IETF Logo Mail Archive

Re: [PCN] PCN encoding options and tunnelling

"Kwok-Ho Chan" <khchan@nortel.com> Mon, 10 March 2008 15:13 UTC

Return-Path: <pcn-bounces@ietf.org>
X-Original-To: ietfarch-pcn-archive@core3.amsl.com
Delivered-To: ietfarch-pcn-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD6B628E338; Mon, 10 Mar 2008 08:13:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.428
X-Spam-Level:
X-Spam-Status: No, score=-98.428 tagged_above=-999 required=5 tests=[AWL=-0.891, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, J_CHICKENPOX_57=0.6, MANGLED_TOOL=2.3, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dId6Bn7-wxfW; Mon, 10 Mar 2008 08:13:37 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 07BD328E3D1; Mon, 10 Mar 2008 07:52:05 -0700 (PDT)
X-Original-To: pcn@core3.amsl.com
Delivered-To: pcn@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3154328C7A1 for <pcn@core3.amsl.com>; Mon, 10 Mar 2008 07:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EqiiOUtTEvAr for <pcn@core3.amsl.com>; Mon, 10 Mar 2008 07:52:02 -0700 (PDT)
Received: from zrtps0kn.nortel.com (zrtps0kn.nortel.com [47.140.192.55]) by core3.amsl.com (Postfix) with ESMTP id 6B7D4293907 for <pcn@ietf.org>; Mon, 10 Mar 2008 05:59:30 -0700 (PDT)
Received: from zrtphxm1.corp.nortel.com (zrtphxm1.corp.nortel.com [47.140.202.50]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id m2ACukP21561; Mon, 10 Mar 2008 12:56:46 GMT
Received: from KCHAN-2K3.nortel.com ([47.16.102.92] RDNS failed) by zrtphxm1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 10 Mar 2008 08:56:38 -0400
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 10 Mar 2008 08:56:37 -0400
To: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
From: Kwok-Ho Chan <khchan@nortel.com>
In-Reply-To: <200803101153.m2ABrpBW004972@bagheera.jungle.bt.co.uk>
References: <200803101153.m2ABrpBW004972@bagheera.jungle.bt.co.uk>
Mime-Version: 1.0
Message-ID: <ZRTPHXM1XvpFVjCRGry00000287@zrtphxm1.corp.nortel.com>
X-OriginalArrivalTime: 10 Mar 2008 12:56:38.0908 (UTC) FILETIME=[2E1493C0:01C882AE]
Cc: PCN IETF list <pcn@ietf.org>
Subject: Re: [PCN] PCN encoding options and tunnelling
X-BeenThere: pcn@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PCN WG list <pcn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pcn>, <mailto:pcn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/pcn>
List-Post: <mailto:pcn@ietf.org>
List-Help: <mailto:pcn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcn>, <mailto:pcn-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: pcn-bounces@ietf.org
Errors-To: pcn-bounces@ietf.org

Bob, all:
Why can't we consider the use of PCN as establishing a PCN VPN?
This view goes well with the use of DSCP to differentiate PCN 
packets/traffic from all other
packets/traffic.  With the definition of the PCN PHB as the behavior 
for such a PCN VPN.
In essences, the PCN packets/traffic travels in a VPN "tunnel" defined for it.
This view allows clear definitions of:
1. PCN VPN support on a per domain basis.
2. SLAs for interfacing the PCN VPN between different domains.
3. How such a PCN VPN may be extended through multiple domains, 
possibly end to end.

With the PCN VPN thinking, the other non PCN packets/traffic can be 
viewed as being packets
in VPNs/tunnels different from the PCN VPN/tunnel.  Then the PCN 
domain is the world inside
the PCN VPN.

With such a PCN VPN in mind, I would like to ask:
1. How does the VPNs in use today need to consider the ECN bits?
2. How does the VPNs in use today need to worry about mixing of each 
VPNs' packets/traffic
     together and separating them?
3. Does the VPNs in use today have to worry about other VPNs/tunnels:
     a. Starting the ingress end of one (or more) of the other 
VPN/tunnel inside its VPN?
     b. Endng the egress end of one (or more) of the other VPN/tunnel 
inside its VPN?
     c. Have both the ingress and egress endw of one (or more) of the 
other VPN/tunnel inside its VPN?
     If yes to any of the above, how are they being solved and can 
PCN adopt the same solution?
4. Can SLAs be written to handle both the DSCP and ECN bits so they 
are clearly defined
     in the PCN VPN ingress and egress points (PCN domain edges)?

I have the PCN VPN thinking in mind from the beginning and this is 
the reason I support the
use of DiffServ and DSCP to separate the PCN packets/traffic from the 
other packets/traffic.
Hopefully allowing many of the problems to be understood, solved, or 
worked arounded.

Section 2.2.7 on page 11 of
http://www.ietf.org/internet-drafts/draft-chan-pcn-encoding-comparison-03.txt
have that thinking in mind and started putting some of the packet 
"leakage" issues
as exceptions rather then the norm.

Thanks!
-- Kwok --


At 07:53 AM 3/10/2008, Bob Briscoe wrote:
>Kwok, George, Toby, Michael,
>
>I believe tunneling represents the greatest constraint on the choice 
>of codepoints in the ECN field, so it nearly decides this issue for us...
>
>First I believe we have to allow for the likely possibility of a 
>tunnel starting and ending within a PCN region (as in S.5.7 of the 
>PCN arch I-D). For example, a multi-site VPN that is one big PCN 
>region under one operator's control joined together over the public 
>Internet by IPSec VPNs. If the customer-sites are part of the PCN 
>region they could have typical paths across the VPN like this:
>Sender > PCN_ingress > IPSec_encap > IPSec_decap > PCN_egress > Receiver
>
>Then I suggest the following requirement sentence in S.2.2.7 of PCN 
>encoding Comparision about tunnels:
>=============================================================================
>"Tunnel endpoints, whether encapsulators or decapsulators, should 
>not require any new behaviour to handle PCN-capable packets. 
>Expecting vendors of all IPSec and all IP in IP tunnel endpoints to 
>cater specifically for PCN would be unrealistic, and require complex 
>backward compatibility rules for tunnels prior to PCN. If tunnels 
>did require PCN-specific behaviour, the resulting patchy and 
>error-prone deployment would probably cause PCN to suffer byzantine 
>feature interactions with poorly implemented tunnels.
>
>Tunnel endpoints should not have to detect that a packet's DSCP is 
>PCN and implement special PCN-specific encapsulating or 
>decapsulating behaviour. The rules that already exist for tunnel 
>endpoints to handle both the Diffserv field and the ECN field should 
>'just work' when handling packets with a PCN Diffserv codepoint."
>=============================================================================
>
>That sounds reasonable, but it puts strong further constraints on 
>our PCN encoding options. Decapsulation in both RFC3168 'full 
>functionality [tunnelling] mode' and the old and new RFC4301 IPSec 
>architecture discards all ECN codepoints in the outer header except 
>11, forwarding the inner header unchanged.
>
>If we find this leaves us with no PCN encoding options, we might 
>have to require all tunnel decapsulators within a PCN region to be 
>changed (as currently implied in S.5.7 of the PCN architecture), but 
>let's see whether we have to first...
>
>With this constraint, it seems that none of 00, 01 or 10 of the ECN 
>field can be used for encoding AM (admission marked) or TM 
>(termination marked), without risking losing markings on 
>decapsulation that were added to the outer header due to congestion 
>in the middle of the tunnel.
>
>Further, 00 cannot be used for the unmarked (UM) state, because a 
>tunnel decapsulator will drop a packet if the inner header is marked 
>00 and the outer anything but 11. That leaves only 01 or 10 for UM.
>
>So far, if we use the ECN field at all, we're left with 01 or 10 for 
>the unmarked state and only 11 for anything else.
>
>Further, if either of 01 or 10 were used for UM, there would be a 
>risk of losing the UM meaning if a tunnel straddled the PCN ingress 
>but not the PCN egress, because the inner header is forwarded and 
>the outer header discarded if the outer is 01 or 10. I think it 
>would be reasonable for PCN standards to mandate that tunnel 
>decapsulators take special account of PCN encodings if the 
>encapsulator is not also in the region.
>
>We also now have to work around RFC5129 recently standardising ECN 
>in MPLS (with discussion of PCN in an appendix). I don't think that 
>constrains us further, but I'll check. I'll also check I can still 
>do the anti-cheating trick I'm proposing if we re-charter for 
>multiple domains (I suspect this will be hard now).
>
>Diffserv code points
>--------------------
>For PCN to work at all, we would have to mandate that all tunnel 
>decapsulators within a PCN region used the uniform model of RFC2983 
>(copying outer DSCP to inner).
>
>The disadvantage of using /only/ DSCPs to encode PCN are as follows:
>
>a) If an operator wants to have multiple PCN PHBs (e.g. for data 
>plane as well as signalled precedence for emergency traffic), it has 
>to use 1 more DSCP to /each/ PHB in order to add termination and 1 
>more /each/ to add admission marking. Whereas using 11 in the ECN 
>field for AM or TM requires only 1 DSCP per PHB. If an operator 
>wants AM and TM, and data plane precedence it seems to have no 
>choice but to use up multiple DSCPs, but at least it can use 11 in 
>the ECN field for one of the markings.
>
>b) If the operator uses equal cost multipath (ECMP) routing within 
>the PCN region, and the vendor's ECMP algorithm depends on the DSCP 
>in each packet, ideally we don't want to admission mark by changing 
>DSCPs because this will throw some packets of each flow onto 
>different routes, causing re-ordering. Ideally we don't want 
>termination marking to change DSCPs either, but given all the 
>constraints we might have to live with some packet re-ordering in 
>all flows until some have been terminated, as this is becoming a bit 
>of a corner case.
>
>In summary
>----------
>It looks like we have two main option families left:
>1/ use only the DSCP field for all PCN marking and the PCN ingress 
>would have to set the ECN field to 01 or 10. No PCN interior nodes 
>would change the ECN field.
>2/ Use 01 or 10 in the ECN field for UM. Use 11 in the ECN field for 
>AM. Use an extra DSCP for TM.
>
>Option 2/ seems a slightly better compromise because of a) & b) above.
>
>In either case, use another DSCP for affected marking if it is 
>required at all (but see next email).
>
>If there's one lesson from this,...
>--------------------------------
>...it's that encoding into a tightly constrained field should be 
>standardised very very carefully. Most of our problems come from all 
>the changes of mind concerning ECN that have happened over the 
>years, leaving us no space to manoeuvre between all the backward 
>compatibility constraints.
>
>That doesn't mean we should standardise slowly. But it does mean we 
>should get a design team of experts to focus on this one issue, all 
>locked in a room until they are all happy. That means now. On this issue.
>
>For instance, I believe Option 1/ would be better if we want to 
>allow for end-to-end ECN as well. But I haven't thought that all 
>through. And I also strongly believe that we shouldn't allow 
>adaptive codecs to use PCN unless they explicitly signal that they 
>are going to. Otherwise all PCN's admission control assurances 
>break. If endpoints explicitly signal they want to be adaptive, I 
>think we can manage forwarding ECN markings properly.
>
>Further reading?
>----------------
>All the background to why ECN tunneling is like it is, and how it 
>will need to change in the future, is explained in the draft I did 
>for tsvwg on tunneling congestion notification, which I highlighted 
>to the PCN list at the time. Bruce Davie & David Black have been 
>helping with it and may become co-authors.
>
>TSVWG and the area directors agreed to put that I-D on hold until 
>the PCN w-g had got closer to a decision on encodings, but it was 
>written to help PCN in that task. It recently expired, because we 
>didn't think PCN encodings would take this long! You can still 
>access an archived copy from my publications page:
><http://www.cs.ucl.ac.uk/staff/B.Briscoe/pubs.html#ecn-tunnel>
>
>To save time you can cut to S.5 and onwards, if you just want to 
>know the encap/decap behaviours and the variants that you have to be 
>backward compatible with. Earlier sections explain why. Appendix A 
>specifically discusses PCN tunneling, but I hadn't thought the 
>encoding constrints through like I just did above.
>
>Essentially, discarding 00, 01 & 10 from the outer header was 
>unfortunately necessary in RFC3168 and RFC4301 for backward 
>compatibility with the first experimental RFC2481 ECN, which 
>satisfied possible concerns at the time about the ECN field being 
>abused as a covert channel from the public Internet into an IPSec 
>tunnel. Since then the security area has decided these concerns were 
>unwarranted and the risk can be managed.
>
>In the PCN sessions this week, I can repeat some of the slides from 
>the summary presentation of this I gave to the tsvwg last Jun:
><http://www.cs.ucl.ac.uk/staff/B.Briscoe/present.html#0707ecn-tunnel>
>but I believe Toby will now be covering this in his slides anyway.
>
>
>Bob
>
>
>____________________________________________________________________________
>Bob Briscoe, <bob.briscoe@bt.com>      Networks Research Centre, BT Research
>B54/77 Adastral Park,Martlesham Heath,Ipswich,IP5 3RE,UK.    +44 1473 645196

_______________________________________________
PCN mailing list
PCN@ietf.org
https://www.ietf.org/mailman/listinfo/pcn

v2.23.0 | Report a Bug | By Email