TCP Fast Open
In computer networking, TCP Fast Open (TFO) is an extension to speed up the opening of successive Transmission Control Protocol (TCP) connections between two endpoints. It works by using a TFO cookie (a TCP option), which is a cryptographic cookie stored on the client and set upon the initial connection with the server.[1] When the client later reconnects, it sends the initial SYN packet along with the TFO cookie data to authenticate itself. If successful, the server may start sending data to the client even before the reception of the final ACK packet of the three-way handshake, thus skipping a round-trip delay and lowering the latency in the start of data transmission.
The cookie is generated by applying a block cipher keyed on a key held secret by the server to the client's, generating an authentication tag that is difficult for third parties to spoof, even if they can forge a source IP address or make two-way connections to the same server from other IP addresses. Although it uses cryptographic techniques to generate the cookie, TFO is not intended to provide more security than the three-way handshake it replaces, and does not give any form of cryptographic protection to the resulting TCP connection, or provide identity assurance about either endpoint. It also is not intended to be resistant to man-in-the-middle attacks. If such resistance is required, it may be used in combination with a cryptographic protocol such as TLS or IPsec.
TFO has been difficult to deploy due to protocol ossification; in 2020, no Web browsers used it by default.[2]
TFO presents privacy challenges; the TFO cookie can allow persistently tracking a client across sessions, even by passive observers.[3]
History
The TFO proposal was originally presented in 2011[4] and was published as the experimental RFC 7413 in December 2014.[5] TCP Fast Open shares the goal of bypassing the three-way handshake of TCP with an earlier proposal from 1994, called T/TCP (RFC 1644). In contrast to TCP Fast Open, T/TCP paid no attention to security,[5] opening a path for vulnerabilities and failing to gain traction.
Characteristics
TFO implementations include the following:
- IPv4 support for TFO was merged into the Linux kernel mainline in kernel versions 3.6 (support for clients) and 3.7 (Dec 2012) (support for servers),[6][7] and was turned on by default in kernel version 3.13 (Jan 2014).[8] TFO support for IPv6 servers was merged in kernel version 3.16.[9]
- FreeBSD from version 10.3[10] (support for servers) and 12.0.[11][12] (support for clients).
- Mozilla Firefox from version 58.[13] The support was disabled by default due to network device compatibility issues with TFO and TLS 1.3[14] and eventually removed in version 87.[15]
- Google Chrome and Chromium browsers have support for TFO on Linux, including ChromeOS and Android.
- Exim mail transfer agent (MTA) from version 4.88.[16]
- Unbound DNS Resolver from version 1.5.10.[17]
- BIND Domain Name System (DNS) from version 9.11.0.[18]
- Knot DNS from version 2.6.0.[19]
- Apple's iOS 9 and OS X 10.11 both support TCP Fast Open, but it is not enabled for individual connections by default.[20]
- Microsoft Edge supports TCP Fast Open since Windows 10 Preview build 14352.[21]
- PowerDNS Recursor supports TCP Fast Open from version 4.1.[22]
- dnsmasq supports TCP-fastopen (RFC-7413) from version 2.81.[23]
See also
References
- ^ Kerrisk, Michael (2012-08-01). "TCP Fast Open: expediting web services". LWN.net.
- ^ Rybczyńska 2020.
- ^ Sy et al. 2020, p. 275-279.
- ^ Radhakrishnan S, Cheng Y, Chu J, Jain A, Raghavan B (2011-12-06). "TCP Fast Open" (PDF). ACM CoNEXT.
- ^ a b Cheng, Yuchung; Chu, Jerry; Radhakrishnan, Sivasankar & Jain, Arvind (December 2014). TCP Fast Open. IETF. doi:10.17487/RFC7413. RFC 7413. Retrieved 27 June 2022.
- ^ Kerrisk, Michael (2012-08-01). "TCP Fast Open: expediting web services". LWN.net.
The client-side support has been merged for Linux 3.6
- ^ Vaughan-Nichols, Steven J (2012-12-11). "Linux 3.7 arrives, ARM developers rejoice". Linux and Open Source. ZDNet.
Linux 3.7. TCP Fast Open will now be supported on servers
- ^ "Linux Kernel 3.13, Section 1.10. TCP Fast Open enabled by default". kernelnewbies.org. 19 January 2014. Retrieved 11 February 2014.
- ^ "Linux Kernel 3.16, Section 1.4. TCP Fast Open server mode on IPv6 support". kernelnewbies.org. 3 August 2014. Retrieved 14 September 2014.
- ^ "Implementation of server-side TCP Fast Open (TFO) [RFC7413]: MFC into stable/10 branch". 2015-12-28.
- ^ "This is an implementation of the client side of TCP Fast Open (TFO) [RFC7413]". 2018-02-26.
- ^ "Enable TCP_FASTOPEN by default for FreeBSD 12". 2018-06-24.
- ^ "1188435 - Support TCP Fast Open". 2017-05-05.
- ^ "1398201 - Disable TCP Fast Open for 57". 2017-09-10.
- ^ "1689604 - Remove TCP FastOpen". 2021-03-23.
- ^ "Exim 4.88 released". 2016-12-25.
- ^ "Unbound 1.5.10". Retrieved 2017-12-05.
- ^ "Release Notes for BIND Version 9.11.0". 2016-10-05.
- ^ "Knot DNS 2.6.0". 2017-09-29.
- ^ "Your App and Next Generation Networks". Apple Inc. 2015.
- ^ "Windows 10 build 14352 - New web platform features". Microsoft. Retrieved 2016-05-27.
- ^ "Changelogs for 4.1.x". PowerDNS. 2017-12-04.
- ^ Kelley, Simon (2019-03-10). "Support TCP fastopen on incoming and outgoing connections".
Bibliography
- Rybczyńska, Marta (13 March 2020). "A QUIC look at HTTP/3". LWN.net.
- Sy, Erik; Mueller, Tobias; Burkert, Christian; Federrath, Hannes; Fischer, Mathias (2020). "Enhanced Performance and Privacy for TLS over TCP Fast Open". Proceedings on Privacy Enhancing Technologies. 2020 (2): 271–287. arXiv:1905.03518. doi:10.2478/popets-2020-0027.