Re: [re-ECN] Preferential Dropping
"McCann Peter-A001034" <pete.mccann@motorola.com> Thu, 27 May 2010 21:13 UTC
Return-Path: <pete.mccann@motorola.com>
X-Original-To: re-ecn@core3.amsl.com
Delivered-To: re-ecn@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D62F83A69A3 for <re-ecn@core3.amsl.com>; Thu, 27 May 2010 14:13:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B0ATYisHLcn5 for <re-ecn@core3.amsl.com>; Thu, 27 May 2010 14:13:15 -0700 (PDT)
Received: from mail55.messagelabs.com (mail55.messagelabs.com [216.82.241.163]) by core3.amsl.com (Postfix) with ESMTP id DF1C93A6992 for <re-ecn@ietf.org>; Thu, 27 May 2010 14:13:14 -0700 (PDT)
X-VirusChecked: Checked
X-Env-Sender: pete.mccann@motorola.com
X-Msg-Ref: server-7.tower-55.messagelabs.com!1274994783!100727487!1
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [129.188.136.8]
Received: (qmail 10678 invoked from network); 27 May 2010 21:13:04 -0000
Received: from motgate8.mot.com (HELO motgate8.mot.com) (129.188.136.8) by server-7.tower-55.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 27 May 2010 21:13:04 -0000
Received: from il06exr03.mot.com (il06exr03.mot.com [129.188.137.133]) by motgate8.mot.com (8.14.3/8.14.3) with ESMTP id o4RLD3jM029236 for <re-ecn@ietf.org>; Thu, 27 May 2010 14:13:03 -0700 (MST)
Received: from il06vts04.mot.com (il06vts04.mot.com [129.188.137.144]) by il06exr03.mot.com (8.13.1/Vontu) with SMTP id o4RLD3bx016858 for <re-ecn@ietf.org>; Thu, 27 May 2010 16:13:03 -0500 (CDT)
Received: from de01exm70.ds.mot.com (de01exm70.am.mot.com [10.176.8.26]) by il06exr03.mot.com (8.13.1/8.13.0) with ESMTP id o4RLD30f016854 for <re-ecn@ietf.org>; Thu, 27 May 2010 16:13:03 -0500 (CDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 27 May 2010 17:12:42 -0400
Message-ID: <274D46DDEB9F2244B2F1EA66B3FF54BC06CB0EAC@de01exm70.ds.mot.com>
In-Reply-To: <201005201720.o4KHKipS013825@bagheera.jungle.bt.co.uk>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [re-ECN] Preferential Dropping
Thread-Index: Acr4QMz+m0ZW3VZTSGqbLaT2hSR8jwFcWHWw
References: <20100517143717.GF2670@verdi> <274D46DDEB9F2244B2F1EA66B3FF54BC06B2F753@de01exm70.ds.mot.com> <20100517162109.GH2670@verdi> <201005171741.o4HHf4fM001778@bagheera.jungle.bt.co.uk> <274D46DDEB9F2244B2F1EA66B3FF54BC06B2FA2F@de01exm70.ds.mot.com> <201005201720.o4KHKipS013825@bagheera.jungle.bt.co.uk>
From: McCann Peter-A001034 <pete.mccann@motorola.com>
To: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
X-CFilter-Loop: Reflected
Cc: re-ecn@ietf.org
Subject: Re: [re-ECN] Preferential Dropping
X-BeenThere: re-ecn@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: re-inserted explicit congestion notification <re-ecn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/re-ecn>, <mailto:re-ecn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/re-ecn>
List-Post: <mailto:re-ecn@ietf.org>
List-Help: <mailto:re-ecn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/re-ecn>, <mailto:re-ecn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 May 2010 21:13:17 -0000
Hi, Bob, Bob Briscoe wrote: > Pete, > > Still off the topic of chartering... Indeed. Thanks for the discussion, it is helping me wrap my brain around this problem space. > At 21:11 17/05/2010, McCann Peter-A001034 wrote: >> Hi, Bob, >> >> Thanks for the explanation. >> >> Bob Briscoe wrote: >>> The analysis I did on this showed that re-ECN can raise the bar >>> against DDoS so that the army has to be N times bigger to achieve >>> the same *sustained* attack force, where N=1/p and p is the 'normal' >>> level of congestion in the network. E.g. if normal congestion is >>> 0.001%, a sustained attack against a re-ECN internetwork has to be >>> 100,000 times bigger to cause the same damage as it could against a >>> network without re-ECN. >>> >>> Obviously, there are assumptions and details, but that was the >>> take-home message. If anyone wants more details, just ask. >> >> I'm curious about your definition of "damage". Was it just "causing >> a given loss probability on a particular target link"? > > Correct Based on the statement above and reading the paper you point to below, it seems you are making an assumption about the token bucket parameters of the ingress policing and their relationship to the access network link speed and the link speed of the congested, target link. If you take the 'normal' level of congestion as a setpoint for the ingress policer, your example above seems to imply that the token bucket rate would be .001% of line rate for a given customer. As for the depth of the token bucket, I have no intuition about how to pick a good value. If we consider operating regions where the token bucket is fast and deep, the access link speed is high, and the target congested link is very bandwidth constrained, we could have a situation where the link remains near 100% congestion for a long period of time or even in steady state, when senders are marking exactly at their token bucket rate, even when N isn't inordinately large. Even with preferential drop we might be forced to start discarding packets with positive worth. Perhaps this is an example of a link that was poorly dimensioned for the expected load, but that kind of argument seems to be a variant of the "just overprovision all the links" point of view. > I think you mean "less able to contribute to congestion..." Yes, thanks. I guess the effectiveness of this attack depends on the relative depth of the token buckets. > IMHO it is not unreasonable for the system to throttle down 2 & 3 the > same, at least by default. They may have different intent > (selfishness as opposed to malice), but they have the same outward > effect on everyone else. Regardless of intent, I wonder if a better outcome could be achieved if the owner of the congested resource made a per-flow admission control policy decision instead of lumping all the flows together in one statistical drop bucket. Especially for inelastic flows, it would be better to time-shift in units of whole flows rather than start dropping a fraction of the traffic across all flows. The use of Re-ECN marking to resolve contention for a congested link is kind of like a game of chicken. If N is sufficiently large, and all parties are willing and able to mark up to 100% of their flows, then no one gets out of the way and the system collapses in overload. Undoubtedly, Re-ECN would make this situation (possibly much) less likely due to the damping effect of the ingress policers. However, it still wouldn't be entirely safe to put a mission critical resource behind a low-bandwidth link (e.g., a 56kbps modem) exposed to the Internet. That situation still seems to require some sort of security gateway in front of the link to discard unauthorized traffic, and a signaling protocol to establish state in that gateway. > I can't imagine how an OOB solution would allow the data plane to > discriminate attack traffic, but... > > <RANT> <!--not against you--> > We cannot know whether an OOB per-flow signalling solution support > any feature, because it's currently vapourware. Agreed; I am just trying to figure out whether Re-ECN completely eliminates the need for protocols like RSVP or NSIS (or even non-e2e IKE, to the extent that IPSec gateways are used to prevent DoS) or whether a signaling protocol would still be needed to establish per-flow state in middleboxes for the purpose of DoS prevention and congestion control in general. The case of a link that is a few orders of magnitude slower than the average access link still seems to require this. Perhaps such a protocol could be tweaked to work in concert with Re-ECN; for example, you could directly carry the path congestion metric p in the signaling, maybe eliminating the need to fight over the evil bit. This would allow for policing on ingress as well as auditing on egress. On the other hand, you would lose the ability to do inter-domain settlement and preferential dropping without keeping per-flow state. You would also have to invent some way to tie the signaling to the bearer flow (robust against spoofed headers). It might be desirable in some circumstances to interact with your first-hop policer; e.g., to request a token bucket upgrade in the event of an emergency. If the congestion is near the receiver, then it might be good to give that receiver some input into which flows get admitted. Do you see co-existence between Re-ECN and NSIS? Or is the signaling just a big can of worms that isn't justified given the lower effectiveness of DoS in a Re-ECN enabled network? -Pete
- [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question bmanning
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question bmanning
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question Woundy, Richard
- Re: [re-ECN] Charter Question Stewart Bryant
- Re: [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question Woundy, Richard
- Re: [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question bmanning
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question Bob Briscoe
- Re: [re-ECN] Charter Question David Harrington
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question McCann Peter-A001034
- [re-ECN] Preferential Dropping John Leslie
- Re: [re-ECN] Charter Question Bob Briscoe
- Re: [re-ECN] Preferential Dropping McCann Peter-A001034
- Re: [re-ECN] Preferential Dropping John Leslie
- Re: [re-ECN] Preferential Dropping Bob Briscoe
- Re: [re-ECN] Preferential Dropping McCann Peter-A001034
- Re: [re-ECN] Preferential Dropping Bob Briscoe
- Re: [re-ECN] Preferential Dropping McCann Peter-A001034