[conex] Preferential Drop

Mirja Kühlewind <mirja.kuehlewind@ikr.uni-stuttgart.de> Wed, 12 February 2014 11:39 UTC

Return-Path: <mirja.kuehlewind@ikr.uni-stuttgart.de>
X-Original-To: conex@ietfa.amsl.com
Delivered-To: conex@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 820ED1A095E for <conex@ietfa.amsl.com>; Wed, 12 Feb 2014 03:39:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.798
X-Spam-Status: No, score=-1.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.548] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id W3ZqEFNv2zGa for <conex@ietfa.amsl.com>; Wed, 12 Feb 2014 03:39:24 -0800 (PST)
Received: from mailsrv.ikr.uni-stuttgart.de (mailsrv.ikr.uni-stuttgart.de []) by ietfa.amsl.com (Postfix) with ESMTP id 0EEF11A0969 for <conex@ietf.org>; Wed, 12 Feb 2014 03:39:23 -0800 (PST)
Received: from netsrv1.ikr.uni-stuttgart.de (netsrv1-c []) by mailsrv.ikr.uni-stuttgart.de (Postfix) with ESMTP id 504A160247; Wed, 12 Feb 2014 12:39:21 +0100 (CET)
Received: from vpn-2-cl195 (vpn-2-cl195 []) by netsrv1.ikr.uni-stuttgart.de (Postfix) with ESMTP id 4D2DA60246; Wed, 12 Feb 2014 12:39:21 +0100 (CET)
From: Mirja Kühlewind <mirja.kuehlewind@ikr.uni-stuttgart.de>
To: conex@ietf.org
Date: Wed, 12 Feb 2014 12:39:21 +0100
User-Agent: KMail/1.9.10 (enterprise35 0.20101217.1207316)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <201402121239.21145.mirja.kuehlewind@ikr.uni-stuttgart.de>
Subject: [conex] Preferential Drop
X-BeenThere: conex@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Congestion Exposure working group discussion list <conex.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/conex>, <mailto:conex-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/conex/>
List-Post: <mailto:conex@ietf.org>
List-Help: <mailto:conex-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/conex>, <mailto:conex-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 11:39:26 -0000

Hi group,

I'm currently integrating text from the re-ECN documents on preferential drop 
into the IPv6 CDO draft.

Find the references from the re-ECN drafts here:

Here is my current text:
"7.  DDoS mitigation by using preferential drop

   If a router queue experiences very high load so that it has to drop
   arriving packets, it MAY preferentially drop packets within the same
   Diffserv PHB using the preference order given in Table 1 (1 means
   drop first).  Additionally, if a router implements preferential drop
   it SHOULD also support ECN-marking.  Preferential dropping can be
   difficult to implement on some hardware, but if feasible it would
   discriminate against attack traffic if done as part of the overall
   policing framework as described in [RFC6789].  If nowhere else,
   routers at the egress of a network SHOULD implement preferential drop
   (stronger than the MAY above).

                   |                      | Preference |
                   | Not-ConEx or no CDO  |     1      |
                   | X (but not L,E or C) |     2      |
                   | X and L,E or C       |     3      |

                Table 1: Drop preference for ConEx packets

   A flooding attack is inherently about congestion of a resource.  As
   load focuses on a victim, upstream queues grow, requiring honest
   sources to pre-load packets with a higher fraction of ConEx-marks.

   If ECN marking is supported by the downstream queues preferential
   dropping provides the most benefits because if the queue is so
   congested that it drops traffic, it will be CE-marking 100% of the
   forwarded traffic.  Honest sources will therefore be sending 100%
   ConEx E-marked packets (and therefore being rate-limited at an
   ingress policer).  Senders under malicious control can either do the
   same as honest sources, and be rate-limited at ingress, or they can
   understate congestion.  If the preferential drop ranking is
   implemented on queues, these queues will preserve E/L-marked traffic
   until last.  So, the traffic from malicious sources will all be
   automatically dropped first.  Either way, the malicious sources
   cannot send more than honest sources."

The text in the re-ECN drafts assumes that a ConEx/re-ECN-capable router will 
automatically also support ECN. The preferential drop works best if the 
router uses ECN, because such a router will mark all packets before anything 
gets dropped. If the router is not ECN-capable, it still might help but not 
that much. Thus I added the following sentence:
"if a router implements preferential drop it SHOULD also support ECN-marking"

Not sure if I should write something like this because requiring to support 
ECN might stop people from implementing the preferential drop. On the 
otherhand ECN support would be helpful for ConEx anyway. But without a 
deployed accurate ECN it's kind of useless....

Any thoughts?