Re: Feedback on TCP Fast Open?

On 3/08/2013 11:19 a.m., Peter Lepeska wrote:
> > "it's unclear how beneficial it would
> > be for us since we already have such gains for browser preconnect (our
> > browser feature that learns from past web browsing to speculatively
> > establish connections, typically just TCP connections but perhaps doing a
> > TLS or other handshakes too as needed)"
>
> It would benefit any time you encounter a host that preconnect has not 
> learned about yet. Surely this provides a benefit.

Yet, assuming TFO does require that prior key exchange mentioned by Nico 
(I have not yet read the TFO spec), that means that preconnect will also 
already have been done, right?
So gains are 0 in that case.
Its main benefit seems to be allowing for prefetching to be skipped or 
short-circuited if it is used as the initial step of such prefetch.

> It also has lower cost since it will result in fewer (zero) connection 
> mistakes since it's not doing anything speculatively. Don't get me 
> wrong I'm a big fan of the benefits of speculative prefetching in 
> general, but only in the case where the underlying protocol can't 
> solve the problem without mistakes.
>
> TCP Fast Open seems great as long as it doesn't introduce any other 
> problems (such as increased DoS vulnerability).

It is clearly lowering the capacity barrier a SYN-flood DDoS needs to reach, 
in exchange for 1 RTT on legitimate TCP setup.
The big question, though, is: overall, which are more common, DDoS 
SYN-flood packets or legitimate SYNs?

Amos


>
> Peter
>
> On Fri, Aug 2, 2013 at 5:15 PM, Nico Williams <nico@cryptonector.com> wrote:
>
>     On Fri, Aug 2, 2013 at 3:56 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>     > In message
>     > <655C07320163294895BBADA28372AF5D07CBF8@FR712WXCHMBA15.zeu.alcatel-lucent.com>, "Scharf, Michael (Michael)" writes:
>     >
>     >>As mentioned today on the mic, the TCPM working group has a working group
>     >>item that allows data to be carried in the SYN and SYN-ACK packets and that
>     >>is consumed by the receiving end during the initial connection handshake,
>     >
>     > Uhm, didn't we try that once with TTCP only to find out that it
>     > opened a major DoS hole ?
>
>     This one is different.  You must have done one normal exchange and
>     exchange "key material" (cached on both ends, free to fall off the
>     cache at any time) to be used for fast opens.
>
>     Nico
>     --
>
>

Received on Saturday, 3 August 2013 00:05:43 UTC
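The prior exchange of cached key material that Nico describes, and the SYN-flood trade-off Amos raises, modelled as an added Python example (not code from any poster in this thread). TfoServer, TfoClient, the HMAC-over-client-IP cookie and the max_pending cap are assumptions made for the model; they loosely follow how Fast Open cookies are bound to the client address, but this is not a real TCP stack.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed server secret; a real server rotates this periodically.
SERVER_SECRET = os.urandom(16)


def make_cookie(secret: bytes, client_ip: str) -> bytes:
    """Cookie = truncated HMAC over the client IP; only the secret holder can mint it."""
    return hmac.new(secret, client_ip.encode(), hashlib.sha256).digest()[:8]


class TfoServer:
    """Hypothetical model of the server side of a Fast Open handshake."""

    def __init__(self, secret: bytes, max_pending: int = 2):
        self.secret = secret
        self.max_pending = max_pending  # cap on half-open connections already holding SYN data
        self.pending = 0

    def handle_syn(self, client_ip: str, cookie: Optional[bytes],
                   data: bytes) -> Tuple[Optional[bytes], bytes]:
        """Return (cookie for the client to cache, data accepted from the SYN)."""
        expected = make_cookie(self.secret, client_ip)
        if cookie is None or not hmac.compare_digest(cookie, expected):
            # No prior exchange, or a cookie minted for another address:
            # ordinary 3-way handshake, SYN data dropped, fresh cookie handed out.
            return expected, b""
        if self.pending >= self.max_pending:
            # DoS guard: too many data-carrying SYNs outstanding, buffer no more.
            return None, b""
        self.pending += 1
        return None, data


class TfoClient:
    """Hypothetical client that caches the cookie from the first handshake."""

    def __init__(self, ip: str):
        self.ip = ip
        self.cookie: Optional[bytes] = None  # may fall off the cache at any time

    def connect(self, server: TfoServer, data: bytes) -> bool:
        """True if the payload was accepted in the SYN itself (one RTT saved)."""
        new_cookie, accepted = server.handle_syn(self.ip, self.cookie, data)
        if new_cookie is not None:
            self.cookie = new_cookie
        return bool(data) and accepted == data
```

The first contact always costs the full handshake, which is why the 0-RTT gain vanishes for any host preconnect has already reached; the pending cap is the knob that bounds how much a data-carrying SYN flood can make the server buffer.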