Re: ECN in QUIC connection migration

[Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>]

I don’t know enough about ECN to have a qualified opinion, but I mean that,
for example, someone on the path might make a false impression of the
available bandwidth. It may be a general ECN discussion but I’d like to
know how it affects security of QUIC if made mandatory, just like there are
other sections in QUIC transport on potential attacks to be aware of.

http://web.cs.ucla.edu/~todd/research/sigcomm11.pdf
http://ieeexplore.ieee.org/document/6993126/


Kind Regards,
Mikkel Fahnøe Jørgensen


On 12 February 2018 at 16.43.43, Mirja Kühlewind (
mirja.kuehlewind@tik.ee.ethz.ch) wrote:

What do you mean by abuse scenarios? However, I would guess again that this
is not a quic specific discussion and should probably rather happen in
tsvwg which is the group that is maintain ECN in general.

Mirja


> Am 12.02.2018 um 16:42 schrieb Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>:

>
> I haven’t followed the ECN discussion very closely, but I miss a
discussion of possible abuse scenarios and how to avoid them.
>
> On 12 February 2018 at 16.26.32, Mirja Kühlewind (
mirja.kuehlewind@tik.ee.ethz.ch) wrote:
>
>> Hi Ingemar,
>>
>> two points.
>>
>> I think it would be good to be as explicit as possible here, therefore I
would prefer if an endpoint that knows that it can not access the ECN IP
bits indicates this directly in the handshake. In this case no further
testing is needed.
>>
>> Further, the path testing itself is independent of QUIC and can be used
for any protocol. Moreover, it’s more complicated than just testing ECT. I
guess the general advice here is to remember which codepoints were send and
compare this to the feedback provided. If discrepancies are observed that
indicate that a middlebox has changed these bits, all packets should be
marked as no-ECT (while additional testing MAY be performed at any later
point in time). However, how exactly this testing should look like, should
not be specified in this doc (but more generally).
>>
>> Mirja
>>
>>
>> > Am 09.02.2018 um 08:34 schrieb Ingemar Johansson S <
ingemar.s.johansson@ericsson.com>:
>> >
>> > Hi Eric, Koen + others
>> >
>> > Thanks for the comments and the update. A question to the rest of the
audience, does the presented text explain sufficiently enough how ECN works
with connection migration ?
>> >
https://github.com/quicwg/base-drafts/wiki/ECN-in-QUIC#transport-draft-connection-migration
>> >
>> >
>> > /Ingemar
>> >
>> >
>> > From: De Schepper, Koen (Nokia - BE/Antwerp) [mailto:
koen.de_schepper@nokia-bell-labs.com]
>> > Sent: den 2 februari 2018 15:44
>> > To: ekinnear@apple.com; Ingemar Johansson S <
ingemar.s.johansson@ericsson.com>
>> > Cc: QUIC WG <quic@ietf.org>; Ian Swett <ianswett@google.com>;
Lubashev, Igor <ilubashe@akamai.com>; Christian Huitema <huitema@huitema.net>

>> > Subject: RE: ECN in QUIC connection migration
>> >
>> > Hi Ingemar,
>> >
>> > I also read again through the document, and had following comments:
>> >
>> > I replaced:
>> > “The ACK_ECN frame is used to convey ACKs when the ECN capability
exchange concludes that ECN should be used for the given connection.”
>> > Originally it sounds as if the counters are not echoed anymore if the
ECN capability check fails. I assume this was not the intention, but if it
is: First, we don’t have a protocol or decision point defined when that
condition is met (sender should let the receiver know in the next packet),
and second, I would always send the echo, as we might “try again later
(with another ECT?)”, or might decide to use the ECN bits differently
later.
>> >
>> > I also changed the text around the connection migration, I think
before Eric reviewed it. I made it such that every new path creates a new
connection state with an initialized congestion control state and ECN
counters (at least ECN counters reset to 0s). Not sure if this matches with
the other sections in the QUIC draft.
>> >
>> > I also had the thought whether it was really needed to have the 2
cases. I agree we should simplify, by just starting over and doing the
check unconditionally whether it was successful or not in a previous path.
>> >
>> > Regards,
>> > Koen.
>> >
>> > From: ekinnear@apple.com [mailto:ekinnear@apple.com]
>> > Sent: Friday, February 2, 2018 12:02 AM
>> > To: Ingemar Johansson S <ingemar.s.johansson@ericsson.com>
>> > Cc: QUIC WG <quic@ietf.org>; Ian Swett <ianswett@google.com>;
Lubashev, Igor <ilubashe@akamai.com>; Christian Huitema <huitema@huitema.net>;
De Schepper, Koen (Nokia - BE/Antwerp) <koen.de_schepper@nokia-bell-labs.com>

>> > Subject: Re: ECN in QUIC connection migration
>> >
>> > Hi Ingemar,
>> >
>> > This generally looks good to me!
>> > A few questions and observations:
>> >
>> > There are two unique cases:
>> >
>> > • ECN capability check successful at initial connection setup
>> > • ECN capability check failed at initial connection setup
>> >
>> > Are these actually any different in terms of action taken by an
endpoint?
>> > It seems like on the new network path the endpoint would go through
the same process of: (a) verify ECN capability and if successful to
whatever degree then (b) run the rest of the ECN machinery as appropriate.
>> >
>> > In other words, as long as you allow people to start using ECN upon
migration (in other words, to allow starting it after the initial
connection establishment), then the specifics for ECN with migration is
essentially one statement, which is “do the ECN process on each new network
path that you use”.
>> >
>> > Connection migration has impact on the number of reported CE marked
packets. A new connection state with new congestion control state and ECN
counters is instantiated at the sender and receiver. The ECN counters MUST
start from zero again.
>> >
>> > This seems fine to me, it’s inline with the rest of the congestion
control/loss recovery state that also needs to be reset for the new path.
>> >
>> > Given that each migration requires at least one exchange of packets at
the beginning (at the very least for address validation from the side of
the endpoint that didn’t migrate), it seems like that’s an excellent moment
to mark the packets and perform the ECN capability detection. Those packets
are also likely padded, etc. similar to initial packets since they’re on a
previously unused network path.
>> >
>> > I think the current proposed requirement of just using the “first”
packets and marking those is sufficient (and good to avoid any requirement
as to which frames are contained in those packets), since we are always
exchanging packets in both directions immediately after migration.
>> >
>> > This has the added benefit such that any endpoint “probing” possible
network paths could include the bits necessary to detect ECN capability on
the path being probed, so it could even know before migrating whether or
not it would be able to use ECN on that new path.
>> >
>> > Thanks,
>> > Eric
>> >
>> >
>> >
>> >
>> > On Feb 1, 2018, at 3:07 AM, Ingemar Johansson S <
ingemar.s.johansson@ericsson.com> wrote:
>> >
>> > Hi
>> > I have written up different aspects of connection migration and how it
plays with ECN.
>> >
https://github.com/quicwg/base-drafts/wiki/ECN-in-QUIC#transport-draft-connection-migration
>> >
>> > A caveat.. I am a bit unsure about the definition of connection
migration . My interpretation is that a client moves to a new IP address
due to e.g. a NAT rebind or switch from WiFi to cellular, right ?. Is a new
connection instantiated at a connection migration ?
>> >
>> > /Ingemar
>> >
>> > ==================================
>> > Ingemar Johansson M.Sc.
>> > Master Researcher
>> >
>> > Ericsson Research
>> > Network Protocols & E2E Performance
>> > Labratoriegränd 11
>> > 971 28, Luleå, Sweden
>> > Phone +46-1071 43042
>> > SMS/MMS +46-73 078 3289
>> > ingemar.s.johansson@ericsson.com
>> > www.ericsson.com
>> >
>> > You can't start a fire
>> > Worrying 'bout your little world falling apart
>> > Bruce Springsteen
>> > ==================================