Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
Martin Duke <martin.h.duke@gmail.com> Sat, 13 August 2022 03:58 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 831FEC15DD4F; Fri, 12 Aug 2022 20:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y78H1nPBdIlH; Fri, 12 Aug 2022 20:58:42 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB2CCC14CF09; Fri, 12 Aug 2022 20:58:42 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id h4so2140092qtj.11; Fri, 12 Aug 2022 20:58:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=jUirFxD2Kb+fABW8b8ALeY0XK8VeLiS58sfx2TKFUZU=; b=T8knccXjg5yVJmDzu8FEwWzQQHbVfZCJS0K+pqhJj6Te2L7IFVD0T4PZb6n6OZpY47 xrte8lxM+2DiFRpR8jz2fZLND4dKqpDgYH47QBWAfgGzRW2QiXQ6gv8rmUNztA7NZr42 bNDnR1cb6liW9KVoUuFokiSyoZrJCMg4WzWbc12MxPKNWkjVt4Pd+gQr58Q8JR8TuCW+ 0Auw8O8R7ClafARDqA4pTcMRgk9F7OGDw4S0iSnTqg8OhMQlKC0ZhQL/t7piPe+3xTxE CGqYvgTdFbSvAxjZtK3NKCZwBYdvQvB0jFR+0gWrVxR3ufvfvL4faCEdJNR0qRgwfoAR eFXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=jUirFxD2Kb+fABW8b8ALeY0XK8VeLiS58sfx2TKFUZU=; b=M1Q/g79CKQhBiXy9jIQtJsaEvvkGV7irHQLBhkNXPkTRhblXqOQ9phG1F1uPLYqxAT nLoMvk2nW53NxdnGDviLej1r8ONdElJZF2vsgNHPEkT7YZ9orxfQDOE1plkscW0wn4jT 39L1q2whN7MkghUe+7s/mzc9Btxc3scRcE777nKicHRYkcsLZH9mlsG0FxiRZkPFH+tx OC7DmdKf1wkkh9D8FunwIRbhqI4jjrtA1yp0msq9uRuEYxZAIvAT1Y9EbD/F+AN5ys7P EZxqk2ehw69oINUSs93e2l7Sk+I4Rvncgogj6bQvpjMpHfLT7BS10641mZ5OuXy/myBr Hv2g==
X-Gm-Message-State: ACgBeo3rgGrB2tC075TKHKWj37iaLcKYaDQSaa/lkB2K8KUrpTZomdBI 3EpOC675Ms5lu5RTsMyeo989tuZBfqsNgNnITx0=
X-Google-Smtp-Source: AA6agR5v08kKbl9gLG0WVnMYvRAiZ/thbA2yt41p7vmusKBEOLBTDQ0yrDQiQ/xa0/j9M29WVSpYtbZ7X+5jc0Aw9LQ=
X-Received: by 2002:ac8:574e:0:b0:31f:28c3:43d6 with SMTP id 14-20020ac8574e000000b0031f28c343d6mr6016459qtx.200.1660363121341; Fri, 12 Aug 2022 20:58:41 -0700 (PDT)
MIME-Version: 1.0
References: <165973261426.54808.11128651982166539913@ietfa.amsl.com> <051401d8ab20$28b98660$7a2c9320$@elvis.ru> <CAM4esxR182_=Y+F6MC8Kk9czUvjepAQQAAFTjNZ1nsG955Yw+Q@mail.gmail.com> <068e01d8ac92$ad49b080$07dd1180$@elvis.ru> <CAM4esxRQG0rPna81pbhDSAYEZp_yAJ2sN2VNncc++8K23xJvTw@mail.gmail.com>
In-Reply-To: <CAM4esxRQG0rPna81pbhDSAYEZp_yAJ2sN2VNncc++8K23xJvTw@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 12 Aug 2022 20:58:28 -0700
Message-ID: <CAM4esxTOM_9LkwB8-viOj19T0B3UzD2mQgOaxAPSNauOMdj1WQ@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-rfc8229bis@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
Content-Type: multipart/alternative; boundary="0000000000000bb90405e6176a3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Cdwy_mU1LTv-qUkSU9a1PtGxmE4>
Subject: Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 03:58:44 -0000
Re: the ECN rules for aggregated packets, I got intrigued by this problem and wrote a draft. The rules I proposed earlier are, unsurprisingly, not the whole story. On Wed, Aug 10, 2022 at 7:05 AM Martin Duke <martin.h.duke@gmail.com> wrote: > Sounds good to me, we're all set modulo the thread with Joe. > > On Wed, Aug 10, 2022, 01:25 Valery Smyslov <svan@elvis.ru> wrote: > >> Hi Martin, >> >> >> >> please see inline. >> >> >> >> On Mon, Aug 8, 2022 at 5:12 AM Valery Smyslov <svan@elvis.ru> wrote: >> >> > >> > (Sec 9.1) >> > "TCP-in-TCP can also lead to "TCP meltdown", where stacked instances >> > of TCP can result in significant impacts to performance >> > [TCP-MELTDOWN]. For the case in this document, such meltdown can >> > occur when the window size of the outer TCP connection is smaller >> > than the window sizes of the inner TCP connections. The resulting >> > interactions can lead to packets backing up in the outer TCP >> > connection's send buffers. In order to limit this effect, the outer >> > TCP connection should have limits on its send buffer size and on the >> > rate at which it reduces its window size." >> > >> > Which "window" are you referring to? Receive window, congestion window, >> > or the >> > send buffer? My reading of [TCP-MELTDOWN] is that the tunnel ingress >> > should set >> > its send buffer size to the BDP of the tunnel, which is easier said >> than done. >> > It appears you are using "window" and "send buffer" interchangeably >> here in a >> > way that is confusing. >> >> This text was suggested by Joe Touch ( >> https://mailarchive.ietf.org/arch/msg/ipsec/eD85hixrzfqwg4UhwRZ8WL5PkDA/) >> If you think it is unclear, can you please suggest how it can be improved? >> >> >> >> OK, I'll start a separate thread with Joe and you. >> >> >> >> OK, thank you. >> >> >> >> >> > (9.5) >> > Implementations SHOULD follow the ECN compatibility mode for tunnel >> > ingress as described in [RFC6040]. In compatibility mode, the outer >> > tunnel TCP connection marks its packet headers as not ECN-capable. >> > If upon egress, the arriving outer header is marked with CE, the >> > implementation will drop the inner packet, since there is not a >> > distinct inner packet header onto which to translate the ECN >> > markings. >> > >> > This is not an accurate summary of compatibility mode. In compatibility >> mode, >> > the outer packet is marked Not-ECT, which means it will not be marked >> CE. In >> > normal mode, the outer packet is marked as the inner, and this might >> result in >> > an outer CE marking. >> >> Can you please, clarify why the description is inaccurate? >> >> According to RFC 6040 in compatibility mode outer packet are marked as >> not ECN-capable >> (Not-ECT). On the other hand, since using compatibility mode is SHOULD >> here >> and currently it is assumed that IPsec tunnels are used with normal mode >> (RFC 4301, RFC 6040), then some >> additional guidelines are given what to do if peer still uses normal mode. >> >> Am I missing something? >> >> >> >> I think my confusion here was that I read the second sentence ("If upon >> egress...") as also describing RFC6040, >> >> which I see now it does not. My apologies; perhaps splitting it into two >> paragraphs would help. However, the need >> >> for this text is related to difficulty mapping outer to inner; see also >> below. >> >> >> >> I moved this sentence to a new paragraph. >> >> >> >> >> > It's a shame that there is no attempt to figure out a mapping between >> inner >> > and >> > outer that would make normal mode work, as this reviewer is optimistic >> that >> > ECN >> > marks will become increasingly important. But regardless, this section >> should >> > be clear and make correct statements. >> >> I'm not sure this is generally possible given that one outer TCP tunnel >> can include many inner TCP tunnels, so you have to decide which >> of them to inform. The things get worse if AggFrag mechanism >> is in use (draft-ietf-ipsecme-iptfs-13, in IESG evaluation). >> >> >> >> This isn't a DISCUSS, so you can choose to ignore this advice or not. >> However, my concern is that IPSec is going to miss >> >> out on the low-latency services operators are now enabling through ECN. >> >> >> >> Not exactly :-) Note, that TCP is not a default transport for >> IPsec >> >> and in case ESP is sent over IP or UDP, all the modern ECN >> >> techniques must work well (I guess you mean L4S networks?). >> >> TCP is a backup transport in case no other is available and >> >> due to the inherent problems (TCP-in-TCP) we don't expect >> >> to get good performance in this case, so there is no point >> >> to complicate the protocol. TCP encapsulation is for those cases >> >> when you need things to work somehow, not in the best way. >> >> >> >> If it were me I would design it this way: >> >> >> >> 1) Encapsulators SHOULD NOT mix ECT(0), Not-ECT, and ECT(1) inner packets >> in the same outer packet. >> >> 2) If they do, the outer packet MUST be marked Not-ECT. >> >> 3) If all packets are marked CE, mark the outer packet CE. >> >> 4) If CE packets are mixed with "something else", mark it "something >> else". >> >> 5) Decapsulators follow Figure 4 in RFC6040, except they SHOULD NOT log >> an event or raise an alarm when >> >> the outer packet is ECT(1) and one of the inner packets is CE. >> >> >> >> Per 3168, if an inner packet is fragmented, any CE applied to a fragment >> is applied to the reassembled packet. >> >> >> >> This might work, but please, see above. >> >> >> >> >> > (Appendix A) Why not provide an in-band way to determine TLS support? >> > There >> > could be another port number, or different magic bytes to indicate that >> TLS >> > handshake messages follow. >> >> Actually, with this draft in-band switching to TLS is really a downgrade, >> rather than an upgrade (surprise?). >> The reason is that actual protection of the traffic is provided by IPsec >> and both TCP and TLS >> are only used as transport mechanisms that allow IPsec to work in >> environments where it cannot >> be used otherwise. And TLS is worse, since it requires more resources and >> has bigger overhead. >> So, once you get through using plain TCP there is no sense to switch to >> TLS. >> >> >> >> Thanks for the info. It might be good to explicitly state this in >> Appendix A, but feel free to ignore that suggestion. >> >> >> >> Thank you! >> >> Valery. >> >> >> >> >> Regards, >> Valery. >> >>
- [IPsec] Martin Duke's No Objection on draft-ietf-… Martin Duke via Datatracker
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Martin Duke
- Re: [IPsec] Martin Duke's No Objection on draft-i… Valery Smyslov