draft-ietf-tcpm-tcp-uto-06.txt   draft-ietf-tcpm-tcp-uto-07.txt 
TCP Maintenance and Minor L. Eggert TCP Maintenance and Minor L. Eggert
Extensions (tcpm) Nokia Extensions (tcpm) Nokia
Internet-Draft F. Gont Internet-Draft F. Gont
Intended status: Standards Track UTN/FRH Intended status: Standards Track UTN/FRH
Expires: December 13, 2007 June 11, 2007 Expires: May 16, 2008 November 13, 2007
TCP User Timeout Option TCP User Timeout Option
draft-ietf-tcpm-tcp-uto-06 draft-ietf-tcpm-tcp-uto-07
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 13, 2007. This Internet-Draft will expire on May 16, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
The TCP user timeout controls how long transmitted data may remain The TCP user timeout controls how long transmitted data may remain
unacknowledged before a connection is forcefully closed. It is a unacknowledged before a connection is forcefully closed. It is a
local, per-connection parameter. This document specifies a new TCP local, per-connection parameter. This document specifies a new TCP
option - the TCP User Timeout Option - that allows one end of a TCP option - the TCP User Timeout Option - that allows one end of a TCP
connection to advertise its current user timeout value. This connection to advertise its current user timeout value. This
information provides advice to the other end to adapt its user information provides advice to the other end of the TCP connection to
timeout accordingly. Increasing the user timeouts on both ends of a adapt its user timeout accordingly. Increasing the user timeouts on
TCP connection allows it to survive extended periods without end-to- both ends of a TCP connection allows it to survive extended periods
end connectivity. Decreasing the user timeouts allows busy servers without end-to-end connectivity. Decreasing the user timeouts allows
to explicitly notify their clients that they will maintain the busy servers to explicitly notify their clients that they will
connection state only for a short time without connectivity. maintain the connection state only for a short time without
connectivity.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Operation . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Changing the Local User Timeout . . . . . . . . . . . . . 6 3.1. Changing the Local User Timeout . . . . . . . . . . . . . 6
3.2. UTO Option Reliability . . . . . . . . . . . . . . . . . . 8 3.2. UTO Option Reliability . . . . . . . . . . . . . . . . . . 8
3.3. Option Format . . . . . . . . . . . . . . . . . . . . . . 8 3.3. Option Format . . . . . . . . . . . . . . . . . . . . . . 9
3.4. Reserved Option Values . . . . . . . . . . . . . . . . . . 9 3.4. Reserved Option Values . . . . . . . . . . . . . . . . . . 10
4. Interoperability Issues . . . . . . . . . . . . . . . . . . . 10 4. Interoperability Issues . . . . . . . . . . . . . . . . . . . 10
4.1. Middleboxes . . . . . . . . . . . . . . . . . . . . . . . 10 4.1. Middleboxes . . . . . . . . . . . . . . . . . . . . . . . 10
4.2. TCP Keep-Alives . . . . . . . . . . . . . . . . . . . . . 10 4.2. TCP Keep-Alives . . . . . . . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12
8.2. Informative References . . . . . . . . . . . . . . . . . . 13 8.2. Informative References . . . . . . . . . . . . . . . . . . 13
Appendix A. Document Revision History . . . . . . . . . . . . . . 13 Appendix A. Document Revision History . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
Intellectual Property and Copyright Statements . . . . . . . . . . 16 Intellectual Property and Copyright Statements . . . . . . . . . . 16
1. Introduction 1. Introduction
The Transmission Control Protocol (TCP) specification [RFC0793] The Transmission Control Protocol (TCP) specification [RFC0793]
defines a local, per-connection "user timeout" parameter that defines a local, per-connection "user timeout" parameter that
specifies the maximum amount of time that transmitted data may remain specifies the maximum amount of time that transmitted data may remain
unacknowledged before TCP will forcefully close the corresponding unacknowledged before TCP will forcefully close the corresponding
connection. Applications can set and change this parameter with OPEN connection. Applications can set and change this parameter with OPEN
and SEND calls. If an end-to-end connectivity disruption lasts and SEND calls. If an end-to-end connectivity disruption lasts
longer than the user timeout, no acknowledgments will be received for longer than the user timeout, no acknowledgments will be received for
any transmission attempt, including keep-alives, and the TCP any transmission attempt, including keep-alives, and the TCP
connection will close when the user timeout occurs. connection will close when the user timeout occurs.
This document specifies a new TCP option - the TCP User Timeout
Option - that allows one end of a TCP connection to advertise its
current user timeout value. This information provides advice to the
other end of the connection to adapt its user timeout accordingly.
That is, TCP remains free to disregard the advice provided by the UTO
option if local policies suggest it to be appropriate.
Increasing the user timeouts on both ends of a TCP connection allows
it to survive extended periods without end-to-end connectivity.
Decreasing the user timeouts allows busy servers to explicitly notify
their clients that they will maintain the connection state only for a
short time without connectivity.
In the absence of an application-specified user timeout, the TCP In the absence of an application-specified user timeout, the TCP
specification [RFC0793] defines a default user timeout of 5 minutes. specification [RFC0793] defines a default user timeout of 5 minutes.
The Host Requirements RFC [RFC1122] refines this definition by The Host Requirements RFC [RFC1122] refines this definition by
introducing two thresholds, R1 and R2 (R2 > R1), that control the introducing two thresholds, R1 and R2 (R2 > R1), that control the
number of retransmission attempts for a single segment. It suggests number of retransmission attempts for a single segment. It suggests
that TCP should notify applications when R1 is reached for a segment, that TCP should notify applications when R1 is reached for a segment,
and close the connection when R2 is reached. [RFC1122] also defines and close the connection when R2 is reached. [RFC1122] also defines
the recommended values for R1 (three retransmissions) and R2 (100 the recommended values for R1 (three retransmissions) and R2 (100
seconds), noting that R2 for SYN segments should be at least 3 seconds), noting that R2 for SYN segments should be at least 3
minutes. Instead of a single user timeout, some TCP implementations minutes. Instead of a single user timeout, some TCP implementations
offer finer-grained policies. For example, Solaris supports offer finer-grained policies. For example, Solaris supports
different timeouts depending on whether a TCP connection is in the different timeouts depending on whether a TCP connection is in the
SYN-SENT, SYN-RECEIVED, or ESTABLISHED state [SOLARIS-MANUAL]. SYN-SENT, SYN-RECEIVED, or ESTABLISHED state [SOLARIS-MANUAL].
Although some TCP implementations allow applications to set their Although some TCP implementations allow applications to set their
local user timeout, TCP has no in-protocol mechanism to signal local user timeout, TCP has no in-protocol mechanism to signal
changes to the local user timeout to the other end. This causes changes to the local user timeout to the other end of a connection.
local changes to be ineffective in allowing a connection to survive This causes local changes to be ineffective in allowing a connection
extended periods without connectivity, because the other end will to survive extended periods without connectivity, because the other
still close the connection after its user timeout expires. end will still close the connection after its user timeout expires.
The ability to inform the other end about the local user timeout for The ability to inform the other end of a connection about the local
the connection can improve TCP operation in scenarios that are user timeout can improve TCP operation in scenarios that are
currently not well supported. One example of such scenarios are currently not well supported. One example of such scenarios are
mobile hosts that change network attachment points based on current mobile hosts that change network attachment points based on current
location. Such hosts, maybe using Mobile IP [RFC3344], HIP [RFC4423] location. Such hosts, maybe using Mobile IP [RFC3344], HIP [RFC4423]
or transport-layer mobility mechanisms [I-D.eddy-tcp-mobility], are or transport-layer mobility mechanisms [I-D.eddy-tcp-mobility], are
only intermittently connected to the Internet. In between connected only intermittently connected to the Internet. In between connected
periods, mobile hosts may experience periods without end-to-end periods, mobile hosts may experience periods without end-to-end
connectivity. Other factors that can cause transient connectivity connectivity. Other factors that can cause transient connectivity
disruptions are high levels of congestion or link or routing failures disruptions are high levels of congestion or link or routing failures
inside the network. In these scenarios, a host may not know exactly inside the network. In these scenarios, a host may not know exactly
when or for how long connectivity disruptions will occur, but it when or for how long connectivity disruptions will occur, but it
might be able to determine an increased likelihood for such events might be able to determine an increased likelihood for such events
based on past mobility patterns and thus benefit from using longer based on past mobility patterns and thus benefit from using longer
user timeouts. In other scenarios, the time and duration of a user timeouts. In other scenarios, the time and duration of a
connectivity disruption may even be predictable. For example, an connectivity disruption may even be predictable. For example, an
orbiting node on a non-geostationary satellite might experience orbiting node on a non-geostationary satellite might experience
connectivity disruptions due to line-of-sight blocking by other connectivity disruptions due to line-of-sight blocking by other
planetary bodies. The timing of these events may be computable from planetary bodies. The timing of these events may be computable from
orbital mechanics. orbital mechanics.
This document specifies a new TCP option - the TCP User Timeout
Option - that allows one end of a TCP connection to advertise its
current user timeout value. This information provides advice to the
other end of the connection to adapt its user timeout accordingly.
That is, TCP remains free to disregard the advice provided by the UTO
option if local policies suggest it to be appropriate.
Increasing the user timeouts on both ends of a TCP connection allows
it to survive extended periods without end-to-end connectivity.
Decreasing the user timeouts allows busy servers to explicitly notify
their clients that they will maintain the connection state only for a
short time without connectivity.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Operation 3. Operation
Use of the TCP User Timeout Option can be enabled either on a per- Use of the TCP User Timeout Option can be enabled either on a per-
application basis, e.g., through a socket option, or controlled by a connection basis, e.g., through a socket option, or controlled by a
system-wide setting. TCP maintains four per-connection state system-wide setting. TCP maintains four per-connection state
variables to control the operation of the UTO option, three of which variables to control the operation of the UTO option, three of which
(LOCAL_UTO, ENABLED and CHANGEABLE) are new: (ADV_UTO, ENABLED and CHANGEABLE) are new:
USER_TIMEOUT USER_TIMEOUT
TCP's USER TIMEOUT parameter, as specified in [RFC0793]. TCP's USER TIMEOUT parameter, as specified in [RFC0793].
LOCAL_UTO ADV_UTO
UTO option advertised to the remote TCP peer. This is an UTO option advertised to the remote TCP peer. This is an
application-specified value, and may be specified on a system-wide application-specified value, and may be specified on a system-wide
basis. If unspecified, it default to the default system-wide USER basis. If unspecified, it defaults to the default system-wide
TIMEOUT. USER TIMEOUT.
ENABLED (Boolean) ENABLED (Boolean)
Flag that controls whether the UTO option is enabled for a Flag that controls whether the UTO option is enabled for a
connection. Defaults to false. connection. Defaults to false.
CHANGEABLE (Boolean) CHANGEABLE (Boolean)
Flag that controls whether USER_TIMEOUT (TCP's USER_TIMEOUT Flag that controls whether USER_TIMEOUT (TCP's USER_TIMEOUT
parameter) may be changed based on an UTO option received from the parameter) may be changed based on an UTO option received from the
other end. Defaults to true and becomes false when an application other end of the connection. Defaults to true and becomes false
explicitly sets USER_TIMEOUT. when an application explicitly sets USER_TIMEOUT.
Note that an exchange of UTO options between both ends of a Note that an exchange of UTO options between both ends of a
connection is not a binding negotiation. Transmission of a UTO connection is not a binding negotiation. Transmission of a UTO
option is a suggestion that the other end consider adapting its user option is a suggestion that the other end consider adapting its user
timeout. This adaptation only happens if the the other end has timeout. This adaptation only happens if the the other end of the
explicitly allowed it (both ENABLED and CHANGEABLE are true). connection has explicitly allowed it (both ENABLED and CHANGEABLE are
true).
Before opening a connection, an application that wishes to use the Before opening a connection, an application that wishes to use the
UTO option SHOULD enable its use by setting ENABLED to true. It MAY UTO option enables its use by setting ENABLED to true. It may choose
pick an appropriate local UTO by setting LOCAL_UTO, which is an appropriate local UTO by explicitly setting ADV_UTO; otherwise,
otherwise set to the default USER TIMEOUT value. Finally, the UTO is set to the default USER TIMEOUT value. Finally, the
application should determine whether it will allow the local USER application should determine whether it will allow the local USER
TIMEOUT to change based on received UTO options from the other end. TIMEOUT to change based on received UTO options from the other end of
The default is to allow this for connections that do not have a a connection. The default is to allow this for connections that do
specific user timeout concerns. If an application explicitly sets not have specific user timeout concerns. If an application
the USER TIMEOUT, CHANGEABLE MUST become false, to prevent UTO explicitly sets the USER TIMEOUT, CHANGEABLE MUST become false, to
options from the other end to override local application requests. prevent UTO options from the other end to override local application
Alternatively, applications MAY set or clear CHANGEABLE directly. requests. Alternatively, applications can set or clear CHANGEABLE
directly through socket API calls.
Performing these steps before an active or passive open causes UTO Performing these steps before an active or passive open causes UTO
options to be exchanged in the SYN and SYN-ACK packets and is a options to be exchanged in the SYN and SYN-ACK packets and is a
reliable way to initially exchange and potentially adapt to UTO reliable way to initially exchange, and potentially adapt to, UTO
values. Systems MAY provide system-wide default settings for the values. TCP implementations MAY provide system-wide default settings
ENABLED, LOCAL_UTO and CHANGEABLE connection parameters. for the ENABLED, ADV_UTO and CHANGEABLE connection parameters.
In addition to exchanging UTO options in the SYN segments, a In addition to exchanging UTO options in the SYN segments, a
connection that has enabled UTO options SHOULD include a UTO option connection that has enabled UTO options SHOULD include a UTO option
in the first packet that does not have the SYN flag set. This helps in the first packet that does not have the SYN flag set. This helps
to minimize the amount of state information TCP must keep for to minimize the amount of state information TCP must keep for
connections in non-synchronized states, and is particularly useful connections in non-synchronized states, and is particularly useful
when mechanisms such as "SYN cookies" [I-D.ietf-tcpm-syn-flood] are when mechanisms such as "SYN cookies" [RFC4987] are implemented,
implemented, allowing a newly-established TCP connection to benefit allowing a newly-established TCP connection to benefit from the
from the information advertised by the UTO option, even if the UTO information advertised by the UTO option, even if the UTO contained
contained in the initial SYN segment was not recorded. in the initial SYN segment was not recorded.
A host that supports the UTO option SHOULD include one in the next A host that supports the UTO option SHOULD include one in the next
possible outgoing segment whenever it starts using a new user timeout possible outgoing segment whenever it starts using a new user timeout
for the connection. This allows the other end to adapt its local for the connection. This allows the other end of the connection to
user timeout for the connection accordingly. A TCP implementation adapt its local user timeout accordingly. A TCP implementation that
that does not support the UTO option MUST silently ignore it does not support the UTO option MUST silently ignore it [RFC1122],
[RFC1122], thus ensuring interoperability. thus ensuring interoperability.
Hosts MUST impose upper and lower limits on the user timeouts they Hosts MUST impose upper and lower limits on the user timeouts they
use for a connection. Section 3.1 discusses user timeout limits and use for a connection. Section 3.1 discusses user timeout limits and
discusses potentially problematic effects of some user timeout potentially problematic effects of some user timeout settings.
settings.
Finally, it is worth noting that TCP's option space is limited to 40 Finally, it is worth noting that TCP's option space is limited to 40
bytes. As a result, if other TCP options are in use, they may bytes. As a result, if other TCP options are in use, they may
already consume all the available TCP option space, thus preventing already consume all the available TCP option space, thus preventing
the use of the UTO option specified in this document. Therefore, TCP the use of the UTO option specified in this document. Therefore, TCP
option space issues should be considered before enabling the UTO option space issues should be considered before enabling the UTO
option. option.
3.1. Changing the Local User Timeout 3.1. Changing the Local User Timeout
When a host receives a TCP User Timeout Option, it must decide When a host receives a TCP User Timeout Option, it must decide
whether to change the local user timeout of the corresponding whether to change the local user timeout of the corresponding
connection. If the CHANGEABLE flag is false, USER_TIMEOUT MUST NOT connection. If the CHANGEABLE flag is false, USER_TIMEOUT MUST NOT
be changed, regardless of the received UTO option. Without this be changed, regardless of the received UTO option. Without this
restriction, the UTO option would modify TCP semantics, because an restriction, the UTO option would modify TCP semantics, because an
application-requested USER TIMEOUT could be overridden by peer application-requested USER TIMEOUT could be overridden by peer
requests. In this case, they SHOULD, however, notify the application requests. In this case TCP SHOULD, however, notify the application
about the user timeout value received from the other end. about the user timeout value received from the other end system.
In general, unless the application on the local host has requested a In general, unless the application on the local host has requested a
specific USER TIMEOUT for the connection, CHANGEABLE will be true and specific USER TIMEOUT for the connection, CHANGEABLE will be true and
hosts SHOULD adjust the local TCP USER TIMEOUT (USER_TIMEOUT) in hosts SHOULD adjust the local TCP USER TIMEOUT (USER_TIMEOUT) in
response to receiving a UTO option, as described in the remainder of response to receiving a UTO option, as described in the remainder of
this section. this section.
The UTO option specifies the user timeout in seconds or minutes, The UTO option specifies the user timeout in seconds or minutes,
rather than in number of retransmissions or round-trip times (RTTs). rather than in number of retransmissions or round-trip times (RTTs).
Thus, the UTO option allows hosts to exchange user timeout values Thus, the UTO option allows hosts to exchange user timeout values
skipping to change at page 7, line 14 skipping to change at page 7, line 14
To protect against these effects, implementations MUST impose limits To protect against these effects, implementations MUST impose limits
on the user timeout values they accept and use. The remainder of on the user timeout values they accept and use. The remainder of
this section describes a RECOMMENDED scheme to limit TCP's USER this section describes a RECOMMENDED scheme to limit TCP's USER
TIMEOUT based on upper and lower limits. TIMEOUT based on upper and lower limits.
Under the RECOMMENDED scheme, and when CHANGEABLE is true, each end Under the RECOMMENDED scheme, and when CHANGEABLE is true, each end
SHOULD compute the local USER TIMEOUT for a connection according to SHOULD compute the local USER TIMEOUT for a connection according to
this formula: this formula:
USER_TIMEOUT = min(U_LIMIT, max(LOCAL_UTO, REMOTE_UTO, L_LIMIT)) USER_TIMEOUT = min(U_LIMIT, max(ADV_UTO, REMOTE_UTO, L_LIMIT))
Each field is to be interpreted as follows: Each field is to be interpreted as follows:
USER_TIMEOUT USER_TIMEOUT
USER TIMEOUT value to be adopted by the local TCP for this USER TIMEOUT value to be adopted by the local TCP for this
connection. connection.
U_LIMIT U_LIMIT
Current upper limit imposed on the user timeout of a connection by Current upper limit imposed on the user timeout of a connection by
the local host. the local host.
LOCAL_UTO ADV_UTO
User timeout advertised to the remote TCP peer in a TCP User User timeout advertised to the remote TCP peer in a TCP User
Timeout Option. Timeout Option.
REMOTE_UTO REMOTE_UTO
Last "user timeout" value received from the other end in a TCP Last user timeout value received from the other end in a TCP User
User Timeout Option. Timeout Option.
L_LIMIT L_LIMIT
Current lower limit imposed on the user timeout of a connection by Current lower limit imposed on the user timeout of a connection by
the local host. the local host.
This means that, provided they are within the upper and lower limits, The RECOMMENDED formula results in the maximum of the two advertised
the maximum of the two advertised values will be adopted for the user values to be adopted for the user timeout of the connection on both
timeout of the connection. The rationale is that choosing the ends, provided they are within the upper and lower limits. The
maximum of the two values will let the connection survive longer rationale is that choosing the maximum of the two values will let the
periods without end-to-end connectivity. If the end that announced connection survive longer periods without end-to-end connectivity.
the lower of the two user timeout values did so in order to reduce If the end that announced the lower of the two user timeout values
the amount of TCP state information that must be kept on the host, it did so in order to reduce the amount of TCP state information that
can, nevertheless, close or abort the connection whenever it wants. must be kept on the host, it can close or abort the connection
whenever it wants.
It must be noted that the two endpoints of the connection will not It must be noted that the two endpoints of the connection will not
necessarily adopt the same user timeout. necessarily adopt the same user timeout.
Enforcing a lower limit (L_LIMIT) prevents connections from closing Enforcing a lower limit (L_LIMIT) prevents connections from closing
due to transient network conditions, including temporary congestion, due to transient network conditions, including temporary congestion,
mobility hand-offs and routing instabilities. mobility hand-offs and routing instabilities.
An upper limit (U_LIMIT) can reduce the effect of resource exhaustion An upper limit (U_LIMIT) can reduce the effect of resource exhaustion
attacks. Section 5 discusses the details of these attacks. attacks. Section 5 discusses the details of these attacks.
Note that these limits MAY be specified as system-wide constants or Note that these limits MAY be specified as system-wide constants or
at other granularities, such as on per-host, per-user, per-outgoing- at other granularities, such as on per-host, per-user, per-outgoing-
interface or even per-connection basis. Furthermore, these limits interface or even per-connection basis. Furthermore, these limits
need not be static. For example, they MAY be a function of system need not be static. For example, they MAY be a function of system
resource utilization or attack status and could be dynamically resource utilization or attack status and could be dynamically
adapted. adapted.
The Host Requirements RFC [RFC1122] does not impose any limits on the The Host Requirements RFC [RFC1122] does not impose any limits on the
length of the user timeout. However, a time interval of at least 100 length of the user timeout. However, it recommends a time interval
seconds is RECOMMENDED. Consequently, the lower limit (L_LIMIT) of at least 100 seconds. Consequently, the lower limit (L_LIMIT)
SHOULD be set to at least 100 seconds when following the RECOMMENDED SHOULD be set to at least 100 seconds when following the RECOMMENDED
scheme described in this section. Adopting a user timeout smaller scheme described in this section. Adopting a user timeout smaller
than the current retransmission timeout (RTO) for the connection than the current retransmission timeout (RTO) for the connection
would likely cause the connection to be aborted unnecessarily. would likely cause the connection to be aborted unnecessarily.
Therefore, the lower limit (L_LIMIT) MUST be larger than the current Therefore, the lower limit (L_LIMIT) MUST be larger than the current
retransmission timeout (RTO) for the connection. It is worth noting retransmission timeout (RTO) for the connection. It is worth noting
that an upper limit may be imposed on the RTO, provided it is at that an upper limit may be imposed on the RTO, provided it is at
least 60 seconds [RFC2988]. least 60 seconds [RFC2988].
3.2. UTO Option Reliability 3.2. UTO Option Reliability
skipping to change at page 8, line 51 skipping to change at page 9, line 8
It is important to note that although these mechanisms can improve It is important to note that although these mechanisms can improve
transmission reliability for the UTO option, they do not guarantee transmission reliability for the UTO option, they do not guarantee
delivery (a three-way handshake would be required for this). delivery (a three-way handshake would be required for this).
Consequently, implementations MUST NOT assume that UTO options are Consequently, implementations MUST NOT assume that UTO options are
transmitted reliably. transmitted reliably.
3.3. Option Format 3.3. Option Format
Sending a TCP User Timeout Option informs the other end of the Sending a TCP User Timeout Option informs the other end of the
current local user timeout for the connection and suggests that the connection of the current local user timeout and suggests that the
other end adapt its user timeout accordingly. The user timeout value other end adapt its user timeout accordingly. The user timeout value
included in a UTO option contains the LOCAL_UTO value, that is included in a UTO option contains the ADV_UTO value, that is expected
expected to be adopted for the TCP's USER TIMEOUT parameter during to be adopted for the TCP's USER TIMEOUT parameter during the
the synchronized states of a connection (ESTABLISHED, FIN-WAIT-1, synchronized states of a connection (ESTABLISHED, FIN-WAIT-1, FIN-
FIN-WAIT-2, CLOSE-WAIT, CLOSING, or LAST-ACK). Connections in other WAIT-2, CLOSE-WAIT, CLOSING, or LAST-ACK). Connections in other
states MUST use the default timeout values defined in [RFC0793] and states MUST use the default timeout values defined in [RFC0793] and
[RFC1122]. [RFC1122].
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Kind = X | Length = 4 |G| User Timeout | | Kind = TBD | Length = 4 |G| User Timeout |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
(One tick mark represents one bit.) (One tick mark represents one bit.)
Figure 1: Format of the TCP User Timeout Option Figure 1: Format of the TCP User Timeout Option
Figure 1 shows the format of the TCP User Timeout Option. It Figure 1 shows the format of the TCP User Timeout Option. It
contains these fields: contains these fields:
Kind (8 bits) Kind (8 bits)
A TCP option number [RFC0793] to be assigned by IANA upon This MUST be TBD, i.e., the TCP option number [RFC0793] assigned
publication of this document (see Section 6). by IANA upon publication of this document (see Section 6). [[Note
to the RFC Editor: Throughout this document, replace "TBD" with
the TCP option number that IANA has allocated and remove this
note.]]
Length (8 bits) Length (8 bits)
Length of the TCP option in octets [RFC0793]; its value MUST be 4. Length of the TCP option in octets [RFC0793]; its value MUST be 4.
Granularity (1 bit) Granularity (1 bit)
Granularity bit, indicating the granularity of the "User Timeout" Granularity bit, indicating the granularity of the "User Timeout"
field. When set (G = 1), the time interval in the "User Timeout" field. When set (G = 1), the time interval in the "User Timeout"
field MUST be interpreted as minutes. Otherwise (G = 0), the time field MUST be interpreted as minutes. Otherwise (G = 0), the time
interval in the "User Timeout" field MUST be interpreted as interval in the "User Timeout" field MUST be interpreted as
seconds. seconds.
User Timeout (15 bits) User Timeout (15 bits)
Specifies the user timeout suggestion for this connection.. It Specifies the user timeout suggestion for this connection. It
MUST be interpreted as a 15-bit unsigned integer. The granularity MUST be interpreted as a 15-bit unsigned integer. The granularity
of the timeout (minutes or seconds) depends on the "G" field. of the timeout (minutes or seconds) depends on the "G" field.
3.4. Reserved Option Values 3.4. Reserved Option Values
An TCP User Timeout Option with a "User Timeout" field of zero and a An TCP User Timeout Option with a "User Timeout" field of zero and a
"Granularity" bit of either minutes (1) or seconds (0) is reserved "Granularity" bit of either minutes (1) or seconds (0) is reserved
for future use. TCP implementations MUST NOT send it and MUST ignore for future use. Current TCP implementations MUST NOT send it and
it upon reception. MUST ignore it upon reception.
4. Interoperability Issues 4. Interoperability Issues
This section discusses interoperability issues related to introducing This section discusses interoperability issues related to introducing
the TCP User Timeout Option. the TCP User Timeout Option.
4.1. Middleboxes 4.1. Middleboxes
A TCP implementation that does not support the TCP User Timeout A TCP implementation that does not support the TCP User Timeout
Option MUST silently ignore it [RFC1122], thus ensuring Option MUST silently ignore it [RFC1122], thus ensuring
skipping to change at page 10, line 29 skipping to change at page 10, line 36
failures caused by unknown options is small and they are a result of failures caused by unknown options is small and they are a result of
incorrectly implemented TCP stacks that violate existing requirements incorrectly implemented TCP stacks that violate existing requirements
to ignore unknown options, they do not warrant special measures. to ignore unknown options, they do not warrant special measures.
Thus, this document does not define a mechanism to negotiate support Thus, this document does not define a mechanism to negotiate support
of the TCP User Timeout Option during the three-way handshake. of the TCP User Timeout Option during the three-way handshake.
Stateful firewalls usually time out connection state after a period Stateful firewalls usually time out connection state after a period
of inactivity. If such a firewall exists along the path, it may of inactivity. If such a firewall exists along the path, it may
close or abort connections regardless of the use of the TCP User close or abort connections regardless of the use of the TCP User
Timeout Option. In the future, such firewalls may learn to parse the Timeout Option. In the future, such firewalls may learn to parse the
TCP User Timeout Option and adapt connection state management TCP User Timeout Option in unencrypted TCP segments and adapt
accordingly. connection state management accordingly.
4.2. TCP Keep-Alives 4.2. TCP Keep-Alives
Some TCP implementations, such as those in BSD systems, use a Some TCP implementations, such as those in BSD systems, use a
different abort policy for TCP keep-alives than for user data. Thus, different abort policy for TCP keep-alives than for user data. Thus,
the TCP keep-alive mechanism might abort a connection that would the TCP keep-alive mechanism might abort a connection that would
otherwise have survived the transient period without connectivity. otherwise have survived the transient period without connectivity.
Therefore, if a connection enables keep-alives that is also using the Therefore, if a connection that enables keep-alives is also using the
TCP User Timeout Option, then the keep-alive timer MUST be set to a TCP User Timeout Option, then the keep-alive timer MUST be set to a
value larger than that of the adopted USER TIMEOUT. value larger than that of the adopted USER TIMEOUT.
5. Security Considerations 5. Security Considerations
Lengthening user timeouts has obvious security implications. Lengthening user timeouts has obvious security implications.
Flooding attacks cause denial of service by forcing servers to commit Flooding attacks cause denial of service by forcing servers to commit
resources for maintaining the state of throw-away connections. resources for maintaining the state of throw-away connections.
However, TCP implementations do not become more vulnerable to simple However, TCP implementations do not become more vulnerable to simple
SYN flooding by implementing the TCP User Timeout Option, because SYN flooding by implementing the TCP User Timeout Option, because
skipping to change at page 11, line 15 skipping to change at page 11, line 26
However, when an attacker completes the three-way handshakes of its However, when an attacker completes the three-way handshakes of its
throw-away connections it can amplify the effects of resource throw-away connections it can amplify the effects of resource
exhaustion attacks, because the attacked server must maintain the exhaustion attacks, because the attacked server must maintain the
connection state associated with the throw-away connections for connection state associated with the throw-away connections for
longer durations. Because connection state is kept longer, lower- longer durations. Because connection state is kept longer, lower-
frequency attack traffic, which may be more difficult to detect, can frequency attack traffic, which may be more difficult to detect, can
already exacerbate resource exhaustion. already exacerbate resource exhaustion.
Several approaches can help mitigate this issue. First, Several approaches can help mitigate this issue. First,
implementations can require prior peer authentication, e.g., using implementations can require prior peer authentication, e.g., using
IPsec [RFC4301], before accepting long user timeouts for the peer's IPsec [RFC4301] or TCP-MD5 [RFC2385], before accepting long user
connections. Similarly, a host can start to accept long user timeouts for the peer's connections. Similarly, a host can start to
timeouts for an established connection only after in-band accept long user timeouts for an established connection only after
authentication has occurred, for example, after a TLS handshake in-band authentication has occurred, for example, after a TLS
across the connection has succeeded [RFC4346]. Although these are handshake across the connection has succeeded [RFC4346]. Although
arguably the most complete solutions, they depend on external these are arguably the most complete solutions, they depend on
mechanisms to establish a trust relationship. external mechanisms to establish a trust relationship.
A second alternative that does not depend on external mechanisms A second alternative that does not depend on external mechanisms
would introduce a per-peer limit on the number of connections that would introduce a per-peer limit on the number of connections that
may use increased user timeouts. Several variants of this approach may use increased user timeouts. Several variants of this approach
are possible, such as fixed limits or shortening accepted user are possible, such as fixed limits or shortening accepted user
timeouts with a rising number of connections. Although this timeouts with a rising number of connections. Although this
alternative does not eliminate resource exhaustion attacks from a alternative does not eliminate resource exhaustion attacks from a
single peer, it can limit their effects. Reducing the number of single peer, it can limit their effects. Reducing the number of
high-UTO connections a server supports in the face of an attack turns high-UTO connections a server supports in the face of an attack turns
that attack into a denial-of-service attack against the service of that attack into a denial-of-service attack against the service of
skipping to change at page 12, line 9 skipping to change at page 12, line 20
Note that if TCP needs to close or abort connections with a long TCP Note that if TCP needs to close or abort connections with a long TCP
User Timeout Option to shed load, these connections are still no User Timeout Option to shed load, these connections are still no
worse off than without the option. worse off than without the option.
Finally, upper and lower limits on user timeouts, discussed in Finally, upper and lower limits on user timeouts, discussed in
Section 3.1, can be an effective tool to limit the impact of these Section 3.1, can be an effective tool to limit the impact of these
sorts of attacks. sorts of attacks.
6. IANA Considerations 6. IANA Considerations
This section is to be interpreted according to [RFC2434]. This section is to be interpreted according to
[I-D.narten-iana-considerations-rfc2434bis].
This document does not define any new namespaces. It uses an 8-bit This document does not define any new namespaces. It requests that
TCP option number maintained by IANA at IANA allocate a new 8-bit TCP option number for the UTO option from
the registry maintained at
http://www.iana.org/assignments/tcp-parameters. http://www.iana.org/assignments/tcp-parameters.
7. Acknowledgments 7. Acknowledgments
The following people have improved this document through thoughtful The following people have improved this document through thoughtful
suggestions: Mark Allman, Caitlin Bestler, David Borman, Bob Braden, suggestions: Mark Allman, Caitlin Bestler, David Borman, Bob Braden,
Marcus Brunner, Wesley Eddy, Gorry Fairhurst, Abolade Gbadegesin, Ted Marcus Brunner, Wesley Eddy, Gorry Fairhurst, Abolade Gbadegesin, Ted
Faber, Guillermo Gont, Tom Henderson, Joseph Ishac, Jeremy Harris, Faber, Guillermo Gont, Tom Henderson, Joseph Ishac, Jeremy Harris,
Alfred Hoenes, Phil Karn, Michael Kerrisk, Dan Krejsa, Jamshid Alfred Hoenes, Phil Karn, Michael Kerrisk, Dan Krejsa, Jamshid
Mahdavi, Kostas Pentikousis, Juergen Quittek, Anantha Ramaiah, Joe Mahdavi, Kostas Pentikousis, Juergen Quittek, Anantha Ramaiah, Joe
skipping to change at page 12, line 34 skipping to change at page 12, line 47
Stiemerling. Stiemerling.
Lars Eggert has been partly funded by Ambient Networks, a research Lars Eggert has been partly funded by Ambient Networks, a research
project supported by the European Commission under its Sixth project supported by the European Commission under its Sixth
Framework Program. Framework Program.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.narten-iana-considerations-rfc2434bis]
Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs",
draft-narten-iana-considerations-rfc2434bis-08 (work in
progress), October 2007.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981. RFC 793, September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts - [RFC1122] Braden, R., "Requirements for Internet Hosts -
Communication Layers", STD 3, RFC 1122, October 1989. Communication Layers", STD 3, RFC 1122, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 2434,
October 1998.
8.2. Informative References 8.2. Informative References
[I-D.eddy-tcp-mobility] [I-D.eddy-tcp-mobility]
Eddy, W., "Mobility Support For TCP", Eddy, W., "Mobility Support For TCP",
draft-eddy-tcp-mobility-00 (work in progress), April 2004. draft-eddy-tcp-mobility-00 (work in progress), April 2004.
[I-D.ietf-tcpm-syn-flood]
Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", draft-ietf-tcpm-syn-flood-05 (work in
progress), May 2007.
[MEDINA] Medina, A., Allman, M., and S. Floyd, "Measuring [MEDINA] Medina, A., Allman, M., and S. Floyd, "Measuring
Interactions Between Transport Protocols and Middleboxes", Interactions Between Transport Protocols and Middleboxes",
Proc. 4th ACM SIGCOMM/USENIX Conference on Internet Proc. 4th ACM SIGCOMM/USENIX Conference on Internet
Measurement , October 2004. Measurement , October 2004.
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, August 1998.
[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission [RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission
Timer", RFC 2988, November 2000. Timer", RFC 2988, November 2000.
[RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344, [RFC3344] Perkins, C., "IP Mobility Support for IPv4", RFC 3344,
August 2002. August 2002.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006. (TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol
(HIP) Architecture", RFC 4423, May 2006. (HIP) Architecture", RFC 4423, May 2006.
[RFC4987] Eddy, W., "TCP SYN Flooding Attacks and Common
Mitigations", RFC 4987, August 2007.
[SOLARIS-MANUAL] [SOLARIS-MANUAL]
Sun Microsystems, "Solaris Tunable Parameters Reference Sun Microsystems, "Solaris Tunable Parameters Reference
Manual", Part No. 806-7009-10, 2002. Manual", Part No. 806-7009-10, 2002.
Appendix A. Document Revision History Appendix A. Document Revision History
To be removed upon publication [[Note to the RFC Editor: Section to be removed upon publication.]]
+----------+--------------------------------------------------------+ +----------+--------------------------------------------------------+
| Revision | Comments | | Revision | Comments |
+----------+--------------------------------------------------------+ +----------+--------------------------------------------------------+
| 07 | Addressed working group last call comments. |
| 06 | Includes a note on the limited space for TCP options | | 06 | Includes a note on the limited space for TCP options |
| | and miscelaneous editorial changes(suggested by | | | and miscelaneous editorial changes(suggested by |
| | Anantha Ramaiah). Includes possible enforcement of | | | Anantha Ramaiah). Includes possible enforcement of |
| | per-outgoing-interface limits for the UTO, and | | | per-outgoing-interface limits for the UTO, and |
| | miscellaneous editorial changes (suggested by Alfred | | | miscellaneous editorial changes (suggested by Alfred |
| | Hoenes). Includes relevant changes to reflect WG | | | Hoenes). Includes relevant changes to reflect WG |
| | consesus how the local user timeout should be selected | | | consesus how the local user timeout should be selected |
| | (i.e., record both the current user timeout, and the | | | (i.e., record both the current user timeout, and the |
| | advertised UTO). | | | advertised UTO). |
| 05 | Made behavior on when to change/not change the local | | 05 | Made behavior on when to change/not change the local |
 End of changes. 47 change blocks. 
113 lines changed or deleted 126 lines changed or added

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/