Re: [pcp] Draft-wing-pcp-flowdata-000 Comments
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 05 February 2014 18:33 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28EA91A0138 for <pcp@ietfa.amsl.com>; Wed, 5 Feb 2014 10:33:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.036
X-Spam-Level:
X-Spam-Status: No, score=-10.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Izhb5lIG4IpU for <pcp@ietfa.amsl.com>; Wed, 5 Feb 2014 10:33:41 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by ietfa.amsl.com (Postfix) with ESMTP id F1C8B1A0132 for <pcp@ietf.org>; Wed, 5 Feb 2014 10:33:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7124; q=dns/txt; s=iport; t=1391625220; x=1392834820; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=5BeROcLn1/28sy0RopCHhzIk3xTsNVHdegU4NKsikqw=; b=E4mvYXeHUJ2A3ETGXB4DmEN8Loy8TFg6SQe4md1Egg85wqWIiIfS+8mw kHBe660T47lq/kF3j9sjWCNGzohxofrLItIgAZzOTzDyY5ZtbX7QOovem ELmS9odZJXXTh5KxMH2YD+UTUekAzbqGm0IO3DZ1v2QwP9gvjZoY+YWxT E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkMFAJqD8lKtJXG8/2dsb2JhbABPCoMMOFe+TIEQFnSCJQEBAQSBCwEIEQQBAQsdORQJCQEEARIIE4dqDc50F44UBQUKHINcgRQEiRGQTJBvgy2BaUE
X-IronPort-AV: E=Sophos;i="4.95,788,1384300800"; d="scan'208";a="18215611"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by alln-iport-1.cisco.com with ESMTP; 05 Feb 2014 18:33:39 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id s15IXd8U015728 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 5 Feb 2014 18:33:39 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.36]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0123.003; Wed, 5 Feb 2014 12:33:39 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Ben McCann <B.McCann@F5.com>, "pcp@ietf.org" <pcp@ietf.org>
Thread-Topic: [pcp] Draft-wing-pcp-flowdata-000 Comments
Thread-Index: Ac8ioMUrjNvuc54eQby5psLfys81zA==
Date: Wed, 05 Feb 2014 18:33:38 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A242A86F8@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.34.133]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [pcp] Draft-wing-pcp-flowdata-000 Comments
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp/>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 18:33:43 -0000
Hi Ben, Thanks for the detailed review. Please see inline [TR] From: Ben McCann [mailto:B.McCann@F5.com] Sent: Wednesday, January 29, 2014 2:25 AM To: pcp@ietf.org Subject: [pcp] Draft-wing-pcp-flowdata-000 Comments Hi Dan, Reinaldo, and Tiru, I have a few comments and questions on your PCP flowdata draft. Overall, it looks good. To summarize, this PCP enhancement enables an application attached to an access network to signal its resource (bandwidth, etc) requirements to the network via a PCP server. The PCP server reserves none, some, or all of the requested resources and returns a response describing that reservation. . Section 1: Recursively forwarding PCP FlowData requests hop-by-hop through the access network is an elegant solution for reserving resources from the application to the boundary between the access network and the Internet. That said, does this introduce scaling problems ? o Are there administrative scaling challenges for large access networks with many switches and routers? Do most of them have to be configured with PCP servers for the reservation system to be effective? [TR] Not all switches and routers in large access network need to be PCP-aware. PCP server in the access network can convey the information to the SDN controller (Policy Decision Point) which in turn installs flow in network devices. For more information refer to draft http://tools.ietf.org/html/draft-penno-pcp-asdn-00 o Can upstream PCP servers handle all of the individual reservation requests arriving from multiple downstream PCP servers? Is some kind of reservation aggregation mechanism required to scale to 1000's or 10000s of reservations? . Section 3.2 & Figure 3: Does the FlowData option in a MAP request define the aggregate resource requirements for all matching inbound flows going to the application sending that MAP request or is the reservation per flow? Both options have issues: o If the reservation is for all flows, then the resource manager can easily reserve resources (bandwidth, etc) in aggregate for that application. That simplifies resource allocation but it is extremely inefficient because resources are pre-allocated for flows that may never arrive. o If the reservation is per flow, then how does the resource manager know how many resources to reserve? If the MAP request FlowData option only describes the resource requirements for one flow, then how does the resource reservation system know how many flows to expect? IMHO, both of these options are broken. Instead, the FlowData option should: o Describe the resource requirements per flow. The CGNAT/Firewall/Etc must reserve resources incrementally as clients connect to the mapped server. This provides some level of fairness across multiple servers using the MAP request. o Define the maximum number of flows that are expected. The PCP server may return a smaller number in the MAP reply if this is excessive. The CGNAT may reject inbound connections that exceed this upper bound to ensure it has resources for other mapped servers. o Define the behavior of the connection when resources (as defined in the MAP request) are unavailable. Should the CGNAT fall back to "best effort", drop the SYN packet and let the client retry, send back something in ICMP, or should it reject the connection request with a RST? (Examples are admittedly TCP-centric). In summary, FlowData should describe resources per flow, how many flows are expected, and how to handle new inbound flows when resources are unavailable. Note that the CGNAT/Firewall handles resource reservation errors autonomously because, IMHO, sending PCP packets back to the client when resources are low introduces unacceptable DoS attack vectors. [TR] Good point. The reason for supporting FLOWDATA with MAP is to use it in SIP/WebRTC calls where an endpoint with multiple interfaces (3G, Wifi etc) can use MAP with FLOWDATA on each available interface to find if any of the networks can meet the requested flow characteristics, so that the application can prioritize the host candidates accordingly based on FLOWDATA response. In this case it would be only be one flow per MAP request. The scenario you have mentioned would be typically used by servers and would use MAP for multiple flows. we will define the behavior of FLOWDATA option with MAP opcode in the next revision. . Section 6: Why do we need a separate authorization mechanism for FlowData? The client's identify is verified during PCP Authentication so why doesn't the PCP server consult a policy server at that time to determine the client's resource reservation privileges? We don't need a separate crypto-token for FlowData because the whole PCP request is signed by the PCP Authentication Tag. We should also avoid authorizing individual FlowData requests to an external server because it won't scale. [TR] PCP third party authorization is required only for some applications. For example in a scenario where access network has business agreement with Netflix, Hulu Plus etc. HTTP Adaptive Streaming client will send PCP request with access token option so that the access network can prioritize the one-way streaming content. Usage of PCP third party authorization in Mobile networks is explained http://tools.ietf.org/search/draft-penno-pcp-mobile-qos-00, where PCP requests with third party authorization will be mapped to QCI values 1 to 4 and Bandwidth Minimum value in FLOWDATA option will be mapped to Guaranteed bit rate (GBR). PCP requests without third party authorization will also be honored but mapped only to QCI values 6 to 8 (Non- GBR). . (Other) Should the FlowData option define enforcement policies for non-conformant flows that exceed their bandwidth reservation? For example, best effort, some flavor of random early discard, rate shaping, etc, etc.? The alternative is that the reservation enforcement policy is statically defined per hop and that it is unaware of the best protocol-dependent method to enforce bandwidth reservations. [TR] Yes, FlowData option should enforce policies for flows which lie or misbehave. In section 3.3 this problem is discussed <snip> A PCP server that processes the FLOWDATA option is likely to create state for that flow (e.g., for bandwidth counting so that the bandwidth is returned to the bandwidth pool when the flow lifetime expires). Because Memory and other resources limit how much state can be created, the PCP server MUST implement a policy limit so that all state is not consumed by one host. It MAY also implement other limits, such as rate limits. The PCP server can implement its own policy to remove flows from its memory, such as FIFO. If a host has exceeded its quota, the existing error USER_EX_QUOTA SHOULD be returned. </snip> Cheers, -Tiru. Ben McCann, F5 Networks
- [pcp] Draft-wing-pcp-flowdata-000 Comments Ben McCann
- Re: [pcp] Draft-wing-pcp-flowdata-000 Comments Tirumaleswar Reddy (tireddy)