Re: [conex] Act bits and Positioning (Was Re: Fwd: Review: draft-ietf-conex-destopt-06)

Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> Mon, 15 September 2014 13:43 UTC

Return-Path: <mirja.kuehlewind@tik.ee.ethz.ch>
X-Original-To: conex@ietfa.amsl.com
Delivered-To: conex@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 717901A034E for <conex@ietfa.amsl.com>; Mon, 15 Sep 2014 06:43:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.552
X-Spam-Level:
X-Spam-Status: No, score=-5.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.652] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1whGUyO3sEgi for <conex@ietfa.amsl.com>; Mon, 15 Sep 2014 06:43:26 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DDA01A034B for <conex@ietf.org>; Mon, 15 Sep 2014 06:43:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id 9F07BD930E; Mon, 15 Sep 2014 15:43:24 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id sYRuu7s5WFB1; Mon, 15 Sep 2014 15:43:24 +0200 (MEST)
Received: from [192.168.178.32] (stgt-5f71746d.pool.mediaWays.net [95.113.116.109]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: mirjak) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 6141BD9309; Mon, 15 Sep 2014 15:43:23 +0200 (MEST)
Message-ID: <5416ECFA.9020602@tik.ee.ethz.ch>
Date: Mon, 15 Sep 2014 15:43:22 +0200
From: =?windows-1252?Q?Mirja_K=FChlewind?= <mirja.kuehlewind@tik.ee.ethz.ch>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Bob Briscoe <bob.briscoe@bt.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>
References: <201408121058.09210.mirja.kuehlewind@ikr.uni-stuttgart.de> <53EA6068.6090100@tik.ee.ethz.ch> <201408131906.s7DJ6V2s029587@bagheera.jungle.bt.co.uk> <53ECE6C9.40300@tik.ee.ethz.ch> <53ECE917.6000803@tik.ee.ethz.ch> <201408141915.s7EJFVI8000808@bagheera.jungle.bt.co.uk> <53FB741A.9010500@tik.ee.ethz.ch> <201408261727.s7QHRlxB026767@bagheera.jungle.bt.co.uk> <53FF4E3F.4060502@tik.ee.ethz.ch> <201408282005.s7SK5ke4004064@bagheera.jungle.bt.co.uk> <54073A5B.20207@tik.ee.ethz.ch> <201409082217.s88MHFDj018480@bagheera.jungle.bt.co.uk> <E87B771635882B4BA20096B589152EF62882B883@eusaamb107.ericsson.se> <201409090759.s897xriV019964@bagheera.jungle.bt.co.uk> <540F0C78.7050309@tik.ee.ethz.ch> <201409091743.s89HheQJ021974@bagheera.jungle.bt.co.uk> <E87B771635882B4BA20096B589152EF6288300FD@eusaamb107.ericsson.se> <54169A68.30000@tik.ee.ethz.ch> <201409150815.s8F8FYlk021300@bagheera.jungle.bt.co.uk>
In-Reply-To: <201409150815.s8F8FYlk021300@bagheera.jungle.bt.co.uk>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/conex/91uQqwBJTZZd31PCyn7yF8SYw6c
Cc: "ralli@tid.es" <ralli@tid.es>, "conex@ietf.org" <conex@ietf.org>
Subject: Re: [conex] Act bits and Positioning (Was Re: Fwd: Review: draft-ietf-conex-destopt-06)
X-BeenThere: conex@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Congestion Exposure working group discussion list <conex.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/conex>, <mailto:conex-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/conex/>
List-Post: <mailto:conex@ietf.org>
List-Help: <mailto:conex-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/conex>, <mailto:conex-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Sep 2014 13:43:32 -0000

Hi Bob,

but usually there should also be no destination option that will be 
proceeded by intermediate nodes. As we are mis-using this anyway and 
assuming that this is not the usually case, it is unlikely that other 
options will also require to be placed first.

Mirja

On 15.09.2014 10:15, Bob Briscoe wrote:
> Suresh,
>
> You're best-placed to have experience of what the IESG will think of this.
>
> Personally, irrespective of the IESG, I wouldn't REQUIRE any header to
> have to be processed first, because it is so clearly impossible to state
> the same requirement for other headers.
>
>
> Bob
>
> At 08:51 15/09/2014, Mirja Kühlewind wrote:
>> I also would prefer to say that the CDO MUST be first and give it a
>> try and see what the IESG says. If there are concerns, we can still
>> change it to MUST be among the first 3...
>>
>> Mirja
>>
>>
>> On 12.09.2014 05:33, Suresh Krishnan wrote:
>>> Hi Bob/Mirja,
>>> Sounds fine to me as well. I can live with any value of X but the only
>>> one that really makes sense is 1 :-)
>>>
>>> Thanks
>>> Suresh
>>>
>>> -----Original Message-----
>>> *From:* Bob Briscoe [bob.briscoe@bt.com]
>>> *Received:* Tuesday, 09 Sep 2014, 1:44PM
>>> *To:* Mirja Kühlewind [mirja.kuehlewind@tik.ee.ethz.ch]
>>> *CC:* Suresh Krishnan [suresh.krishnan@ericsson.com]; Carlos Ucendo
>>> [ralli@tid.es]; ConEx IETF list [conex@ietf.org]
>>> *Subject:* Re: Act bits and Positioning (Was Re: [conex] Fwd: Review:
>>> draft-ietf-conex-destopt-06)
>>>
>>> Mirja,
>>>
>>> Agree with you on all 3 new responses:
>>> * act bits = 00
>>> * CDO SHOULD be first destopt, and MUST be among
>>> the first X destopts: that works for me.
>>>      X=3?
>>> * CDO is always in the destopt position before
>>> any IPsec, and ConEx doesn't work within an ESP tunnel.
>>>
>>>
>>> Bob
>>>
>>> At 15:19 09/09/2014, Mirja Kühlewind wrote:
>>>> Hi,
>>>>
>>>> see inline
>>>>
>>>> On 09.09.2014 09:59, Bob Briscoe wrote:
>>>>> Suresh,
>>>>>
>>>>> At 05:36 09/09/2014, Suresh Krishnan wrote:
>>>>>> Hi Bob,
>>>>>>   Thanks a lot for your comments. I will respond to two specific
>>>>>> issues
>>>>>> that you brought up
>>>>>>
>>>>>> act bits being 01: Please note that the Conex option is a
>>>>>> *destination*
>>>>>> option. Non conex-aware nodes on path will not even process the
>>>>>> option.
>>>>>> So we do not need to be worried about the packet being dropped by
>>>>>> intermediate nodes, and we need to know if the destination does not
>>>>>> understand it. Hence I think this should stay as 01.
>>>>>
>>>>> I was aware that the act bits are only processed by the destination.
>>>>>
>>>>> My point was that ConEx only requires sender support (ie. you can have
>>>>> ConEx on one half-connection but not the other - there is no need to
>>>>> negotiate ConEx for a connection). So it would be very bad for a
>>>>> destination to drop a packet just before delivering it to the
>>>>> destination process just because it doesn't recognise a ConEx header
>>>>> that it doesn't need to understand anyway.
>>>>>
>>>>> Note to Mirja: Given this misunderstanding, perhaps the draft should
>>>>> give a reason:
>>>>>          "The act bits MUST be 00, because a ConEx packet needs to be
>>>>> passed to the destination process even if the destination does not
>>>>> understand ConEx."
>>>> I agree with Bob, as the receiver does not need
>>>> to proceed the option in our case at all and it
>>>> does even know if it has to be there. Suresh?
>>>>
>>>>>
>>>>>
>>>>>> CDO as the first option: As you rightly note, this is just a
>>>>>> performance
>>>>>> optimization. I do believe that the performance penalty for
>>>>>> conex-aware
>>>>>> nodes will be pretty severe if they need to process all destination
>>>>>> options before deciding if the CDO is present or not.
>>>>>
>>>>> Surely a ConEx node can stop when it gets to the CDO option (which
>>>>> will
>>>>> usually be first). It doesn't need to continue and process all the
>>>>> other
>>>>> options within the destopt header.
>>>>>
>>>>>> Please note that
>>>>>> this needs to be done on *all* packets passing through the conex
>>>>>> aware
>>>>>> node.
>>>>>
>>>>> On packets without a destopt that is quick.
>>>>>
>>>>> The really bad case is for packets from senders that don't support
>>>>> ConEx
>>>>> but are using many other destopts. Then the on-path ConEx node would
>>>>> walk along every destopt until the end.
>>>>>
>>>>>> I do think it is OK to change the MUST to a SHOULD but with a
>>>>>> severe warning.
>>>>>
>>>>> OK, thanks.
>>>>>
>>>>> Would it be OK to say "As an optimization, a ConEx implementation MAY
>>>>> limit the depth of its search for CDO to two or three destination
>>>>> options"?
>>>> My assumption was that search for the CDO if
>>>> multiple options are present is not feasible in fast path.
>>>>
>>>> So if the CDO is not first, there are two options:
>>>> 1) forward the packet to slow path
>>>> 2) ignore the CDO
>>>>
>>>> Actually case 1) is probably no option because
>>>> this would forward all present traffic to slow
>>>> path because none of the traffic has a CDO at all.
>>>>
>>>> 2) is at least not feasible for something like a
>>>> policer that really needs to look at all ConEx-enable packets.
>>>>
>>>> Limiting the search depth, would translate into
>>>> "the CDO SHOULD be the first option and MUST be
>>>> among the first X options"... is that a solution?
>>>>
>>>>
>>>> Bob, see further below...
>>>>
>>>>>
>>>>>
>>>>> I have also added to my response to Mirja below, with an extra thought
>>>>> about ESP tunnels (inline - search for 'ESP tunnel' - it's a long way
>>>>> down!)...
>>>>>
>>>>>
>>>>>> Cheers
>>>>>> Suresh
>>>>>>
>>>>>> On 09/08/2014 06:17 PM, Bob Briscoe wrote:
>>>>>> > Mirja,
>>>>>> >
>>>>>> > At 16:57 03/09/2014, Mirja Kühlewind wrote:
>>>>>> >> Hi again,
>>>>>> >>
>>>>>> >>
>>>>>> >> On 28.08.2014 22:05, Bob Briscoe wrote:
>>>>>> >>>>>>>>>>>> * Suggested deleting example of Not-ConEx-capable
>>>>>> packets
>>>>>> (see
>>>>>> >>>>>>>>>>>> separate thread to conex-tcp-modifications authors about
>>>>>> TCP pure
>>>>>> >>>>>>>>>>>> ACKs).
>>>>>> >>>>>>>>>>> I can remove the example but not sure why you are
>>>>>> suggesting
>>>>>> >>>>>>>>>>> this. If
>>>>>> >>>>>>>>>>> you actually imply that the X bit should never be zero
>>>>>> that we
>>>>>> >>>>>>>>>>> have to
>>>>>> >>>>>>>>>>> discuss if the X bit is needed at all.
>>>>>> >>>>>>>>>> I have never thought the X flag was needed. There's
>>>>>> probably some
>>>>>> >>>>>>>>>> email
>>>>>> >>>>>>>>>> on the list somewhere in the past from me that says that.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> As I put in one of the comment bubbles:
>>>>>> >>>>>>>>>> "The only need I can see for the X-flag is if
>>>>>> >>>>>>>>>> the Reserved field gets used in future for
>>>>>> >>>>>>>>>> something in addition to ConEx. Then there
>>>>>> >>>>>>>>>> would be a need to identify packets that
>>>>>> >>>>>>>>>> are not ConEx-capable but still carry the
>>>>>> >>>>>>>>>> CDO option (for the new reason)."
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> Can anyone think of a use for the X flag?
>>>>>> >>>>>>>>> I thought the X bit unset means: I'm a ConEx aware
>>>>>> sender and i
>>>>>> >>>>>>>>> want to
>>>>>> >>>>>>>>> follow the rules but I don't have any feedback for this
>>>>>> (control)
>>>>>> >>>>>>>>> data
>>>>>> >>>>>>>>> so I'm unable to give you useful ConEx information and if
>>>>>> you use
>>>>>> >>>>>>>>> this
>>>>>> >>>>>>>>> packet for your estimation of the current congestion
>>>>>> level, you
>>>>>> >>>>>>>>> might
>>>>>> >>>>>>>>> underestimate it.
>>>>>> >>>>>>>>>
>>>>>> >>>>>>>>> Doesn't that make sense...?
>>>>>> >>>>>>> Not to me. What does "feedback for this (control) data" mean?
>>>>>> Feedback
>>>>>> >>>>>>> is about a path used by a 5-tuple. This control data is about
>>>>>> to be
>>>>>> >>>>>>> sent
>>>>>> >>>>>>> over such a path. If the sender has feedback about that
>>>>>> path, the
>>>>>> >>>>>>> feedback applies to everything sent over the path, at the IP
>>>>>> layer,
>>>>>> >>>>>>> whatever categorisation the next packet has at L4.
>>>>>> >>>>>> If you do not get any feedback on a path, e.g. a receiver only
>>>>>> sending
>>>>>> >>>>>> ACKs, you will never be able to send any ConEx markings. So
>>>>>> what's the
>>>>>> >>>>>> point about marking a packet as ConEx-enabled?
>>>>>> >>>>> OK, this is a good example for when a ConEx-enabled flag
>>>>>> might be
>>>>>> >>>>> useful. However,...
>>>>>> >>>>>
>>>>>> >>>>> ...This doesn't justify marking pure ACKs as not-ConEx-enabled.
>>>>>> If a
>>>>>> >>>>> sender sends a pure ACK now, all it knows is that it might
>>>>>> not have
>>>>>> >>>>> enough feedback to be able to set ConEx markings on a whole
>>>>>> sequence of
>>>>>> >>>>> packets later in the flow,... but only if it keeps sending
>>>>>> solely pure
>>>>>> >>>>> ACKs from now on. However, a sender can't be sure that it won't
>>>>>> have
>>>>>> >>>>> enough feedback in future, because usually an app (let alone
>>>>>> the
>>>>>> >>>>> transport layer) cannot predict whether there will be more data
>>>>>> to send
>>>>>> >>>>> later, even if it's not sending any now.
>>>>>> >>>>>
>>>>>> >>>>> Once a sender has had no feedback for at least a round trip, it
>>>>>> has 2
>>>>>> >>>>> options for subsequent packets:
>>>>>> >>>>> a) turn off ConEx-enabled;
>>>>>> >>>>> b) keep sending packets with ConEx-enabled set, but
>>>>>> conservatively add
>>>>>> >>>>> some credit.
>>>>>> >>>>>
>>>>>> >>>>> Even if it subsequently sends some data, it will still have to
>>>>>> do (a) or
>>>>>> >>>>> (b) on these data packets, at least for one further round trip,
>>>>>> until it
>>>>>> >>>>> gets the feedback. So this is nothing to do with whether the
>>>>>> packet
>>>>>> >>>>> being sent is a pure ACK. It is to do with whether feedback has
>>>>>> recently
>>>>>> >>>>> been received.
>>>>>> >>>> Okay, rewrote the paragraph slightly:
>>>>>> >>>>
>>>>>> >>>> "If the X bit is zero all other three bits are undefined and
>>>>>> thus
>>>>>> >>>> should be ignored and forwarded unchanged by network nodes.
>>>>>> The X
>>>>>> bit
>>>>>> >>>> set to zero means that the connection is ConEx-capable but this
>>>>>> packet
>>>>>> >>>> MUST NOT be accounted when determining ConEx information in
>>>>>> an audit
>>>>>> >>>> function. This can be the case if no feedback on the congestion
>>>>>> status
>>>>>> >>>> is (currently) available for e.g. for control packets (not
>>>>>> carrying
>>>>>> >>>> any user data). As an example a TCP receiver that only sends
>>>>>> pure
>>>>>> ACKs
>>>>>> >>>> will usually send them as ACK are usually not ECN-capable as ACK
>>>>>> >>>> usually are not ECN-capable and TCP does not have a mechanism to
>>>>>> >>>> announce ACK lost. Thus congestion information about ACKs are
>>>>>> not
>>>>>> >>>> available."
>>>>>> >>>>
>>>>>> >>>> Is this okay?
>>>>>> >>> The main problem is saying 'not available *for* control
>>>>>> packets'. But
>>>>>> >>> just changing 'for' to 'from' would still make this too
>>>>>> unclear to be
>>>>>> >>> understood.
>>>>>> >>>
>>>>>> >>> Also need to:
>>>>>> >>> * Make it clear the example is TCP-specific.
>>>>>> >>> * Focus on loss first, then ECN.
>>>>>> >>> * 'mechanism to announce ACK loss' is not really understandable.
>>>>>> >>> * Avoid 'control packets', which is too general, given this is an
>>>>>> >>> example, so it can be specific.
>>>>>> >>> * Nit: duplicated word (for e.g. for) and duplicated phrase (as
>>>>>> ACK are
>>>>>> >>> usually not ECN-capable as ACK usually are not ECN-capable).
>>>>>> >>>
>>>>>> >>> How about:
>>>>>> >>>
>>>>>> >>> First 2 sentences unchanged, then...
>>>>>> >>> "This can be the case if no congestion feedback is (currently)
>>>>>> available
>>>>>> >>> e.g. in TCP if one endpoint has been receiving data but sending
>>>>>> nothing
>>>>>> >>> but pure ACKs (no user data) for some time. This is because pure
>>>>>> ACKs do
>>>>>> >>> not advance the sequence number, so the TCP endpoint receiving
>>>>>> them
>>>>>> >>> cannot reliably tell whether any have been lost due to
>>>>>> congestion.
>>>>>> Pure
>>>>>> >>> TCP ACKs cannot be ECN-marked either [RFC3168]."
>>>>>> >> Fine for me. Done.
>>>>>> >>
>>>>>> >>
>>>>>> >>>>>> Further note, in the TCP mods we only look at the payload
>>>>>> because we
>>>>>> >>>>>> assume, for simplification, all packets have the same size.
>>>>>> Therefore
>>>>>> >>>>>> a packet that carries no data would not decrease the CEG/LEG.
>>>>>> If ACKs
>>>>>> >>>>>> should get marked, we need to rewrite all this stuff in the
>>>>>> tcp
>>>>>> mods
>>>>>> >>>>>> doc...
>>>>>> >>>>> I don't think we should avoid changing tcp-mods if its 'not
>>>>>> right'.
>>>>>> >>>>>
>>>>>> >>>>> I hope you see the problem from my explanation above - whether
>>>>>> there is
>>>>>> >>>>> enough feedback /now/ to ConEx-mark a packet has nothing to
>>>>>> do with
>>>>>> >>>>> whether the packet being sent /now/ is capable of generating
>>>>>> feedback
>>>>>> >>>>> /in the next round/.
>>>>>> >>>>>
>>>>>> >>>>> If you want to make a simplifying assumption, it is on the safe
>>>>>> side for
>>>>>> >>>>> a sender to assume that all incoming feedback is about packets
>>>>>> of the
>>>>>> >>>>> same size. It's not safe for a sender to assume that all
>>>>>> packets
>>>>>> it is
>>>>>> >>>>> sending are the same size. Anyway, it knows what size it is
>>>>>> sending, so
>>>>>> >>>>> it doesn't need this simplification.
>>>>>> >>>> Okay, the assumption is (only) that feedback is based on packets
>>>>>> that
>>>>>> >>>> are the same size. If we send you a packet we of course
>>>>>> decrease the
>>>>>> >>>> LEG/CEG by the actually payload bytes. But taking this
>>>>>> assumption be
>>>>>> >>>> simply do not account for headers at all (nor incoming neither
>>>>>> >>>> outcoming) because we can anyway just estimated the header
>>>>>> bits and
>>>>>> >>>> there simply assume it will equal out. Which mean if we send
>>>>>> a pure
>>>>>> >>>> ACK we will not decrease the LEG/CEG because there are no
>>>>>> payload
>>>>>> >>>> bytes. I believe that this simplification makes thing much
>>>>>> simpler and
>>>>>> >>>> is therefore useful but will not allow for marking pure ACKs...
>>>>>> >>> I thought the earlier definition said that ConEx accounts for the
>>>>>> size
>>>>>> >>> of the IP header that contains the CDO and everything within it.
>>>>>> Also,
>>>>>> >>> there's the TCP header size on a pure ACK.
>>>>>> >> Yes, especially when a network node accounts
>>>>>> >> ConEx marks. But in the (TCP) sender we just
>>>>>> >> don't care about the header bits for
>>>>>> >> simplification. We are aware that all bits will
>>>>>> >> be accounted but as we assume equal size packets that should be
>>>>>> fine.
>>>>>> >>
>>>>>> >>
>>>>>> >>> That's the basis on which I am assuming that pure ACKs are worth
>>>>>> >>> counting. A pure ACK will count as at least 86B (and more if
>>>>>> there
>>>>>> are
>>>>>> >>> additional TCP options or IP extensions).
>>>>>> >>>
>>>>>> >>> IPv6 header: 40B
>>>>>> >>> CDO dest opt: 6B
>>>>>> >>> TCP header: 40B
>>>>>> >>> Total: 86B
>>>>>> >>>
>>>>>> >>> If there are more IP extensions, I guess it will be hard for TCP
>>>>>> to know
>>>>>> >>> though.
>>>>>> >> Yes, so how should I implement that?
>>>>>> > I guess just assume that any IP extensions will
>>>>>> > be constant on every packet in a flow, therefore
>>>>>> > assuming none will be similar to assuming some.
>>>>>> >
>>>>>> >>>> You didn't convince me (yet) that this should be changed but
>>>>>> this
>>>>>> >>>> would need to be changed in the tcp mods doc and not this one
>>>>>> anyway.
>>>>>> >>> Agreed (that this would affect tcp-mods, not destopt).
>>>>>> >>>
>>>>>> >>> What is 'this' that you aren't yet convinced by?
>>>>>> >> 'this' is the fact that I need to changed
>>>>>> >> something in the tcp mods document. I might
>>>>>> >> remove the statement (if existent) that control
>>>>>> >> packets should be not-ConEx capable but I would
>>>>>> >> still like to recommend it because I believe it
>>>>>> >> makes things overly complicated otherwise. The
>>>>>> >> point is I believe that at the location in the
>>>>>> >> (Linux) code where you implement the counting,
>>>>>> >> you don't even have the information how large
>>>>>> >> the pure ACK will be in the end...
>>>>>> > See next comment.
>>>>>> >
>>>>>> >>>>> The simplification I propose (that feedback is all about the
>>>>>> same size
>>>>>> >>>>> packets, rather than all the sent packets are the same size) is
>>>>>> likely
>>>>>> >>>>> to be pretty good, given the receiver doesn't get loss or ECN
>>>>>> info about
>>>>>> >>>>> pure ACKs, so they are automatically removed from the set of
>>>>>> packets
>>>>>> >>>>> that the sender assumes to be the same size. And, and if
>>>>>> some of
>>>>>> the
>>>>>> >>>>> feedback is about smaller data packets, at least this
>>>>>> simplification
>>>>>> >>>>> will always be on the safe side.
>>>>>> >>>>>
>>>>>> >>>>> If I correctly understand the simplification you propose, a
>>>>>> ConEx sender
>>>>>> >>>>> will more often under-declare congestion than over-declaring,
>>>>>> which is
>>>>>> >>>>> not safe.
>>>>>> >>>> I don't believe so. Was this just of a different
>>>>>> understanding of
>>>>>> what
>>>>>> >>>> we proposed or can you explain further...?
>>>>>> >>> I thought you were proposing that a TCP sender assumes all the
>>>>>> packets
>>>>>> >>> it sends are full-sized, even if they aren't. But I believe
>>>>>> you have
>>>>>> >>> said that is not what you proposed.
>>>>>> >> No, when reducing the congestion counter(s) we
>>>>>> >> use the actual number of payload bytes. We also
>>>>>> >> use the real number of acknowledged bytes to
>>>>>> >> increase the counter(s). We simply do not care
>>>>>> >> about the header bytes at all assuming that on
>>>>>> >> average all packets have the same size and
>>>>>> >> therefor the number of (marked) header bytes
>>>>>> >> (either ECN or ConEx) in total will be about right.
>>>>>> > OK. I understand now.
>>>>>> >
>>>>>> > Ultimately TCP has to put a number in the Data
>>>>>> > Offset field, so it has to know the size of its
>>>>>> > own header. However, for an initial
>>>>>> > (experimental) implementation, if you need your
>>>>>> > proposal to assume all TCP options within one
>>>>>> > flow are the same size, it would be reasonable
>>>>>> > (it's not actually true, e.g. SACK, but there
>>>>>> > should at least be no bias, so you will overstate as much as
>>>>>> understate).
>>>>>> >
>>>>>> > You say earlier that it is too complicated to
>>>>>> > implement code within TCP that knows the size of
>>>>>> > a pure ACK. If TCP code doesn't know the size of
>>>>>> > a TCP header, then Linux must be using magic
>>>>>> > instead of code. Because, surely, the whole point
>>>>>> > of the TCP code is to write a TCP header.
>>>>>> >
>>>>>> >>>>>>>>>>>> ==Fast-path==
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>> * CDO as first destination option: changed from MUST to
>>>>>> SHOULD
>>>>>> >>>>>>>>>>>> (with
>>>>>> >>>>>>>>>>>> an example of when not to).
>>>>>> >>>>>>>>>>> I believe this really needs to be a MUST. I know that
>>>>>> might
>>>>>> >>>>>>>>>>> restrict
>>>>>> >>>>>>>>>>> the use of ConEx with potential other options that might
>>>>>> have the
>>>>>> >>>>>>>>>>> same
>>>>>> >>>>>>>>>>> requirement (for different reasons). But if you don't put
>>>>>> a MUST
>>>>>> >>>>>>>>>>> here,
>>>>>> >>>>>>>>>>> you cannot implemented the suggested way in the fast
>>>>>> path.
>>>>>> >>>>>>>>>> A SHOULD still means it will be the first option in all
>>>>>> current
>>>>>> >>>>>>>>>> implementations. However, I suggest a SHOULD, precisely
>>>>>> because
>>>>>> >>>>>>>>>> performance reasons are not absolute, so they don't
>>>>>> require a
>>>>>> >>>>>>>>>> MUST. If
>>>>>> >>>>>>>>>> another dest opt cannot work at all unless it is first,
>>>>>> that would
>>>>>> >>>>>>>>>> be a
>>>>>> >>>>>>>>>> valid reason for CDO coming second, because it still
>>>>>> works,
>>>>>> it's
>>>>>> >>>>>>>>>> /just/
>>>>>> >>>>>>>>>> slower.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> The IESG will (rightly) be very wary of any draft that
>>>>>> says an
>>>>>> >>>>>>>>>> option
>>>>>> >>>>>>>>>> MUST be the first option.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> I suggested the following text after this: "(This is not
>>>>>> >>>>>>>>>> stated as a 'MUST', because some future destination option
>>>>>> might
>>>>>> >>>>>>>>>> need to
>>>>>> >>>>>>>>>> be placed first for functional rather than just
>>>>>> performance
>>>>>> >>>>>>>>>> reasons.)"
>>>>>> >>>>>>>>> So our fast path implementation must simply assume that
>>>>>> there is no
>>>>>> >>>>>>>>> CDO
>>>>>> >>>>>>>>> in case it cannot find it as the first option. Otherwise
>>>>>> all
>>>>>> >>>>>>>>> non-ConEx
>>>>>> >>>>>>>>> packets would need to go to the slow path to make sure
>>>>>> there
>>>>>> is no
>>>>>> >>>>>>>>> ConEx
>>>>>> >>>>>>>>> option. That means to me that this must be a MUST...?
>>>>>> >>>>>>> OK, I see the problem, but how much of a performance problem
>>>>>> would it
>>>>>> >>>>>>> really be for the fast path of a ConEx function to step along
>>>>>> dest
>>>>>> >>>>>>> opts
>>>>>> >>>>>>> until it gets to CDO then stops (rather than stop if CDO
>>>>>> is not
>>>>>> >>>>>>> first)?
>>>>>> >>>>>> So that's the different between you looking at one bit at a
>>>>>> defined
>>>>>> >>>>>> position or having a chain of conditional look-ups where the
>>>>>> length is
>>>>>> >>>>>> unknown. I believe that is something you would avoid to
>>>>>> implement in
>>>>>> >>>>>> fast path as the processing time is not fixed anymore... that
>>>>>> would be
>>>>>> >>>>>> my guess but I'm not an expert in this area.
>>>>>> >>>>> AFAICT, fast path implementations generally work along
>>>>>> sequences of
>>>>>> >>>>> extensions. So I don't think this is a problem. Bear in mind
>>>>>> that we are
>>>>>> >>>>> not asking general fast path forwarding implementations to do
>>>>>> this. Only
>>>>>> >>>>> ConEx functions specifically written to find the ConEx
>>>>>> header.{Note 1}
>>>>>> >>>>>
>>>>>> >>>>> {Note 1} OK, we do suggest that general forwarding functions
>>>>>> could do
>>>>>> >>>>> DoS protection using the ConEx header. But that's stated as
>>>>>> optional and
>>>>>> >>>>> 'aspirational'. If such an experiment proves useful, you never
>>>>>> know,
>>>>>> >>>>> there could be demand for ConEx to migrate into the hop-by-hop
>>>>>> options
>>>>>> >>>>> (according to the v6 spec, hop-by-hop and dest options share
>>>>>> the
>>>>>> same
>>>>>> >>>>> option number space, so this would be a straightforward
>>>>>> migration, just
>>>>>> >>>>> moving where the CDO is placed, but using the same option
>>>>>> number
>>>>>> and
>>>>>> >>>>> format).
>>>>>> >>>> There might be also further use cases for e.g. traffic
>>>>>> management or
>>>>>> >>>> multipath routing where general forwarding nodes need to
>>>>>> access this
>>>>>> >>>> information.
>>>>>> >>>>
>>>>>> >>>> So what's the solution here?
>>>>>> >>> I think this will get thrown back by the IESG if we say 'MUST be
>>>>>> first'.
>>>>>> >>> And I think 'SHOULD be first' is a doable implementation for
>>>>>> ConEx-aware
>>>>>> >>> nodes. That is sufficient for experimental. Any experiments where
>>>>>> >>> general forwarding nodes access ConEx will already be reading a
>>>>>> destopt
>>>>>> >>> at every hop, which is not what was intended, but it would be
>>>>>> doable
>>>>>> >>> just for an experiment that wanted to prove ConEx has wider uses.
>>>>>> >> I know that this might be a problem with IESG review, but... it's
>>>>>> broken...
>>>>>> >>
>>>>>> >>> Everyone involved in IPv6 knows that the attempt to design
>>>>>> extensibility
>>>>>> >>> into v6 failed. It won't be news to the IESG that we can't add an
>>>>>> >>> extension that can be processed at every hop on the fast path.
>>>>>> >>>
>>>>>> >>> If a destopt is sufficient to prove ConEx useful, then
>>>>>> implementers will
>>>>>> >>> want to satisfy this demand. Then
>>>>>> >>> * either there is even more pressure on the IETF to address this
>>>>>> failing
>>>>>> >>> in v6 (and maybe someone will),
>>>>>> >>> * or ConEx has to continue with this destopt solution, just like
>>>>>> >>> everyone else is finding hacks round this failing in v6.
>>>>>> >>>
>>>>>> >>> But don't ask me. Ask Suresh.
>>>>>> >> Yes! Unfortunately he did not response until
>>>>>> >> now. Maybe he is/was on holidays; will ping him again.
>>>>>> >>
>>>>>> >>
>>>>>> >>>>>>> Then "CDO SHOULD be first" would give no different
>>>>>> performance
>>>>>> to "CDO
>>>>>> >>>>>>> MUST be first", if CDO actually was first. If CDO had to be
>>>>>> placed
>>>>>> >>>>>>> second on a certain packet, "CDO SHOULD be first" would take
>>>>>> just one
>>>>>> >>>>>>> more op than "CDO MUST be first".
>>>>>> >>>>>>>
>>>>>> >>>>>>> Note: I've just re-read the spec of the IPv6 header. We
>>>>>> need to
>>>>>> >>>>>>> specify
>>>>>> >>>>>>> that CDO goes in the "Destination Options (before routing
>>>>>> header)",
>>>>>> >>>>>>> not
>>>>>> >>>>>>> the "Destination Options (before upper-layer header)".
>>>>>> Then it
>>>>>> >>>>>>> won't be
>>>>>> >>>>>>> encrypted by an ESP header.
>>>>>> >>>>>> Thanks. I wasn't fully aware of this. But the difference
>>>>>> for my
>>>>>> >>>>>> understanding is if immediate node listed in the routing
>>>>>> header
>>>>>> should
>>>>>> >>>>>> proceed this option or not. In our case it is probably not
>>>>>> important
>>>>>> >>>>>> which one we choose as it should be processed by none of the
>>>>>> receivers.
>>>>>> >>>>> You're correct that CDO isn't processed by any of the nodes
>>>>>> listed in
>>>>>> >>>>> the routing header as destinations. The phrase "before routing
>>>>>> header"
>>>>>> >>>>> is just how its placement is described. We should clarify
>>>>>> that this
>>>>>> >>>>> isn't anything to do with the processing of the routing header.
>>>>>> >>>>>
>>>>>> >>>>>> Where did you read that the later one is not encrypted though?
>>>>>> >>>>> ESP encrypts everything after the ESP header, and it comes just
>>>>>> before
>>>>>> >>>>> the second dest opts. So it would be no good putting CDO
>>>>>> after it.
>>>>>> >>>>>
>>>>>> >>>>> See the ESP spec, on "ESP Header Location":
>>>>>> >>>>> <http://tools.ietf.org/html/rfc2406#section-3.1>
>>>>>> >>>>> "  The destination options extension header(s) could appear
>>>>>> >>>>>     either before or after the ESP header depending on the
>>>>>> semantics
>>>>>> >>>>>     desired.  However, since ESP protects only fields after
>>>>>> the ESP
>>>>>> >>>>>     header, it generally may be desirable to place the
>>>>>> destination
>>>>>> >>>>>     options header(s) after the ESP header.
>>>>>> >>>>> "
>>>>>> >>>> Thanks. Wasn't able to find this sentence!
>>>>>> >>>>
>>>>>> >>>>> Also see the IPv6 spec on "Extension Header Order":
>>>>>> >>>>> <http://tools.ietf.org/html/rfc2460#section-4.1>
>>>>>> >>>>>
>>>>>> >>>>> I believe one reason there are two places for the dest opt is
>>>>>> because if
>>>>>> >>>>> ESP is encrypting everything for the destination, it will
>>>>>> normally be
>>>>>> >>>>> expected that the dest opts need to be encrypted too. But this
>>>>>> wouldn't
>>>>>> >>>>> work if you have multiple destinations on the path in the
>>>>>> routing header
>>>>>> >>>>> (that probably don't hold the relevant key).  Fortunately, this
>>>>>> >>>>> exception is also needed for ConEx.
>>>>>> >>>>>
>>>>>> >>>>>> If so, I can simply add one sentence to the first paragraph of
>>>>>> >>>>>> section 4:
>>>>>> >>>>>> "The CDO MUST be placed in the destination option before
>>>>>> routing
>>>>>> >>>>>> header such that it does not get encrypted and can be read by
>>>>>> >>>>>> immediate ConEx-aware nodes."
>>>>>> >>>>>> And then remove the first paragraph of the IPSec section (and
>>>>>> probably
>>>>>> >>>>>> move the other paragraph somewhere else so that the section is
>>>>>> removed
>>>>>> >>>>>> completely)...?
>>>>>> >>>>> I've lost track of all the proposed changes to the IPsec
>>>>>> section. But I
>>>>>> >>>>> think there is value in spelling out exactly how ConEx and
>>>>>> IPsec
>>>>>> >>>>> interact, so I wouldn't remove the section completely, even
>>>>>> if it
>>>>>> >>>>> repeats info elsewhere.
>>>>>> >>>> Okay I just realized that we recommend to to use TPSec for
>>>>>> >>>> authentication but I believe if the ConEx option should not be
>>>>>> >>>> encrypted by using the respective header, it will also not be
>>>>>> >>>> authenticated...? So you can have either one of the two...? I
>>>>>> believe
>>>>>> >>>> we still need the IPSec section but right now I'm not sure
>>>>>> what to
>>>>>> >>>> right in there...? Any proposal?
>>>>>> >>> * How to do ConEx when IPsec is also required (tunnel & transport
>>>>>> modes,
>>>>>> >>> and what to count). This may all be obvious now, but (IMO) it
>>>>>> would still
>>>>>> >>> be worth spelling out obvious things.
>>>>>> >>> * How to use IPsec to protect the integrity of CDO.
>>>>>> >> Okay, this is the text now:
>>>>>> >>
>>>>>> >> "Compatibility with use of IPsec
>>>>>> >>
>>>>>> >> In IPv6 there are two possible position of a
>>>>>> >> Destination Option header, either before the
>>>>>> >> Routing header or after the Encapsulating Security Payload (ESP)
>>>>>> header.
>>>>>> >          BETTER?:
>>>>>> > In IPv6 a Destination Option header can be placed
>>>>>> > in two possible position in the order of possible
>>>>>> > headers, either before the Routing header or
>>>>>> > after the Encapsulating Security Payload (ESP) header.
>>>>>> >          REASONING:
>>>>>> > We are talking about the positions where these
>>>>>> > headers /would/ be if they were there - they might not actually be
>>>>>> present.
>>>>>> >
>>>>>> >> If the packet is encrypted using IPSec tunnel
>>>>>> >> mode, the CDO MUST be placed in the destination
>>>>>> >> option before the Routing header such that it
>>>>>> >> does not get encrypted and can be read by immediate ConEx-aware
>>>>>> nodes.
>>>>>> >          BETTER?:
>>>>>> > CDO MUST always be placed in a destination option
>>>>>> > header placed before where the routing header
>>>>>> > would be. Otherwise, if CDO were placed in the
>>>>>> > latter position and an ESP header were used, the CDO would be
>>>>>> encrypt the
>>>>>> >          REASONING:
>>>>>> > (There is no need for it to ever be in the later
>>>>>> > position and it's best to always be in the same place.)
>>>>>> >
>>>>>> >
>>>>>> >> Note as the Authentication Header (AH) also only
>>>>>> >> protects fields after the AH header, the CDO is not authenticated
>>>>>> in this case.
>>>>>> > Need to say the encapsulator copies CDO from the
>>>>>> > inner IPv6 CDO before encrypting the inner.
>>>>>> >
>>>>>> > s/read by immediate/read by/
>>>>>> >
>>>>>> > AH integrity protects the IPv6 header that encapsulates it. ESP
>>>>>> does
>>>>>> not.
>>>>>> >
>>>>>> >
>>>>>> >> In IPSec transport mode both destination option
>>>>>> >> headers can be used, as the CDO is in both cases
>>>>>> >> visible to the network. If the transport network
>>>>>> >> can not be trusted, the Destination Option
>>>>>> >> header after the ESP header SHOULD be used to
>>>>>> >> ensure integrity of the ConEx information. If an
>>>>>> >> attacker would be able to remove the ConEx
>>>>>> >> marks, this could        cause an audit device
>>>>>> >> to penalize the respective connection, while the
>>>>>> >> sender cannot easily detect that ConEx information is missing."
>>>>>> >>
>>>>>> >> Does this seem to be right now?
>>>>>> > Sorry, this is all wrong. One cannot use ESP to
>>>>>> > authenticate or protect the integrity of CDO by
>>>>>> > putting CDO after ESP, because ESP would then
>>>>>> > encrypt CDO so ConEx-aware nodes would not be
>>>>>> > able to read it. CDO always has to precede ESP,
>>>>>> > which is why I said CDO MUST always be in the first destopt
>>>>>> position.
>>>>>> >
>>>>>> > If the CDO header needs to be authenticated, AH
>>>>>> > can be used as in the second example below. AH
>>>>>> > protects the integrity of the whole IPv6 datagram
>>>>>> > it is encapsulated by (except non-predictable
>>>>>> > mutable fields). AH coverage includes the IPv6
>>>>>> > header and extension headers before the AH
>>>>>> > header, and everything after the AH header too.
>>>> Sorry that's my fault; I thought, (similar to
>>>> ESP) the authentication header would only
>>>> authenticate headers after the AH. (Checked now with rfc4302 that I
>>>> was wrong.)
>>>>
>>>>>> >
>>>>>> > I think it would be worth listing the two or
>>>>>> > three example header sequences in the draft, as
>>>>>> > below. Headers in [] need not be present. Headers in {} are
>>>>>> encrypted.
>>>>>> >
>>>>>> > Transport mode without the integrity of CDO protected:
>>>>>> >    IPv6
>>>>>> >    [Hop-by-Hop]
>>>>>> >    [Routing]
>>>>>> >    Destopt(CDO[,...])
>>>>>> >    [Fragment]
>>>>>> >    ESP{
>>>>>> >      [Destopt]
>>>>>> >      Upper-Layer
>>>>>> >    }
>>>>>> >
>>>>>> > Transport mode with the integrity of CDO protected:
>>>>>> >    IPv6
>>>>>> >    [Hop-by-Hop]
>>>>>> >    [Routing]
>>>>>> >    Destopt(CDO[,...])
>>>>>> >    [Fragment]
>>>>>> >    AH
>>>>>> >    ESP{
>>>>>> >      [Destopt]
>>>>>> >      Upper-Layer
>>>>>> >    }
>>>>>> >
>>>>>> >
>>>>>> > Tunnel mode:
>>>>>> >    IPv6
>>>>>> >    [Hop-by-Hop]
>>>>>> >    [Routing]
>>>>>> >    Destopt(CDO-copy[,...])
>>>>>> >    [Fragment]
>>>>>> >    ESP{
>>>>>> >      IPv6
>>>>>> >      Destopt(CDO[,...])
>>>>>> >      Transport Payload
>>>>>> >    }
>>>>>> >
>>>>>> > For ESP in tunnel mode, as already stated in the
>>>>>> > draft, the tunnel ingress MUST copy the CDO from
>>>>>> > the destopt in the inner, then write a copy of
>>>>>> > the CDO header into a destopt header in the outer.
>>>>>> >
>>>>>> > I think this updates RFC2406. However, it is
>>>>>> > possible that 2406 already requires an ESP
>>>>>> > ingress to copy any extension headers, up to and
>>>>>> > including Fragmentation, to the outer. Because
>>>>>> > all these headers are designed to be visible to
>>>>>> > nodes on the path. Suresh may know this.
>>>>>
>>>>> I checked overnight and copying extension headers is contrary to the
>>>>> IPSec architecture.
>>>>>
>>>>> <http://tools.ietf.org/html/rfc2401#section-5.1.2.2> "IPv6 -- Header
>>>>> Construction for Tunnel Mode" says:
>>>>>          "Extension headers  never copied"
>>>>>
>>>>> On reflection, I don't think we should update RFC2401 for ConEx. If I
>>>>> were on the IESG, I would not approve that. IPsec needs to have simple
>>>>> rules without exceptions.
>>>>>
>>>>> When we chose destopt as the mechanism for ConEx, we knew it wasn't
>>>>> going to interact well with tunnels. I think the best approach is
>>>>> to say,
>>>>>          "Currently, the IPv6 protocol architecture does not provide a
>>>>> mechanism for new extension headers to be copied to the outer.
>>>>> Therefore
>>>>> ConEx functions will have to search for the CDO option within inner
>>>>> headers, and ConEx will not work at all over the extent of an ESP
>>>>> tunnel".
>>>>
>>>> So all in all, this simplifies thing to
>>>> basically "CDO MUST be placed in the destination
>>>> option header before the AH and/or EPS (if present)."
>>>>
>>>> (+ our text just above on not interacting with tunnel mode)
>>>>
>>>> Right?
>>>>
>>>> Mirja
>>>>
>>>>>
>>>>>
>>>>> Bob
>>>>>
>>>>>
>>>>>> >
>>>>>> > To protect the integrity of the outer IPv6
>>>>>> > datagram, including protecting the copy of CDO,
>>>>>> > an AH header (not shown) could be added before ESP.
>>>>>> >
>>>>>> > [A worse alternative (no need to mention this):
>>>>>> > If the integrity of CDO but not other headers
>>>>>> > needed to be protected, ESP with authentication
>>>>>> > enabled could be used, which causes
>>>>>> > authentication data to be added at the end of the
>>>>>> > payload (not shown). Then, before decapsulation,
>>>>>> > the tunnel egress would have to record the value
>>>>>> > of CDO-copy. Having decrypted the inner, it could
>>>>>> > then check that CDO-copy matched the CDO in the
>>>>>> > inner.  However, that would require another
>>>>>> > update to RFC2406, so using AH would be
>>>>>> > preferable, given we don't want to make ConEx
>>>>>> > depend on updating both ends of an ESP tunnel - one end is bad
>>>>>> enough.]
>>>>>> >
>>>>>> > HTH
>>>>>> > Sorry for taking so long - I wrote most of this
>>>>>> > on a plane on Thu, but left some fact checking
>>>>>> > for when I got online, and this is the first chance I've had to get
>>>>>> back to it.
>>>>>> >
>>>>>> > Cheers
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > Bob
>>>>>> >
>>>>>> >>>>>>>>> Moreover, isn't this here the same case than with
>>>>>> tunneling in
>>>>>> >>>>>>>>> general.
>>>>>> >>>>>>>>> Only if the node that does the encapsulation is ConEx-aware
>>>>>> it can
>>>>>> >>>>>>>>> copy
>>>>>> >>>>>>>>> the CDO, otherwise it will be not visible anymore.
>>>>>> >>>>>>>>>
>>>>>> >>>>>>>>> So this should either be a should, or we have to say
>>>>>> something
>>>>>> >>>>>>>>> like: if
>>>>>> >>>>>>>>> the node is ConEx-aware is MUST copy the CDO...?
>>>>>> >>>>>>>> And then we can the same thing for tunneling in general...?
>>>>>> >>>>>>> That's surely a circular argument. What would make a tunnel
>>>>>> endpoint
>>>>>> >>>>>>> into a ConEx-aware tunnel endpoint, so that it would have to
>>>>>> copy the
>>>>>> >>>>>>> CDO? It would only become ConEx-aware if it had code added to
>>>>>> look for
>>>>>> >>>>>>> the CDO, and why would it have that code added unless it was
>>>>>> going
>>>>>> >>>>>>> to do
>>>>>> >>>>>>> something with CDO? That's why I think my 'MAY copy as a
>>>>>> performance
>>>>>> >>>>>>> optimisation' formula is the best we can do.
>>>>>> >>>>>> What you say above is the point. If the node does not know
>>>>>> anything
>>>>>> >>>>>> about ConEx, it simple cannot copy the option, which is the
>>>>>> case for
>>>>>> >>>>>> all currently existent nodes. So we cannot say MUST in
>>>>>> general.
>>>>>> But if
>>>>>> >>>>>> the node does know that ConEx exists for any reason, it really
>>>>>> must
>>>>>> >>>>>> copy the CDO...? But you right that is a little pathologic.
>>>>>> I'm
>>>>>> will
>>>>>> >>>>>> to change if that helps understanding/is less confusing.
>>>>>> >>>>> I think we're talking past each other. Given we cannot copy CDO
>>>>>> to the
>>>>>> >>>>> outer everywhere, for consistency I don't think that copying
>>>>>> CDO
>>>>>> to the
>>>>>> >>>>> outer at all is a good idea, UNLESS it's done deliberately as
>>>>>> part of an
>>>>>> >>>>> operator's whole approach to handling ConEx. Ie. tunnel
>>>>>> endpoints SHOULD
>>>>>> >>>>> NOT copy CDO to the outer by default, but they MAY copy CDO to
>>>>>> the outer
>>>>>> >>>>> for a specific purpose (e.g. optimisation for ConEx functions
>>>>>> elsewhere
>>>>>> >>>>> in the same operator's network).
>>>>>> >>>> Now understood.
>>>>>> >>>>
>>>>>> >>>> I've tried to make this point a little more clear, not sure if I
>>>>>> >>>> succeeded:
>>>>>> >>>> "As with any destination option, an ingress tunnel endpoint
>>>>>> will not
>>>>>> >>>> natively copy the CDO when adding an encapsulating outer IP
>>>>>> header. In
>>>>>> >>>> general an ingress tunnel SHOULD not copy the CDO to the outer
>>>>>> header
>>>>>> >>>> as this would changed the number of bytes that would be
>>>>>> accounted.
>>>>>> >>>> However, it MAY copy the CDO to the outer in order to facilitate
>>>>>> >>>> visibility by subsequent on-path ConEx functions if the tunnel
>>>>>> ingree
>>>>>> >>>> is aware of these nodes and theses nodes are aware of the
>>>>>> tunneling.
>>>>>> >>>> This trades off the performance of ConEx functions against
>>>>>> that of
>>>>>> >>>> tunnel processing. "
>>>>>> >>> OK. Rather than implying that equipment has evolved conscious
>>>>>> awareness,
>>>>>> >>> a better formulation would be something like:
>>>>>> >>> "..the configuration of the tunnel ingress and the ConEx nodes is
>>>>>> >>> co-ordinated."
>>>>>> >>>
>>>>>> >>> Nits:
>>>>>> >>> s/SHOULD not/SHOULD NOT/
>>>>>> >>> s/accounted/counted/
>>>>>> >>>    (in English, accounted is not a transitive verb, it has to
>>>>>> have
>>>>>> 'for'
>>>>>> >>> after it)
>>>>>> >>> s/ingree/ingress/
>>>>>> >>> s/theses/these/
>>>>>> >> Done.
>>>>>> >>
>>>>>> >>
>>>>>> >>> We're getting there!
>>>>>> >> Yes...!
>>>>>> >>
>>>>>> >> Mirja
>>>>>> >>
>>>>>> >>
>>>>>> >>> But we really do need Suresh's expert eye on this.
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> Cheers
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> Bob
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>> Mirja
>>>>>> >>>>
>>>>>> >>>>> HTH
>>>>>> >>>>> (Delayed 'cos it was a public holday in the UK yesterday.)
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>> Bob
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>
>>>>>> >>>>>>> Bob
>>>>>> >>>>>>>
>>>>>> >>>>>>>
>>>>>> >>>>>>>> Mirja
>>>>>> >>>>>>>>
>>>>>> >>>>>>>>
>>>>>> >>>>>>>>>>>> ==Security Considerations==
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>> * Added lots, all pointers to where security issues are
>>>>>> >>>>>>>>>>>> discussed in
>>>>>> >>>>>>>>>>>> other places (which is what security directorate
>>>>>> reviewers need).
>>>>>> >>>>>>>>>>> Okay I can add that if you think it's necessary (I would
>>>>>> say it's
>>>>>> >>>>>>>>>>> just
>>>>>> >>>>>>>>>>> redundant, but you be might right that it just helps the
>>>>>> sec dir).
>>>>>> >>>>>>>>>> It's not always obvious which aspects relate to security.
>>>>>> >>>>>>>>>> Especially
>>>>>> >>>>>>>>>> when the security is structural rather than crypto. So
>>>>>> I think
>>>>>> >>>>>>>>>> these
>>>>>> >>>>>>>>>> sentences are useful to sec dir.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>>>> ==IANA==
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>> * I think the act bits need to be 00 not 10 to avoid
>>>>>> ConEx
>>>>>> >>>>>>>>>>>> packets
>>>>>> >>>>>>>>>>>> being dropped by non-ConEx nodes (including by non-ConEx
>>>>>> >>>>>>>>>>>> receivers)?
>>>>>> >>>>>>>>>>>> But I'm willing to be corrected.
>>>>>> >>>>>>>>>>> I agree; Will ask Suresh why he has put a 10 though.
>>>>>> >>>>>>>>>> Yes, he's the right guy to check with.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> Bob
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>>> Thanks,
>>>>>> >>>>>>>>>>> Mirja
>>>>>> >>>>>>>>>>>
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>> Regards
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>>
>>>>>> >>>>>>>>>>>> Bob
>>>>>> >>>>>>>>>> {Note 1}
>>>>>> >>>>>>>>>> For anyone watching on the list, the tentative idea that
>>>>>> Mirja has
>>>>>> >>>>>>>>>> reminded me of is documented in 11.3.1 of my PhD thesis
>>>>>> entitled
>>>>>> >>>>>>>>>> "Covert
>>>>>> >>>>>>>>>> Markings as a Policer Signal".
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> The potential problem: A ConEx policer punishes
>>>>>> punishment.
>>>>>> If a
>>>>>> >>>>>>>>>> congestion policer starts dropping packets because the
>>>>>> user
>>>>>> has
>>>>>> >>>>>>>>>> contributed excessively to congestion, in subsequent
>>>>>> rounds
>>>>>> the
>>>>>> >>>>>>>>>> user
>>>>>> >>>>>>>>>> has
>>>>>> >>>>>>>>>> to re-echo 'L' markings for the policer drops as well.
>>>>>> This
>>>>>> can
>>>>>> >>>>>>>>>> drive
>>>>>> >>>>>>>>>> the policer further into 'debit'. This might make it
>>>>>> difficult for
>>>>>> >>>>>>>>>> the
>>>>>> >>>>>>>>>> user to get out of trouble once she's started getting into
>>>>>> trouble.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> The basic idea was that when a congestion policer drops
>>>>>> packets
>>>>>> >>>>>>>>>> (because
>>>>>> >>>>>>>>>> the user is causing more congestion than her
>>>>>> allowance), it
>>>>>> will
>>>>>> >>>>>>>>>> also
>>>>>> >>>>>>>>>> remove ConEx markings. Then (if there is some way for the
>>>>>> >>>>>>>>>> receiver to
>>>>>> >>>>>>>>>> feed this back), the sender knows not to send more
>>>>>> ConEx marks
>>>>>> >>>>>>>>>> because
>>>>>> >>>>>>>>>> these aren't congestion drops, they are policer drops.
>>>>>> >>>>>>>>>>
>>>>>> >>>>>>>>>> We didn't that double punishment made it hard to get
>>>>>> out of
>>>>>> >>>>>>>>>> trouble in
>>>>>> >>>>>>>>>> any policer experiments so far, so let's not allow for a
>>>>>> possible
>>>>>> >>>>>>>>>> solution to a problem that we probably don't even have.
>>>>>> The
>>>>>> current
>>>>>> >>>>>>>>>> crop
>>>>>> >>>>>>>>>> of ConEx drafts are experimental anyway. If this
>>>>>> problem does
>>>>>> >>>>>>>>>> surface,
>>>>>> >>>>>>>>>> then we can reconsider.
>>>>>> >>>>>>>>>>
>>>>>> ________________________________________________________________
>>>>>> >>>>>>>>>> Bob
>>>>>> Briscoe,                                                  BT
>>>>>> >>>>>>>> --
>>>>>> >>>>>>>> ------------------------------------------
>>>>>> >>>>>>>> Dipl.-Ing. Mirja Kühlewind
>>>>>> >>>>>>>> Communication Systems Group
>>>>>> >>>>>>>> Institute TIK, ETH Zürich
>>>>>> >>>>>>>> Gloriastrasse 35, 8092 Zürich, Switzerland
>>>>>> >>>>>>>>
>>>>>> >>>>>>>> Room ETZ G93
>>>>>> >>>>>>>> phone: +41 44 63 26932
>>>>>> >>>>>>>> email: mirja.kuehlewind@tik.ee.ethz.ch
>>>>>> >>>>>>>> ------------------------------------------
>>>>>> >>>>>>>
>>>>>> ________________________________________________________________
>>>>>> >>>>>>> Bob
>>>>>> Briscoe,                                                  BT
>>>>>> >>>>>> --
>>>>>> >>>>>> ------------------------------------------
>>>>>> >>>>>> Dipl.-Ing. Mirja Kühlewind
>>>>>> >>>>>> Communication Systems Group
>>>>>> >>>>>> Institute TIK, ETH Zürich
>>>>>> >>>>>> Gloriastrasse 35, 8092 Zürich, Switzerland
>>>>>> >>>>>>
>>>>>> >>>>>> Room ETZ G93
>>>>>> >>>>>> phone: +41 44 63 26932
>>>>>> >>>>>> email: mirja.kuehlewind@tik.ee.ethz.ch
>>>>>> >>>>>> ------------------------------------------
>>>>>> >>>>>
>>>>>> ________________________________________________________________
>>>>>> >>>>> Bob
>>>>>> Briscoe,                                                  BT
>>>>>> >>>> --
>>>>>> >>>> ------------------------------------------
>>>>>> >>>> Dipl.-Ing. Mirja Kühlewind
>>>>>> >>>> Communication Systems Group
>>>>>> >>>> Institute TIK, ETH Zürich
>>>>>> >>>> Gloriastrasse 35, 8092 Zürich, Switzerland
>>>>>> >>>>
>>>>>> >>>> Room ETZ G93
>>>>>> >>>> phone: +41 44 63 26932
>>>>>> >>>> email: mirja.kuehlewind@tik.ee.ethz.ch
>>>>>> >>>> ------------------------------------------
>>>>>> >>> ________________________________________________________________
>>>>>> >>> Bob Briscoe,                                                  BT
>>>>>> >> --
>>>>>> >> ------------------------------------------
>>>>>> >> Dipl.-Ing. Mirja Kühlewind
>>>>>> >> Communication Systems Group
>>>>>> >> Institute TIK, ETH Zürich
>>>>>> >> Gloriastrasse 35, 8092 Zürich, Switzerland
>>>>>> >>
>>>>>> >> Room ETZ G93
>>>>>> >> phone: +41 44 63 26932
>>>>>> >> email: mirja.kuehlewind@tik.ee.ethz.ch
>>>>>> >> ------------------------------------------
>>>>>> > ________________________________________________________________
>>>>>> > Bob Briscoe,                                                  BT
>>>>>> >
>>>>>> >
>>>>>
>>>>> ________________________________________________________________
>>>>> Bob Briscoe,                                                  BT
>>>>
>>>> --
>>>> ------------------------------------------
>>>> Dipl.-Ing. Mirja Kühlewind
>>>> Communication Systems Group
>>>> Institute TIK, ETH Zürich
>>>> Gloriastrasse 35, 8092 Zürich, Switzerland
>>>>
>>>> Room ETZ G93
>>>> phone: +41 44 63 26932
>>>> email: mirja.kuehlewind@tik.ee.ethz.ch
>>>> ------------------------------------------
>>>
>>> ________________________________________________________________
>>> Bob Briscoe,                                                  BT
>>
>> --
>> ------------------------------------------
>> Dipl.-Ing. Mirja Kühlewind
>> Communication Systems Group
>> Institute TIK, ETH Zürich
>> Gloriastrasse 35, 8092 Zürich, Switzerland
>>
>> Room ETZ G93
>> phone: +41 44 63 26932
>> email: mirja.kuehlewind@tik.ee.ethz.ch
>> ------------------------------------------
>
> ________________________________________________________________
> Bob Briscoe,                                                  BT
>

-- 
------------------------------------------
Dipl.-Ing. Mirja Kühlewind
Communication Systems Group
Institute TIK, ETH Zürich
Gloriastrasse 35, 8092 Zürich, Switzerland

Room ETZ G93
phone: +41 44 63 26932
email: mirja.kuehlewind@tik.ee.ethz.ch
------------------------------------------