IETF Logo Mail Archive

Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)

Martin Duke <martin.h.duke@gmail.com> Sat, 13 August 2022 03:58 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 831FEC15DD4F; Fri, 12 Aug 2022 20:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y78H1nPBdIlH; Fri, 12 Aug 2022 20:58:42 -0700 (PDT)
Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB2CCC14CF09; Fri, 12 Aug 2022 20:58:42 -0700 (PDT)
Received: by mail-qt1-x829.google.com with SMTP id h4so2140092qtj.11; Fri, 12 Aug 2022 20:58:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=jUirFxD2Kb+fABW8b8ALeY0XK8VeLiS58sfx2TKFUZU=; b=T8knccXjg5yVJmDzu8FEwWzQQHbVfZCJS0K+pqhJj6Te2L7IFVD0T4PZb6n6OZpY47 xrte8lxM+2DiFRpR8jz2fZLND4dKqpDgYH47QBWAfgGzRW2QiXQ6gv8rmUNztA7NZr42 bNDnR1cb6liW9KVoUuFokiSyoZrJCMg4WzWbc12MxPKNWkjVt4Pd+gQr58Q8JR8TuCW+ 0Auw8O8R7ClafARDqA4pTcMRgk9F7OGDw4S0iSnTqg8OhMQlKC0ZhQL/t7piPe+3xTxE CGqYvgTdFbSvAxjZtK3NKCZwBYdvQvB0jFR+0gWrVxR3ufvfvL4faCEdJNR0qRgwfoAR eFXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=jUirFxD2Kb+fABW8b8ALeY0XK8VeLiS58sfx2TKFUZU=; b=M1Q/g79CKQhBiXy9jIQtJsaEvvkGV7irHQLBhkNXPkTRhblXqOQ9phG1F1uPLYqxAT nLoMvk2nW53NxdnGDviLej1r8ONdElJZF2vsgNHPEkT7YZ9orxfQDOE1plkscW0wn4jT 39L1q2whN7MkghUe+7s/mzc9Btxc3scRcE777nKicHRYkcsLZH9mlsG0FxiRZkPFH+tx OC7DmdKf1wkkh9D8FunwIRbhqI4jjrtA1yp0msq9uRuEYxZAIvAT1Y9EbD/F+AN5ys7P EZxqk2ehw69oINUSs93e2l7Sk+I4Rvncgogj6bQvpjMpHfLT7BS10641mZ5OuXy/myBr Hv2g==
X-Gm-Message-State: ACgBeo3rgGrB2tC075TKHKWj37iaLcKYaDQSaa/lkB2K8KUrpTZomdBI 3EpOC675Ms5lu5RTsMyeo989tuZBfqsNgNnITx0=
X-Google-Smtp-Source: AA6agR5v08kKbl9gLG0WVnMYvRAiZ/thbA2yt41p7vmusKBEOLBTDQ0yrDQiQ/xa0/j9M29WVSpYtbZ7X+5jc0Aw9LQ=
X-Received: by 2002:ac8:574e:0:b0:31f:28c3:43d6 with SMTP id 14-20020ac8574e000000b0031f28c343d6mr6016459qtx.200.1660363121341; Fri, 12 Aug 2022 20:58:41 -0700 (PDT)
MIME-Version: 1.0
References: <165973261426.54808.11128651982166539913@ietfa.amsl.com> <051401d8ab20$28b98660$7a2c9320$@elvis.ru> <CAM4esxR182_=Y+F6MC8Kk9czUvjepAQQAAFTjNZ1nsG955Yw+Q@mail.gmail.com> <068e01d8ac92$ad49b080$07dd1180$@elvis.ru> <CAM4esxRQG0rPna81pbhDSAYEZp_yAJ2sN2VNncc++8K23xJvTw@mail.gmail.com>
In-Reply-To: <CAM4esxRQG0rPna81pbhDSAYEZp_yAJ2sN2VNncc++8K23xJvTw@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 12 Aug 2022 20:58:28 -0700
Message-ID: <CAM4esxTOM_9LkwB8-viOj19T0B3UzD2mQgOaxAPSNauOMdj1WQ@mail.gmail.com>
To: Valery Smyslov <svan@elvis.ru>
Cc: The IESG <iesg@ietf.org>, draft-ietf-ipsecme-rfc8229bis@ietf.org, ipsecme-chairs@ietf.org, ipsec@ietf.org, kivinen@iki.fi
Content-Type: multipart/alternative; boundary="0000000000000bb90405e6176a3c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Cdwy_mU1LTv-qUkSU9a1PtGxmE4>
Subject: Re: [IPsec] Martin Duke's No Objection on draft-ietf-ipsecme-rfc8229bis-07: (with COMMENT)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Aug 2022 03:58:44 -0000

Re: the ECN rules for aggregated packets, I got intrigued by this problem
and wrote a draft. The rules I proposed earlier are, unsurprisingly, not
the whole story.

On Wed, Aug 10, 2022 at 7:05 AM Martin Duke <martin.h.duke@gmail.com> wrote:

> Sounds good to me, we're all set modulo the thread with Joe.
>
> On Wed, Aug 10, 2022, 01:25 Valery Smyslov <svan@elvis.ru> wrote:
>
>> Hi Martin,
>>
>>
>>
>> please see inline.
>>
>>
>>
>> On Mon, Aug 8, 2022 at 5:12 AM Valery Smyslov <svan@elvis.ru> wrote:
>>
>> >
>> > (Sec 9.1)
>> > "TCP-in-TCP can also lead to "TCP meltdown", where stacked instances
>> >    of TCP can result in significant impacts to performance
>> >    [TCP-MELTDOWN].  For the case in this document, such meltdown can
>> >    occur when the window size of the outer TCP connection is smaller
>> >    than the window sizes of the inner TCP connections.  The resulting
>> >    interactions can lead to packets backing up in the outer TCP
>> >    connection's send buffers.  In order to limit this effect, the outer
>> >    TCP connection should have limits on its send buffer size and on the
>> >    rate at which it reduces its window size."
>> >
>> > Which "window" are you referring to? Receive window, congestion window,
>> > or the
>> > send buffer? My reading of [TCP-MELTDOWN] is that the tunnel ingress
>> > should set
>> > its send buffer size to the BDP of the tunnel, which is easier said
>> than done.
>> > It appears you are using "window" and "send buffer" interchangeably
>> here in a
>> > way that is confusing.
>>
>> This text was suggested by Joe Touch (
>> https://mailarchive.ietf.org/arch/msg/ipsec/eD85hixrzfqwg4UhwRZ8WL5PkDA/)
>> If you think it is unclear, can you please suggest how it can be improved?
>>
>>
>>
>> OK, I'll start a separate thread with Joe and you.
>>
>>
>>
>>           OK, thank you.
>>
>>
>>
>>
>> > (9.5)
>> > Implementations SHOULD follow the ECN compatibility mode for tunnel
>> >    ingress as described in [RFC6040].  In compatibility mode, the outer
>> >    tunnel TCP connection marks its packet headers as not ECN-capable.
>> >    If upon egress, the arriving outer header is marked with CE, the
>> >    implementation will drop the inner packet, since there is not a
>> >    distinct inner packet header onto which to translate the ECN
>> >    markings.
>> >
>> > This is not an accurate summary of compatibility mode. In compatibility
>> mode,
>> > the outer packet is marked Not-ECT, which means it will not be marked
>> CE. In
>> > normal mode, the outer packet is marked as the inner, and this might
>> result in
>> > an outer CE marking.
>>
>> Can you please, clarify why the description is inaccurate?
>>
>> According to RFC 6040 in compatibility mode outer packet are marked as
>> not ECN-capable
>> (Not-ECT). On the other hand, since using compatibility mode is SHOULD
>> here
>> and currently it is assumed that IPsec tunnels are used with normal mode
>> (RFC 4301, RFC 6040), then some
>> additional guidelines are given what to do if peer still uses normal mode.
>>
>> Am I missing something?
>>
>>
>>
>> I think my confusion here was that I read the second sentence ("If upon
>> egress...") as also describing RFC6040,
>>
>> which I see now it does not. My apologies; perhaps splitting it into two
>> paragraphs would help. However, the need
>>
>> for this text is related to difficulty mapping outer to inner; see also
>> below.
>>
>>
>>
>>           I moved this sentence to a new paragraph.
>>
>>
>>
>>
>> > It's a shame that there is no attempt to figure out a mapping between
>> inner
>> > and
>> > outer that would make normal mode work, as this reviewer is optimistic
>> that
>> > ECN
>> > marks will become increasingly important. But regardless, this section
>> should
>> > be clear and make correct statements.
>>
>> I'm not sure this is generally possible given that one outer TCP tunnel
>> can include many inner TCP tunnels, so you have to decide which
>> of them to inform. The things get worse if AggFrag mechanism
>> is in use (draft-ietf-ipsecme-iptfs-13, in IESG evaluation).
>>
>>
>>
>> This isn't a DISCUSS, so you can choose to ignore this advice or not.
>> However, my concern is that IPSec is going to miss
>>
>> out on the low-latency services operators are now enabling through ECN.
>>
>>
>>
>>           Not exactly :-) Note, that TCP is not a default transport for
>> IPsec
>>
>>           and in case ESP is sent over IP or UDP, all the modern ECN
>>
>>           techniques must work well (I guess you mean L4S networks?).
>>
>>           TCP is a backup transport in case no other is available and
>>
>>           due to the inherent problems (TCP-in-TCP) we don't expect
>>
>>           to get good performance in this case, so there is no point
>>
>>           to complicate the protocol. TCP encapsulation is for those cases
>>
>>           when you need things to work somehow, not in the best way.
>>
>>
>>
>> If it were me I would design it this way:
>>
>>
>>
>> 1) Encapsulators SHOULD NOT mix ECT(0), Not-ECT, and ECT(1) inner packets
>> in the same outer packet.
>>
>> 2) If they do, the outer packet MUST be marked Not-ECT.
>>
>> 3) If all packets are marked CE, mark the outer packet CE.
>>
>> 4) If CE packets are mixed with "something else", mark it "something
>> else".
>>
>> 5) Decapsulators follow Figure 4 in RFC6040, except they SHOULD NOT log
>> an event or raise an alarm when
>>
>> the outer packet is ECT(1) and one of the inner packets is CE.
>>
>>
>>
>> Per 3168, if an inner packet is fragmented, any CE applied to a fragment
>> is applied to the reassembled packet.
>>
>>
>>
>>           This might work, but please, see above.
>>
>>
>>
>>
>> > (Appendix A) Why not provide an in-band way to determine TLS support?
>> > There
>> > could be another port number, or different magic bytes to indicate that
>> TLS
>> > handshake messages follow.
>>
>> Actually, with this draft in-band switching to TLS is really a downgrade,
>> rather than an upgrade (surprise?).
>> The reason is that actual protection of the traffic is provided by IPsec
>> and both TCP and TLS
>> are only used as transport mechanisms that allow IPsec to work in
>> environments where it cannot
>> be used otherwise. And TLS is worse, since it requires more resources and
>> has bigger overhead.
>> So, once you get through using plain TCP there is no sense to switch to
>> TLS.
>>
>>
>>
>> Thanks for the info. It might be good to explicitly state this in
>> Appendix A, but feel free to ignore that suggestion.
>>
>>
>>
>>           Thank you!
>>
>>           Valery.
>>
>>
>>
>>
>> Regards,
>> Valery.
>>
>>

v2.23.0 | Report a Bug | By Email