----- On Jul 13, 2017, at 8:07 PM, Joe Touch [email protected] wrote:

> On 7/6/2017 1:41 AM, Dragoș Niculescu wrote:
>> ----- On Jul 5, 2017, at 7:59 PM, Joe Touch [email protected] wrote:
>>
>>> On 7/5/2017 9:39 AM, Vladimir Olteanu wrote:
>>>
>>>
>>> It can also be stacked as many times as desired for arbitrarily long
>>> proxy chains. However:
>>> * We avoid using the SYN's payload as extra option space (which, I
>>> think, goes against TCP's core philosophy).
>>>
>>> [Med] This is also true for the MP_CONVERT Information Element, which
>>> is not a TCP option, but data supplied for proxy purposes in the SYN
>>> payload.
>>> Fair enough, but this is not a purely layer 5+ protocol. It seems that
>>> you are strongly tied to TFO (between the client and the proxy).
>>> MP_CONVERT must be part of the SYN's payload, because the following
>>> SYN+ACK depends on the contents of MP_CONVERT and signals that the
>>> remote server has accepted your connection.
>>> The biggest impact of including non-data information in the SYN
>>> payload area is that it completely defeats graceful fallback for SYN
>>> receivers that don't support the option. As you note, it can be *more*
>>> safe when tied to out-of-band context (e.g., prior TFO support), but
>>> TCP has NO requirement that such context is absolutely maintained
>>> across different connections. You might be speaking to a different
>>> stack or demuxed off to a different virtual host behind a load
>>> balancer.
>>>
>>> Ultimately, putting any non-data info in the SYN payload violates the
>>> requirement that TCP options can be ignored by receivers that don't
>>> support them *without* impacting the ability of *that* connection
>>> attempt to succeed.
>>>
>>> Joe
>> The SOCKSv6 proposal makes use of extra data in the SYN (SOCKS data and
>> user data), but its correctness and backward compatibility do not
>> depend on TFO, only its RTT performance. In fact, when TFO is not
>> available either between client and proxy or between proxy and server,
>> the SOCKSv6 RTT is still lower than SOCKSv4 and SOCKSv5. But TFO is
>> likely to be the most common case in the future - the Linux kernel has
>> had TFO client side on by default since 3.12 (November 2013)[1], and it
>> seems to be the default in all Android phones and default Linux
>> installs.
> What happens with a legacy receiver?
> 
> Joe
Legacy receiver will use plain TCP. Proxies (SOCKS and others) are routinely 
used to bridge new options to legacy receivers. In this case, TFO will work 
between client and proxy, but not between proxy and legacy server. 

-- 
Dragoș

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
