TCP Fast Open - Wikipedia
From Wikipedia, the free encyclopedia
Experimental TCP mechanism
In computer networking, TCP Fast Open (TFO) is an extension to speed up the opening of successive Transmission Control Protocol (TCP) connections between two endpoints. It works by using a TFO cookie (a TCP option), which is a cryptographic cookie stored on the client and set upon the initial connection with the server. When the client later reconnects, it sends the initial SYN packet along with the TFO cookie data to authenticate itself. If the cookie validates, the server may accept data carried in that SYN and start sending data to the client even before the reception of the final ACK packet of the three-way handshake, thus skipping a round-trip delay and lowering the latency in the start of data transmission.
The cookie is generated by applying a block cipher, keyed with a secret held by the server, to the client's IP address, producing an authentication tag that is difficult for third parties to spoof, even if they can forge a source IP address or make two-way connections to the same server from other IP addresses. Although it uses cryptographic techniques to generate the cookie, TFO is not intended to provide more security than the three-way handshake it replaces: the cookie only proves that the client could receive packets at its claimed address on an earlier connection. It does not give any form of cryptographic protection to the resulting TCP connection, or provide identity assurance about either endpoint, and it is not intended to be resistant to man-in-the-middle attacks. If such resistance is required, it may be used in combination with a cryptographic protocol such as TLS or IPsec.
TFO has been difficult to deploy due to protocol ossification; in 2020, no web browsers used it by default.

TFO presents privacy challenges: the cached cookie is sent in the clear at the start of every connection, so it can be used to track a client persistently across sessions, even by passive observers.
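The two exchanges described above (first contact issues a cookie; a later SYN presents it and carries data) together with the cookie construction, as an added example that is not part of this article or of any implementation it lists. It is a Python model of the server and client logic, not a wire-format implementation: the keyed function is HMAC-SHA256 truncated to 8 bytes standing in for the block cipher the text describes (Linux uses AES-128 over the client IP), the Syn/SynAck classes and the addresses 192.0.2.10 and 198.51.100.7 are constructed for the demonstration, and the only input the cookie covers is the source IP address. It also shows the three behaviours a practitioner should expect from the design: a cookie replayed from another source address is rejected, a server key rotation silently falls back to a regular handshake, and the same cookie bytes reappear in every SYN from the same client, which is the tracking problem noted above.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import List, Optional

COOKIE_LEN = 8  # RFC 7413 allows 4 to 16 bytes; 8 is the usual choice


@dataclass
class Syn:
    # cookie=None: no Fast Open option; cookie=b"": empty option (cookie request)
    src_ip: str
    cookie: Optional[bytes] = None
    data: bytes = b""          # payload carried in the SYN itself


@dataclass
class SynAck:
    """Server -> client SYN-ACK, reduced to the fields this model needs."""
    cookie: Optional[bytes]    # freshly issued cookie, if any
    accepted: bytes            # SYN payload accepted before the final ACK
    fast_open: bool


class TfoServer:
    """Issues cookies and accepts SYN data only when the cookie verifies."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(16)   # server-side secret
        self.received: List[bytes] = []              # what the application saw

    def make_cookie(self, src_ip: str) -> bytes:
        # Keyed over the client IP address only. Constructed stand-in for the
        # block cipher the article describes (Linux uses AES-128): HMAC, truncated.
        packed = ipaddress.ip_address(src_ip).packed
        return hmac.new(self.key, packed, hashlib.sha256).digest()[:COOKIE_LEN]

    def cookie_valid(self, src_ip: str, cookie: bytes) -> bool:
        return hmac.compare_digest(self.make_cookie(src_ip), cookie)

    def on_syn(self, syn: Syn) -> SynAck:
        if syn.cookie and self.cookie_valid(syn.src_ip, syn.cookie):
            # Valid cookie: deliver SYN data now, one RTT earlier than usual.
            self.received.append(syn.data)
            return SynAck(cookie=None, accepted=syn.data, fast_open=True)
        # Missing, empty or stale cookie: SYN data is discarded (the client
        # resends it after the handshake). A cookie is issued whenever the
        # option was present, so a stale cookie is replaced by a fresh one.
        issued = self.make_cookie(syn.src_ip) if syn.cookie is not None else None
        return SynAck(cookie=issued, accepted=b"", fast_open=False)


class TfoClient:
    """Caches the cookie from first contact and presents it on later SYNs."""

    def __init__(self, ip: str):
        self.ip = ip
        self.cookie: Optional[bytes] = None
        self.last_syn: Optional[Syn] = None   # kept so the demo can inspect the wire

    def connect(self, server: TfoServer, data: bytes) -> SynAck:
        if self.cookie is None:
            syn = Syn(self.ip, cookie=b"")                     # ask for a cookie
        else:
            syn = Syn(self.ip, cookie=self.cookie, data=data)  # data rides the SYN
        self.last_syn = syn
        reply = server.on_syn(syn)
        if reply.cookie is not None:
            self.cookie = reply.cookie
        if not reply.fast_open:
            server.received.append(data)   # regular path: data after the handshake
        return reply


def demo() -> dict:
    """Walk through the cases the text describes and return them for checking."""
    server = TfoServer()
    alice = TfoClient("192.0.2.10")   # constructed, documentation-range addresses
    first = alice.connect(server, b"GET /1")    # cookie request, regular handshake
    second = alice.connect(server, b"GET /2")   # cookie present: fast open
    second_cookie = alice.last_syn.cookie
    alice.connect(server, b"GET /3")
    linkable = alice.last_syn.cookie == second_cookie   # same bytes, every session
    # Alice's cookie replayed from a forged source address: verification fails.
    spoof = server.on_syn(Syn("198.51.100.7", cookie=alice.cookie, data=b"EVIL"))
    # Key rotation: the cached cookie is stale; one regular handshake re-issues it.
    server.key = secrets.token_bytes(16)
    stale = alice.connect(server, b"GET /4")
    fresh = alice.connect(server, b"GET /5")
    return {
        "first_fast": first.fast_open, "cookie_len": len(alice.cookie),
        "second_fast": second.fast_open, "second_accepted": second.accepted,
        "linkable": linkable, "spoof_fast": spoof.fast_open,
        "spoof_accepted": spoof.accepted, "stale_fast": stale.fast_open,
        "fresh_fast": fresh.fast_open, "received": list(server.received),
    }
```

Calling demo() runs the whole sequence: the first connection completes a regular handshake and caches a cookie, the second and third are accepted as fast opens, the forged-source replay is refused without the spoofed payload ever reaching the application, and after the key change the client's next SYN falls back to a regular handshake before fast open resumes. Note what the cookie check does not do: it never looks at ports, sequence numbers or payload, which is why the text is careful to say TFO offers no protection beyond the handshake it replaces.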
History

The TFO proposal was originally presented in 2011 and was published as the experimental RFC 7413 in December 2014. TCP Fast Open shares the goal of bypassing the three-way handshake of TCP with an earlier proposal from 1994, called T/TCP (RFC 1644). In contrast to TCP Fast Open, T/TCP paid no attention to security, opening a path for vulnerabilities and failing to gain traction.
Characteristics

TFO implementations include the following:

- IPv4 support for TFO was merged into the Linux kernel mainline in kernel versions 3.6 (support for clients) and 3.7 (December 2012) (support for servers), and was turned on by default in kernel version 3.13 (January 2014). TFO support for IPv6 servers was merged in kernel version 3.16.
- FreeBSD from version 10.3 (support for servers)[10] and 12.0 (support for clients).[11][12]
- Mozilla Firefox from version 58.[13] The support was disabled by default due to network device compatibility issues with TFO and TLS 1.3,[14] and eventually removed in version 87.[15]
- Google Chrome and Chromium browsers have support for TFO on Linux, including ChromeOS and Android.
- Exim mail transfer agent (MTA) from version 4.88.[16]
- Unbound DNS resolver from version 1.5.10.[17]
- BIND Domain Name System (DNS) server from version 9.11.0.[18]
- Knot DNS from version 2.6.0.[19]
- Apple's iOS 9 and OS X 10.11 both support TCP Fast Open, but it is not enabled for individual connections by default.[20]
- Microsoft Edge supports TCP Fast Open since Windows 10 Preview build 14352.[21]
- PowerDNS Recursor supports TCP Fast Open from version 4.1.[22]
- dnsmasq supports TCP Fast Open (RFC 7413) from version 2.81.[23]
See also

- SPDY
- SYN cookies
- TCP Cookie Transactions
- 0-RTT
- QUIC
References

1. Kerrisk, Michael (2012-08-01). "TCP Fast Open: expediting web services". LWN.net.
2. Rybczyńska 2020.
3. Sy et al. 2020, pp. 275-279.
4. Radhakrishnan S, Cheng Y, Chu J, Jain A, Raghavan B (2011-12-06). "TCP Fast Open" (PDF). ACM CoNEXT.
5. Cheng, Yuchung; Chu, Jerry; Radhakrishnan, Sivasankar; Jain, Arvind (December 2014). TCP Fast Open. IETF. doi:10.17487/RFC7413. RFC 7413. Retrieved 27 June 2022.
6. Kerrisk, Michael (2012-08-01). "TCP Fast Open: expediting web services". LWN.net. "The client-side support has been merged for Linux 3.6".
7. Vaughan-Nichols, Steven J (2012-12-11). "Linux 3.7 arrives, ARM developers rejoice". Linux and Open Source. ZDNet. "Linux 3.7. TCP Fast Open will now be supported on servers".
8. "Linux Kernel 3.13, Section 1.10. TCP Fast Open enabled by default". kernelnewbies.org. 19 January 2014. Retrieved 11 February 2014.
9. "Linux Kernel 3.16, Section 1.4. TCP Fast Open server mode on IPv6 support". kernelnewbies.org. 3 August 2014. Retrieved 14 September 2014.
10. "Implementation of server-side TCP Fast Open (TFO) [RFC7413]: MFC into stable/10 branch". 2015-12-28.
11. "This is an implementation of the client side of TCP Fast Open (TFO) [RFC7413]". 2018-02-26.
12. "Enable TCP_FASTOPEN by default for FreeBSD 12". 2018-06-24.
13. "1188435 - Support TCP Fast Open". 2017-05-05.
14. "1398201 - Disable TCP Fast Open for 57". 2017-09-10.
15. "1689604 - Remove TCP FastOpen". 2021-03-23.
16. "Exim 4.88 released". 2016-12-25.
17. "Unbound 1.5.10". Retrieved 2017-12-05.
18. "Release Notes for BIND Version 9.11.0". 2016-10-05.
19. "Knot DNS 2.6.0". 2017-09-29.
20. "Your App and Next Generation Networks". Apple Inc. 2015.
21. "Windows 10 build 14352 - New web platform features". Microsoft. Archived from the original on 2016-06-30. Retrieved 2016-05-27.
22. "Changelogs for 4.1.x". PowerDNS. 2017-12-04.
23. Kelley, Simon (2019-03-10). "Support TCP fastopen on incoming and outgoing connections".
Bibliography

- Rybczyńska, Marta (13 March 2020). "A QUIC look at HTTP/3". LWN.net.
- Sy, Erik; Mueller, Tobias; Burkert, Christian; Federrath, Hannes; Fischer, Mathias (2020). "Enhanced Performance and Privacy for TLS over TCP Fast Open". Proceedings on Privacy Enhancing Technologies. 2020 (2): 271–287. arXiv:1905.03518. doi:10.2478/popets-2020-0027.
External links

- RFC 7413 specification