idnits 2.17.1 draft-kohler-tcpm-extopt-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.5 on line 250. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 266. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 273. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 279. ** Found boilerplate matching RFC 3978, Section 5.4, paragraph 1 (on line 242), which is fine, but *also* found old RFC 2026, Section 10.4C, paragraph 1 text on line 38. ** The document seems to lack an RFC 3978 Section 5.1 IPR Disclosure Acknowledgement -- however, there's a paragraph with a matching beginning. Boilerplate error? ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (19 September 2004) is 7153 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC 3168' is defined on line 213, but no explicit reference was found in the text == Unused Reference: 'RFC 3360' is defined on line 216, but no explicit reference was found in the text == Unused Reference: 'RFC 3517' is defined on line 219, but no explicit reference was found in the text == Unused Reference: 'SB00' is defined on line 223, but no explicit reference was found in the text ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 1323 (Obsoleted by RFC 7323) -- Obsolete informational reference (is this intentional?): RFC 2385 (Obsoleted by RFC 5925) -- Obsolete informational reference (is this intentional?): RFC 3517 (Obsoleted by RFC 6675) Summary: 8 errors (**), 0 flaws (~~), 6 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet Engineering Task Force Eddie Kohler 2 INTERNET-DRAFT UCLA 3 draft-kohler-tcpm-extopt-00.txt 19 September 2004 4 Expires: March 2005 6 Extended Option Space for TCP 8 Status of this Memo 10 This document is an Internet-Draft. 12 By submitting this Internet-Draft, we certify that any applicable 13 patent or other IPR claims of which we are aware have been 14 disclosed, or will be disclosed, and any of which we become aware 15 will be disclosed, in accordance with RFC 3668 (BCP 79). 17 By submitting this Internet-Draft, we accept the provisions of 18 Section 3 of RFC 3667 (BCP 78). 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six 26 months and may be updated, replaced, or obsoleted by other documents 27 at any time. It is inappropriate to use Internet-Drafts as 28 reference material or to cite them other than a "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/1id-abstracts.html 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html 36 Copyright Notice 38 Copyright (C) The Internet Society (2004). All Rights Reserved. 40 Abstract 42 This memo describes a reinterpretation of the TCP Data Offset field, 43 affecting the previously illegal code points 0-4, that allows 44 endpoints to fit more than 40 bytes of option into TCP segments. 46 1. Introduction 48 The TCP datagram format has space for up to 40 bytes of TCP options 49 [RFC 793]. Although this is adequate in most cases, a combination of 50 options such as TCP MD5 [RFC 2385], SACK (Selective Acknowledgement) 51 [RFC 2018], and Timestamp [RFC 1323] will not fit in the currently 52 available option space. In fact, SACK alone could take up more 53 space than is available, given a sufficiently complex loss pattern. 54 A mechanism supporting larger option space might support currently 55 illegal option combinations, simplify the deployment of any future 56 TCP options, and discourage kludges that try to fit too much data 57 into too little option space. Further motivation and discussion 58 TBA. 60 The amount of space used for options is determined by the TCP 61 header's 4-bit Data Offset field, or DO. This number equals the 62 offset of application data relative to the start of the TCP header, 63 measured in 32-bit words. The fixed portion of the TCP header is 20 64 bytes long, so 5 is the smallest legal value for DO; it indicates 65 the absence of options. The largest possible value, 15, indicates a 66 data offset of 60 bytes, and thus 40 bytes of option space. The 67 values 0 through 4 are currently illegal. The proposed mechanism 68 uses these code points to indicate extended option space, taking 69 more than 40 bytes. 71 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 72 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in 73 this document are to be interpreted as described in [RFC 2119]. 75 2. Mechanism 77 A TCP implementing this Internet-Draft MUST interpret the TCP 78 header's DO field according to the following table. The 79 intepretation of values 5-15 is identical to that of [RFC 793]. 81 DO Data Offset Option Space Min. TCP Length 82 -- ----------- ------------ --------------- 83 0 68 48 68 84 1 84 64 84 85 2 148 128 148 86 3 276 256 276 87 4 infinity whole packet 20 88 5-15 DO*4 (DO*4)-20 DO*4 90 A segment's TCP length MUST equal or exceed the Min. TCP Length 91 value indicated by its DO field. A receiving TCP MUST ignore any 92 segment that is too short. 94 TCP segments with DO between 0 and 4 are called extended segments. 96 2.1. Requesting Extended Segments with SYN 98 Extended segments MUST NOT be sent unless their use was approved 99 during the TCP three-way handshake. Approval happens when an 100 extended segment (here, the SYN) is acknowledged by another extended 101 segment (the SYNACK). 103 An endpoint performing active open indicates its desire to use 104 extended segments by sending an extended SYN, that is, a SYN with 105 DO < 5. If an extended SYNACK arrives in response, the endpoint 106 will send an ACK and continue, using extended and nonextended 107 segments as appropriate. If the connection attempt fails (through a 108 timeout, ICMP destination unreachable, or received TCP RST), or the 109 received SYNACK is not extended, the active endpoint MUST try again 110 with a non-extended SYN. Unless the connection attempt failed 111 through a RST, the active endpoint MUST clean up any remote state 112 before retrying, by sending a RST and waiting at least a short 113 interval (roughly 1 round-trip time, or 100 ms, if no RTT is 114 available) to discourage packet reordering. 116 A listening endpoint receiving an extended SYN MUST either respond 117 with an extended SYNACK (to allow the use of extended segments), or 118 reset the connection with a non-extended RST (to prevent their use). 120 Requiring a full handshake to approve the use of extended segments 121 has the side effect of ensuring that any middleboxes on both parts 122 of the path can handle extended segments (or at least won't drop 123 them). 125 The procedures described in this section can delay connection 126 establishment, or definitive connection refusal, by up to a SYN 127 timeout (on the order of 3 seconds). 129 2.2. Requesting Extended Segments with SYNACK 131 A passive, listening endpoint MAY also request the use of extended 132 segments, by sending an extended SYNACK in response to a non- 133 extended SYN. Approval is granted if the response ACK is extended. 134 This procedure is riskier than requesting extended segments on the 135 SYN, however. An active endpoint with a "legacy" implementation 136 might reset the connection in response to the extended SYNACK, and 137 not retry. Furthermore, a listening endpoint implementing this 138 procedure must distinguish SYN transmissions from retransmissions, 139 preventing the use of SYN cookies [SYNCOOKIES]. 141 A listening endpoint receiving a non-extended SYN MAY respond with 142 an extended SYNACK to request the use of extended segments. If an 143 extended ACK arrives in response, the endpoint will continue using 144 extended and nonextended segments as appropriate. If the extended 145 SYNACK transmission fails (a timeout occurs, a retransmitted non- 146 extended SYN is received, or a non-extended RST is received), it 147 MUST try again with a non-extended SYNACK. If a non-extended ACK is 148 received, it MUST send a non-extended SYNACK retransmission; the 149 hope is that the active endpoint will use any options specified on 150 the retransmission. 152 An active-open endpoint that sent a non-extended SYN, but received 153 an extended SYNACK, MUST either respond with an extended ACK (to 154 allow the use of extended segments), or reset the connection with a 155 non-extended RST (to prevent their use). 157 3. Stability Considerations 159 Existing "legacy" TCP implementations -- both those in end hosts, 160 and those in middleboxes such as firewalls -- clearly will not 161 process extended segments according to this memo. On encountering 162 an extended segment, legacy implementations might drop the segment 163 as erroneous, act as if the segment had no options, reset the 164 connection, or even conceivably crash. Even if endpoints were able 165 to complete an extended-segment handshake, a path change (perhaps 166 induced by mobility) might introduce a legacy middlebox into the 167 connection, leading to possible connection reset. For these 168 reasons, TCP connections SHOULD NOT use extended segments, or the 169 extended segment handshake, unless it is considered required. APIs 170 SHOULD let applications allow the use of extended segments; this API 171 SHOULD be off by default. 173 Legacy endpoints that treat extended segments as if they have DO 5 174 are particularly problematic. The risk is that any options on the 175 packet, including the mandatory MSS option, will be ignored; and 176 that any options on retransmitted SYN or SYNACK packets will 177 likewise be ignored. This risk should be investigated further. 178 Modern open-source operating systems, at least, appear to drop 179 extended segments. 181 4. Security Considerations 183 TCP implementations that follow this document will respond more 184 slowly to some received RSTs, specifically those sent in response to 185 extended SYNs and SYNACKs. Endpoints that implement the algorithm 186 in Section 2.2 cannot use SYN cookies to protect against SYN-flood 187 denial-of-service attacks. (Others?) 189 5. Acknowledgements 191 This mechanism was developed in conversation with Mark Allman, 192 following conversation with Wes Eddy. 194 Normative References 196 [RFC 793] J. Postel, editor. Transmission Control Protocol. 197 RFC 793. 199 [RFC 2119] S. Bradner. Key Words For Use in RFCs to Indicate 200 Requirement Levels. RFC 2119. 202 Informative References 204 [RFC 1323] V. Jacobson, R. Braden, and D. Borman. TCP Extensions 205 for High Performance. RFC 1323, May 1992. 207 [RFC 2018] M. Mathis, J. Mahdavi, S. Floyd, and A. Romanow. TCP 208 Selective Acknowledgement Options. RFC 2018, October 1996. 210 [RFC 2385] A. Heffernan. Protection of BGP Sessions via the TCP MD5 211 Signature Option. RFC 2385, August 1998. 213 [RFC 3168] K.K. Ramakrishnan, S. Floyd, and D. Black. The Addition 214 of Explicit Congestion Notification (ECN) to IP. RFC 3168. 216 [RFC 3360] S. Floyd. Inappropriate TCP Resets Considered Harmful. 217 RFC 3360. 219 [RFC 3517] E. Blanton, M. Allman, K. Fall, and L. Wang. A 220 Conservative Selective Acknowledgment (SACK)-based Loss Recovery 221 Algorithm for TCP. RFC 3517. 223 [SB00] Alex C. Snoeren and Hari Balakrishnan. An End-to-End 224 Approach to Host Mobility. Proc. 6th Annual ACM/IEEE 225 International Conference on Mobile Computing and Networking 226 (MOBICOM '00), August 2000. 228 [SYNCOOKIES] Daniel J. Bernstein. SYN Cookies. 229 http://cr.yp.to/syncookies.html, as of July 2003. 231 Authors' Addresses 232 Eddie Kohler 233 4531C Boelter Hall 234 UCLA Computer Science Department 235 Los Angeles, CA 90095 236 USA 238 Full Copyright Statement 240 Copyright (C) The Internet Society 2004. This document is subject 241 to the rights, licenses and restrictions contained in BCP 78, and 242 except as set forth therein, the authors retain all their rights. 244 This document and the information contained herein are provided on 245 an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE 246 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE 247 INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR 248 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 249 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 250 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 252 Intellectual Property 254 The IETF has been notified of intellectual property rights claimed 255 in regard to some or all of the specification contained in this 256 document. For more information consult the online list of claimed 257 rights. 259 The IETF takes no position regarding the validity or scope of any 260 Intellectual Property Rights or other rights that might be claimed 261 to pertain to the implementation or use of the technology described 262 in this document or the extent to which any license under such 263 rights might or might not be available; nor does it represent that 264 it has made any independent effort to identify any such rights. 265 Information on the procedures with respect to rights in RFC 266 documents can be found in BCP 78 and BCP 79. 268 Copies of IPR disclosures made to the IETF Secretariat and any 269 assurances of licenses to be made available, or the result of an 270 attempt made to obtain a general license or permission for the use 271 of such proprietary rights by implementers or users of this 272 specification can be obtained from the IETF on-line IPR repository 273 at http://www.ietf.org/ipr. 275 The IETF invites any interested party to bring to its attention any 276 copyrights, patents or patent applications, or other proprietary 277 rights that may cover technology that may be required to implement 278 this standard. Please address the information to the IETF at ietf- 279 ipr@ietf.org.