%!PS-Adobe-3.0
%%BoundingBox: 24 24 588 768
%%Title: Enscript Output
%%For: Sally Floyd
%%Creator: GNU enscript 1.6.1
%%CreationDate: Wed May 8 09:49:33 2002
%%Orientation: Portrait
%%Pages: (atend)
%%DocumentMedia: Letter 612 792 0 () ()
%%DocumentNeededResources: (atend)
%%EndComments
%%BeginProlog
%%BeginResource: procset Enscript-Prolog 1.6 1
%
% Procedures.
%
/_S { % - -> -  snapshot the interpreter's VM state into _s
% Called at the top of every page (the %%BeginPageSetup blocks below);
% _R restores the snapshot at the end of the page.
/_s save def
} def
/_R { % - -> -  restore the VM snapshot taken by _S
% Everything defined or allocated since the matching _S is discarded.
_s restore
} def
/S { % - -> -  showpage with the current graphics state preserved
% showpage reinitialises the graphics state; the gsave/grestore pair
% keeps the caller's CTM, font and colour intact across it.
gsave
showpage
grestore
} bind def
/MF { % fontname newfontname -> -  make a re-encoded copy of a font
% Copies every entry of fontname's dictionary into a fresh dictionary,
% drops the FID (definefont assigns a new one), installs encoding_vector
% as /Encoding when it is a full 256-entry table, and registers the copy
% under newfontname.
/newfontname exch def
/fontname exch def
/fontdict fontname findfont def
% New dictionary sized like the source font's.
/newfont fontdict maxlength dict def
fontdict {
exch
dup /FID eq {
% skip FID pair: a copied font must not carry the original's font ID
pop pop
} {
% copy to the new font dictionary
exch newfont 3 1 roll put
} ifelse
} forall
newfont /FontName newfontname put
% insert only valid encoding vectors (exactly 256 entries); encoding_vector
% is defined later in the prolog and is looked up at call time
encoding_vector length 256 eq {
newfont /Encoding encoding_vector put
} if
newfontname newfont definefont pop
} def
/SF { % fontname width height -> -  select fontname scaled to width x height
% Non-uniform scaling: width and height become the horizontal and vertical
% point sizes through the font matrix, so they may differ.
/height exch def
/width exch def
findfont
[width 0 0 height 0 0] makefont setfont
} def
/SUF { % fontname width height -> -  set a new user font
% Re-encodes fontname as F-gs-user-font via MF, then selects it with SF
% (SF redefines width and height again from the same values).
/height exch def
/width exch def
/F-gs-user-font MF
/F-gs-user-font width height SF
} def
% Short aliases used by every "x y M (text) s" pair in the page bodies below.
/M {moveto} bind def
/s {show} bind def
/Box { % x y w h -> -  append a closed rectangular path (not filled or stroked)
% Side effect: leaves d_x d_y d_w d_h defined in the current dictionary.
/d_h exch def /d_w exch def /d_y exch def /d_x exch def
d_x d_y moveto
d_w 0 rlineto
0 d_h rlineto
d_w neg 0 rlineto
closepath
} def
/bgs { % x y height blskip gray str -> -  show str on top of a filled gray box
/str exch def
/gray exch def
/blskip exch def
/height exch def
/y exch def
/x exch def
gsave
% The box is as wide as the string and starts blskip below the baseline.
x y blskip sub str stringwidth pop height Box
gray setgray
fill
grestore
x y M str s
} def
% Highlight bars.
/highlight_bars { % nlines lineheight output_y_margin gray -> -
% Fills alternate groups of nlines text rows in every column with gray.
% Relies on d_header_y, d_output_w, d_output_h and cols from %%BeginSetup.
gsave
setgray
/ymarg exch def
/lineheight exch def
/nlines exch def
% This 2 is just a magic number to sync highlight lines to text.
0 d_header_y ymarg sub 2 sub translate
/cw d_output_w cols div def
/nrows d_output_h ymarg 2 mul sub lineheight div cvi def
% for each column
0 1 cols 1 sub {
cw mul /xp exch def
% for each row
0 1 nrows 1 sub {
/rn exch def
rn lineheight mul neg /yp exch def
% rows are grouped nlines at a time; every other group gets a bar
rn nlines idiv 2 mod 0 eq {
% Draw highlight bar. 4 is just a magic indentation.
xp 4 add yp cw 8 sub lineheight neg Box fill
} if
} for
} for
grestore
} def
% Line highlight bar.
/line_highlight { % x y width height gray -> -  fill one rectangle in gray
gsave
/gray exch def
Box gray setgray fill
grestore
} def
% Column separator lines.
/column_lines { % - -> -  stroke the vertical separators between columns
% Draws cols-1 hairlines spanning the output area; uses d_footer_h,
% d_output_w, d_output_h and cols from %%BeginSetup.
gsave
.1 setlinewidth
0 d_footer_h translate
/cw d_output_w cols div def
1 1 cols 1 sub {
cw mul 0 moveto
0 d_output_h rlineto stroke
} for
grestore
} def
% Column borders.
/column_borders { % - -> -  stroke a hairline frame around the output area
% Uses d_footer_h, d_output_w and d_output_h from %%BeginSetup.
gsave
.1 setlinewidth
0 d_footer_h moveto
0 d_output_h rlineto
d_output_w 0 rlineto
0 d_output_h neg rlineto
closepath stroke
grestore
} def
% Do the actual underlay drawing
/draw_underlay { % - -> -  paint ul_str at the current point
% ul_style 0 draws outlined text (charpath + stroke); any other value draws
% filled text. ul_style and ul_str are not defined anywhere in this prolog
% or setup section - they must be defined before underlay/user_underlay run.
ul_style 0 eq {
ul_str true charpath stroke
} {
ul_str show
} ifelse
} def
% Underlay
/underlay { % - -> -  draw ul_str along the page diagonal
% Origin moves to the page's top-left corner and the axes rotate by a
% negative angle, so the text runs from top-left towards bottom-right.
% ul_gray, ul_font, ul_str and ul_h_ptsize must already be defined.
gsave
0 d_page_h translate
d_page_h neg d_page_w atan rotate
ul_gray setgray
ul_font setfont
% dw is the length of the page diagonal; the string is centred along it
/dw d_page_h dup mul d_page_w dup mul add sqrt def
ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto
draw_underlay
grestore
} def
/user_underlay { % - -> -  draw ul_str at a user-chosen position and angle
% ul_x, ul_y, ul_angle, ul_gray, ul_font and ul_h_ptsize must be defined
% by the caller; none of them are set in this file's setup section.
gsave
ul_x ul_y translate
ul_angle rotate
ul_gray setgray
ul_font setfont
0 0 ul_h_ptsize 2 div sub moveto
draw_underlay
grestore
} def
% Page prefeed
/page_prefeed { % bool -> -  enable or disable printer page prefeed
% Only interpreters whose statusdict has a /prefeed entry honour this;
% otherwise the flag is popped so the operand stack stays balanced.
statusdict /prefeed known {
statusdict exch /prefeed exch put
} {
pop
} ifelse
} def
% Wrapped line markers
/wrapped_line_mark { % x y charwidth charheight type -> -  mark a wrapped line
% type 2 draws a filled black box, type 3 a small arrow; any other type
% draws nothing (the five operands are consumed in every case).
/type exch def
/h exch def
/w exch def
/y exch def
/x exch def
type 2 eq {
% Black boxes (like TeX does)
gsave
0 setlinewidth
x w 4 div add y M
0 h rlineto w 2 div 0 rlineto 0 h neg rlineto
closepath fill
grestore
} {
type 3 eq {
% Small arrows
gsave
.2 setlinewidth
x w 2 div add y h 2 div add M
w 4 div 0 rlineto
x w 4 div add y lineto stroke
x w 4 div add w 8 div add y h 4 div add M
x w 4 div add y lineto
w 4 div h 8 div rlineto stroke
grestore
} {
% do nothing
} ifelse
} ifelse
} def
% EPSF import.
/BeginEPSF { % - -> -  prepare the interpreter for an included EPS file
% Standard EPSF-inclusion wrapper: snapshot VM, record the stack depths,
% neutralise showpage and reset the graphics state so the included file
% starts from known defaults and EndEPSF can undo everything it leaves
% behind. This isolates state only; the included EPS still executes as
% ordinary PostScript with every operator available, so EPS input has to
% be treated as trusted code rather than data.
/b4_Inc_state save def % Save state for cleanup
/dict_count countdictstack def % Count objects on dict stack
% "1 sub" discounts the /op_count literal already sitting on the stack
/op_count count 1 sub def % Count objects on operand stack
userdict begin
/showpage { } def
0 setgray 0 setlinecap
1 setlinewidth 0 setlinejoin
10 setmiterlimit [ ] 0 setdash newpath
% Level 2+ only: these operators do not exist in Level 1 interpreters.
/languagelevel where {
pop languagelevel
1 ne {
false setstrokeadjust false setoverprint
} if
} if
} bind def
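/EndEPSF { % - -> -  undo BeginEPSF once the included EPS file has run
% Discards any operands the EPS left on the stack, closes any dictionaries
% it left open, then restores the VM snapshot taken by BeginEPSF.
% The repeat body must be the operator "pop": a misspelt name here is only
% resolved when executed, so it would raise /undefined the first time an
% EPS actually leaves an operand behind, i.e. exactly when cleanup matters.
count op_count sub { pop } repeat % Clean up stacks
countdictstack dict_count sub { end } repeat
b4_Inc_state restore
} bind def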
% Check PostScript language level.
% Level 1 interpreters have no languagelevel operator, so default to 1.
% gs_languagelevel gates the setpagedevice call in the setup section.
/languagelevel where {
pop /gs_languagelevel languagelevel def
} {
/gs_languagelevel 1 def
} ifelse
%%EndResource
%%BeginResource: procset Enscript-Encoding-88591 1.6 1
% 256-entry glyph-name table for ISO 8859-1 (resource Enscript-Encoding-88591).
% MF installs it as /Encoding only because its length is exactly 256.
/encoding_vector [
% 0x00-0x1F: C0 control codes, no glyphs
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
% 0x20-0x7F: printable ASCII (0x7F DEL has no glyph)
/space /exclam /quotedbl /numbersign
/dollar /percent /ampersand /quoteright
/parenleft /parenright /asterisk /plus
/comma /hyphen /period /slash
/zero /one /two /three
/four /five /six /seven
/eight /nine /colon /semicolon
/less /equal /greater /question
/at /A /B /C
/D /E /F /G
/H /I /J /K
/L /M /N /O
/P /Q /R /S
/T /U /V /W
/X /Y /Z /bracketleft
/backslash /bracketright /asciicircum /underscore
/quoteleft /a /b /c
/d /e /f /g
/h /i /j /k
/l /m /n /o
/p /q /r /s
/t /u /v /w
/x /y /z /braceleft
/bar /braceright /tilde /.notdef
% 0x80-0x9F: C1 control codes, no glyphs
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
% 0xA0-0xFF: Latin-1 upper half
/space /exclamdown /cent /sterling
/currency /yen /brokenbar /section
/dieresis /copyright /ordfeminine /guillemotleft
/logicalnot /hyphen /registered /macron
/degree /plusminus /twosuperior /threesuperior
/acute /mu /paragraph /bullet
/cedilla /onesuperior /ordmasculine /guillemotright
/onequarter /onehalf /threequarters /questiondown
/Agrave /Aacute /Acircumflex /Atilde
/Adieresis /Aring /AE /Ccedilla
/Egrave /Eacute /Ecircumflex /Edieresis
/Igrave /Iacute /Icircumflex /Idieresis
/Eth /Ntilde /Ograve /Oacute
/Ocircumflex /Otilde /Odieresis /multiply
/Oslash /Ugrave /Uacute /Ucircumflex
/Udieresis /Yacute /Thorn /germandbls
/agrave /aacute /acircumflex /atilde
/adieresis /aring /ae /ccedilla
/egrave /eacute /ecircumflex /edieresis
/igrave /iacute /icircumflex /idieresis
/eth /ntilde /ograve /oacute
/ocircumflex /otilde /odieresis /divide
/oslash /ugrave /uacute /ucircumflex
/udieresis /yacute /thorn /ydieresis
] def
%%EndResource
%%EndProlog
%%BeginSetup
%%IncludeResource: font Courier-Bold
%%IncludeResource: font Courier
% Header font: Courier-Bold re-encoded via MF, 10pt wide by 10pt high.
/HFpt_w 10 def
/HFpt_h 10 def
/Courier-Bold /HF-gs-font MF
/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
% Body font: Courier re-encoded and selected at 10pt x 10pt.
/Courier /F-gs-font MF
/F-gs-font 10 10 SF
/#copies 1 def
% Pagedevice definitions:
% setpagedevice is Level 2+; gs_languagelevel was computed in the prolog.
gs_languagelevel 1 gt {
<<
/PageSize [612 792]
>> setpagedevice
} if
% Page geometry in points: Letter (612 x 792) less the 24pt margin on each
% side that every page applies with "24 24 translate".
/d_page_w 564 def
/d_page_h 744 def
/d_header_x 0 def
/d_header_y 744 def
/d_header_w 564 def
% Header and footer bands are zero height in this output.
/d_header_h 0 def
/d_footer_x 0 def
/d_footer_y 0 def
/d_footer_w 564 def
/d_footer_h 0 def
/d_output_w 564 def
/d_output_h 744 def
% Single text column.
/cols 1 def
%%EndSetup
%%Page: (1) 1
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 1 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 665 M
(Internet Engineering Task Force Sally Floyd) s
5 654 M
(INTERNET DRAFT ICIR) s
5 643 M
(draft-floyd-tcp-reset-04.txt May, 2002) s
5 632 M
( Expires: November, 2002) s
5 599 M
( Inappropriate TCP Resets Considered Harmful) s
5 555 M
( Status of this Memo) s
5 522 M
( This document is an Internet-Draft and is in full conformance with) s
5 511 M
( all provisions of Section 10 of RFC2026.) s
5 489 M
( Internet-Drafts are working documents of the Internet Engineering) s
5 478 M
( Task Force \(IETF\), its areas, and its working groups. Note that) s
5 467 M
( other groups may also distribute working documents as Internet-) s
5 456 M
( Drafts.) s
5 434 M
( Internet-Drafts are draft documents valid for a maximum of six months) s
5 423 M
( and may be updated, replaced, or obsoleted by other documents at any) s
5 412 M
( time. It is inappropriate to use Internet- Drafts as reference) s
5 401 M
( material or to cite them other than as "work in progress.") s
5 379 M
( The list of current Internet-Drafts can be accessed at) s
5 368 M
( http://www.ietf.org/ietf/1id-abstracts.txt) s
5 346 M
( The list of Internet-Draft Shadow Directories can be accessed at) s
5 335 M
( http://www.ietf.org/shadow.html.) s
5 313 M
(Abstract) s
5 291 M
( This document is being written because there are a number of) s
5 280 M
( firewalls in the Internet that inappropriately reset a TCP connection) s
5 269 M
( upon receiving certain TCP SYN packets, in particular, packets with) s
5 258 M
( flags set in the Reserved field of the TCP header. In this document) s
5 247 M
( we argue that this practice is not conformant with TCP standards, and) s
5 236 M
( is an inappropriate overloading of the semantics of the TCP reset.) s
5 225 M
( We also consider the longer-term consequences of this and similar) s
5 214 M
( actions as obstacles to the evolution of the Internet infrastructure.) s
5 192 M
(1. Introduction) s
5 170 M
( TCP uses the RST \(Reset\) bit in the TCP header to reset a TCP) s
5 159 M
( connection. Resets are appropriately sent in response to a) s
5 148 M
( connection request to a nonexistent connection, for example. The TCP) s
5 104 M
(Floyd [Page 1]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (2) 2
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 2 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( receiver of the reset aborts the TCP connection, and notifies the) s
5 654 M
( application [RFC793, RFC1122, Ste94].) s
5 632 M
( Unfortunately, a number of firewalls and load-balancers in the) s
5 621 M
( current Internet send a reset in response to a TCP SYN packet that) s
5 610 M
( use flags from the Reserved field in the TCP header. Section 3 below) s
5 599 M
( discusses the specific example of firewalls that send resets in) s
5 588 M
( response to TCP SYN packets from ECN-capable hosts.) s
5 566 M
( This document is being written to inform administrators of web) s
5 555 M
( servers and firewalls of this problem, in an effort to encourage the) s
5 544 M
( deployment of bug-fixes [FIXES]. A second purpose of this document) s
5 533 M
( is to consider the longer-term consequences of such middlebox) s
5 522 M
( behavior on the more general evolution of protocols in the Internet.) s
5 500 M
(2. The history of TCP resets.) s
5 478 M
( This section gives a brief history of the use of the TCP reset in the) s
5 467 M
( TCP standards, and argues that sending a reset in response to a SYN) s
5 456 M
( packet that uses bits from the Reserved field of the TCP header is) s
5 445 M
( non-compliant behavior.) s
5 423 M
( RFC 793 contained the original specification of TCP in September,) s
5 412 M
( 1981 [RFC793]. This document defined the RST bit in the TCP header,) s
5 401 M
( and explained that reset was devised to prevent old duplicate) s
5 390 M
( connection initiations from causing confusion in TCP's three-way) s
5 379 M
( handshake. The reset is also used when a host receives data for a) s
5 368 M
( TCP connection that no longer exists.) s
5 346 M
( RFC 793 states the following, in Section 5:) s
5 324 M
( "As a general rule, reset \(RST\) must be sent whenever a segment) s
5 313 M
( arrives which apparently is not intended for the current connection.) s
5 302 M
( A reset must not be sent if it is not clear that this is the case.") s
5 280 M
( RFC 1122 "amends, corrects, and supplements" RFC 793. RFC 1122 says) s
5 269 M
( nothing specific about sending resets, or not sending resets, in) s
5 258 M
( response to flags in the TCP Reserved field.) s
5 236 M
( Thus, there is nothing in RFC 793 or RFC 1122 that suggests that it) s
5 225 M
( is acceptable to send a reset simply because a SYN packet uses) s
5 214 M
( Reserved flags in the TCP header, and RFC 793 explicitly forbids) s
5 203 M
( sending a reset for this reason.) s
5 181 M
( RFC 793 and RFC 1122 both include Jon Postel's famous robustness) s
5 170 M
( principle, also from RFC 791: "Be liberal in what you accept, and) s
5 159 M
( conservative in what you send." RFC 1122 reiterates that this) s
5 148 M
( robustness principle "is particularly important in the Internet) s
5 104 M
(Floyd [Page 2]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (3) 3
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 3 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( layer, where one misbehaving host can deny Internet service to many) s
5 654 M
( other hosts." The discussion of the robustness principle in RFC 1122) s
5 643 M
( also states that "adaptability to change must be designed into all) s
5 632 M
( levels of Internet host software". The principle "be liberal in what) s
5 621 M
( you accept" doesn't carry over in a clear way \(if at all\) to the) s
5 610 M
( world of firewalls, but the issue of "adaptability to change" is) s
5 599 M
( crucial nevertheless. The challenge is to protect legitimate) s
5 588 M
( security interests without completely blocking the ability of the) s
5 577 M
( Internet to evolve to support new applications, protocols, and) s
5 566 M
( functionality.) s
5 544 M
(2.1. The TCP Reserved Field) s
5 522 M
( RFC 793 says that the Reserved field in the TCP header is reserved) s
5 511 M
( for future use, and must be zero. A rephrasing more consistent with) s
5 500 M
( the rest of the document would have been to say that the Reserved) s
5 489 M
( field should be zero when sent and ignored when received, unless) s
5 478 M
( specified otherwise by future standards actions. However, the) s
5 467 M
( phrasing in RFC 793 does not permit sending resets in response to TCP) s
5 456 M
( packets with a non-zero Reserved field, as is explained in the) s
5 445 M
( section above.) s
5 423 M
(2.2. Behavior of and Requirements for Internet Firewalls) s
5 401 M
( RFC 2979 on the Behavior of and Requirements for Internet Firewalls) s
5 390 M
( [RFC2979], an Informational RFC, contains the following:) s
5 368 M
( "Applications have to continue to work properly in the presence of) s
5 357 M
( firewalls. This translates into the following transparency rule: The) s
5 346 M
( introduction of a firewall and any associated tunneling or access) s
5 335 M
( negotiation facilities MUST NOT cause unintended failures of) s
5 324 M
( legitimate and standards-compliant usage that would work were the) s
5 313 M
( firewall not present.") s
5 291 M
( "A necessary corollary to this requirement is that when such failures) s
5 280 M
( do occur it is incumbent on the firewall and associated software to) s
5 269 M
( address the problem: Changes to either implementations of existing) s
5 258 M
( standard protocols or the protocols themselves MUST NOT be) s
5 247 M
( necessary.") s
5 225 M
( "Note that this requirement only applies to legitimate protocol usage) s
5 214 M
( and gratuitous failures -- a firewall is entitled to block any sort) s
5 203 M
( of access that a site deems illegitimate, regardless of whether or) s
5 192 M
( not the attempted access is standards-compliant.") s
5 170 M
( We would note that RFC 2979 is an Informational RFC. RFC 2026 on) s
5 159 M
( Internet Standards Process says the following in Section 4.2.2: "An) s
5 148 M
( `Informational' specification is published for the general) s
5 104 M
(Floyd [Page 3]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (4) 4
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 4 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( information of the Internet community, and does not represent an) s
5 654 M
( Internet community consensus or recommendation" [RFC2026].) s
5 632 M
(2.3. Sending Resets as a Congestion Control Mechanism) s
5 610 M
( Some firewalls and hosts send resets in response to SYN packets as a) s
5 599 M
( congestion control mechanism, for example, when their listen queues) s
5 588 M
( are full. These resets are sent without regard to the contents of) s
5 577 M
( the TCP Reserved field. Possibly in response to the use of resets as) s
5 566 M
( a congestion control mechanism, several popular TCP implementations) s
5 555 M
( immediately resend a SYN packet in response to a reset, up to four) s
5 544 M
( times.) s
5 522 M
( We would recommend that the TCP reset not be used as a congestion) s
5 511 M
( control mechanism, because this overloads the semantics of the reset) s
5 500 M
( message, and inevitably leads to more aggressive behavior from TCP) s
5 489 M
( implementations in response to a reset. We would suggest that simply) s
5 478 M
( dropping the SYN packet is the most effective response to congestion.) s
5 467 M
( The TCP sender will retransmit the SYN packet, using the default) s
5 456 M
( value for the Retransmission Timeout \(RTO\), backing-off the) s
5 445 M
( retransmit timer after each retransmit.) s
5 423 M
(2.4. Resets in Response to Changes in the Precedence Field) s
5 401 M
( RFC 793 includes the following in Section 5:) s
5 379 M
( "If an incoming segment has a security level, or compartment, or) s
5 368 M
( precedence which does not exactly match the level, and compartment,) s
5 357 M
( and precedence requested for the connection, a reset is sent and) s
5 346 M
( connection goes to the CLOSED state.") s
5 324 M
( The "precedence" refers to the \(old\) Precedence field in the \(old\)) s
5 313 M
( ToS field in the IP header. The "security" and "compartment" refer) s
5 302 M
( to the obsolete IP Security option. When it was written, this was) s
5 291 M
( consistent with the guideline elsewhere in RFC 793 that resets should) s
5 280 M
( only be sent when a segment arrives which apparently is not intended) s
5 269 M
( for the current connection.) s
5 247 M
( RFC 2873 on "TCP Processing of the IPv4 Precedence Field" discusses) s
5 236 M
( specific problems raised by the sending of resets when the precedence) s
5 225 M
( field has changed [RFC2873]. RFC 2873, currently a Proposed) s
5 214 M
( Standard, specifies that TCP must ignore the precedence of all) s
5 203 M
( received segments, and must not send a reset in response to changes) s
5 192 M
( in the precedence field. We discuss this here to clarify that this) s
5 181 M
( issue never permitted the sending of a reset in response to a segment) s
5 170 M
( with a non-zero TCP Reserved field.) s
5 104 M
(Floyd [Page 4]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (5) 5
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 5 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
(2.5. Resets in Response to Illegal Option Lengths) s
5 643 M
( RFC 1122 says the following in Section 4.2.2.5 about TCP options) s
5 632 M
( [RFC1122]:) s
5 610 M
( "A TCP MUST be able to receive a TCP option in any segment. A TCP) s
5 599 M
( MUST ignore without error any TCP option it does not implement,) s
5 588 M
( assuming that the option has a length field \(all TCP options defined) s
5 577 M
( in the future will have length fields\). TCP MUST be prepared to) s
5 566 M
( handle an illegal option length \(e.g., zero\) without crashing; a) s
5 555 M
( suggested procedure is to reset the connection and log the reason.") s
5 533 M
( This makes sense, as a TCP receiver is unable to interpret the rest) s
5 522 M
( of the data on a segment that has a TCP option with an illegal option) s
5 511 M
( length. Again, we discuss this here to clarify that this issue never) s
5 500 M
( permitted the sending of a reset in response to a segment with a non-) s
5 489 M
( zero TCP Reserved field.) s
5 467 M
(3. The Specific Example of ECN) s
5 445 M
( This section has a brief explanation of ECN \(Explicit Congestion) s
5 434 M
( Notification\) in general, and the ECN-setup SYN packet in particular.) s
5 412 M
( The Internet is based on end-to-end congestion control, and) s
5 401 M
( historically the Internet has used packet drops as the only method) s
5 390 M
( for routers to indicate congestion to the end nodes. ECN is a recent) s
5 379 M
( addition to the IP architecture to allow routers to set a bit in the) s
5 368 M
( IP packet header to inform end-nodes of congestion, instead of) s
5 357 M
( dropping the packet. ECN requires the cooperation of the transport) s
5 346 M
( end-nodes.) s
5 324 M
( The ECN specification, RFC 2481, was an Experimental RFC from January) s
5 313 M
( 1999 until June 2001, when a revised document [RFC3168] was approved) s
5 302 M
( as Proposed Standard. More information about ECN is available from) s
5 291 M
( the ECN Web Page [ECN].) s
5 269 M
( The use of ECN with TCP requires that both TCP end-nodes have been) s
5 258 M
( upgraded to support the use of ECN, and that both end-nodes agree to) s
5 247 M
( use ECN with this particular TCP connection. This negotiation of ECN) s
5 236 M
( support between the two TCP end-nodes uses two flags that have been) s
5 225 M
( allocated from the Reserved field in the TCP header [RFC2481].) s
5 104 M
(Floyd [Page 5]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (6) 6
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 6 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15) s
5 654 M
( +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+) s
5 643 M
( | | | U | A | P | R | S | F |) s
5 632 M
( | Header Length | Reserved | R | C | S | S | Y | I |) s
5 621 M
( | | | G | K | H | T | N | N |) s
5 610 M
( +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+) s
5 588 M
( Figure 1: The previous definition of bytes 13 and 14 of the TCP) s
5 577 M
( header.) s
5 555 M
( 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15) s
5 544 M
( +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+) s
5 533 M
( | | | C | E | U | A | P | R | S | F |) s
5 522 M
( | Header Length | Reserved | W | C | R | C | S | S | Y | I |) s
5 511 M
( | | | R | E | G | K | H | T | N | N |) s
5 500 M
( +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+) s
5 478 M
( Figure 2: The current definition of bytes 13 and 14 of the TCP) s
5 467 M
( Header, from RFC 3168.) s
5 445 M
( The two ECN flags in the TCP header are defined from the last two) s
5 434 M
( bits in the Reserved field of the TCP header. Bit 9 in the Reserved) s
5 423 M
( field of the TCP header is designated as the ECN-Echo flag \(ECE\), and) s
5 412 M
( Bit 8 is designated as the Congestion Window Reduced \(CWR\) flag. To) s
5 401 M
( negotiate ECN usage, the TCP sender sends an "ECN-setup SYN packet",) s
5 390 M
( a TCP SYN packet with the ECE and CWR flags set. If the TCP host at) s
5 379 M
( the other end wishes to use ECN for this connection, then it sends an) s
5 368 M
( "ECN-setup SYN-ACK packet", a TCP SYN packet with the ECE flag set) s
5 357 M
( and the CWR flag not set. Otherwise, the TCP host at the other end) s
5 346 M
( returns a SYN-ACK packet with neither the ECE nor the CWR flag set.) s
5 324 M
( So now back to TCP resets. When a TCP host negotiating ECN sends an) s
5 313 M
( ECN-setup SYN packet, an old TCP implementation is expected to ignore) s
5 302 M
( those flags in the Reserved field, and to send a plain SYN-ACK packet) s
5 291 M
( in response. However, there are some broken firewalls and load-) s
5 280 M
( balancers in the Internet that instead respond to an ECN-setup SYN) s
5 269 M
( packet with a reset. Following the deployment of ECN-enabled end) s
5 258 M
( nodes, there were widespread complaints that ECN-capable hosts could) s
5 247 M
( not access a number of websites [Kelson00]. This has been) s
5 236 M
( investigated by the Linux community, and by the TBIT project [TBIT]) s
5 225 M
( in data taken from September, 2000, up to March, 2002, and has been) s
5 214 M
( discussed in an article in Enterprise Linux Today [Cou01]. Some of) s
5 203 M
( the offending equipment has been identified, and a web page [FIXES]) s
5 192 M
( contains a list of non-compliant products and the fixes posted by the) s
5 181 M
( vendors. In March 2002, six months after ECN was approved as) s
5 170 M
( Proposed Standard, ECN-setup SYN packets were answered by a reset) s
5 159 M
( from 203 of the 12,364 web sites tested, and ECN-setup SYN packets) s
5 148 M
( were dropped for 420 of the web sites. Installing software that) s
5 104 M
(Floyd [Page 6]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (7) 7
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 7 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( blocks packets using flags in TCP's Reserved field is considerably) s
5 654 M
( easier than uninstalling that software later on.) s
5 632 M
(3.1. ECN: The Work-Around.) s
5 610 M
( A work-around for maintaining connectivity in the face of the broken) s
5 599 M
( equipment was described in [Floyd00], and has been specified in RFC) s
5 588 M
( 3168 as a procedure that may be included in TCP implementations. We) s
5 577 M
( describe this work-around briefly below.) s
5 555 M
( To provide robust connectivity even in the presence of faulty) s
5 544 M
( equipment, a TCP host that receives a reset in response to the) s
5 533 M
( transmission of an ECN-setup SYN packet may resend the SYN with CWR) s
5 522 M
( and ECE cleared. This would result in a TCP connection being) s
5 511 M
( established without using ECN. This also has the unfortunate result) s
5 500 M
( of the ECN-capable TCP host not responding properly to the first) s
5 489 M
( valid reset. If a second reset is sent in response to the second) s
5 478 M
( SYN, which had CWR and ECE cleared, then the TCP host should respond) s
5 467 M
( properly by aborting the connection.) s
5 445 M
( Similarly, a host that receives no reply to an ECN-setup SYN within) s
5 434 M
( the normal SYN retransmission timeout interval may resend the SYN and) s
5 423 M
( any subsequent SYN retransmissions with CWR and ECE cleared. To) s
5 412 M
( overcome normal packet loss that results in the original SYN being) s
5 401 M
( lost, the originating host may retransmit one or more ECN-setup SYN) s
5 390 M
( packets before giving up and retransmitting the SYN with the CWR and) s
5 379 M
( ECE bits cleared.) s
5 357 M
( Some TCP implementors have so far decided not to deploy these) s
5 346 M
( workarounds, for the following reasons:) s
5 324 M
( * The work-arounds would result in ECN-capable hosts not responding) s
5 313 M
( properly to the first valid reset received in response to a SYN) s
5 302 M
( packet.) s
5 280 M
( * The work-arounds would limit ECN functionality in environments) s
5 269 M
( without broken equipment, by disabling ECN where the first SYN or) s
5 258 M
( SYN-ACK packet was dropped in the network.) s
5 236 M
( * The work-arounds in many cases would involve a delay of six seconds) s
5 225 M
( or more before connectivity is established with the remote server, in) s
5 214 M
( the case of broken equipment that drops ECN-setup SYN packets. By) s
5 203 M
( accommodating this broken equipment, the work-arounds have been) s
5 192 M
( judged as implicitly accepting both this delay and the broken) s
5 181 M
( equipment that would be causing this delay.) s
5 159 M
( One possibility would be for such work-arounds to be configurable by) s
5 148 M
( the user.) s
5 104 M
(Floyd [Page 7]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (8) 8
%%BeginPageSetup
_S
24 24 translate
% Per-page variables emitted by enscript (page number and input file name).
/pagenum 8 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
% Page body: each "x y M" line moves the pen and the following "(text) s"
% line draws one line of the draft; the strings are shown verbatim.
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( One unavoidable consequence of the work-around of resending a) s
5 654 M
( modified SYN packet in response to a reset is to further erode the) s
5 643 M
( semantics of the TCP reset. Thus, when a box sends a reset, the TCP) s
5 632 M
( host receiving that reset does not know if the reset was sent simply) s
5 621 M
( because of the ECN-related flags in the TCP header, or because of) s
5 610 M
( some more fundamental problem. Therefore, the TCP host resends the) s
5 599 M
( TCP SYN packet without the ECN-related flags in the TCP header. The) s
5 588 M
( ultimate consequence of this absence of clear communications from the) s
5 577 M
( middlebox to the end-nodes could be an extended spiral of) s
5 566 M
( communications specified for transport protocols, as end nodes) s
5 555 M
( attempt to sacrifice as little functionality as possible in the) s
5 544 M
( process of determining which packets will and will not be forwarded) s
5 533 M
( to the other end. This is discussed in more detail in Section 6.1) s
5 522 M
( below.) s
5 500 M
(4. On Combating Obstacles to the Proper Evolution of the Internet) s
5 489 M
(Infrastructure) s
5 467 M
( One of the reasons that this issue of inappropriate resets is) s
5 456 M
( important \(to me\) is that it has complicated the deployment of ECN in) s
5 445 M
( the Internet \(though it has fortunately not blocked the deployment) s
5 434 M
( completely\). It has also added an unnecessary obstacle to the future) s
5 423 M
( effectiveness of ECN.) s
5 401 M
( However, a second, more general reason why this issue is important is) s
5 390 M
( that the presence of equipment in the Internet that rejects valid TCP) s
5 379 M
( packets limits the future evolution of TCP, completely aside from the) s
5 368 M
( issue of ECN. That is, the widespread deployment of equipment that) s
5 357 M
( rejects TCP packets that use Reserved flags in the TCP header could) s
5 346 M
( effectively prevent the deployment of new mechanisms that use any of) s
5 335 M
( these Reserved flags. It doesn't matter if these new mechanisms have) s
5 324 M
( the protection of Experimental or Proposed Standard status from the) s
5 313 M
( IETF, because the broken equipment in the Internet does not stop to) s
5 302 M
( look up the current status of the protocols before rejecting the) s
5 291 M
( packets. TCP is good, and useful, but it would be a pity for the) s
5 280 M
( deployment of broken equipment in the Internet to result in the) s
5 269 M
( "freezing" of TCP in its current state, without the ability to use) s
5 258 M
( the Reserved flags in the future evolution of TCP.) s
5 236 M
( In the specific case of middleboxes that block TCP SYN packets) s
5 225 M
( attempting to negotiate ECN, the work-around described in Section 3.1) s
5 214 M
( is sufficient to ensure that end-nodes could still establish) s
5 203 M
( connectivity. However, there are likely to be additional uses of the) s
5 192 M
( TCP Reserved Field standardized in the next year or two, and these) s
5 181 M
( additional uses might not coexist quite as successfully with) s
5 170 M
( middleboxes that send resets. Consider the difficulties that could) s
5 159 M
( result if a path changes in the middle of a connection's lifetime,) s
5 148 M
( and the middleboxes on the old and new paths have different policies) s
5 104 M
(Floyd [Page 8]) s
_R % drop everything defined since this page's _S
S % showpage with graphics state preserved
%%Page: (9) 9
%%BeginPageSetup
_S
24 24 translate
/pagenum 9 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( about exactly which flags in the TCP Reserved field they would and) s
5 654 M
( would not block.) s
5 632 M
( Taking the wider view, the existence of web servers or firewalls that) s
5 621 M
( send inappropriate resets is only one example of functionality in the) s
5 610 M
( Internet that restricts the future evolution of the Internet. The) s
5 599 M
( impact of all of these small restrictions taken together presents a) s
5 588 M
( considerable obstacle to the development of the Internet) s
5 577 M
( architecture.) s
5 555 M
(5. Issues for Transport Protocols) s
5 533 M
( One lesson for designers of transport protocols is that transport) s
5 522 M
( protocols will have to protect themselves from the unknown and) s
5 511 M
( seemingly arbitrary actions of firewalls, normalizers, and other) s
5 500 M
( middleboxes in the network. For the moment, for TCP, this means) s
5 489 M
( sending a non-ECN-setup SYN when a reset is received in response to) s
5 478 M
( an ECN-setup SYN packet. Defensive actions on the side of transport) s
5 467 M
( protocols could include using Reserved flags in the SYN packet before) s
5 456 M
( using them in data traffic, to protect against middleboxes that block) s
5 445 M
( packets using those flags. It is possible that transport protocols) s
5 434 M
( will also have to add additional checks during the course of the) s
5 423 M
( connection lifetime to check for interference from middleboxes along) s
5 412 M
( the path.) s
5 390 M
( The ECN standards document, RFC 3168, contains an extensive) s
5 379 M
( discussion in Section 18 on "Possible Changes to the ECN Field in the) s
5 368 M
( Network", but includes the following about possible changes to the) s
5 357 M
( TCP header:) s
5 335 M
( "This document does not consider potential dangers introduced by) s
5 324 M
( changes in the transport header within the network. We note that) s
5 313 M
( when IPsec is used, the transport header is protected both in tunnel) s
5 302 M
( and transport modes [ESP, AH].") s
5 280 M
( With the current modification of transport-level headers in the) s
5 269 M
( network by firewalls \(as discussed below in Section 6.2\), future) s
5 258 M
( protocol designers might no longer have the luxury of ignoring the) s
5 247 M
( possible impact of changes to the transport header within the) s
5 236 M
( network.) s
5 214 M
( Transport protocols will also have to respond in some fashion to an) s
5 203 M
( ICMP code of "Communication Administratively Prohibited" if) s
5 192 M
( middleboxes start to use this form of the ICMP Destination) s
5 181 M
( Unreachable message to indicate that the packet is using) s
5 170 M
( functionality not allowed [RFC1812].) s
5 104 M
(Floyd [Page 9]) s
_R
S
%%Page: (10) 10
%%BeginPageSetup
_S
24 24 translate
/pagenum 10 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
(6. Issues for Middleboxes) s
5 643 M
( Given that some middleboxes are going to drop some packets because) s
5 632 M
( they use functionality not allowed by the middlebox, the larger issue) s
5 621 M
( remains of how middleboxes should communicate the reason for this) s
5 610 M
( action to the end-nodes, if at all. One suggestion, for) s
5 599 M
( consideration in more depth in a separate document, would be that) s
5 588 M
( firewalls send an ICMP Destination Unreachable message with the code) s
5 577 M
( "Communication Administratively Prohibited" [B01].) s
5 555 M
( We acknowledge that this is not an ideal solution, for several) s
5 544 M
( reasons. First, middleboxes along the reverse path might block these) s
5 533 M
( ICMP messages. Second, some firewall operators object to explicit) s
5 522 M
( communication because it reveals too much information about security) s
5 511 M
( policies. And third, the response of transport protocols to such an) s
5 500 M
( ICMP message is not yet specified.) s
5 478 M
( However, an ICMP "Administratively Prohibited" message could be a) s
5 467 M
( reasonable addition, for firewalls willing to use explicit) s
5 456 M
( communication. One possibility, again to be explored in a separate) s
5 445 M
( document, would be for the ICMP "Administratively Prohibited" message) s
5 434 M
( to be modified to convey additional information to the end host.) s
5 412 M
( We would note that this document does not consider middleboxes that) s
5 401 M
( block complete transport protocols. We also note that this document) s
5 390 M
( is not addressing firewalls that send resets in response to a TCP SYN) s
5 379 M
( packet to a firewalled-off TCP port. Such a use of resets seems) s
5 368 M
( consistent with the semantics of TCP reset. This document is only) s
5 357 M
( considering the problems caused by middleboxes that block specific) s
5 346 M
( packets within a transport protocol when other packets from that) s
5 335 M
( transport protocol are forwarded by the middlebox unaltered.) s
5 313 M
( One complication is that once a mechanism is installed in a firewall) s
5 302 M
( to block a particular functionality, it can take considerable effort) s
5 291 M
( for network administrators to "un-install" that block. It has been) s
5 280 M
( suggested that tweakable settings on firewalls could make recovery) s
5 269 M
( from future incidents less painful all around. Again, because this) s
5 258 M
( document does not address more general issues about firewalls, the) s
5 247 M
( issue of greater firewall flexibility, and the attendant possible) s
5 236 M
( security risks, belongs in a separate document.) s
5 214 M
(6.1. Current Choices for Firewalls) s
5 192 M
( Given a firewall that has decided to drop TCP packets that use) s
5 181 M
( reserved bits in the TCP header, one question is whether the firewall) s
5 170 M
( should also send a Reset, in order to prevent the TCP connection from) s
5 159 M
( consuming unnecessary resources at the TCP sender waiting for the) s
5 148 M
( retransmit timeout. We would argue that whether or not the firewall) s
5 104 M
(Floyd [Page 10]) s
_R
S
%%Page: (11) 11
%%BeginPageSetup
_S
24 24 translate
/pagenum 11 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( feels compelled to drop the TCP packet, it is not appropriate to send) s
5 654 M
( a TCP reset. Sending a TCP reset in response to prohibited) s
5 643 M
( functionality would continue the current overloading of the semantics) s
5 632 M
( of the TCP reset in a way that could be counterproductive all around.) s
5 610 M
( As an example, Section 2.3 has already observed that some firewalls) s
5 599 M
( send resets in response to TCP SYN packets as a congestion control) s
5 588 M
( mechanism. Possibly in response to this \(or perhaps in response to) s
5 577 M
( something else\), some popular TCP implementations immediately resend) s
5 566 M
( a SYN packet in response to a reset, up to four times. Other TCP) s
5 555 M
( implementations, in conformance to the standards, don't resend SYN) s
5 544 M
( packets after receiving a reset. The more aggressive TCP) s
5 533 M
( implementations increase congestion for others, but also increase) s
5 522 M
( their own chances of eventually getting through. Given these fluid) s
5 511 M
( semantics for the TCP reset, one might expect more TCP) s
5 500 M
( implementations to start resending SYN packets in response to a) s
5 489 M
( reset, completely apart from any issues having to do with ECN.) s
5 478 M
( Obviously, this weakens the effectiveness of the reset when used for) s
5 467 M
( its original purpose, of responding to TCP packets that apparently) s
5 456 M
( are not intended for the current connection.) s
5 434 M
( If we add to this mix the use of the TCP reset by firewalls in) s
5 423 M
( response to TCP packets using reserved bits in the TCP header, this) s
5 412 M
( muddies the waters further. Because TCP resets could be sent due to) s
5 401 M
( congestion, or to prohibited functionality, or because a packet was) s
5 390 M
( received from a previous TCP connection, TCP implementations \(or,) s
5 379 M
( more properly, TCP implementors\) would now have an incentive to be) s
5 368 M
( even more persistent in resending SYN packets in response to TCP) s
5 357 M
( resets. In addition to the incentive mentioned above of resending) s
5 346 M
( TCP SYN packets to increase one's odds of eventually getting through) s
5 335 M
( in a time of congestion, the TCP reset might have been due to) s
5 324 M
( prohibited functionality instead of congestion, so the TCP) s
5 313 M
( implementation might resend SYN packets in different forms to) s
5 302 M
( determine exactly which functionality is being prohibited. Such a) s
5 291 M
( continual changing of the semantics of the TCP reset could be) s
5 280 M
( expected to lead to a continued escalation of measures and) s
5 269 M
( countermeasures between firewalls and end-hosts, with little) s
5 258 M
( productive benefit to either side.) s
5 236 M
( It could be argued that *dropping* the TCP SYN packet due to the use) s
5 225 M
( of prohibited functionality leads to overloading of the semantics of) s
5 214 M
( a packet drop, in the same way that the reset leads to overloading) s
5 203 M
( the semantics of a reset. This is true; from the viewpoint of end-) s
5 192 M
( system response to messages with overloaded semantics, it would be) s
5 181 M
( preferable to have an explicit indication about prohibited) s
5 170 M
( functionality \(for those firewalls for some reason willing to use) s
5 159 M
( explicit indications\). But given a firewall's choice between sending) s
5 148 M
( a reset or just dropping the packet, we would argue that just) s
5 104 M
(Floyd [Page 11]) s
_R
S
%%Page: (12) 12
%%BeginPageSetup
_S
24 24 translate
/pagenum 12 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( dropping the packet does less damage, in terms of giving an incentive) s
5 654 M
( to end-hosts to adopt counter-measures. It is true that just) s
5 643 M
( dropping the packet, without sending a reset, results in delay for) s
5 632 M
( the TCP connection in resending the SYN packet without the prohibited) s
5 621 M
( functionality. However, sending a reset has the undesirable longer-) s
5 610 M
( term effect of giving an incentive to future TCP implementations to) s
5 599 M
( add more baroque combinations of resending SYN packets in response to) s
5 588 M
( a reset, because the TCP sender can't tell if the reset is for a) s
5 577 M
( standard reason, for congestion, or for the prohibited functionality) s
5 566 M
( of option X or reserved bit Y in the TCP header.) s
5 544 M
(6.2. The Complications of Modifying Packet Headers in the Network) s
5 522 M
( In addition to firewalls that send resets in response to ECN-setup) s
5 511 M
( SYN packets and firewalls that drop ECN-setup SYN packets, there also) s
5 500 M
( exist firewalls that by default zero the flags in the TCP Reserved) s
5 489 M
( field, including the two flags used for ECN. We note that in some) s
5 478 M
( cases this could have unintended and undesirable consequences.) s
5 456 M
( If a firewall zeros the ECN-related flags in the TCP header in the) s
5 445 M
( initial SYN packet, then the TCP connection will be set up without) s
5 434 M
( using ECN, and the ECN-related flags in the TCP header will be sent) s
5 423 M
( zeroed-out in all of the subsequent packets in this connection. This) s
5 412 M
( will accomplish the firewall's purpose of blocking ECN, while) s
5 401 M
( allowing the TCP connection to proceed efficiently and smoothly) s
5 390 M
( without using ECN.) s
5 368 M
( If for some reason the ECN-related flags in the TCP header aren't) s
5 357 M
( zeroed in the initial SYN packet from host A to host B, but the) s
5 346 M
( firewall does zero those flags in the responding SYN/ACK packet from) s
5 335 M
( host B to host A, the consequence could be to subvert end-to-end) s
5 324 M
( congestion control for this connection. The ECN specifications were) s
5 313 M
( not written to ensure robust operation in the presence of the) s
5 302 M
( arbitrary zeroing of TCP header fields within the network, because it) s
5 291 M
( didn't occur to the authors of the protocol at the time that this was) s
5 280 M
( a requirement in protocol design.) s
5 258 M
( Similarly, if the ECN-related flags in the TCP header are not zeroed) s
5 247 M
( in either the SYN or the SYN/ACK packet, but the firewall does zero) s
5 236 M
( these flags in later packets in that TCP connection, this could also) s
5 225 M
( have the unintended consequence of subverting end-to-end congestion) s
5 214 M
( control for this connection. The details of these possible) s
5 203 M
( interactions are not crucial for this document, and are described in) s
5 192 M
( the appendix. However, our conclusion, both for the ECN-related) s
5 181 M
( flags in the TCP header and for future uses of the four other bits in) s
5 170 M
( the TCP Reserved field, would be that if it is required for firewalls) s
5 159 M
( to be able to block the use of a new function being added to a) s
5 148 M
( protocol, this is best addressed in the initial design phase by joint) s
5 104 M
(Floyd [Page 12]) s
_R
S
%%Page: (13) 13
%%BeginPageSetup
_S
24 24 translate
/pagenum 13 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( cooperation between the firewall community and the protocol) s
5 654 M
( designers.) s
5 632 M
(7. Conclusions) s
5 610 M
( Our conclusion is that it is not conformant with current standards) s
5 599 M
( for a firewall, load-balancer, or web-server to respond with a reset) s
5 588 M
( to a TCP SYN packet simply because the packet uses flags in the TCP) s
5 577 M
( Reserved field. More specifically, it is not conformant to respond) s
5 566 M
( with a reset to a TCP SYN packet simply because the ECE and CWR flags) s
5 555 M
( are set in the TCP header. We would urge vendors to make available) s
5 544 M
( fixes for any nonconformant code, and we would urge ISPs and system) s
5 533 M
( administrators to deploy these fixes in their web servers and) s
5 522 M
( firewalls.) s
5 500 M
( We don't claim that it violates any standard for middleboxes to) s
5 489 M
( arbitrarily drop packets that use flags in the TCP Reserved field,) s
5 478 M
( but we would argue that behavior of this kind, without a clear method) s
5 467 M
( for informing the end-nodes of the reasons for these actions, could) s
5 456 M
( present a significant obstacle to the development of TCP. More work) s
5 445 M
( is clearly needed to reconcile the conflicting interests of providing) s
5 434 M
( security while at the same time allowing the careful evolution of) s
5 423 M
( Internet protocols.) s
5 401 M
(8. Acknowledgements) s
5 379 M
( This document results from discussions and activity by many people,) s
5 368 M
( so I will refrain from trying to acknowledge all of them here. My) s
5 357 M
( specific thanks go to Ran Atkinson, Steve Bellovin, Alex Cannara,) s
5 346 M
( Dennis Ferguson, Ned Freed, Mark Handley, John Klensin, Allison) s
5 335 M
( Mankin, Jitendra Padhye, Vern Paxson, K. K. Ramakrishnan, Jamal Hadi) s
5 324 M
( Salim, Pekka Savola, Alex Snoeren, and Dan Wing for feedback on this) s
5 313 M
( document, and to the End-to-End Research Group, the IAB, and the IESG) s
5 302 M
( for discussion of these issues. I thank Mikael Olsson for numerous) s
5 291 M
( rounds of feedback. I also thank the members of the Firewall Wizards) s
5 280 M
( mailing list for feedback \(generally of disagreement\) on an earlier) s
5 269 M
( draft of this document.) s
5 247 M
( Email discussions with a number of people, including Dax Kelson,) s
5 236 M
( Alexey Kuznetsov, Kacheong Poon, David Reed, Jamal Hadi Salim, and) s
5 225 M
( Venkat Venkatsubra, have addressed the issues raised by non-) s
5 214 M
( conformant equipment in the Internet that does not respond to TCP SYN) s
5 203 M
( packets with the ECE and CWR flags set. We thank Mark Handley,) s
5 192 M
( Jitendra Padhye, and others for discussions on the TCP initialization) s
5 181 M
( procedures.) s
5 104 M
(Floyd [Page 13]) s
_R
S
%%Page: (14) 14
%%BeginPageSetup
_S
24 24 translate
/pagenum 14 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
(9. Normative References) s
5 643 M
( [RFC793] Postel, J., "Transmission Control Protocol - DARPA Internet) s
5 632 M
( Program Protocol Specification", RFC 793, DARPA, September 1981.) s
5 610 M
( [RFC1122] Braden, R., "Requirements for Internet Hosts --) s
5 599 M
( Communication Layers", STD 3, RFC 1122, October 1989.) s
5 577 M
( [RFC1812] F. Baker, "Requirements for IP Version 4 Routers", RFC) s
5 566 M
( 1812, June 1995.) s
5 544 M
( [RFC2026] S. Bradner, The Internet Standards Process -- Revision 3,) s
5 533 M
( RFC 2026, BCP 9, October 1996.) s
5 511 M
( [RFC2481] K. K. Ramakrishnan and S. Floyd, A Proposal to add Explicit) s
5 500 M
( Congestion Notification \(ECN\) to IP, RFC 2481, January 1999.) s
5 478 M
( [RFC2873] Xiao, X., Hannan, A., Paxson, V., and Crabbe, E., TCP) s
5 467 M
( Processing of the IPv4 Precedence Field, RFC 2873, June 2000.) s
5 456 M
( Proposed Standard.) s
5 434 M
( [RFC2979] N. Freed, Behavior of and Requirements for Internet) s
5 423 M
( Firewalls, RFC 2979, Informational, October 2000.) s
5 401 M
( [RFC3168] K.K. Ramakrishnan, S. Floyd, and D. Black, The Addition of) s
5 390 M
( Explicit Congestion Notification \(ECN\) to IP, RFC 3168, Proposed) s
5 379 M
( Standard, September 2001.) s
5 357 M
(10. Informative References) s
5 335 M
( [B01] Steve Bellovin, A "Reason" Field for ICMP "Administratively) s
5 324 M
( Prohibited" Messages, draft-bellovin-adminprohib-00.txt, internet-) s
5 313 M
( draft, work in progress, December 2001.) s
5 291 M
( [Cou01] Scott Courtney, Why Can't My 2.4 Kernel See Some Web Sites?,) s
5 280 M
( Enterprise Linux Today, Apr 17, 2001. URL) s
5 269 M
( "http://eltoday.com/article.php3?ltsn=2001-04-17-001-14-PS".) s
5 247 M
( [ECN] "The ECN Web Page", URL "http://www.icir.org/floyd/ecn.html".) s
5 225 M
( [FIXES] ECN-under-Linux Unofficial Vendor Support Page, URL) s
5 214 M
( "http://gtf.org/garzik/ecn/".) s
5 192 M
( [Floyd00] Sally Floyd, Negotiating ECN-Capability in a TCP) s
5 181 M
( connection, October 2, 2000, email to the end2end-interest mailing) s
5 170 M
( list. URL "http://www.icir.org/floyd/papers/ECN.Oct2000.txt".) s
5 148 M
( [Kelson00] Dax Kelson, note sent to the Linux kernel mailing list,) s
5 104 M
(Floyd [Page 14]) s
_R
S
%%Page: (15) 15
%%BeginPageSetup
_S
24 24 translate
/pagenum 15 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( September 10, 2000.) s
5 643 M
( [QUESO] Toby Miller, Intrusion Detection Level Analysis of Nmap and) s
5 632 M
( Queso, August 30, 2000. URL) s
5 621 M
( "http://www.securityfocus.com/infocus/1225".) s
5 599 M
( [Ste94] Stevens, W., "TCP/IP Illustrated, Volume 1: The Protocols",) s
5 588 M
( Addison-Wesley, 1994.) s
5 566 M
( [SFO01] FreeBSD ipfw Filtering Evasion Vulnerability, Security Focus) s
5 555 M
( Online, January 23, 2001. URL) s
5 544 M
( "http://www.securityfocus.com/bid/2293".) s
5 522 M
( [TBIT] Jitendra Padhye and Sally Floyd, Identifying the TCP Behavior) s
5 511 M
( of Web Servers, SIGCOMM, August 2001. URL) s
5 500 M
( "http://www.icir.org/tbit/".) s
5 478 M
(11. Security Considerations) s
5 456 M
( One general risk of using Reserved flags in TCP is the risk of) s
5 445 M
( providing additional information about the configuration of the host) s
5 434 M
( in question. However, TCP is sufficiently loosely specified as it) s
5 423 M
( is, with sufficiently many variants and options, that port-scanning) s
5 412 M
( tools such as Nmap and Queso do rather well in identifying the) s
5 401 M
( configuration of hosts even without the use of Reserved flags.) s
5 379 M
( The security considerations and all other considerations of a) s
5 368 M
( possible ICMP Destination Unreachable message with the code) s
5 357 M
( "Communication Administratively Prohibited" will be discussed in a) s
5 346 M
( separate document.) s
5 324 M
( The traditional concern of firewalls is to prevent unauthorized) s
5 313 M
( access to systems, to prevent DoS attacks and other attacks from) s
5 302 M
( subverting the end-user terminal, and to protect end systems from) s
5 291 M
( buggy code. We are aware of one security vulnerability reported from) s
5 280 M
( the use of the Reserved flags in the TCP header [SFO01]. A packet) s
5 269 M
( filter intended only to let through packets in established) s
5 258 M
( connections can let pass a packet not in an established connection if) s
5 247 M
( the packet has the ECE flag set in the reserved field. "Exploitation) s
5 236 M
( of this vulnerability may allow for unauthorized remote access to) s
5 225 M
( otherwise protected services." It is also possible that an) s
5 214 M
( implementation of TCP could appear that has buggy code associated) s
5 203 M
( with the use of Reserved flags in the TCP header, but we are not) s
5 192 M
( aware of any such implementation at the moment.) s
5 170 M
( Unfortunately, misconceived security concerns are one of the reasons) s
5 159 M
( for the problems described in this document in the first place. An) s
5 148 M
( August, 2000, article on "Intrusion Detection Level Analysis of Nmap) s
5 104 M
(Floyd [Page 15]) s
_R
S
%%Page: (16) 16
%%BeginPageSetup
_S
24 24 translate
/pagenum 16 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( and Queso" described the port-scanning tool Queso as sending SYN) s
5 654 M
( packets with the last two Reserved bits in the TCP header set, and) s
5 643 M
( said the following: "[QUESO] is easy to identify, if you see [these) s
5 632 M
( two Reserved bits and the SYN bit] set in the 13th byte of the TCP) s
5 621 M
( header, you know that someone has malicious intentions for your) s
5 610 M
( network." As is documented on the TBIT Web Page, the middleboxes) s
5 599 M
( that block SYNs using the two ECN-related Reserved flags in the TCP) s
5 588 M
( header do not block SYNs using other Reserved flags in the TCP) s
5 577 M
( header.) s
5 555 M
( One lesson appears to be that anyone can effectively ``attack'' a new) s
5 544 M
( TCP function simply by using that function in their publicly-) s
5 533 M
( available port-scanning tool, thus causing middleboxes of all kinds) s
5 522 M
( to block the use of that function.) s
5 500 M
(12. Appendix: The Complications of Modifying Packet Headers) s
5 478 M
( In this section we first show that if the ECN-related flags in the) s
5 467 M
( TCP header aren't zeroed in the initial SYN packet from Host A to) s
5 456 M
( Host B, but are zeroed in the responding SYN/ACK packet from Host B) s
5 445 M
( to Host A, the consequence could be to subvert end-to-end congestion) s
5 434 M
( control for this connection.) s
5 412 M
( Assume that the ECN-setup SYN packet from Host A is received by Host) s
5 401 M
( B, but the ECN-setup SYN/ACK from Host B is modified by a firewall in) s
5 390 M
( the network to a non-ECN-setup SYN/ACK, as in Figure 3 below. RFC) s
5 379 M
( 3168 does not specify that the ACK packet in any way should echo the) s
5 368 M
( TCP flags received in the SYN/ACK packet, because it had not occurred) s
5 357 M
( to the designers that these flags would be modified within the) s
5 346 M
( network.) s
5 324 M
( Host A Firewall or router Host B) s
5 313 M
( -----------------------------------------------------------------) s
5 302 M
( Sends ECN-setup SYN ----------------> Receives ECN-setup SYN) s
5 291 M
( <- Sends ECN-setup SYN/ACK) s
5 280 M
( <- Firewall zeros flags) s
5 269 M
( Receives non-ECN-setup SYN/ACK) s
5 258 M
( Sends ACK and data ----------------> Receives ACK and data) s
5 247 M
( <- Sends data packet with ECT) s
5 236 M
( <- Router sets CE) s
5 225 M
( Receives data packet with ECT and CE) s
5 203 M
( Figure 3: ECN-related flags in SYN/ACK packet cleared in network.) s
5 181 M
( Following RFC 3168, Host A has received a non-ECN-setup SYN/ACK) s
5 170 M
( packet, and must not set ECT on data packets. Host B, however, does) s
5 159 M
( not know that Host A has received a non-ECN-setup SYN/ACK packet, and) s
5 148 M
( Host B may set ECT on data packets. RFC 3168 does not require Host A) s
5 104 M
(Floyd [Page 16]) s
_R
S
%%Page: (17) 17
%%BeginPageSetup
_S
24 24 translate
/pagenum 17 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( to respond properly to data packets received from Host B with the ECT) s
5 654 M
( and CE codepoints set in the IP header. Thus, the data sender, Host) s
5 643 M
( B, might never be informed about the congestion encountered in the) s
5 632 M
( network, thus violating end-to-end congestion control.) s
5 610 M
( Next we show that if the ECN-related flags in the TCP header are not) s
5 599 M
( zeroed in either the SYN or the SYN/ACK packet, but the firewall does) s
5 588 M
( zero these flags in later packets in that TCP connection, this could) s
5 577 M
( also have the unintended consequence of subverting end-to-end) s
5 566 M
( congestion control for this connection. Figure 4 shows this) s
5 555 M
( scenario.) s
5 533 M
( Host A Firewall or router Host B) s
5 522 M
( -----------------------------------------------------------------) s
5 511 M
( Sends ECN-setup SYN ----------------> Receives ECN-setup SYN) s
5 500 M
( Receives ECN-setup SYN/ACK <------------ Sends ECN-setup SYN/ACK) s
5 489 M
( Sends ACK and data ----------------> Receives ACK and data) s
5 478 M
( <- Sends data packet with ECT) s
5 467 M
( <- Router sets CE) s
5 456 M
( Receives data packet with ECT and CE) s
5 445 M
( Sends ACK with ECE ->) s
5 434 M
( Firewall resets ECE ->) s
5 423 M
( Receives plain ACK) s
5 401 M
( Figure 4: ECN-related flags in ACK packet cleared in network.) s
5 379 M
( The ECN-related flags are not changed by the network in the ECN-setup) s
5 368 M
( SYN and SYN/ACK packets for the scenario in Figure 4, and both end) s
5 357 M
( nodes are free to use ECN, and to set the ECT flag in the ECN field) s
5 346 M
( in the IP header. However, if the firewall clears the ECE flag in) s
5 335 M
( the TCP header in ACK packets from Node A to Node B, then Node B will) s
5 324 M
( never hear about the congestion that its earlier data packets) s
5 313 M
( encountered in the network, thus subverting end-to-end congestion) s
5 302 M
( control for this connection.) s
5 280 M
( Additional complications will arise when/if the use of the ECN nonce) s
5 269 M
( in TCP becomes standardized in the IETF [RFC3168], as this could) s
5 258 M
( involve the specification of an additional flag from the TCP Reserved) s
5 247 M
( field for feedback from the TCP data receiver to the TCP data sender.) s
5 236 M
( The primary motivation for the ECN nonce is to allow mechanisms for) s
5 225 M
( the data sender to verify that network elements are not erasing the) s
5 214 M
( CE codepoint, and that data receivers are properly reporting to the) s
5 203 M
( sender the receipt of packets with the CE codepoint set.) s
5 181 M
(13. IANA Considerations) s
5 159 M
( There are no IANA considerations in this document.) s
5 104 M
(Floyd [Page 17]) s
_R
S
%%Page: (18) 18
%%BeginPageSetup
_S
24 24 translate
/pagenum 18 def
/fname (draft-floyd-tcp-reset-04.txt) def
/fdir () def
/ftail (draft-floyd-tcp-reset-04.txt) def
/user_header_p false def
%%EndPageSetup
5 698 M
(draft-floyd-tcp-reset Inappropriate TCP Resets May 2002) s
5 665 M
( AUTHORS' ADDRESSES) s
5 632 M
( Sally Floyd) s
5 621 M
( Phone: +1 \(510\) 666-2989) s
5 610 M
( ICIR \(ICSI Center for Internet Research\)) s
5 599 M
( Email: floyd@icir.org) s
5 588 M
( URL: http://www.icir.org/floyd/) s
5 566 M
( This draft was created in May 2002.) s
5 555 M
( It expires November 2002.) s
5 104 M
(Floyd [Page 18]) s
_R
S
%%Trailer
%%Pages: 18
%%DocumentNeededResources: font Courier-Bold Courier
%%EOF