[conex] Preferential Drop
Mirja Kühlewind <mirja.kuehlewind@ikr.uni-stuttgart.de> Wed, 12 February 2014 11:39 UTC
Return-Path: <mirja.kuehlewind@ikr.uni-stuttgart.de>
X-Original-To: conex@ietfa.amsl.com
Delivered-To: conex@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 820ED1A095E for <conex@ietfa.amsl.com>; Wed, 12 Feb 2014 03:39:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.798
X-Spam-Level:
X-Spam-Status: No, score=-1.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W3ZqEFNv2zGa for <conex@ietfa.amsl.com>; Wed, 12 Feb 2014 03:39:24 -0800 (PST)
Received: from mailsrv.ikr.uni-stuttgart.de (mailsrv.ikr.uni-stuttgart.de [129.69.170.2]) by ietfa.amsl.com (Postfix) with ESMTP id 0EEF11A0969 for <conex@ietf.org>; Wed, 12 Feb 2014 03:39:23 -0800 (PST)
Received: from netsrv1.ikr.uni-stuttgart.de (netsrv1-c [10.11.12.12]) by mailsrv.ikr.uni-stuttgart.de (Postfix) with ESMTP id 504A160247; Wed, 12 Feb 2014 12:39:21 +0100 (CET)
Received: from vpn-2-cl195 (vpn-2-cl195 [10.41.21.195]) by netsrv1.ikr.uni-stuttgart.de (Postfix) with ESMTP id 4D2DA60246; Wed, 12 Feb 2014 12:39:21 +0100 (CET)
From: Mirja Kühlewind <mirja.kuehlewind@ikr.uni-stuttgart.de>
To: conex@ietf.org
Date: Wed, 12 Feb 2014 12:39:21 +0100
User-Agent: KMail/1.9.10 (enterprise35 0.20101217.1207316)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <201402121239.21145.mirja.kuehlewind@ikr.uni-stuttgart.de>
Subject: [conex] Preferential Drop
X-BeenThere: conex@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Congestion Exposure working group discussion list <conex.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/conex>, <mailto:conex-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/conex/>
List-Post: <mailto:conex@ietf.org>
List-Help: <mailto:conex-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/conex>, <mailto:conex-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 11:39:26 -0000
Hi group, I'm currently integrating text from the re-ECN documents on preferential drop into the IPv6 CDO draft. Find the references from the re-ECN drafts here: http://tools.ietf.org/html/draft-briscoe-conex-re-ecn-tcp-02#section-5.3 http://tools.ietf.org/html/draft-briscoe-conex-re-ecn-motiv-02#section-5.1 Here is my current text: "7. DDoS mitigation by using preferential drop If a router queue experiences very high load so that it has to drop arriving packets, it MAY preferentially drop packets within the same Diffserv PHB using the preference order given in Table 1 (1 means drop first). Additionally, if a router implements preferential drop it SHOULD also support ECN-marking. Preferential dropping can be difficult to implement on some hardware, but if feasible it would discriminate against attack traffic if done as part of the overall policing framework as described in [RFC6789]. If nowhere else, routers at the egress of a network SHOULD implement preferential drop (stronger than the MAY above). +----------------------+------------+ | | Preference | +----------------------+------------+ | Not-ConEx or no CDO | 1 | | X (but not L,E or C) | 2 | | X and L,E or C | 3 | +----------------------+------------+ Table 1: Drop preference for ConEx packets A flooding attack is inherently about congestion of a resource. As load focuses on a victim, upstream queues grow, requiring honest sources to pre-load packets with a higher fraction of ConEx-marks. If ECN marking is supported by the downstream queues preferential dropping provides the most benefits because if the queue is so congested that it drops traffic, it will be CE-marking 100% of the forwarded traffic. Honest sources will therefore be sending 100% ConEx E-marked packets (and therefore being rate-limited at an ingress policer). Senders under malicious control can either do the same as honest sources, and be rate-limited at ingress, or they can understate congestion. If the preferential drop ranking is implemented on queues, these queues will preserve E/L-marked traffic until last. So, the traffic from malicious sources will all be automatically dropped first. Either way, the malicious sources cannot send more than honest sources." The text in the re-ECN drafts assumes that a ConEx/re-ECN-capable router will automatically also support ECN. The preferential drop works best if the router uses ECN, because such a router will mark all packets before anything gets dropped. If the router is not ECN-capable, it still might help but not that much. Thus I added the following sentence: "if a router implements preferential drop it SHOULD also support ECN-marking" Not sure if I should write something like this because requiring to support ECN might stop people from implementing the preferential drop. On the otherhand ECN support would be helpful for ConEx anyway. But without a deployed accurate ECN it's kind of useless.... Any thoughts? Mirja
- [conex] Preferential Drop Mirja Kühlewind
- Re: [conex] Preferential Drop Dirk Kutscher
- Re: [conex] Preferential Drop Mirja Kuehlewind