IETF Logo Mail Archive

Re: [tcpm] FW: Review of draft-bagnulo-tcpm-generalized-ecn (David Black)

Bob Briscoe <ietf@bobbriscoe.net> Tue, 18 April 2017 09:40 UTC

Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9A16129A91 for <tcpm@ietfa.amsl.com>; Tue, 18 Apr 2017 02:40:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id raB1Vz7p7fbi for <tcpm@ietfa.amsl.com>; Tue, 18 Apr 2017 02:40:54 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CE54129A9B for <tcpm@ietf.org>; Tue, 18 Apr 2017 02:40:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:Cc:References:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=oab7e+t0iJTpcrUZWJO7IL9U7oqqI7IhE8Sdc6ime68=; b=8nkP7YSrgCzZdZdFB3BMXHkZF prM57EgLNREaK4J0HLxQ0T/ofjZN7fLNTYI0/F1urIY0cHUEAvAZFdmhpKaBkn7iOBPNfuxsYQwr6 pMncfDNufrIOBe3pHNzR6RzpwrNrlqBtyAWrV8lJa8BXqoHoCL+RWIBxLjtfda0vUQo3DJW34F+Km WR651qUgRigbZnIAOOkZBfUKQiDJPvyuI8ihKqqwg5kJaK9MlBCm6W51+oFCfLIM71Z9i+aloxQOU U0tENYawCdDU00UorDTVaPK3Wv1ftBTKeMpcgHUSUj3nanp47yYqeIiL8MuK9ch0WDk76LHz8rzPZ oWErMJcQg==;
Received: from 188.6.208.46.dyn.plus.net ([46.208.6.188]:44628 helo=[192.168.0.2]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <ietf@bobbriscoe.net>) id 1d0Pcx-0006XZ-Dm; Tue, 18 Apr 2017 10:40:51 +0100
To: "Black, David" <David.Black@dell.com>, "tcpm@ietf.org" <tcpm@ietf.org>, Mirja Kuehlewind <mirja.kuehlewind@tik.ee.ethz.ch>
References: <CE03DB3D7B45C245BCA0D243277949362F9B2DB4@MX307CL04.corp.emc.com> <3d53f6a4-697b-0c7a-8c71-524890312beb@bobbriscoe.net> <CE03DB3D7B45C245BCA0D243277949362F9B3960@MX307CL04.corp.emc.com> <5a4e46a0-bde7-8de5-f6a3-354f06fd9058@bobbriscoe.net> <94ff22d6-69b3-164a-8bdb-07149f3e58b3@bobbriscoe.net>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <9796d961-292e-e257-a2d8-c0321f61b31a@bobbriscoe.net>
Date: Tue, 18 Apr 2017 10:40:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <94ff22d6-69b3-164a-8bdb-07149f3e58b3@bobbriscoe.net>
Content-Type: multipart/alternative; boundary="------------E7B35680930C707647B26088"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/1Ghh7ElhBta47jzsKT0qVJWXPvQ>
Subject: Re: [tcpm] FW: Review of draft-bagnulo-tcpm-generalized-ecn (David Black)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2017 09:40:57 -0000

David, Mirja, list,

Thanks again for your reviews of the -00. I've been busy over the w/e 
after thinking more deeply about some of your comments and after 
realizing that RFC3168 contained an assumption that a single pure ACK 
implies that all other packets in that direction are pure ACKs, which is 
not true in general.

We've produced another rev (draft-bagnulo-tcpm-generalized-ecn-02 
<https://tools.ietf.org/html/draft-bagnulo-tcpm-generalized-ecn-02>).

This is a general invitation for anyone on the list, including you two, 
to review this again, so we can ask for an informed adoption call.

We need people with the following expertise:
* TCP hijacking and DoS/flooding attacks
* Specific TCP implementations (Linux, FreeBSD, iOS, Windows, etc).
* All the common variants of TCP

We have identified clearly where decisions are needed.
As well as where more measurements are needed.

Main changes:
* Moved more discursive text from S.3 (Spec) to S.5 (Arguments against 
RFCs)
* Major changes to Pure ACK sections and the reliability argument, to 
address Mirja's arguments better, and to separately address cwnd 
response (required) and ACK-rate response (optional but not required).
* Referred to Network Behaviour in ecn-experimentation, rather than 
repeating it.
* Fixed description of window probe.
* Recommended RFC 5961, which gives much stronger packet validity checks 
for retransmissions, RSTs & FINs.

Cheers


Bob


On 14/04/17 02:13, Bob Briscoe wrote:
> David,
>
> I hope you will find that I have addressed all your concerns - so at 
> least you will be able to understand it now.
> The draft is now unexpired.
>
> I have also addressed all the points in Mirja's review (some 
> intersecting with your points).
>
> You will see that it's actually turned into quite a major re-write. 
> The diff is nearly total, mainly cos I was turning Spanglish into 
> English as I went (Marcelo, it was quite understandable, but just not 
> quite how a native English speaker would say it).
>
> However, I have changed technical points in a few places too - the 
> more one thinks about this, the more depth one finds.
>
> I just noticed I missed one of your nits (shortening the definition of 
> Retransmission), which I have already fixed in my local copy of the 
> xml for the next rev.
>
>
>
> Bob
>
>
> On 08/04/17 01:11, Bob Briscoe wrote:
>> David,
>>
>> On 2) I intend to replace the whole of "3.1 Network behaviour" with 
>> the following, which calls out the cases explicitly:
>>
>> Previously RFC3168 required the sender to set not-ECT on certain TCP 
>> control packets. Some readers might have erroneously interpreted this 
>> aspect of RFC3168 as a requirement for firewalls, intrusion detection 
>> systems, etc. to check and enforce this behaviour. Now that the 
>> present experimental specification allows TCP senders to set ECT on 
>> all TCP packets (control and data), it needs to be clear that a 
>> firewall (or any network node) SHOULD NOT treat any ECT packet 
>> differently dependent on what type of TCP packet it is.
>>
>> One potential exception is envisaged, otherwise the previous sentence 
>> could have said "MUST NOT" rather than "SHOULD NOT". The exception 
>> allows a security function that has detected an ongoing attack to 
>> drop more ECT marked SYNs than not-ECT marked SYNs. Such a policy 
>> SHOULD NOT be applied routinely. It SHOULD only be applied if an 
>> attack is detected, and then only if it is determined that the ECT 
>> capability is intensifying the attack.
>>
>>
>> Bob
>>
>> On 07/04/17 23:33, Black, David wrote:
>>> Bob,
>>>
>>> Two comments:
>>>
>>> 1) I'll wait for new text before commenting further on Accurate ECN 
>>> vs. vanilla RFC 3168 ECN.  The current text left me somewhat 
>>> confused, and the summary of changes from RFC 3168 will almost 
>>> certainly help.
>>>
>>> 2) On network node treatment of ECT, RFC 3168 is brief, e.g. 
>>> (Section 5, top of p.7):
>>>
>>>     The CE codepoint '11' is set by a router to indicate congestion to
>>>     the end nodes.
>>>
>>> One wants to avoid text that could be read as modifying that 
>>> sentence by adding possible exceptions for TCP control packets 
>>> and/or retransmissions.
>>>
>>>> [BB] Unfortunately, RFC3168 does not specify anything about network 
>>>> node
>>>> forwarding behaviour wrt ECT. So some firewall policies could have
>>>> decided to block any TCP control packets that contravene RFC3168. 
>>>> That's
>>>> why we wrote this section.
>>> If "firewalls" is what was meant, use that word ;-) ... or as you 
>>> write ...
>>>
>>>> However I admit that, by not explaining that DPI was the problem we 
>>>> were
>>>> trying to solve, rather than removing any ambiguity that might have 
>>>> been
>>>> interpreted as a need for DPI. We'll fix this.
>>> In doing so, please keep in mind that in this draft, discussion of 
>>> forwarding  and dropping behavior is implicitly about router queue 
>>> management, not middlebox access control (e.g., based on DPI), so 
>>> access control has to be called out explicitly when that is what is 
>>> meant.
>>>
>>> Thanks, --David
>>>
>>
>>
>

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email