Re: [tcpm] FW: Review of draft-bagnulo-tcpm-generalized-ecn (David Black)
Bob Briscoe <ietf@bobbriscoe.net> Sat, 08 April 2017 00:12 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECBF71279EB for <tcpm@ietfa.amsl.com>; Fri, 7 Apr 2017 17:12:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8p9d9PqhLpMH for <tcpm@ietfa.amsl.com>; Fri, 7 Apr 2017 17:12:04 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7F3E129451 for <tcpm@ietf.org>; Fri, 7 Apr 2017 17:11:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=UCXanAcx60VSK/pwRCGvWbb7aUCLGda+WdeJjWjex4w=; b=7g+N39a6yhzhzP0Rj85IPSQR3S HBvOLXH0nHMWwTHQiIpUvlPZBCx38QzXQ57jBaCYiS37tGSOaS1N2In7oP2RIGsbSZNYqV363gLGC aPc8X7/++ywNo9h9Lk1D+JHnZVzQU3fHWzCbCmPmilkMd/sVJbIAThcIxU3FmXLLOF5VwzZZe+mxl QNbZ7sdNjE7vMINTTAm0ek2OLrQpvpWaWwFKQd9o54fyrYFmC7tjTE81FEd3R0fCafH1q6jG5XNjJ IZGRlvA5SCHJSXBcb4GVxSsuhZXD92m2qZe15vpvVoEG41ypWQ7htJc24BlWAkDX3PaCENU+UVXuj mttsFT+w==;
Received: from 203.6.208.46.dyn.plus.net ([46.208.6.203]:52346 helo=[192.168.0.3]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.88) (envelope-from <ietf@bobbriscoe.net>) id 1cwdyr-00030v-9g; Sat, 08 Apr 2017 01:11:53 +0100
To: "Black, David" <David.Black@dell.com>
References: <CE03DB3D7B45C245BCA0D243277949362F9B2DB4@MX307CL04.corp.emc.com> <3d53f6a4-697b-0c7a-8c71-524890312beb@bobbriscoe.net> <CE03DB3D7B45C245BCA0D243277949362F9B3960@MX307CL04.corp.emc.com>
Cc: "tcpm@ietf.org" <tcpm@ietf.org>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <5a4e46a0-bde7-8de5-f6a3-354f06fd9058@bobbriscoe.net>
Date: Sat, 08 Apr 2017 01:11:51 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362F9B3960@MX307CL04.corp.emc.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/2ShvRJZh36dvdWRspzTtoKHBqIM>
Subject: Re: [tcpm] FW: Review of draft-bagnulo-tcpm-generalized-ecn (David Black)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Apr 2017 00:12:09 -0000
David, On 2) I intend to replace the whole of "3.1 Network behaviour" with the following, which calls out the cases explicitly: Previously RFC3168 required the sender to set not-ECT on certain TCP control packets. Some readers might have erroneously interpreted this aspect of RFC3168 as a requirement for firewalls, intrusion detection systems, etc. to check and enforce this behaviour. Now that the present experimental specification allows TCP senders to set ECT on all TCP packets (control and data), it needs to be clear that a firewall (or any network node) SHOULD NOT treat any ECT packet differently dependent on what type of TCP packet it is. One potential exception is envisaged, otherwise the previous sentence could have said "MUST NOT" rather than "SHOULD NOT". The exception allows a security function that has detected an ongoing attack to drop more ECT marked SYNs than not-ECT marked SYNs. Such a policy SHOULD NOT be applied routinely. It SHOULD only be applied if an attack is detected, and then only if it is determined that the ECT capability is intensifying the attack. Bob On 07/04/17 23:33, Black, David wrote: > Bob, > > Two comments: > > 1) I'll wait for new text before commenting further on Accurate ECN vs. vanilla RFC 3168 ECN. The current text left me somewhat confused, and the summary of changes from RFC 3168 will almost certainly help. > > 2) On network node treatment of ECT, RFC 3168 is brief, e.g. (Section 5, top of p.7): > > The CE codepoint '11' is set by a router to indicate congestion to > the end nodes. > > One wants to avoid text that could be read as modifying that sentence by adding possible exceptions for TCP control packets and/or retransmissions. > >> [BB] Unfortunately, RFC3168 does not specify anything about network node >> forwarding behaviour wrt ECT. So some firewall policies could have >> decided to block any TCP control packets that contravene RFC3168. That's >> why we wrote this section. > If "firewalls" is what was meant, use that word ;-) ... or as you write ... > >> However I admit that, by not explaining that DPI was the problem we were >> trying to solve, rather than removing any ambiguity that might have been >> interpreted as a need for DPI. We'll fix this. > In doing so, please keep in mind that in this draft, discussion of forwarding and dropping behavior is implicitly about router queue management, not middlebox access control (e.g., based on DPI), so access control has to be called out explicitly when that is what is meant. > > Thanks, --David > -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Bob Briscoe
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Black, David
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Bob Briscoe
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Bob Briscoe
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Mirja Kühlewind
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Bob Briscoe
- Re: [tcpm] Review of draft-bagnulo-tcpm-generaliz… Mirja Kühlewind
- Re: [tcpm] FW: Review of draft-bagnulo-tcpm-gener… Bob Briscoe
- Re: [tcpm] Review of draft-bagnulo-tcpm-generaliz… Bob Briscoe
- [tcpm] FW: Review of draft-bagnulo-tcpm-generaliz… Black, David