TCP Fast Open: expediting web services [LWN.net]

TCP Fast Open: expediting web services

Posted Aug 2, 2012 9:42 UTC (Thu) by Los__D (guest, #15263)
Parent article: TCP Fast Open: expediting web services

"In the above steps, if the TFO cookie proves not to be valid, then the server TCP discards the data and sends a segment to the client TCP that acknowledges just the SYN. At this point, the TCP conversation falls back to the normal three-way handshake. If the client TCP is authentic (not malicious), then it will (transparently to the application) retransmit the data that it sent in the SYN segment."

Why does the server discard the data? Shouldn't it just return to the old ways, and defer the delivery until the three-way handshake has completed?

to post comments

TCP Fast Open: expediting web services

Posted Aug 2, 2012 10:59 UTC (Thu) by dan_a (guest, #5325) [Link] (2 responses)

I would think that the problem is the resources in the OS which you could consume by doing this - especially since the handshake has already failed one trustworthiness test.

TCP Fast Open: expediting web services

Posted Aug 2, 2012 11:28 UTC (Thu) by Los__D (guest, #15263) [Link] (1 responses)

But if it is already possible to send data with an normal SYN, and that data gets delivered to the application later, what do you gain from throwing it away when you use TCP Fast Open? If the feature can be used for SYN attacks, they would just do it without Fast Open.

I'm probably missing something, but it doesn't really make sense to me.

TCP Fast Open: expediting web services

Posted Aug 3, 2012 2:17 UTC (Fri) by butlerm (subscriber, #13312) [Link]

If I am not mistaken, most modern TCP stacks do not hold data sent with a SYN, and do not send it either. For most applications, there would be relatively little advantage if they did. Requests usually fit in an MTU (or MSS) worth of data, and in the absence of something like TCP Fast Open, the target endpoint has to wait for an acknowledgement that can carry the full sub-MSS sized request without a problem. Where on the other hand, holding the data simply makes it easier to conduct SYN attacks.