Internet DRAFT - draft-touch-tcpm-sno
draft-touch-tcpm-sno
TCPM WG J. Touch
Internet Draft
Intended status: Experimental July 19, 2018
Expires: January 2019
The TCP Service Number Option (SNO)
draft-touch-tcpm-sno-09.txt
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, except to publish it
as an RFC and to translate it into languages other than English.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on July 19, 2018.
Touch Expires January 19, 2019 [Page 1]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Abstract
This document specifies a TCP option for service numbers. The
current SYN destination port is used both to indicate the desired
service and as a connection demultiplexing field. This option
separates those two functions, retaining the current destination
port solely for demultiplexing and indicating the service separately
in a service number option (SNO). By decoupling these two functions,
SNO allows a larger number of concurrent connections for a single
service, as might be useful between fixed addresses of proxies.
Table of Contents
1. Introduction...................................................3
2. Conventions used in this document..............................4
3. Background.....................................................4
3.1. IANA port numbers.........................................5
3.2. DNS SRV records...........................................6
3.3. RPC portmapper and RPCBIND................................6
3.4. TCPMUX....................................................7
3.5. Summary of alternatives and comparison to SNO.............8
4. TCP Service Number Option......................................9
4.1. Interaction between SNO and the TCP API..................10
4.1.1. Active OPEN (Unix connect)..........................11
4.1.2. Passive OPEN (Unix listen)..........................11
4.1.3. Impact on the TCP OPEN API..........................11
4.2. Error conditions.........................................12
4.3. Backward compatibility...................................12
5. Issues........................................................13
5.1. Interaction with other protocols and features............13
5.2. Potential use in other transport protocols...............14
Touch Expires January 19, 2019 [Page 2]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
5.3. Discussion of alternative approaches.....................15
5.4. Implementation Issues....................................16
6. SNO impact on TCP option space................................17
7. Security Considerations.......................................17
8. IANA considerations...........................................18
9. References....................................................18
9.1. Normative References.....................................18
9.2. Informative References...................................18
10. Acknowledgments..............................................20
1. Introduction
TCP connections are defined by a socket pair, where each TCP socket
consists of an IP address and a port number. The IP addresses
indicate the network endpoints (hosts) of the connection, and the
port numbers allow a pair of IP endpoints to have more than one
concurrent connection. TCP connections begin when an application on
one host sends a SYN segment to a waiting application on the other
host, determined by the destination port in that segment.
Port numbers thus serve two distinct purposes. For the entirety of a
connection, they help differentiate concurrent connections as part
of the socket pair, and are thus used for demultiplexing within a
host. For the SYN, the destination port also indicates the waiting
application, i.e., the service for that connection, acting as a
service identifier.
Service identifiers need to be coordinated between the endpoints of
a connection, but need not be coordinated with any other component
of the network. To avoid the need for explicit pairwise
coordination, most Internet transport protocols currently use
globally-assigned destination port numbers as service identifiers;
this includes TCP, UDP, SCTP, and DCCP [RFC768] [RFC793] [RFC4960]
[RFC4340]. An assigned port number can be requested from the
Internet Assigned Numbers Authority (IANA) [IANA].
The use of SYN destination ports as both service identifier and
demultiplexing identifier can impact TCP performance. For a given
service, a given pair of endpoints can have at most 2^16 concurrent
connections, or even connections in the TIME-WAIT state (which is
typically expected to last two minutes) [To1999]. This limits
services to at most an average of 550 connections per second, which
can be a constraint on proxy-to-proxy services.
To reduce this impact, this document specifies the TCP service
number option (SNO), which allows services to be specified in an
option separate from the current header destination port field. SNO
Touch Expires January 19, 2019 [Page 3]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
decouples the use of ports for connection demultiplexing and state
management from their use to indicate a desired endpoint service.
This decoupling can substantially increase the number of concurrent
connections to 2^32; even considering current expected TIME-WAIT
delay, that can support up to 35.8M connections per second.
Although it changes TCP SYNs, it does not otherwise affect the
processing of other TCP segments or the TCP state machine. SNO must
be implemented at both ends of a TCP connection to be effective.
2. Conventions used in this document
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [RFC2119].
In this document, these words will appear with that interpretation
only when in ALL CAPS. Lower case uses of these words are not to be
interpreted as carrying RFC-2119 significance.
In this document, the characters ">>" preceding an indented line(s)
indicates a compliance requirement statement using the key words
listed above. This convention aids reviewers in quickly identifying
or finding the explicit compliance requirements of this RFC.
3. Background
TCP supports multiplexing as one of its six core facilities,
allowing a single pair of hosts to have multiple concurrent TCP
sessions (see Sec. 1.5 of [RFC793]). An endpoint address is
associated with a port number, forming a socket; and "A pair of
sockets uniquely identifies each connection." Although ports can be
bound to services uniquely at each endpoint, RFC 793 notes that it
is useful to attach frequently-used services to fixed ports which
are publicly known, but that other services may be discovered by
dynamic means. This document addresses one impact of that
suggestion, and specifies an alternative which alleviates that
impact.
The Internet currently relies on the use of fixed, publicly-agreed
port numbers for most services, whether for public access (e.g.,
HTTP, FTP, DNS) or between pre-arranged pairs (e.g., X11, SSL). Some
of these services use one public port to negotiate other ports for
further exchanges (e.g., FTP, H.323, RPC).
Touch Expires January 19, 2019 [Page 4]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
There are several current methods for determining the port for a
public service:
o Index the service in IANA's port registry
o Index the service in the host's DNS SRV records
o Ask the host directly using an RPC portmapper/bind-like service
o Ask the host for a hand-off using the TCPMUX port (port #1)
Many of these alternatives, including the use of strings as service
identifiers, were described in principle in RFC 814, and have
evolved into deployed capabilities [RFC814]. Each of these
alternatives is summarized below, and each either significantly
limits the number of concurrent connections for a service or incurs
additional latency or management overhead compared to SNO.
3.1. IANA port numbers
The Internet Assigned Numbers Authority currently manages globally
reserved port numbers [RFC6335]. The desired port number for a
service is determined either by an operating system index to a copy
of IANA's table (e.g., getportbyname() in Unix, which indexes the
/etc/services file), or is fixed in inside the application.
The port number space 0..65536 is split into three ranges [RFC2780]:
o 0..1023 "well-known", also called "system" ports
o 1024..49151 "registered", also called "user" ports
o 49152..65535 "dynamic", also called "private" ports
The terms "well-known" and "registered" are misnomers; both of those
port ranges are managed by IANA, and are equally registered and
well-known; they are currently known together as "assigned"
[RFC6335]. System ports are intended for services that run in
privileged mode, sometimes known as "root", although that
distinction is blurred in current operating systems.
IANA-managed ports are allocated globally, for all hosts everywhere
on the public Internet, even though the meaning of a port need be
known only for a particular host. A given service is typically
assigned a single port, which then limits the number of concurrent
connections between two hosts to 2^16, i.e., the number expressible
in the source port field. This assumes that the source port can be
Touch Expires January 19, 2019 [Page 5]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
arbitrary; in may implementations, when a service is bound to a SYN
destination port it is prohibited for use in other connections,
e.g., as a source port for outgoing SYNs.
3.2. DNS SRV records
DNS SRV resource records provide a way to find the port number for a
service based on its string name [RFC2782]. A host asks the DNS to
index "_servicename._tcp.hostname" (underscores required) and the
response is a record that includes both the port number and host's
IP address.
SRV records allow port numbers to be allocated on a per-host basis,
and allow multiple ports to be indicated for a given service. A
system that wants to support a large number of concurrent HTTP
connections could advertise the HTTP service as available on the
entire unassigned (dynamic) port range, in addition to port 80. This
can increase the number of concurrent connections to 2^30 (2^14
dynamic ports and 2^16 source ports), which would be nearly as good
as SNO (2^32).
However, SRV lookups require an additional protocol exchange for
each first-time access, which can traverse much of the same path the
TCP SYN will, i.e., incurring an additional round-trip time of delay
(because DNS servers are often located near the hosts they serve).
Further, using SRV records requires that the dynamic ports be
allocated in advance, and they cannot be reclaimed once advertised.
SRV advertisement may be useful for a single known service, but does
not support a larger number of connections for any (or every)
service on-demand.
Additional challenges for DNS SRV records are autonomy, robustness,
and size of the name space. Many hosts do not have control over
their DNS entries; moving port lookup into the DNS could limit the
services that a host can deploy for public access. This solution
also makes the DNS a required part of the Internet architecture,
even for accessing services on hosts with well-known IP addresses
(e.g., the DNS itself). This decreases network robustness, because
access of services on a host depends on access to the DNS.
3.3. RPC portmapper and RPCBIND
An alternative to indexing the service name at a separate host via
the DNS would be to contact the intended host directly and request
the lookup there. This is how the RPC portmapper (v2) and RPCBIND
(v3 and v4) services work, where the source host contacts the
destination on port #111 [RFC1833][RFC5531]. This service was
Touch Expires January 19, 2019 [Page 6]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
designed for the same basic reason as the TCP port option of this
document: to allow a small subset of a potentially large set of
services to be dynamically bound to a small number of ports. The
differences between portmapper and RPCBIND are not important here,
so they are discussed as a single example.
In both portmapper and RPCBIND the source host contacts the
destination host on port 111, and issues a request including the
desired destination RPC service name. A response indicates the
appropriate port for that RPC service.
Like the DNS SRV solution, portmapper/RPCBIND requires a separate
round-trip (one for UDP; more for TCP) to perform the lookup
operation. This adds to both the communication overhead and
connection establishment latency.
The portmapper service also allows services to be selected on
version, i.e., to have different versions of a service on different
ports, accessed using the same version name but a different version
number. This is handled in some IANA entries, DNS SRV records, and
TCPMUX by using a port keyword that embeds the version number in the
name, e.g., 'imap' vs. 'imap3'. In most other cases, versioning is
indicated and negotiated in-band, inside the protocol (e.g., HTTP).
Unfortunately, portmapper has the same limitation as DNS SRV
records; once a port is advertised for a given service, it cannot be
reclaimed for use by another service. Further, once a given service
is advertised, it is likely that the requesting host will cache the
response. As a result, dynamic ports can be used to extend the port
space for a given service in advance, but they need to be pinned to
that service when it is first requested from that host. Again, this
limits the ability to flexibly support large numbers of connections
for any (or every) service.
3.4. TCPMUX
TCPMUX is a service on TCP port #1 which allows a host to provide a
port name handoff service for itself [RFC1078]. A source host opens
a connection to port 1 on a destination host and transmits
'portname<CR><LF>' in the data stream; the destination replies with
either '+<CR><LF>' (yes, the service is available) or '-<CR><LF>'
(no, the service is not available). If the service is available, the
connection is transferred to the desired service while still in the
OPEN state.
TCPMUX modifies the semantics of TCP connection establishment; its
connections always succeed, and upon receipt of the named service
Touch Expires January 19, 2019 [Page 7]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
the application must determine whether to proceed or not. This
document seeks a more conventional TCP semantics, where unavailable
services result in a rejected connection (e.g., RST in reply and/or
ICMP error message).
TCPMUX further requires all new connections to be received on a
single port; this again limits the number of connections between two
machines to 2^16, which provides no benefit compared to existing
assigned ports as currently used in SYN segments.
3.5. Summary of alternatives and comparison to SNO
Each of the alternatives presented has a significant limitation.
These alternatives are summarized as follows:
o IANA ports: limits a given service to 2^16 concurrent connections
between two IP addresses; fewer if system/user/dynamic boundaries
are preserved
o DNS SRV records: requires an extra round-trip exchange for
lookup, not typically under host control, allows up to 2^30
concurrent connections but requires that the additional space of
2^14 be allocated to services on a given host in advance.
o Portmapper: requires an extra round-trip exchange for lookup,
allows up to 2^30 concurrent connections but requires that the
additional space of 2^14 be allocated to services on a given host
in advance
o TCPMUX: destroys semantics of TCP connection establishment,
limits connections per endpoint pair to 2^16 over all services
SNO allows the destination host to associate services with processes
on a per-connection basis, while avoiding unnecessary additional
round-trips or connections and also while reducing message overhead.
This enables every service to support up to 2^32 concurrent
connections, by decoupling the demultiplexing and service identifier
role of SYN destination ports.
The basic operation of SNO is as follows:
o The source host issues a SYN, picking both source and destination
port numbers arbitrarily that are not currently in use (active or
pending connection).
o The SYN includes SNO, which indicates the IANA assigned port
number of the desired service.
Touch Expires January 19, 2019 [Page 8]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
o The destination host, upon receiving the SYN with SNO, determines
whether the service indicated in the option is running. If so, a
SYN-ACK is issued with a zero-length SNO, indicating success of
the lookup and handoff. The service is bound to that connection
at the destination.
o If the service is not available, the appropriate RST and/or ICMP
error messages are returned.
The benefits to TCP SNO are that:
o For a given service, the number of connections between two given
IP addresses is no longer limited to 2^16; it is expanded to
2^32.
o SNO support is provided at the same host as the intended service,
so the fate of both is shared (i.e., it is more robust than
decoupled service such as DNS SRV).
o SNO is embedded in the TCP SYN segment, avoiding extra round
trips and messages.
o NAT traversal is preserved.
o TCP connection semantics are maintained, i.e., services not
available never connect.
4. TCP Service Number Option
The TCP service number option (SNO) extends the TCP header to
include a 16-bit port field indicating desired service, as shown in
Figure 1.
>> New implementations of TCP MAY implement SNO.
>> SNO SHOULD NOT appear in any TCP segment except SYN and SYN-ACK.
SNO MUST be silently ignored if in any segments except SYN and SYN-
ACK.
SNO includes the mandatory KIND and LENGTH fields [RFC793], as well
as the desired service port number. The current specification uses
the TCP Experimental Option format, with an ExID of 0x5323 in
network-standard byte order (ASCII for "S#") [RFC6994].
The KIND is a single octet (byte) which indicates this is an
experimental option; SNO is supported on both experimental options
(253 and 254); there is no difference as to which experimental
Touch Expires January 19, 2019 [Page 9]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
option is used. The LENGTH is a single octet (byte) interpreted as
an unsigned number that indicates the length of this option in
octets (bytes), including the KIND and LENGTH fields, as well as the
octets of the Service-Number.
+--------+--------+--------+--------+
| 253 | 6 | 0x53 | 0x23 |
+--------+--------+--------+--------+
| Service-Number |
+--------+--------+
Figure 1 TCP SNO SYN option format
Upon receipt of a TCP SYN segment including SNO ('TCP SYN/SNO'), the
Service-Number is matched against a list of available services.
Available services are those that listen on the indicated port
number. E.g., a web server that listens for incoming connections on
port 80 will respond to connections with SYN segments with SNO=80.
The way in which SNO and TCP destination port numbers interacts is
described in Section 4.1. When an incoming TCP SYN/SNO is considered
valid, the connection is completed by returning a SYN-ACK with a
null SNO.
+--------+--------+--------+--------+
| 253 | 4 | 0x53 | 0x23 |
+--------+--------+--------+--------+
Figure 2 TCP Null SNO format, as used in SYN-ACK
>> A TCP SYN/SNO answered with a TCP SYN with a non-null SNO (LENGTH
> 2) or lacking the SNO option MUST cause the initiator to abort the
connection via issuing a RST and by reporting an error to the
application as if the port were not available.
The TCB for that connection is then associated with the process for
the matching service, which then handles all further interactions
with the connection.
4.1. Interaction between SNO and the TCP API
TCP currently uses TCP port numbers to demultiplex connections as
well as to indicate the desired service at the destination. SNO
retains the demultiplexing capability, but overrides service
identification.
Touch Expires January 19, 2019 [Page 10]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
TCP specifies port numbers for connections in the OPEN command. The
current OPEN command is described in RFC 793 Sections 2.7 and 3.8
as:
OPEN (local port, foreign socket, active/passive
[, timeout] [, precedence] [, security/compartment]
[, options])
-> local connection name
The OPEN call is used to initiate connections, corresponding to Unix
connect, and to wait for incoming connection requests, corresponding
to Unix listen. The impact of the SNO option on each of these
variants is described below.
4.1.1. Active OPEN (Unix connect)
During a TCP active OPEN command, SNO interprets the port number of
foreign TCP socket as the SNO Service-Number and selects a random
number as the foreign port. The OPEN command can be extended to
override that random selection by extending the foreign socket to
include both the service identifier and port number as separate
fields.
4.1.2. Passive OPEN (Unix listen)
During a TCP passive OPEN command, SNO interprets the local port
number as the SNO service identifier. The OPEN command can be
extended to allow the listening application to also indicate a
specific destination port by extending the local port to include
both a service identifier and port number as separate fields.
4.1.3. Impact on the TCP OPEN API
Both active OPEN and passive OPEN may need to extend the current
port numbers to include separate service identifiers. It may be
useful to consider that only one service identifier is ever used,
e.g., an active OPEN may need a separate foreign service identifier,
and a passive OPEN may need a separate local service identifier, but
separate service identifiers for both foreign and local would never
occur. As a result, it may be more convenient to consider the TCP
OPEN API as being extended with a single service field as follows:
Touch Expires January 19, 2019 [Page 11]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
SNOPEN (local port, foreign socket, service, active/passive
[, timeout] [, precedence] [, security/compartment]
[, options])
-> local connection name
Legacy uses of the OPEN call can be trivially converted to the new
SNOPEN description. A legacy active OPEN uses the port of the
foreign socket as the service; a legacy passive OPEN uses the local
port as the service.
However, because the most common use is to allow the active foreign
port or passive local port "float" (be unspecified, and thus filled
by the OS with an arbitrary value), most implementations will not
need to modify the TCP OPEN API implementation, or can extend the
API using a separate interface (e.g., Unix setsockopt).
4.2. Error conditions
There are two error conditions for a SYN segment with the SNO option
to be considered:
o SNO not supported
o Invalid port (i.e., no application listening on that port)
The case where SNO is not supported is already addressed in TCP as
an unknown option [RFC793. Implementations are expected to ignore
it, which means the SYN-ACK would not include the SNO confirmation
response.
>> For an invalid port, the receiving TCP should act as it would if
the destination port were a service that is not available, i.e., it
SHOULD return an ICMP port unreachable error message [RFC1122]. This
message MUST include the received TCP header including the SNO
option in its entirety. The destination TCP MUST also send a RST in
response. Other interactions are the result of backward
compatibility, and are discussed in Section 4.3.
4.3. Backward compatibility
The TCP SNO option is designed to interact correctly only on SNO-
supporting implementations.
SNO connection attempts to non-SNO endpoints will be rejected; the
SNO SYN will receive a non-SNO SYN-ACK, at which point the SNO
endpoint will terminate the connection attempt.
Touch Expires January 19, 2019 [Page 12]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
Services on SNO endpoints will support both SNO and non-SNO incoming
connections, without the need for recompilation or relinking.
>> Outgoing connections intended to be compatible with both
implementations MUST either attempt both SNO and non-SNO connections
in parallel or retry a failed SNO attempt with a non-SNO attempt.
5. Issues
The TCP SNO option interacts with some other IP and TCP services,
notably security services. Variants of the option may be useful in
other transport protocols. Also, there were a number of alternate
designs considered which this document captures in summary.
5.1. Interaction with other protocols and features
TCP SNO potentially interacts with any other protocol that
interprets or modifies TCP port numbers. This includes IPsec and
other firewall systems, TCP/MD5 and other TCP security mechanisms,
FTP and other in-band exchange of ports, and network address
translators (NATs).
IPsec uses port numbers to perform access control in transport mode
[RFC4301]. Security policies can define port-specific access
control (PROTECT, BYPASS, DISCARD), as well as port-specific
algorithms and keys. Similarly, firewall policies allow or block
traffic based on port numbers.
Use of port numbers in IPsec selectors and firewalls may assume that
the numbers correspond to well-known services. It is useful to note
that there is no such requirement; any service may run on any port,
subject to mutual agreement between the endpoint hosts. Use of SNO
may interfere with this assumption both within IPsec and in other
firewalling systems, but it does not add a new vulnerability. New
implementations of IPsec and firewall systems may want to support
interpreting SNO in these policy rules, but again should not rely on
either port numbers to indicate a specific service.
TCP SNO occupies space in the TCP SYN segment. Such space is
severely limited in cases where TCP-level security is present, as
noted in detail in Section 5.
>> TCP SNO MUST be protected in the same way that the existing SYN
destination port is protected.
For IPsec, this is not an issue because the entire TCP header and
payload are protected by all IPsec modes. None of the TCP header is
Touch Expires January 19, 2019 [Page 13]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
protected by application-layer security, e.g., TLS, so again this is
not an issue [RFC5246].
The resulting primary concern is TCP-level security, e.g., legacy
TCP/MD5 and its successors TCP-AO [RFC2385][RFC5925]. TCP/MD5 always
excludes TCP options in its hash calculation; this it fails to
protect current critical TCP options such as alternate checksums,
window scale, and timestamp options [RFC793] [RFC7323]. TCP-AO
allows options to be included or excluded, depending on per-
connection parameter. This document recommends, as per above, that
SNO, as all options, be included in TCP-level protection. Note that
it may be difficult to use SNO together with any of these TCP-layer
protection mechanisms unless the TCP option space is extended, as
with TCP EDO and/or EDO-SYN [To2018a][To2018b].
A number of protocols exchange port numbers in-band, notably to
coordinate separate concurrent connections, e.g., FTP (file
transfer) and SIP (teleconferencing) [RFC959][RFC3261]. Because
these protocols coordinate the specific port numbers in advance,
there is no need for SNO to indicate the desired service. As a
result, it is unlikely that it would be useful to augment these
protocols to support SNO in their creation of subordinate
connections. SNO could still be useful in establishing the primary
(first) connection for these services.
Network address and port translators, known collectively as NATs,
not only read TCP ports, but may also translate them [RFC2993]. This
interferes with the use of ports for service identification
[RFC3234]. SNO may allow services to be identified behind NATs if
NATs are not further extended to translate SNO. It is thus unknown
whether SNO will help restore service identification in the presence
of NATs.
TCP connections using SNO continue to use IP addresses and ports,
although both port numbers are typically set arbitrarily.
Translation of these ports should not interfere with the operation
of NATs, though this has not been verified and is not a design
requirement.
5.2. Potential use in other transport protocols
As noted earlier, SNO may be a useful addition to a variety of other
transport protocols, such as UDP, SCTP and DCCP [RFC768] [RFC4960]
[RFC4340]. Adding SNO support to SCTP and DCCP should be
straightforward because both already have an option space. These are
not addressed further in this document, because this focuses on TCP
only.
Touch Expires January 19, 2019 [Page 14]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
DCCP already includes a Service Code that provides a similar way to
separately identify services, but these codes are 32 bits and use a
separate IANA registered space. DCCP does not use Service Codes as a
way to expand the number of concurrent connections to a given IANA
transport service.
UDP lacks options, so adding support for SNO is not feasible.
5.3. Discussion of alternative approaches
The current proposal assumes that the source TCP selects both source
and destination port numbers randomly, that SNO occurs only in SYN
and SYN-ACKs. A number of alternative approaches were considered
during the development of the approach presented herein. These
include:
o A portmapper-like service that returns a specific port number
o Continued demuxing based on SNO
o Dynamic overwriting of the destination port
The first approach, of returning a specific port number for a
service, requires a separate round trip and messages to initiate a
connection. We avoid both the additional time and messages in the
proposed solution which integrates the lookup in the SYN.
Continued demultiplexing based on SNO would violate TCP connection
semantics, which indicate that a connection be uniquely identified
by the 4-tuple: <src addr><src port><dst addr><dst port>. Although
SNO demuxing would increase the connection tuple space, this seems
unnecessary as it is already over 2^32 concurrent connections
between a single pair of host addresses. Finally, this variant
incurs the SNO option overhead on every message, which seems
unnecessarily inefficient. The proposed solution is more efficient
and sufficiently increases the utility of the entire current
connection name space.
Dynamic overwriting of the destination port complicates the
connection establishment on the source side, because the SYN-ACK
would have a different port pair than the SYN. It would further
interfere with NAT traversal. The primary utility for overwriting
the port number would be to facilitate demultiplexing at the
receiver, but this is should already include the entire 4-tuple
anyway. Overall, this variant seems unnecessarily complex for no
real benefit.
Touch Expires January 19, 2019 [Page 15]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
5.4. Implementation Issues
Prototypes underway in both FreeBSD and Linux indicate substantial
challenges with implementing SNO due to errors in option processing
as well as optimizations that interfere with SNO's decoupling of
service and connection identifiers.
Option processing has never been sufficiently described to ensure
interoperable implementation. Both FreeBSD and Linux assume that TCP
options can be processed at a single location in both incoming and
outgoing TCP header processing, but this has never been true. In
particular, options that determine whether a segment is valid (TCP
MD5, TCP-AO, header checksum, etc.) must be processed before any
other header fields are interpreted, whereas options that are
interpreted in the context of header fields (e.g., SACK, etc.) must
be interpreted afterwards.
Keeping track of TCP state can require multiple data structures on
both endpoints, but these structures are currently optimized
assuming that port numbers are overloaded as both service and
connection identifiers. Connections can be in any of the following
11 states: CLOSED, LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-
WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT. CLOSED
is fictional because no connection context exists. The remaining
states are often grouped as follows:
o LISTEN - no connection state yet; tracking which ports are bound
o Active - SYN-SENT, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-
WAIT, CLOSING, and LAST-ACK (sometimes also TIME-WAIT), in which
full connection state is kept
There are two states that are typically not kept in detail - SYN-
RECEIVED and TIME-WAIT. SYN-RECEIVED keeps track of a connection
that has received a SYN but not yet the final ACK of the three-way
handshake; it state is typically not kept in detail to avoid DOS
attacks that overload a server with half-open connections [RFC4987].
Similarly, the TIME-WAIT state is often ignored or kept in aggregate
to avoid state accumulation on busy servers [Fa99].
The challenge implementing SNO involves using the LISTEN queue for
SYN-RECEIVED states. Connections in the LISTEN state are indexed by
the service number: for legacy TCP connections, this is the SYN
destination port, and for SNO connections this is the SNO service
number. In the SYN-RECEIVED state, connections always need to be
indexed by the receive port number of the incoming ACK segment. As a
result, SNO implementations need a distinct SYN-RECEIVED queue; they
Touch Expires January 19, 2019 [Page 16]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
cannot reuse the LISTEN queue to keep track of pending half-open
connections.
The additional state needed for the SYN-RECEIVED queue is the same
regardless of whether it shares space with the LISTEN queue - each
receive port for half-open connections needs to be listed. The key
difference is the index to the queue.
6. SNO impact on TCP option space
SNO needs to fit inside the available TCP option space, which
provides 40 bytes for options. It is useful to consider that TCP SYN
segments may include other options, notably:
o 4 bytes of MSS [RFC793]
o 10 bytes of timestamp [RFC7323]
o 3 bytes of window scale [RFC7323]
o 2 + 8N bytes of SACK, for N SACK blocks [RFC2018][RFC6675]
This leaves only 13 bytes for the SNO option (assuming 1 SACK
block), which is more than sufficient. The experimental variant
described herein uses 6 bytes; a standards-track variant would use
only 4 bytes.
7. Security Considerations
There are four areas of security which the SNO option raises:
1. Interaction with IPsec and firewalls
2. Interaction with TCP/MD5 and TCP-AO security
3. Increased DOS impact
The impact on IPsec and firewalls is discussed in detail in Section
5.1. As noted there, SNO defeats the assumption that port numbers
correspond to specific services, an assumption that was already
defeated between consenting hosts. The SNO option thus raises no new
vulnerability.
The impact of SNO on TCP/MD5 and TCP-AO is also discussed in
Sections 5.1. Use of these services without inclusion of TCP options
makes all options vulnerable, including SNO.
Touch Expires January 19, 2019 [Page 17]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
The additional resources incurred by parsing the SNO option are
minimal.
8. IANA considerations
This document specifies a new TCP option that uses the shared
experimental options format, with ExID = 0x5323 in network-standard
byte order (representing ASCII "S#") [RFC6994]. This ExID has
already been registered with IANA.
9. References
9.1. Normative References
[RFC793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, Sep. 1981 (STANDARD).
[RFC1122] Braden, R. (ed.), "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, Oct. 1989
(STANDARD).
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Mar. 1997 (BEST
CURRENT PRACTICE).
[RFC6994] Touch, J., "Shared Use of Experimental TCP Options",
RFC6994, Aug. 2013 (PROPOSED STANDARD).
9.2. Informative References
[Fa99] T. Faber, J. Touch, and W. Yue, "The TIME-WAIT state in
TCP and Its Effect on Busy Servers", in Proc. IEEE
Infocom, 1999, pp. 1573-1583.
[Fr2008] Freire, S., A. Zuquete, "A TCP-layer name service for TCP
ports", Proc. Usenix, 2008.
[IANA] Internet Assigned Numbers Authority, www.iana.org
[RFC768] Postel, J., "User Datagram Protocol", RFC768, Aug. 1980
(STANDARD).
[RFC814] Clark, D., "NAME, ADDRESSES, PORTS, AND ROUTES", RFC 814,
Jul. 1982 (UNKNOWN).
[RFC959] Postel, J., J. Reynolds, "FILE TRANSFER PROTOCOL (FTP)",
STD 9, RFC 959, Oct. 1985 (STANDARD).
Touch Expires January 19, 2019 [Page 18]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
[RFC1078] Lottor, M., "TCP Port Service Multiplexer (TCPMUX)",
RFC1078, Nov. 1988 (UNKNOWN).
[RFC1833] Srinivasan, R., "Binding Protocols for ONC RPC Version 2",
RFC 1833, Aug. 1995 (PROPOSED STANDARD).
[RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP
Selective Acknowledgment Options", RFC 2018, October 1996.
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, Aug. 1998 (PROPOSED
STANDARD).
[RFC2780] Bradner, S., V. Paxson, "IANA Allocation Guidelines For
Values In the Internet Protocol and Related Headers", BCP
37, RFC 2780, Mar. 2000 (BEST CURRENT PRACTICE).
[RFC2782] Gulbrandsen, A., P. Vixie, L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
Feb. 2000 (PROPOSED STANDARD).
[RFC2993] Hain, T., "Architectural Implications of NAT", RFC 2993,
November 2000 (INFORMATIONAL).
[RFC3234] Carpenter, B., S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234 Feb. 2002 (INFORMATIONAL).
[RFC3261] Rosenberg, J., H. Schulzrinne, G. Camarillo, A. Johnston,
J. Peterson, R. Sparks, M. Handley, E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, Jun. 2002
(PROPOSED STANDARD).
[RFC4301] Kent, S., K. Seo, "Security Architecture for the Internet
Protocol", RFC4301, Dec. 2005 (PROPOSED STANDARD).
[RFC4340] Kohler, E., M. Handley, S. Floyd, "Datagram Congestion
Control Protocol (DCCP)", RFC 4340, Mar. 2006 (PROPOSED
STANDARD).
[RFC4960] Stewart, R. (Ed.), "Stream Control Transmission Protocol",
RFC 4960, Sep. 2007 (PROPOSED STANDARD).
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, Aug. 2007.
Touch Expires January 19, 2019 [Page 19]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
[RFC5246] Dierks, T., E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, Aug. 2008 (PROPOSED
STANDARD).
[RFC5531] Thurlow, R., "RPC: Remote Procedure Call Protocol
Specification Version 2", RFC 5531, May 2006 (DRAFT
STANDARD).
[RFC5925] Touch, J., A. Mankin, R. Bonica, "The TCP Authentication
Option", RFC5925, Jun. 2010 (PROPOSED STANDARD).
[RFC6335] Cotton, M., L. Eggert, J. Touch, M. Westerlund, S.
Cheshire "Internet Assigned Numbers Authority (IANA)
Procedures for the Management of the Transport Protocol
Port Number and Service Name Registry", RFC 6335 / BCP
165, Aug. 2011.
[RFC6675] Blanton, E., Allman, M., Wang, L., Jarvinen, I., Kojo, M.,
and Y. Nishida, "A Conservative Loss Recovery Algorithm
Based on Selective Acknowledgment (SACK) for TCP", RFC
6675, August 2012.
[RFC7323] D. Borman, R. Braden, Jacobson, V., R. Scheffenegger, Ed.,
"TCP Extensions for High Performance", RFC 7323, May 1992
(PROPOSED STANDARD).
[To1999] Touch, J., T. Faber, "The TIME-WAIT state in TCP and its
Effect on Busy Servers", Proc. Infocom, 1999.
[To2006] Touch, J., "A TCP Option for Port Names", draft-touch-tcp-
portnames-00.txt (work in progress), Apr. 2006.
[To2018a] Touch, J., W. Eddy, "TCP Extended Data Offset Option",
draft-ietf-tcpm-tcp-edo (work in progress), Jan. 2018.
[To2018b] Touch, J., T. Faber, "TCP SYN Extended Option Space Using
an Out-of-Band Segment", draft-touch-tcpm-tcp-syn-ext-opt
(work in progress), Jan. 2018.
10. Acknowledgments
This work was inspired by discussions on the IETF mailing list,
notably by suggestions by Keith Moore and Noel Chiappa. Bob Braden
noted some of the origins of the named service concept.
This document is based on an earlier version based on using strings
rather than IANA port numbers, where the receiving host used the
Touch Expires January 19, 2019 [Page 20]
�
Internet-Draft TCP Service Number Option (SNO) July 2018
strings to directly identify services [To2006]. A similar approach
was proposed that also used strings was implemented in Linux, except
that the strings were resolved by a separate server and transmitted
in the TCP segment as data (e.g., as with TCPMUX) [Fr2008].
This work is partly supported by USC/ISI's Postel Center.
This document was initially prepared using 2-Word-v2.0.template.dot.
Authors' Addresses
Joe Touch
Manhattan Beach, CA 90266 USA
Phone: +1 (310) 560-0334
Email: touch@strayalpha.com
URL: http://www.strayalpha.com/
Touch Expires January 19, 2019 [Page 21]
�
