[PCN] PCN encoding options and tunnelling
Bob Briscoe <rbriscoe@jungle.bt.co.uk> Mon, 10 March 2008 15:16 UTC
Return-Path: <pcn-bounces@ietf.org>
X-Original-To: ietfarch-pcn-archive@core3.amsl.com
Delivered-To: ietfarch-pcn-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E84328D0BE; Mon, 10 Mar 2008 08:16:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.939
X-Spam-Level:
X-Spam-Status: No, score=-98.939 tagged_above=-999 required=5 tests=[AWL=-1.402, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, J_CHICKENPOX_57=0.6, MANGLED_TOOL=2.3, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qRE0YzWqxc1p; Mon, 10 Mar 2008 08:16:56 -0700 (PDT)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC00528DB39; Mon, 10 Mar 2008 07:56:21 -0700 (PDT)
X-Original-To: pcn@core3.amsl.com
Delivered-To: pcn@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A040028D140 for <pcn@core3.amsl.com>; Mon, 10 Mar 2008 07:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9DC+TualEUtt for <pcn@core3.amsl.com>; Mon, 10 Mar 2008 07:56:14 -0700 (PDT)
Received: from smtp1.smtp.bt.com (smtp1.smtp.bt.com [217.32.164.137]) by core3.amsl.com (Postfix) with ESMTP id BDC4F2932EC for <pcn@ietf.org>; Mon, 10 Mar 2008 04:56:22 -0700 (PDT)
Received: from i2kc06-ukbr.domain1.systemhost.net ([193.113.197.70]) by smtp1.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 10 Mar 2008 11:54:00 +0000
Received: from cbibipnt05.iuser.iroot.adidom.com ([147.149.196.177]) by i2kc06-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(6.0.3790.1830); Mon, 10 Mar 2008 11:54:01 +0000
Received: From bagheera.jungle.bt.co.uk ([132.146.168.158]) by cbibipnt05.iuser.iroot.adidom.com (WebShield SMTP v4.5 MR1a P0803.399); id 120515003976; Mon, 10 Mar 2008 11:53:59 +0000
Received: from mut.jungle.bt.co.uk ([10.73.145.122]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id m2ABrpBW004972; Mon, 10 Mar 2008 11:53:55 GMT
Message-Id: <200803101153.m2ABrpBW004972@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Mon, 10 Mar 2008 11:53:42 +0000
To: "CHAN, Kwok Ho" <khchan@nortel.com>, Georgios Karagiannis <karagian@cs.utwente.nl>, "MONCASTER, Toby" <toby.moncaster@bt.com>, Michael Menth <menth@informatik.uni-wuerzburg.de>
From: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
Mime-Version: 1.0
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
X-OriginalArrivalTime: 10 Mar 2008 11:54:01.0078 (UTC) FILETIME=[6E3D3960:01C882A5]
Cc: PCN IETF list <pcn@ietf.org>
Subject: [PCN] PCN encoding options and tunnelling
X-BeenThere: pcn@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: PCN WG list <pcn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pcn>, <mailto:pcn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/pcn>
List-Post: <mailto:pcn@ietf.org>
List-Help: <mailto:pcn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcn>, <mailto:pcn-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: pcn-bounces@ietf.org
Errors-To: pcn-bounces@ietf.org
Kwok, George, Toby, Michael, I believe tunneling represents the greatest constraint on the choice of codepoints in the ECN field, so it nearly decides this issue for us... First I believe we have to allow for the likely possibility of a tunnel starting and ending within a PCN region (as in S.5.7 of the PCN arch I-D). For example, a multi-site VPN that is one big PCN region under one operator's control joined together over the public Internet by IPSec VPNs. If the customer-sites are part of the PCN region they could have typical paths across the VPN like this: Sender > PCN_ingress > IPSec_encap > IPSec_decap > PCN_egress > Receiver Then I suggest the following requirement sentence in S.2.2.7 of PCN encoding Comparision about tunnels: ============================================================================= "Tunnel endpoints, whether encapsulators or decapsulators, should not require any new behaviour to handle PCN-capable packets. Expecting vendors of all IPSec and all IP in IP tunnel endpoints to cater specifically for PCN would be unrealistic, and require complex backward compatibility rules for tunnels prior to PCN. If tunnels did require PCN-specific behaviour, the resulting patchy and error-prone deployment would probably cause PCN to suffer byzantine feature interactions with poorly implemented tunnels. Tunnel endpoints should not have to detect that a packet's DSCP is PCN and implement special PCN-specific encapsulating or decapsulating behaviour. The rules that already exist for tunnel endpoints to handle both the Diffserv field and the ECN field should 'just work' when handling packets with a PCN Diffserv codepoint." ============================================================================= That sounds reasonable, but it puts strong further constraints on our PCN encoding options. Decapsulation in both RFC3168 'full functionality [tunnelling] mode' and the old and new RFC4301 IPSec architecture discards all ECN codepoints in the outer header except 11, forwarding the inner header unchanged. If we find this leaves us with no PCN encoding options, we might have to require all tunnel decapsulators within a PCN region to be changed (as currently implied in S.5.7 of the PCN architecture), but let's see whether we have to first... With this constraint, it seems that none of 00, 01 or 10 of the ECN field can be used for encoding AM (admission marked) or TM (termination marked), without risking losing markings on decapsulation that were added to the outer header due to congestion in the middle of the tunnel. Further, 00 cannot be used for the unmarked (UM) state, because a tunnel decapsulator will drop a packet if the inner header is marked 00 and the outer anything but 11. That leaves only 01 or 10 for UM. So far, if we use the ECN field at all, we're left with 01 or 10 for the unmarked state and only 11 for anything else. Further, if either of 01 or 10 were used for UM, there would be a risk of losing the UM meaning if a tunnel straddled the PCN ingress but not the PCN egress, because the inner header is forwarded and the outer header discarded if the outer is 01 or 10. I think it would be reasonable for PCN standards to mandate that tunnel decapsulators take special account of PCN encodings if the encapsulator is not also in the region. We also now have to work around RFC5129 recently standardising ECN in MPLS (with discussion of PCN in an appendix). I don't think that constrains us further, but I'll check. I'll also check I can still do the anti-cheating trick I'm proposing if we re-charter for multiple domains (I suspect this will be hard now). Diffserv code points -------------------- For PCN to work at all, we would have to mandate that all tunnel decapsulators within a PCN region used the uniform model of RFC2983 (copying outer DSCP to inner). The disadvantage of using /only/ DSCPs to encode PCN are as follows: a) If an operator wants to have multiple PCN PHBs (e.g. for data plane as well as signalled precedence for emergency traffic), it has to use 1 more DSCP to /each/ PHB in order to add termination and 1 more /each/ to add admission marking. Whereas using 11 in the ECN field for AM or TM requires only 1 DSCP per PHB. If an operator wants AM and TM, and data plane precedence it seems to have no choice but to use up multiple DSCPs, but at least it can use 11 in the ECN field for one of the markings. b) If the operator uses equal cost multipath (ECMP) routing within the PCN region, and the vendor's ECMP algorithm depends on the DSCP in each packet, ideally we don't want to admission mark by changing DSCPs because this will throw some packets of each flow onto different routes, causing re-ordering. Ideally we don't want termination marking to change DSCPs either, but given all the constraints we might have to live with some packet re-ordering in all flows until some have been terminated, as this is becoming a bit of a corner case. In summary ---------- It looks like we have two main option families left: 1/ use only the DSCP field for all PCN marking and the PCN ingress would have to set the ECN field to 01 or 10. No PCN interior nodes would change the ECN field. 2/ Use 01 or 10 in the ECN field for UM. Use 11 in the ECN field for AM. Use an extra DSCP for TM. Option 2/ seems a slightly better compromise because of a) & b) above. In either case, use another DSCP for affected marking if it is required at all (but see next email). If there's one lesson from this,... -------------------------------- ...it's that encoding into a tightly constrained field should be standardised very very carefully. Most of our problems come from all the changes of mind concerning ECN that have happened over the years, leaving us no space to manoeuvre between all the backward compatibility constraints. That doesn't mean we should standardise slowly. But it does mean we should get a design team of experts to focus on this one issue, all locked in a room until they are all happy. That means now. On this issue. For instance, I believe Option 1/ would be better if we want to allow for end-to-end ECN as well. But I haven't thought that all through. And I also strongly believe that we shouldn't allow adaptive codecs to use PCN unless they explicitly signal that they are going to. Otherwise all PCN's admission control assurances break. If endpoints explicitly signal they want to be adaptive, I think we can manage forwarding ECN markings properly. Further reading? ---------------- All the background to why ECN tunneling is like it is, and how it will need to change in the future, is explained in the draft I did for tsvwg on tunneling congestion notification, which I highlighted to the PCN list at the time. Bruce Davie & David Black have been helping with it and may become co-authors. TSVWG and the area directors agreed to put that I-D on hold until the PCN w-g had got closer to a decision on encodings, but it was written to help PCN in that task. It recently expired, because we didn't think PCN encodings would take this long! You can still access an archived copy from my publications page: <http://www.cs.ucl.ac.uk/staff/B.Briscoe/pubs.html#ecn-tunnel> To save time you can cut to S.5 and onwards, if you just want to know the encap/decap behaviours and the variants that you have to be backward compatible with. Earlier sections explain why. Appendix A specifically discusses PCN tunneling, but I hadn't thought the encoding constrints through like I just did above. Essentially, discarding 00, 01 & 10 from the outer header was unfortunately necessary in RFC3168 and RFC4301 for backward compatibility with the first experimental RFC2481 ECN, which satisfied possible concerns at the time about the ECN field being abused as a covert channel from the public Internet into an IPSec tunnel. Since then the security area has decided these concerns were unwarranted and the risk can be managed. In the PCN sessions this week, I can repeat some of the slides from the summary presentation of this I gave to the tsvwg last Jun: <http://www.cs.ucl.ac.uk/staff/B.Briscoe/present.html#0707ecn-tunnel> but I believe Toby will now be covering this in his slides anyway. Bob ____________________________________________________________________________ Bob Briscoe, <bob.briscoe@bt.com> Networks Research Centre, BT Research B54/77 Adastral Park,Martlesham Heath,Ipswich,IP5 3RE,UK. +44 1473 645196 _______________________________________________ PCN mailing list PCN@ietf.org https://www.ietf.org/mailman/listinfo/pcn
- Re: [PCN] PCN encoding options and tunnelling Geib, Ruediger
- Re: [PCN] PCN encoding options and tunnelling Kwok-Ho Chan
- [PCN] PCN encoding options and tunnelling Bob Briscoe
- Re: [PCN] PCN encoding options and tunnelling Steven Blake
- Re: [PCN] PCN encoding options and tunnelling philip.eardley
- Re: [PCN] PCN encoding options and tunnelling ken carlberg
- Re: [PCN] PCN encoding options and tunnelling Kwok-Ho Chan
- Re: [PCN] PCN encoding options and tunnelling Georgios Karagiannis
- Re: [PCN] PCN encoding options and tunnelling Bob Briscoe
- Re: [PCN] PCN encoding options and tunnelling Geib, Ruediger
- Re: [PCN] PCN encoding options and tunnelling Michael Menth
- Re: [PCN] PCN encoding options and tunnelling Georgios Karagiannis
- Re: [PCN] PCN encoding options and tunnelling Bob Briscoe