oct 2018 16:40:50 -0000

Has anyone done the math to show this wouldn't be a 64k increase in counters/buffers/challenge ACKs?
Intuitively I know it isn't, in most cases you only have a few open ports/services, so probably 2x, 3x... ?

Is there any value to saying only OPEN sockets, ports or services or is that implied?
Is open socket the same as if it would have been allowed by a filter?
Clearly the OS doesn't know if a middle box would have filtered it, but it could in theory know if a host based filter would have stopped it.

"2.  Recommendation for ACK throttling mechanism
An implementation SHOULD have a per-socket ACK throttling mechanism
which is not shared across the system."

Socket implies open port/service, but if a port is open at the OS level but closed or limited to a specific set of source addresses via ACL, Iptables, IPF  (HFW)… or even a middle box should that be taken into account Packet could be filtered at a higher level than basic OS socket creation so no challenge ack nor counter needed unless it could have been allowed?

If you only send challenge acks for open ports/services would this provide a way to do negative scans?
The src is spoofed, so I don't think so, as the blind reset sender isn't seeing the challenges.

Metric System < +000 > -000
Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto

From: tcpm [] on behalf of Joe Touch []
Sent: Thursday, October 04, 2018 6:30 PM
To: Neal Cardwell
Cc: Eric Dumazet;
Subject: Re: [tcpm] rfc5961 and suggested updates.

FWIW, that makes the most sense to me.

On Oct 4, 2018, at 9:42 AM, Neal Cardwell <> wrote:


I would support the suggestion to publish these recommendations (for
per-connection rather than per-IP-address rate limiting) as an errata
to RFC5961.

This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.