tcpm                                                        M. Boucadair
Internet-Draft                                                    Orange
Intended status: Standards Track                           31 March 2022
Expires: 2 October 2022


                       TCP RST Diagnostic Paylaod
             draft-boucadair-tcpm-rst-diagnostic-payload-01

Abstract

   This document specifies a diagnostic payload format to be returned in
   TCP RST segments.  Such payloads are used to share with the endpoints
   the reasons for which a TCP connection has been reset.  This is meant
   to ease diagnostic and troubleshooting.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 October 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.





Boucadair                Expires 2 October 2022                 [Page 1]


Internet-Draft           RST Diagnostic Payload               March 2022


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  RST Diagnostic Payload  . . . . . . . . . . . . . . . . . . .   3
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
     4.1.  New Registry for TCP Failure Causes . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   A TCP connection [I-D.ietf-tcpm-rfc793bis] can be reset by a peer for
   various reasons, e.g., received data does not correspond to an active
   connection.  Also, a TCP connection can be reset by an on-path
   service function (e.g., CGN [RFC6888], NAT64 [RFC6146], firewall) for
   several reasons.  Typically, a NAT function can generate an RST
   segment to notify the peers upon the expiry of the lifetime of the
   corresponding mapping entry or because an RST segment was received
   from a peer (Section 2.2 of [RFC7857]).  A TCP connection can also be
   closed by a user or an application at any time.  However, the peer
   that receives an RST segment does not have any hint about the reason
   that led to terminating the connection.  Likewise, the application
   that relies upon such a TCP connection may not easily identify the
   reason for a connection closure.  Troubleshooting such events at the
   remote side of the connection that receives the RST segment may not
   be trivial.

   This document fills this void by specifying a format of the
   diagnostic payload that is returned in an RST segment.  Returning
   such data is consistent with the provision in Section 3.5.3 of
   [I-D.ietf-tcpm-rfc793bis] for RST segments.

   This document does not change the conditions under which an RST
   segment is generated (Section 3.5.2 of [I-D.ietf-tcpm-rfc793bis]).

   The generic procedure for processing an RST segment is specified in
   Section 3.5.3 of [I-D.ietf-tcpm-rfc793bis].  Only the deviations from
   that procedure to insert and validate an enclosed diagnostic payload
   is provided in Section 3.

   The first version of the specification is meant to discuss the format
   and the overall approach to ease maintaining the list of codes while
   allowing for adding new codes as needed in the future and



Boucadair                Expires 2 October 2022                 [Page 2]


Internet-Draft           RST Diagnostic Payload               March 2022


   accommodating any existing vendor-specific codes.  An initial version
   of error codes is available at Table 1.  However, the authoritative
   source to retrieve the full list of error codes is the IANA-
   maintained registry Section 4.1.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document makes use of the terms defined in Section 4 of
   [I-D.ietf-tcpm-rfc793bis].

3.  RST Diagnostic Payload

   In order to unambiguously identify an RST diagnostic payload that is
   compliant with the present specification, the payload MUST use the
   I-JSON message format [RFC7493].  The following parameters are
   defined:

   rc:  Stands for "Reason Code".  This parameter takes a value from an
      available registry such as the "TCP Failure Causes" registry
      (Section 4.1).

   pen:  Includes a Private Enterprise Number
      [Private-Enterprise-Numbers].  This attribute is included when the
      reason code is not taken from the IANA-maintained registry
      (Section 4.1), but from a vendor-specific registry.

   rd:  Stands for "Reason Description".  It includes a brief
      description of the reason code.  This parameter SHOULD NOT be
      included if a reason code is supplied.  This parameter is useful
      only for codes that are not yet registered or for application-
      specific codes.

   At least "rc" and "rd" parameters MUST be included in an RST
   diagnostic payload.  It is RECOMMENDED to omit "pen" if a reason code
   from the IANA-maintained registry (Section 4.1) fits the reset case.

   Malformed RST diagnostic payload messages MUST be silently ignored by
   the receiver.







Boucadair                Expires 2 October 2022                 [Page 3]


Internet-Draft           RST Diagnostic Payload               March 2022


   A peer that receives a valid diagnostic payload may pass that
   information to the local application in addition to the information
   (MUST-12) described in Section 3.6 of [I-D.ietf-tcpm-rfc793bis].
   That information may also be logged locally, unless a local policy
   specifies otherwise.

   Figure 1 depicts an example of an RST diagnostic payload that is
   generated to inform the peer that the connection is reset because an
   ACK was received while the connection is still in the LISTEN state.

   {
    "rc": 2
   }

            Figure 1: An RST Diagnostic Payload with Reason Code

   Figure 2 shows an example of an RST diagnostic payload that includes
   a free description to report a case that is not covered yet by the
   IANA-maintained registry (Section 4.1).

   {
    "rd": "brief human-readable description"
   }

        Figure 2: An RST Diagnostic Payload with Reason Description

   An RST diagnostic payload may also be reset by an on-path service
   function.  For example, the following diagnostic payload is returned
   by a NAT uppon expiry of the mapping entry to which the TCP
   connection is bound (Figure 3).

   {
    "rc": 8
   }

      Figure 3: An RST Diagnostic Payload to Report Connection Timeout

   Figure 4 illustrates the example of an RST diagnostic payload that is
   returned by a peer that resets a TCP connection for a reason code
   1234 defined by a vendor with the private enterprise number 32473.

   {
    "rc": 1234
    "pen": 32473
   }

       Figure 4: An RST Diagnostic Payload to Report Vendor-Specific
                                Reason Code



Boucadair                Expires 2 October 2022                 [Page 4]


Internet-Draft           RST Diagnostic Payload               March 2022


   Figure 4 uses the Enterprise Number 32473 defined for documentation
   use [RFC5612].

4.  IANA Considerations


4.1.  New Registry for TCP Failure Causes

   This document requests IANA to create a new subregistry entitled "TCP
   Failure Causes" under the "Transmission Control Protocol (TCP)
   Parameters" registry [IANA-TCP].

   Values are taken from RANGE.

   The assignment policy for this registry is "Expert Review"
   (Section 4.5 of [RFC8126]).

   The designated experts may approve registration once they checked
   that the new requested code is not covered by an existing code and if
   the provided reasoning to register the new code is acceptable.  A
   registration request may supply a pointer to a specification where
   that code is defined.  However, a registration may be accepted even
   if no permanent and readily available public specification is
   available.

   The registry is initially populated with the following values:

























Boucadair                Expires 2 October 2022                 [Page 5]


Internet-Draft           RST Diagnostic Payload               March 2022


   +=======+===============================+===========================+
   | Value | Description                   | Specification (if         |
   |       |                               | available)                |
   +=======+===============================+===========================+
   | 1     | Data lost.  New data is       | Sections 3.6.1 and        |
   |       | received after CLOSE is       | 3.10.7.1 of               |
   |       | called                        | [I-D.ietf-tcpm-rfc793bis] |
   +-------+-------------------------------+---------------------------+
   | 2     | Still in LISTEN.              | Section 3.10.7.2 of       |
   |       | Received ACK while the        | [I-D.ietf-tcpm-rfc793bis] |
   |       | connection still in the       |                           |
   |       | LISTEN state                  |                           |
   +-------+-------------------------------+---------------------------+
   | 3     | Malformed Message             | [ThisDocument]            |
   +-------+-------------------------------+---------------------------+
   | 4     | Not Authorized                | [ThisDocument]            |
   +-------+-------------------------------+---------------------------+
   | 5     | Resource Exceeded             | [ThisDocument]            |
   +-------+-------------------------------+---------------------------+
   | 6     | Network Failure.  This        | [ThisDocument]            |
   |       | code can be used by           |                           |
   |       | service functions such        |                           |
   |       | as translators.               |                           |
   +-------+-------------------------------+---------------------------+
   | 7     | Connection Reset              | [ThisDocument]            |
   |       | received from the peer.       |                           |
   |       | This code can be used         |                           |
   |       | by service functions          |                           |
   |       | such as translators.          |                           |
   +-------+-------------------------------+---------------------------+
   | 8     | Destination                   | [ThisDocument]            |
   |       | Unreachable.  This code       |                           |
   |       | can be used by service        |                           |
   |       | functions such as             |                           |
   |       | translators.                  |                           |
   +-------+-------------------------------+---------------------------+
   | 9     | Connection Timeout.This       | [ThisDocument]            |
   |       | code can be used by           |                           |
   |       | service functions such        |                           |
   |       | as translators.               |                           |
   +-------+-------------------------------+---------------------------+

                    Table 1: Initial TCP Failure Causes








Boucadair                Expires 2 October 2022                 [Page 6]


Internet-Draft           RST Diagnostic Payload               March 2022


5.  Security Considerations

   [I-D.ietf-tcpm-rfc793bis] discusses TCP-related security
   considerations.  RST-specific attacks and their mitigations are
   discussed in Section 3.10.7.3 of [I-D.ietf-tcpm-rfc793bis].

   In addition to these considerations, it is RECOMMENDED to control the
   size of acceptable diagnostic payload and keep it as brief as
   possible.  Also, it is RECOMMENDED to avoid leaking privacy-related
   information as part of the diagnostic payload (e.g., including a
   description such as "user X resets explicitly the connection" is not
   recommended).

6.  Acknowledgements

   TBC.

7.  References

7.1.  Normative References

   [I-D.ietf-tcpm-rfc793bis]
              Eddy, W. M., "Transmission Control Protocol (TCP)
              Specification", Work in Progress, Internet-Draft, draft-
              ietf-tcpm-rfc793bis-28, 7 March 2022,
              <https://www.ietf.org/archive/id/draft-ietf-tcpm-
              rfc793bis-28.txt>.

   [Private-Enterprise-Numbers]
              "Private Enterprise Numbers", 4 May 2020,
              <https://www.iana.org/assignments/enterprise-numbers>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7493]  Bray, T., Ed., "The I-JSON Message Format", RFC 7493,
              DOI 10.17487/RFC7493, March 2015,
              <https://www.rfc-editor.org/info/rfc7493>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.






Boucadair                Expires 2 October 2022                 [Page 7]


Internet-Draft           RST Diagnostic Payload               March 2022


   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

7.2.  Informative References

   [IANA-TCP] IANA YANG, "Transmission Control Protocol (TCP)
              Parameters",
              <https://www.iana.org/assignments/tcp-parameters/tcp-
              parameters.xhtml>.

   [RFC5612]  Eronen, P. and D. Harrington, "Enterprise Number for
              Documentation Use", RFC 5612, DOI 10.17487/RFC5612, August
              2009, <https://www.rfc-editor.org/info/rfc5612>.

   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
              NAT64: Network Address and Protocol Translation from IPv6
              Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146,
              April 2011, <https://www.rfc-editor.org/info/rfc6146>.

   [RFC6888]  Perreault, S., Ed., Yamagata, I., Miyakawa, S., Nakagawa,
              A., and H. Ashida, "Common Requirements for Carrier-Grade
              NATs (CGNs)", BCP 127, RFC 6888, DOI 10.17487/RFC6888,
              April 2013, <https://www.rfc-editor.org/info/rfc6888>.

   [RFC7857]  Penno, R., Perreault, S., Boucadair, M., Ed., Sivakumar,
              S., and K. Naito, "Updates to Network Address Translation
              (NAT) Behavioral Requirements", BCP 127, RFC 7857,
              DOI 10.17487/RFC7857, April 2016,
              <https://www.rfc-editor.org/info/rfc7857>.

Author's Address

   Mohamed Boucadair
   Orange
   35000 Rennes
   France
   Email: mohamed.boucadair@orange.com













Boucadair                Expires 2 October 2022                 [Page 8]