One document matched: draft-briscoe-tcpm-syn-op-sis-02.txt
Differences from draft-briscoe-tcpm-syn-op-sis-01.txt
TCP Maintenance and Minor Extensions (tcpm) B. Briscoe
Internet-Draft BT
Updates: 793 (if approved) September 22, 2014
Intended status: Experimental
Expires: March 26, 2015
Extended TCP Option Space in the Payload of an Alternative SYN
draft-briscoe-tcpm-syn-op-sis-02
Abstract
This document describes an experimental method to extend the option
space for connection parameters within the initial TCP SYN segment at
the start of a TCP connection. In this method the TCP client sends
two alternative SYNs: one intended for legacy servers and one
intended for upgraded servers. Once it establishes which type of
server has responded, it continues the connection appropriate to that
server type and aborts the other. The SYN intended for upgraded
servers includes additional options at the end of the payload. It is
designed to traverse all known middleboxes. In the longer term,
clients will be able to send only the SYN intended for upgraded
servers.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 26, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Briscoe Expires March 26, 2015 [Page 1]
Internet-Draft Sister SYNs September 2014
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Motivation for Adoption (to be removed before
publication) . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Experiment Goals . . . . . . . . . . . . . . . . . . . . 4
1.4. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Protocol Specification . . . . . . . . . . . . . . . . . . . 5
2.1. Dual 3-Way Handshake . . . . . . . . . . . . . . . . . . 5
2.2. Retransmission Behaviour . . . . . . . . . . . . . . . . 7
2.3. Segment Structure . . . . . . . . . . . . . . . . . . . . 7
2.3.1. SYN-U Structure (Non-Deterministic) . . . . . . . . . 7
2.3.2. SYN/ACK-U Structure . . . . . . . . . . . . . . . . . 9
2.4. TCP Option Processing . . . . . . . . . . . . . . . . . . 9
2.4.1. Writing TCP Options . . . . . . . . . . . . . . . . . 9
2.4.2. Reading TCP Options . . . . . . . . . . . . . . . . . 10
2.4.3. Forwarding TCP Options . . . . . . . . . . . . . . . 11
3. Discussion of Non-Determinism . . . . . . . . . . . . . . . . 11
4. Migration to Single Handshake . . . . . . . . . . . . . . . . 12
5. Interaction with Pre-Existing TCP . . . . . . . . . . . . . . 13
6. Dual Handshake: The Explicit Variant . . . . . . . . . . . . 13
6.1. Retransmission Behaviour - Explicit Variant . . . . . . . 14
6.2. SYN-L Structure . . . . . . . . . . . . . . . . . . . . . 15
6.3. Corner Cases . . . . . . . . . . . . . . . . . . . . . . 15
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 16
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.1. Normative References . . . . . . . . . . . . . . . . . . 16
10.2. Informative References . . . . . . . . . . . . . . . . . 17
Appendix A. Alternative Protocol Specifications . . . . . . . . 17
A.1. SYN-U Structure (Deterministic) . . . . . . . . . . . . . 17
Appendix B. Comparison of Alternatives . . . . . . . . . . . . . 19
B.1. Implicit vs Explicit Dual Handshake . . . . . . . . . . . 19
B.2. Non-Deterministic vs Deterministic SYN-U . . . . . . . . 20
B.3. Comparison with Other Proposals . . . . . . . . . . . . . 21
Appendix C. Protocol Design Issues (to be Deleted before
Publication) . . . . . . . . . . . . . . . . . . . . 21
Appendix D. Change Log (to be Deleted before Publication) . . . 21
Briscoe Expires March 26, 2015 [Page 2]
Internet-Draft Sister SYNs September 2014
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction
This document describes an experimental method to extend the TCP
option space available in the initial SYN segment of a TCP connection
(i.e. SYN set and ACK not set) [RFC0793]. This extension is
required to support some combinations of TCP options, notably large
ones such as TCP AO [RFC5925] (16B), Multipath TCP [RFC6824] (12B),
and TCP Fast Open [I-D.ietf-tcpm-fastopen] (6-18B) as well as other
options already typically used in TCP connections, such as SACK-ok
(2B), Timestamp (10B), Window Scale (3B), MSS (4B) .
In this method the TCP client sends two alternative SYNs: one
intended for legacy servers and one intended for upgraded servers.
Once it establishes which type of server has responded, it continues
the connection appropriate to that server type and aborts the other.
The SYN intended for upgraded servers includes additional options at
the end of the payload. It is designed to traverse all known
middleboxes.
The ambition of this specification is more than just a low latency
way to extend the TCP option space using two SYNs for parallel
capability negotiation. A larger goal is to enable evolution
towards:
o a single TCP initial segment with more space for control options
and
o a more structured way for TCP to determine which control options
might interact with middleboxes and which are intended solely for
end-system interaction.
1.1. Motivation for Adoption (to be removed before publication)
It is recognised that there could be potential for compressing
together multiple options in order to mitigate the option space
problem. However, it seems inevitable that ultimately more option
space will be needed, particularly given that many of the TCP options
introduced recently consume large numbers of bits in order to provide
sufficient information entropy, which is not amenable to compression.
Extension of TCP option space on a SYN requires support from both
ends. This means it will take many years before the facility is
functional for most pairs of end-points. Therefore, given the
problem is already becoming pressing, a solution needs to start being
deployed now.
Briscoe Expires March 26, 2015 [Page 3]
Internet-Draft Sister SYNs September 2014
1.2. Scope
This experimental specification extends the TCP wire protocol. It is
independent of the dynamic behaviour of TCP and it is independent of
(and thus compatible with) any protocol that encapsulates TCP,
including IPv4 and IPv6.
1.3. Experiment Goals
TCP is critical to the robust functioning of the Internet, therefore
any proposed modifications to TCP need to be thoroughly tested. The
present specification describes an experimental protocol that
provides extra option space on the initial TCP SYN segment. The
intention is to specify the protocol sufficiently so that more than
one implementation can be built in order to test its function,
robustness and interoperability (with itself, with previous version
of TCP, and with various commonly deployed middleboxes).
Success criteria: The experimental protocol will be considered
successful if it satisfies the following requirements in the
consensus opinion of the IETF tcpm working group. {ToDo: describe
success criteria}
Duration: To be credible, the experiment will need to last at least
12 months from publication of the present specification. If
successful, a report on the experiment will be written up. it
would then be appropriate to work on a standards track
specification, in which the experiment report may be included.
1.4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. In this
document, these words will appear with that interpretation only when
in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance.
TCP header: As defined in RFC 793 [RFC0793]. Even though the
present specification places TCP options at the end of the
payload, the term 'TCP header' is still used to mean only those
fields at the head of the segment, delimited by the TCP Data
Offset.
Extra TCP options: TCP options placed in the space that the present
specification makes available beyond the Data Offset, and beyond
any optional payload.
Briscoe Expires March 26, 2015 [Page 4]
Internet-Draft Sister SYNs September 2014
TCP payload: User-data to be passed to the layer above TCP. The
present document redefines the TCP payload so that it does not
include the extra TCP options placed at the end of the payload.
Legacy connection: A connection starting with a SYN that a pre-
existing TCP server will fully understand.
Upgraded connection: A connection starting with an upgraded SYN that
will only be fully understood by a server complying with the
present specification (even though it might appear valid to a pre-
existing TCP server).
Legacy server: A TCP listener complying with pre-existing TCP
specifications, but not with the present document.
Upgraded server: A TCP listener complying with the present document
as well as with pre-existing TCP specifications.
2. Protocol Specification
2.1. Dual 3-Way Handshake
The upgraded TCP client sends two alternative SYNs: a regular SYN in
case the server is legacy and a SYN-U (see Section 2.3.1) in case the
server is upgraded. The two SYNs MUST have the same network
addresses and the same destination port, but different source ports.
Once the client establishes which type of server has responded, it
continues the connection appropriate to that server type and aborts
the other.
The SYN intended for upgraded servers (SYN-U) includes additional TCP
options at the end of the payload (see Section 2.3.1). The options
are placed at the end of the payload to ensure that the SYN-U is more
likely to traverse middleboxes that inspect application-layer
headers, which they expect to be at the start of the payload.
Table 1 summarises the TCP 3-way handshake exchange for each of the
two SYNs between an upgraded TCP client (the active opener) and
either:
1. a legacy server, using the two columns to the left, or
2. an upgraded server, using the two columns to the right
Because the two SYNs come from different source ports, the server
will treat them as separate connections, probably using separate
threads (assuming a threaded server). A load balancer might forward
each SYN to separate replicas of the same logical server. Each
Briscoe Expires March 26, 2015 [Page 5]
Internet-Draft Sister SYNs September 2014
replica will deal with each incoming SYN independently - it does not
need to co-ordinate with the other replica.
+---+-----------------+-----------+---+----------------+------------+
| | Legacy Server | Legacy | | Upgraded | Upgraded |
| | Thread X | Server | | Server Thread | Server |
| | | Thread Y | | X | Thread Y |
+---+-----------------+-----------+---+----------------+------------+
| 1 | >SYN | >SYN-U | | | >SYN | >SYN-U |
| | | | | | | |
| 2 | <SYN/ACK | <SYN/ACK | | | <SYN/ACK | <SYN/ACK-U |
| | | | | | | |
| 3 | Client waits | | | Client waits | |
| | for response to | | | for response | |
| | both SYNs | | | to SYN-U | |
| | | | | | | |
| 4 | >ACK | >RST | | | >RST | >ACK |
| | | | | | | |
| 5 | Cont... | | | | | Cont... |
+---+-----------------+-----------+---+----------------+------------+
Table 1: Dual 3-Way Handshake in Two Server Scenarios
Each column of the table shows the required 3-way handshake exchange
within each connection, using the following symbols:
> means client to server
< means server to client
Cont... means the TCP connection continues as normal
The connection that starts with a regular SYN is called the 'legacy
connection' and the one that starts with a SYN-U is called the
'upgraded connection'. An upgraded server MUST respond to a SYN-U
with an upgraded SYN/ACK (termed a SYN/ACK-U and defined in
Section 2.3.2). Then the client recognises that it is talking to an
upgraded server. The client's behaviour depends on which response it
receives first, as follows:
o If the client first receives a SYN/ACK response on the legacy
connection, it MUST wait for the response on the upgraded
connection. It then proceeds as follows:
* If the response on the upgraded connection is a regular SYN/
ACK, the client MUST reset (RST) the upgraded connection and it
can continue with the legacy connection.
Briscoe Expires March 26, 2015 [Page 6]
Internet-Draft Sister SYNs September 2014
* If the response on the upgraded connection is an upgraded SYN/
ACK-U, the client MUST reset (RST) the legacy connection and it
can continue with the upgraded connection.
o If the client first receives a legacy SYN/ACK response on the
upgraded connection, it MUST reset (RST) the upgraded connection
immediately. It can then wait for the response on the legacy
connection and, once it arrives, continue as normal.
o If the client first receives an upgraded SYN/ACK-U response on the
upgraded connection, it MUST reset (RST) the legacy connection
immediately and continue with the upgraded connection.
2.2. Retransmission Behaviour
If the client receives a response to the SYN, but a short while after
that {duration TBA} the response to the SYN-U has not arrived, it
SHOULD retransmit the SYN-U. If latency is more important than the
extra TCP options, in parallel to any retransmission, or instead of
any retransmission, the client MAY give up on the upgraded (SYN-U)
connection by sending a reset (RST) and completing the 3-way
handshake of the legacy connection.
If the client receives no response at all to either the SYN or the
SYN-U, it SHOULD solely retransmit one or the other, not both. If
latency is more important than the extra TCP options, it will
retransmit the SYN. Otherwise it will retransmit the SYN-U. It MUST
NOT retransmit both segments, because the lack of response could be
due to severe congestion.
2.3. Segment Structure
2.3.1. SYN-U Structure (Non-Deterministic)
{Temporary note: The structure for a SYN-U segment specified in this
section leads to slightly non-deterministic behaviour, so it will be
labelled SYN-UN (for Upgraded Non-deterministic). A deterministic
alternative is given in Appendix A. It is expected that one will be
chosen during the IETF review process, at which point the other will
be deleted.}
A SYN-UN is structured as shown in Figure 1. Up to the payload, it
is identical to a regular TCP SYN segment, with a base TCP header
(TCP hdr) and the usual facility to set the Data Offset (DO) to allow
space for TCP options (TCPopts#2). The significance of '#2' will be
explained later.
Briscoe Expires March 26, 2015 [Page 7]
Internet-Draft Sister SYNs September 2014
Unlike a legacy TCP segment, the payload of a SYN-UN does not
continue to the end of the packet. Instead, it can be seen that
space is provided for additional TCP options at the end of the packet
at an offset from the end of the packet defined using the Extra
Options Offset (EOO) field. The EOO field is read from a new
'SynOpSis' TCP option defined in this specification.
Note that the handshake described earlier (Section 2.1) ensures that
a legacy server will never erroneously pass this mixture of payload
and options to the application. If a SYN carries a payload, a TCP
server holds back the payload from the application until the 3-way
handshake completes. And, once the upgraded client recognises it is
talking to a legacy server it will abort the 3-way handshake of the
upgraded connection. Therefore it will always prevent the mixed
payload from confusing the application.
The SynOpSis TCP option MUST be the final TCP option right-aligned at
the end of the payload so that the server can find it (using the
length of the whole packet found in the network layer header, e.g.
IPv4 or IPv6).
| EPOO |
,---------->|
| DO | | EOO | 2 |
,-------------------->| |<----------------------.<---------.
+---------+-----------+---------+-----------+-----------+----------+
| TCP hdr | TCPopts#2 | Payload | TCPopts#1 | TCPopts#3 | SynOpSis |
+---------+-----------+---------+-----------+-----------+----------+
All offsets are specified in 4-octet (32-bit) words.
Figure 1: The Structure of a SYN-UN segment (not to scale)
The SynOpSis TCP option has Kind SynOpSis, with a value {TBA} (See
Section 7). The internal structure of the SynOpSis TCP option for a
SYN-UN is defined in Figure 2. In general, the SynOpSis TCP option
can have different lengths for different purposes. However, in a
SYN-UN, the SynOpSis TCP option MUST have Length = 8, so that the
server can find where it starts (8 octets before the end of the
segment). The first 4 octets of the option contain a magic number
{TBA} to reduce the chance that arbitrary data within the payload
will be mistaken for a SynOpSis TCP option.
Briscoe Expires March 26, 2015 [Page 8]
Internet-Draft Sister SYNs September 2014
+---------------+---------------+-------------------------------+
| Kind=SynOpSis | Length=8 | Magic Number |
+---------------+---------------+---------------+---------------+
| Magic Number (cont) | EOO | EPOO |
+---------------+---------------+---------------+---------------+
Figure 2: SynOpSis TCP Option for a SYN-UN
Two 1-octet offset fields are placed at the end of the SynOpSis TCP
option for a SYN-UN:
The Extra Options Offset (EOO): The EOO field defines the total size
of the extra TCP options in 4-octet words. The start of the extra
options will be located 4 * (EOO + 2) octets from the end of the
packet. The IP payload size will be 4 * (DO + EOO + 2) +
TCP_payload_size.
The Extra Prefix Options Offset: The EPOO field defines an
additional offset from the start of the extra TCP options that
identifies the extent of those extra TCP options that need to be
processed before any regular TCP options. The EPOO field defines
this offset in 4-octet words.
2.3.2. SYN/ACK-U Structure
The SYN/ACK-U carries a simple SynOpSis flag TCP option as defined in
Figure 3. It solely identifies that the SYN/ACK is from a server
that supports SynOpSis TCP options.
+---------------+---------------+
| Kind=SynOpSis | Length=2 |
+---------------+---------------+
Figure 3: A SynOpSis flag TCP option
2.4. TCP Option Processing
2.4.1. Writing TCP Options
If an upgraded TCP client includes the TCP Fast Open option
[I-D.ietf-tcpm-fastopen] in the SYN, it MUST be placed with the extra
TCP options after the end of the payload. An upgraded TCP client
MUST NOT place any TCP option in the TCP header of a SYN that might
cause a TCP server to pass user-data directly to the application
before the 3-way handshake completes.
Briscoe Expires March 26, 2015 [Page 9]
Internet-Draft Sister SYNs September 2014
In order to ensure that the first extra TCP option aligns on a
4-octet word boundary, a TCP client SHOULD {ToDo: MUST?} start the
extra TCP options with sufficient 1-octet no-op TCP options
[RFC0793]. The number of no-op octets required will be 3 - ((S - 1)
% 4), where S is the IP payload size in octets and '%' is the modulo
operation.
2.4.2. Reading TCP Options
Before processing any TCP options, if the TCP payload is greater than
9 octets, an upgraded server MUST determine whether there is a
SynOpSis TCP option at the end of the packet by checking all the
following conditions:
o The Kind value is the SynOpSis Kind value;
o The length is 8;
o The next 4 octets match the magic number;
o The sum of the value of the EOO field, and all the length fields
found by walking along the TCP options at the end of the payload
exactly reaches the end of the packet.
If any of these conditions fails, the server MUST proceed by
processing any TCP options in the TCP header (TCPopts#2 in Figure 1),
and treat all octets after the Data Offset as user-data.
If an upgraded server finds a valid SynOpSis TCP option at the end of
the packet, it MUST process the TCP options in a SYN-UN in the
following order:
1. The Prefix TCP options (TCPopts#1 in Figure 1)
2. The regular TCP options following the main header but before the
payload (TCPopts#2 in Figure 1);
3. The Suffix TCP options (TCPopts#3 in Figure 1)
This arrangement allows the client to reveal certain TCP options for
processing by middleboxes (TCPopts#2), while concealing others after
the payload. And the client can still control the order in which the
server processes all the TCP options.
Briscoe Expires March 26, 2015 [Page 10]
Internet-Draft Sister SYNs September 2014
2.4.3. Forwarding TCP Options
Middleboxes exist that process some aspects of the TCP header.
Although the present specification defines a new location for extra
TCP options at the end of a packet, this is intended for the
exclusive use of the destination TCP implementation. Legacy
middleboxes will not expect to find TCP options beyond the Data
Offset anyway. A middlebox MUST continue to treat any data beyond
the Data Offset solely as user-data.
A TCP implementation is not necessarily aware whether it is deployed
in a middlebox or in a destination, e.g. a split TCP connection might
use a regular TCP implementation. Therefore, a general-purpose TCP
that implements the present specification will need a configuration
switch to disable any search for TCP options at the end of the
packet.
3. Discussion of Non-Determinism
All the TCP headers and options before the payload of a SYN-UN (see
Section 2.3.1) are completely indistinguishable from a regular SYN.
This makes it very likely that a SYN-UN will be able to traverse any
legacy middlebox, even one that splits a TCP connection. A SYN-UN
can only be distinguished from any legacy SYN by the presence of the
SynOpSis bit-pattern at the end of the packet.
This is termed the non-deterministic segment structure, because there
will be a very small probability (roughly 2^{-48-L}) that payload
data on a regular (non-SynOpSis) SYN could:
o happen to contain a pattern in exactly the right place that
matches the kind, length and magic number of a SynOpSis TCP option
and
o happen to contain a valid sequence of numbers in exactly the right
places to look like a valid sequence of TCP option lengths.
In the above formula, L is the sum of all the bits in all the TCP
option length fields that seem to be in the payload. For instance,
if it appears that there are 2 TCP options before the SynOpSis option
at the end of the payload, then L=2*8=16, and the probability of
incorrectly using user-data as TCP options will then be roughly
2^(-64) = 1 in 18 billion billion (18x10^18). This 'stealth'
approach has been taken in order to maximise the chances of
traversing all the various types of middlebox.
Note that the non-determinism is only in one direction. I.e., there
is a small chance that arbitrary user data might be mistaken for the
Briscoe Expires March 26, 2015 [Page 11]
Internet-Draft Sister SYNs September 2014
SynOpSis TCP option, but it is not possible that a valid SynOpSis TCP
option would ever be mistaken for user data.
{ToDo: It is recognised that it is potentially unsafe to use
probability to determine whether TCP options are hidden at the end of
the payload. If the WG prefers not to use the non-deterministic
structure in Section 2.3.1, it can be replaced with the alternative
more conventional deterministic protocol structure in .
(Appendix A.1), and this discussion of non-determinism could then be
deleted.}
4. Migration to Single Handshake
The strategy of sending two SYNs in parallel is not essential to the
Alternative SYN approach. It is merely an initial strategy that
minimises latency when the client does not know whether the server
has been upgraded. Evolution to a single SYN with greater optio
space could proceed as follows:
o Clients could maintain a white-list of upgraded servers discovered
by experience and send just the upgraded SYN-U in these cases.
o Then, for white-listed servers, the client could send a legacy SYN
only in the rare cases when an attempt to use an upgraded
connection had previously failed (perhaps a mobile client
encountering a new blockage on a new path to a server that it had
previously accessed over a good path).
o In the longer term, once it can be assumed that most servers are
upgraded and the risk of having to fall back to legacy has dropped
to near-zero, clients could send just the upgraded SYN first,
without maintaining a white-list, but still be prepared to send a
legacy SYN in the rare cases when that might fail.
There is concern that, although dual handshake approaches might well
eventually migrate to a single handshake, they do not scale when
there are numerous choices to be made simultaneously. For instance,
trying IPv4 and IPv6 in parallel [RFC6555]; and trying SCTP and TCP
in parallel [I-D.wing-tsvwg-happy-eyeballs-sctp]; and trying ECN and
non-ECN in parallel; and so on. Nonetheless, it is not necessary to
try every possible combination of N choices, which would otherwise
require 2^N handshakes (assuming each choice is between two options).
Instead, a selection of the choices could be attempted together. At
the extreme, two handshakes could be attempted, one with all the new
features, and one without all the new features.
Briscoe Expires March 26, 2015 [Page 12]
Internet-Draft Sister SYNs September 2014
5. Interaction with Pre-Existing TCP
{ToDo: TCP API, TCP States and Transitions, TCP Segment Processing,
Processing and Segment Size Overhead, Connectionless Resets, ICMP
Handling. Interaction with EDO, Interaction with TFO (see
Section 2.4.1), Interactions with Other TCP Variants including SYN
Cookies, Forward-Compatibility, Interaction with TCP assumptions of
Middleboxes. }
6. Dual Handshake: The Explicit Variant
This explicit dual handshake is similar to that in Section 2.1,
except the SYN that the client intends for a legacy server is
explicitly distinguishable from the SYN that would be sent by a
legacy client. Then, in the case of an upgraded server, the server
can reset the legacy connection itself, rather than creating
connection state for at least a round trip until the client resets
the connection.
{Temporary note: The choice between the explicit handshake in the
present section or the handshake in Section 2.1 is a tradeoff between
robustness against middlebox interference and minimal server state.
During the IETF review process, one might be chosen as the only
variant to go forward, at which point the other will be deleted.
Alternatively, the IETF could allow both variants and a client could
be implemented with either, or both. If both, the application could
choose which to use at run-time. Then we will need a section
describing the necessary API.}
For an explicit dual handshake, the TCP client still sends two
alternative SYNs: a SYN-L intended for legacy servers and a SYN-U
intended for upgraded servers. The two SYNs MUST have the same
network addresses and the same destination port, but different source
ports. Once the client establishes which type of server has
responded, it continues the connection appropriate to that server
type and aborts the other. The SYN intended for upgraded servers
includes additional options at the end of the payload (the SYN-U
defined as before in Section 2.3.1).
Table 2 summarises the TCP 3-way handshake exchange for each of the
two SYNs between an upgraded TCP client (the active opener) and
either:
1. a legacy server, using the two columns to the left, or
2. an upgraded server, using the two columns to the right
Briscoe Expires March 26, 2015 [Page 13]
Internet-Draft Sister SYNs September 2014
The table uses the same layout and symbols as Table 1, which have
already been explained in Section 2.1.
+---+-------------+--------------+---+--------------+---------------+
| | Legacy | Legacy | | Upgraded | Upgraded |
| | Server | Server | | Server | Server Thread |
| | Thread X | Thread Y | | Thread X | Y |
+---+-------------+--------------+---+--------------+---------------+
| 1 | >SYN-L | >SYN-U | | | >SYN-L | >SYN-U |
| | | | | | | |
| 2 | <SYN/ACK | <SYN/ACK | | | <RST | <SYN/ACK-U |
| | | | | | | |
| 3 | >ACK | >RST | | | | >ACK |
| | | | | | | |
| 4 | Cont... | | | | | Cont... |
+---+-------------+--------------+---+--------------+---------------+
Table 2: Explicit Variant of Dual 3-Way Handshake in Two Server
Scenarios
As before, an upgraded server MUST respond to a SYN-U with a SYN/ACK-
U. Then, the client recognises that it is talking to an upgraded
server.
Unlike before, an upgraded server MUST respond to a SYN-L with a RST.
However, the client cannot rely on this behaviour, because a
middlebox might strip the SynOpSis TCP option from the SYN-L before
it reaches the server. Then the handshake would effectively revert
to the implicit variant. Therefore the client's behaviour still
depends on which SYN-ACK arrives first, so its response to SYN-ACKs
has to follow the rules specified for the implicit handshake variant
in Section 2.1.
The rules for processing TCP options are unchanged from those in
Section 2.4.
6.1. Retransmission Behaviour - Explicit Variant
If the client receives a RST on one connection, but a short while
after that {duration TBA} the response to the SYN-U has not arrived,
it SHOULD retransmit the SYN-U. If latency is more important than
the extra TCP options, in parallel to any retransmission, or instead
of any retransmission, the client MAY send a SYN without any SynOpSis
option, in case this is the cause of the black-hole. However, the
presence of the RST implies that one of the SYNs with a SynOpSis TCP
option (the SYN-L) probably reached the server, therefore it is more
likely (but not certain) that the lack of response on the other
connection is due to transmission loss or congestion loss.
Briscoe Expires March 26, 2015 [Page 14]
Internet-Draft Sister SYNs September 2014
If the client receives no response at all to either the SYN-L or the
SYN-U, it SHOULD solely retransmit one or the other, not both. If
latency is more important than the extra TCP options, it SHOULD send
a SYN without a SynOpSis TCP option. Otherwise it SHOULD retransmit
the SYN-U. It MUST NOT retransmit both segments, because the lack of
response could be due to severe congestion.
6.2. SYN-L Structure
The SYN-L is merely a SYN with with an extra SynOpSis flag option as
shown in Figure 3 (see Section 2.3.2). It solely identifies that the
SYN is from a client that supports SynOpSis TCP options. In the case
of a legacy server, it will just ignore this TCP option that it
doesn't recognise.
6.3. Corner Cases
There is a small but finite possibility that one load-sharing replica
of a server is upgraded, while another is not. The Implicit
Handshake is robust to this possibility, but the Explicit Handshake
is not., unless the following additional rules are followed:
Both aborted: The client might receive a RST on its legacy
connection in response to its SYN-L, then a regular SYN/ACK on its
upgraded connection in response to its SYN-U. In this case, the
client MUST still respond with a RST on its upgraded connection.
Otherwise, its extra TCP options will be passed as user-data to
the application by the legacy server. If confronted with this
unusual scenario where both connections are aborted, the client's
only recourse is to retry a new dual handshake on different source
ports, or ultimately to fall-back to sending a regular SYN.
Both successful: This could happen in either order but, in both
cases, the client aborts the last connection to respond:
* The client completes the legacy handshake (because it receives
a SYN/ACK), but then, before it has aborted the upgraded
connection, it receives a SYN/ACK-U on it. In this case, the
client MUST abort the upgraded connection even though it would
work. Otherwise the client will have opened both connections,
one with extra TCP options and one without. This could confuse
the application.
* The client completes the the upgraded connection after
receiving a SYN/ACK-U, but then it receives a SYN/ACK on the
legacy connection. In this case, the client MUST abort the
legacy connection.
Briscoe Expires March 26, 2015 [Page 15]
Internet-Draft Sister SYNs September 2014
7. IANA Considerations
This specification requires IANA to allocate one value from the TCP
option Kind name-space, against the name "Sister SYN Options
(SynOpSis)"
Early implementation before the IANA allocation MUST follow [RFC6994]
and use experimental option 254 and magic number 0xHHHH (16 bits)
{ToDo: Value TBA and register this with IANA}, then migrate to the
new option after the allocation.
8. Security Considerations
Certain cryptographic functions have different coverage rules for the
TCP header and TCP payload. Placing some TCP options at the end of
the payload could mean that they are treated differently from regular
TCP options. This is a deliberate feature of the protocol, but
application developers will need to be aware that this is the case.
{ToDo: More}
9. Acknowledgements
The idea of this approach grew out of discussions with Joe Touch
while developing draft-touch-tcpm-syn-ext-opt, and with Jana Iyengar
and Olivier Bonaventure. The idea that it is architecturally
preferable to place a protocol extension behind a higher layer, and
code its location into upgraded implementations, was originally
articulated by Rob Hancock. The following people provided useful
review comments: Joe Touch, Yuchung Cheng.
Bob Briscoe was part-funded by the European Community under its
Seventh Framework Programme through the Trilogy 2 project (ICT-
317756). The views expressed here are solely those of the authors.
10. References
10.1. Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6994] Touch, J., "Shared Use of Experimental TCP Options", RFC
6994, August 2013.
Briscoe Expires March 26, 2015 [Page 16]
Internet-Draft Sister SYNs September 2014
10.2. Informative References
[I-D.ietf-tcpm-fastopen]
Cheng, Y., Chu, J., Radhakrishnan, S., and A. Jain, "TCP
Fast Open", draft-ietf-tcpm-fastopen-09 (work in
progress), July 2014.
[I-D.wing-tsvwg-happy-eyeballs-sctp]
Wing, D. and P. Natarajan, "Happy Eyeballs: Trending
Towards Success with SCTP", draft-wing-tsvwg-happy-
eyeballs-sctp-02 (work in progress), October 2010.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010.
[RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
Dual-Stack Hosts", RFC 6555, April 2012.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, January 2013.
Appendix A. Alternative Protocol Specifications
This appendix is informative and will be deleted before publication.
It documents protocol alternatives that the IETF may wish to consider
in place of those in the body of the specification.
A.1. SYN-U Structure (Deterministic)
This appendix describes a structure for an upgraded SYN called SYN-UD
(for upgraded deterministic) that is an alternative to the non-
deterministic structure defined in Section 2.3.1. It is termed
'deterministic' because it uses the conventional placement for the
SynOpSis TCP option (instead of the unconventional SYN-UN placement
at the end of the packet, where arbitrary user-data could be mistaken
for the SynOpSis option).
However, given it uses the new SynOpSis TCP option in the TCP header,
it will not always successfully traverse middleboxes. Unlike a SYN-
UN, a SYN-UD will certainly not traverse legacy middleboxes that do
not forward unrecognised TCP options, and it is unlikely to traverse
a legacy middlebox that splits TCP connections, unless it copies
unrecognised TCP options. Nonetheless, like the SYN-UN, the options
are still placed at the end of the payload to ensure that the SYN-UD
is more likely to traverse middleboxes that inspect application-layer
headers, which they expect to be at the start of the payload.
Briscoe Expires March 26, 2015 [Page 17]
Internet-Draft Sister SYNs September 2014
The placement of the SynOpSis TCP option in a SYN-UD segment is shown
in Figure 4. It can be seen that extra TCP options are still placed
at the end of the payload at an offset from the end of the packet
defined using the Extra Options Offset (EOO) field.
The EOO field is read from a new 'SynOpSis' TCP option defined in
this specification. The SynOpSis TCP options is placed in the
regular TCP option space of the SYN-UD.
| DO | | EOO |
,------------------------------------------->| |<----------.
+---------+-----------+----------+-----------+---------+-----------+
| TCP hdr | TCPopts#1 | SynOpSis | TCPopts#3 | Payload | TCPopts#2 |
+---------+-----------+----------+-----------+---------+-----------+
Figure 4: The Structure of an alternative (deterministic) SYN-UD
segment (not to scale)
The SynOpSis TCP option for a SYN-UD segment MUST have Kind SynOpSis,
with a value {TBA} (See Section 7) and Length = 3. In general, the
SynOpSis TCP option can have different lengths for different
purposes. However, in a SYN-UD, the SynOpSis TCP option has Length =
3, so that it can carry the 1-octet EOO field, which MUST be present
in a SYN-UD. The internal structure of the SynOpSis TCP option for a
SYN-UD segment is defined in Figure 5.
+---------------+---------------+---------------+
| Kind=SynOpSis | Length=3 | EOO |
+---------------+---------------+---------------+
Figure 5: SynOpSis TCP Option for a deterministic SYN-UD
The Extra Options Offset (EOO) field defines the total size of the
extra TCP options in 4-octet words. The start of the extra options
will be located 4 * EOO octets from the end of the packet. The IP
packet payload size will be 4 * (DO + EOO) + TCP_payload_size.
An upgraded server MUST process the TCP options in a SYN-UD in the
following order:
1. The regular TCP options following the main header but before the
SynOpSis TCP option (TCPopts#1 in Figure 4)
2. The TCP options at the end of the payload (TCPopts#2 in Figure 4)
Briscoe Expires March 26, 2015 [Page 18]
Internet-Draft Sister SYNs September 2014
3. The regular TCP options following the main header but after the
SynOpSis TCP option (TCPopts#3 in Figure 4);
Appendix B. Comparison of Alternatives
B.1. Implicit vs Explicit Dual Handshake
In the body of this specification, two variants of the dual handshake
are defined:
1. The implicit dual handshake (Section 2.1) with just a regular SYN
(no SynOpSis flag option) on the legacy connection;
2. The explicit dual handshake (Section 6) with a SYN-L (SynOpSis
flag option) on the legacy connection.
Both schemes double up connection state (for a round trip) on the
legacy server. But only the implicit scheme doubles up connection
state (for a round trip) on the upgraded server as well. On the
other hand, the explicit scheme risks delay accessing a legacy server
if a middlebox discards the SYN-L (e.g. some firewalls discard
packets with unrecognised TCP options). Table 3 summarises these
points.
+----------------------------------+---------------+----------------+
| | SYN | SYN-L |
| | (Implicit) | (Explicit) |
+----------------------------------+---------------+----------------+
| Minimum state on upgraded server | - | + |
| | | |
| Minimum risk of delay to legacy | + | - |
| server | | |
+----------------------------------+---------------+----------------+
Table 3: Comparison of Implicit vs. Explicit Dual Handshake on the
Legacy Connection
There is no need for the IETF to choose between these. If the spec
allows either or both, the tradeoff can be left to implementers at
build-time, or to the application at run-time.
Initially clients might choose the Implicit Dual Handshake to
minimise delays due to middlebox interference. But later, perhaps
once more middleboxes support the scheme, clients might choose the
Explicit scheme, to minimise state on upgraded servers.
Briscoe Expires March 26, 2015 [Page 19]
Internet-Draft Sister SYNs September 2014
B.2. Non-Deterministic vs Deterministic SYN-U
Two alternative segment structures for the SYN-U are defined, but in
this case it is recommended that the IETF needs to choose between
them so that only one or the other would be specified:
a. The non-deterministic SYN-UN (Section 2.3.1), with the SynOpSis
TCP option located at the end of the packet;
b. The deterministic SYN-UD (Appendix A.1), with the SynOpSis TCP
option located conventionally in the sequence of TCP options in
the TCP header.
The non-deterministic SYN-UN presents a small risk of user data being
mistaken for TCP options. Also, whether or not the client needs
extra option space, it requires the server to always check for a TCP
option at the end of any SYN with a payload greater than 9 octets.
On the other hand, the deterministic SYN-UD risks delay accessing an
upgraded server because it is visible to middleboxes that discard
packets with unrecognised TCP options. Also the SYN-UD is vulnerable
to being removed by middleboxes that do not forward unrecognised
options, whereas the SYN-UN is likely to traverse all legacy
middleboxes, even split TCP connections. Table 4 summarises these
points.
+---------------------------+---------------------+-----------------+
| | SYN-UN (Non- | SYN-UD |
| | deterministic) | (Deterministic) |
+---------------------------+---------------------+-----------------+
| User data unmistakable | - | + |
| | | |
| No need for upgraded | - | + |
| server to check end of | | |
| every SYN payload | | |
| | | |
| Minimum risk of delay to | + | - |
| upgraded server | | |
| | | |
| Extra TCP options likely | + | - |
| to traverse all | | |
| middleboxes | | |
+---------------------------+---------------------+-----------------+
Table 4: Comparison of Implicit vs. Explicit Dual Handshake on the
Legacy Connection
The IETF needs to choose between SYN-UN and SYN-UD, because if
implementation of either or both were allowed, the two deficiencies
Briscoe Expires March 26, 2015 [Page 20]
Internet-Draft Sister SYNs September 2014
of SYN-UN would still affect server implementations, whether or not
the client used a SYN-UN to take advantage of the two benefits.
Currently this document favours SYN-UN, because SYN-UD's lack of
reliable middlebox traversal introduces a functional deficiency (if
extra option space is absolutely required, the connection cannot even
start). In contrast, SYN-UN's first failing has vanishingly small
probability, and its second failing 'only' increases server
processing - it does not impair the ability of connections to
function outright.
B.3. Comparison with Other Proposals
{ToDo}
Appendix C. Protocol Design Issues (to be Deleted before Publication)
This appendix is informative, not normative. It records outstanding
issues with the protocol design that will need to be resolved before
publication.
Reliance on segmentation boundary: The definition of the position of
the SynOpSis TCP options depends on where the sender decided to
place a segment boundary. In general, a sender cannot rely on
segment boundaries being preserved, e.g. by segmentation
offloading hardware. In the case of a SYN, no more payload data
is sent in the first round trip, therefore using this segment
boundary is probably safe. However, it may constrain future
attempts to send additional data in the first round.
Tie to EDO?: Consider whether a successful SYN/ACK-U implies EDO is
also supported.
Size of SynOpSis magic number: Justify choice.
Appendix D. Change Log (to be Deleted before Publication)
A detailed version history can be accesssed at
<http://datatracker.ietf.org/doc/draft-briscoe-tcpm-syn-op-sis/
history/>
From briscoe...-01 to briscoe...-02:
Technical changes:
* Defined the client behaviour dependent on which response
arrives first.
Briscoe Expires March 26, 2015 [Page 21]
Internet-Draft Sister SYNs September 2014
* Allowed retransmission of either SYN or SYN-U if no response
from either.
* Redefined EOO as an offset from the end of the packet, not from
the beginning of the payload.
* Added section on Migration to a Single Handshake. Reworded
dual handshake so that it is not mandatory for the client to
send dual SYNs simultaneously; only the relation between the
SYNs and the response to either is mandatory, while parallel
SYNs is purely for latency reduction.
* Added rules for writing TCP options, i.e. i) options like TFO
MUST NOT be located in the TCP header and ii) add no-ops to
align on 4-octet boundary.
* Added rules for forwarding TCP options, i.e. only the
destination looks for TCP options after the Data Offset, not
middleboxes.
* Moved the Explicit Handshake variant (SYN-L) into the body from
the appendix, and recommended the choice could be down to
implementers or apps. Included section on corner cases.
* Introduced more normative language throughout the Protocol
Spec.
Editorial changes:
* Added temporary motivation section
* Added confusible terminology to Terminology section.
* Divided protocol spec into sub-sections.
* Handshake table: Clarified that the two columns under each
server represent separate threads, that may run on separate
servers, without co-ordination. Represented message
dependencies in the alignment of the rows.
* Explained the table.
* Explained why a legacy server won't ever pass SYN-U to the app.
* More precisely described loss as 'not arrived before a
timeout', and explained the tradeoff between latency and extra
TCP options.
Briscoe Expires March 26, 2015 [Page 22]
Internet-Draft Sister SYNs September 2014
* Gave reasoning for locating TCP options in three groups.
* Acknowledged Rob Hancock for the architectural idea of hiding
an extension to a protocol in the layer above.
* Appendix about protocol alternatives now only presents the SYN-
UD alternative, given the implicit/explicit handshake choice
has been moved to the body.
* Rewrote appendix about comparing the choices to treat the two
pairs of choices separately, rather than discussing all four
combinations of pairs of choices.
From briscoe...-00 to briscoe...-01:
Technical changes:
* Added the definition of a SYN/ACK-U
* Deterministic Protocol Spec: Replaced SYN/ACK-L with RST (Joe
Touch)
* Added Non-Deterministic Explicit and Deterministic Implicit
Protocol Specs in Appendices
* Added Comparison of Alternatives as an Appendix
* Security Considerations: Added note about crypto coverage of
TCP options in the payload being different from that of other
TCP options.
* Added an appendix to record outstanding Protocol Design Issues,
and included segmentation boundary issue (Yuchung Cheng).
Editorial changes:
* Changed TCP option Kind from SYN-OP-SIS to SynOpSis
* Protocol Spec: Explained why the extra TCP options are placed
at the end of the payload
* Throughout: avoided the ambiguity in the word payload, now that
there are TCP options at the end of the payload. Some might
consider these to be within the payload, while others might
consider them to be placed beyond the payload.
* Segment structure figures: Clarified that they are not to
scale.
Briscoe Expires March 26, 2015 [Page 23]
Internet-Draft Sister SYNs September 2014
* Added placeholder section "Interaction with TCP"
* Acknowledged reviewers
Author's Address
Bob Briscoe
BT
B54/77, Adastral Park
Martlesham Heath
Ipswich IP5 3RE
UK
Phone: +44 1473 645196
Email: bob.briscoe@bt.com
URI: http://bobbriscoe.net/
Briscoe Expires March 26, 2015 [Page 24]
| PAFTECH AB 2003-2026 | 2026-04-21 10:29:03 |