Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
Bob Briscoe <ietf@bobbriscoe.net> Sun, 17 March 2019 02:05 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B90F1288BD for <tcpm@ietfa.amsl.com>; Sat, 16 Mar 2019 19:05:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHvygOT3eCSZ for <tcpm@ietfa.amsl.com>; Sat, 16 Mar 2019 19:05:31 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D620012796A for <tcpm@ietf.org>; Sat, 16 Mar 2019 19:05:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=7F2w4NlFAbM9sPCkDX6tjs+pmc+/VroOvGjSndebkXc=; b=FqliBlh7D5LyQy/0saLNoH21m OASR0GAHBbmuaToPqNwj2zaCh5bWs9hwXoZId7uUgUFoSj5ahLriiBPr9OUNy08O9Ve81hZfYPNo2 KmLrRNjKCerTLVpXG1eotOK579/NQ5mTxwpbG4f5BhCkkBxuEkpyvqRzP/rylMuxM/pIOtQf5oZMa GjHblEI9T3XpZwlHOc7FNoA0zpf+tmSlZ0ErODPn/VFgC947K+8LQQAMA0LpsHnXtBvCSRxT9rHkg Bq3/UBJWlutG4fHD2epKqVjVO/IhVhgPK/ixyzRcBuA2oQN1Z9B+rTsZQtIfLyRfVdOrhlldAPCMo QH6oYJioA==;
Received: from [31.185.135.153] (port=35588 helo=[192.168.0.7]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <ietf@bobbriscoe.net>) id 1h5LB1-0002SV-Ru; Sun, 17 Mar 2019 02:05:28 +0000
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: tcpm IETF list <tcpm@ietf.org>
References: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net> <c89b32b8-0865-e422-a554-539f731a9c55@bobbriscoe.net> <B2B58B47-D0C2-4593-B735-87C91298D13E@trammell.ch>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <6fa5db15-fc49-a662-6a33-ac11c97a30a6@bobbriscoe.net>
Date: Sun, 17 Mar 2019 02:05:27 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <B2B58B47-D0C2-4593-B735-87C91298D13E@trammell.ch>
Content-Type: multipart/alternative; boundary="------------F8AAB23B2497378D1A7E64E3"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/9RmOoVAKGM1mMeQhcN7FjQYI6ho>
Subject: Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2019 02:05:35 -0000
Brian, I've asked - I'll let you know once I hear. Bob On 16/03/2019 14:32, Brian Trammell (IETF) wrote: > Hi Bob, > > This seems eminently reasonable. I’m curious, would there be > equivalent pushback on _only_ adding the SNMP counter? One could > always use observation to debug once the counter starts going up... > > Cheers, > > Brian > > Sent from my iPhone > > On 16 Mar 2019, at 12:38, Bob Briscoe <ietf@bobbriscoe.net > <mailto:ietf@bobbriscoe.net>> wrote: > >> Folks, >> >> After offline discussion with the Linux maintainers, we have agreed >> on option #2, which is to make overstrict ECN test more specific to >> RFC3168 by only disabling ECN if a SYN has a non-zero IP-ECN field >> and the first six TCP flags in the main header are 0b000011. >> >> This will be a simple 1-line patch that maximizes the likelihood that >> it will be back-ported as far back as possible, hopefully back to the >> introduction of the over-strict test in May 2012. This should fix a >> large proportion of the installed base of Linux servers reasonably >> quickly. >> >> ==Logging== >> Separately we will submit a patch to add logging of each event that >> disables ECN, but only for future kernel versions, not for >> back-porting. However, there is resistance to any logging, so this >> might not be accepted. The proposal is >> * at default logging level, increment an SNMP count when ECN disabled >> for a connection due to a protocol violation >> * at increased logging level, on each event also write rate-limited >> kernel messages that record the client IP. >> >> Then, if a sysadmin wants to, they can get any network mangling fixed. >> >> >> Bob >> >> On 20/01/2019 23:31, Bob Briscoe wrote: >>> TCPM folks, >>> >>> RFC8311 and draft-ietf-tcpm-generalized-ecn enable ECN-capable SYNs. >>> However, if a client sends an ECN-capable SYN, existing Linux >>> servers disable ECN for the rest of the connection. >>> >>> To fix as many existing Linux servers as possible, as soon as >>> possible, I would recommend short-term solution #2 (see 'Three >>> Fixes' below). An alternative would be short-term solution #3. >>> >>> Anyone got a better fix? Anyone disagree with recommending #2? If >>> not, pls confirm your agreement. >>> >>> >>> Summary of Pros and Cons >>> >>> #2 pro: No longer ossifies non-ECN SYN >>> #2 pro: If a path does "unbleach" IP-ECN, protects the connection by >>> disabling ECN >>> #2 con: A residual degree of ossification remains >>> >>> #3 pro: No longer ossifies non-ECN SYN >>> #3 pro: No ossification at all >>> #3 con: If a path does "unbleach" IP-ECN, connection still attempts >>> to use ECN even though the path is mangling the ECN field. >>> >>> #1 is the full solution, but it should proceed in parallel as a >>> solution for the future, not to fix the past. >>> >>> >>> Background >>> >>> To negotiate ECN for a connection the client sets flag bits 8-9 in >>> the TCP header to 11 [RFC3168 Section 6.1.1] >>> <https://tools.ietf.org/html/rfc3168#section-6.1.1>. For your >>> convenience, I've included a picture of the TCP header flags at the end. >>> >>> In 2012 an additional test was patched into Linux servers. It >>> disables ECN for the connection unless the IP-ECN field of the SYN >>> is also zero (I'll call this the "overstrict ECN test"). >>> >>> This was because Section 6.1.1. of RFC3168 also said "A host MUST >>> NOT set ECT on SYN or SYN-ACK packets." Unfortunately, the >>> overstrict ECN test ossifies this requirement into TCP. >>> >>> The Linux patch was intended to protect a connection against the >>> network mangling the IP-ECN field to a non-zero value. >>> Unfortunately, it also disables ECN completely if a client tries to >>> set ECT in the IP-ECN field of the SYN. >>> >>> RFC8311 has now updated RFC3168 to allow ECT on a SYN, in >>> conjunction with the ECN++ experiment. But few developers are going >>> to set ECT on a SYN if it causes about 84% of servers to completely >>> disable ECN (see Section 4.2.2. of the ECN++ draft >>> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> >>> for further details and the source of these numbers). >>> >>> >>> Three Fixes >>> >>> I can think of three ways to fix existing Linux servers: >>> >>> 1. Deploy Accurate ECN >>> <https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> on >>> existing Linux servers. >>> * AccECN inherently replaces the overstrict ECN test with a >>> pair of proper two-ended tests for network mangling, in >>> which each end feeds back the arriving IP ECN field in its >>> TCP feedback. In contrast, the overstrict ECN test is >>> one-ended, with the server only assuming what the client set. >>> * Altho AccECN will solve the problem, it should not be relied >>> on to fix the last six years of Linux server deployment. >>> AccECN is a non-trivial update so it is unlikely to get >>> back-ported and auto-deployed to most existing Linux servers >>> any time soon. >>> 2. Make the overstrict ECN test more specific to RFC3168, and add >>> logging. >>> * Currently, the only proposal for allowing ECT on a SYN >>> requires the client to also request Accurate ECN feedback, >>> which requires TCP header bits 7-9 to be 111. >>> * Therefore, the overstrict ECN test in a Linux server could >>> be altered to solely apply if bits 7-9 == 011 (rather than >>> just testing if bits 8-9 == 11). >>> * However, I am concerned that this ossifies around the >>> solution based on ECN++ and AccECN. What if ECN++ needs to >>> be superseded by some future protocol that allows ECT on a >>> SYN when some other field is different (e.g. one of TCP's >>> three remaining reserved flags, or a new TCP option)? >>> * Unfortunately, we cannot test for the absence of a >>> yet-to-be-invented TCP option. Nonetheless, I suggest *the >>> overstrict ECN test in a Linux server should at least be >>> altered to solely apply if TCP header bits 4-9 == 000011*. >>> * I suggest Linux also *logs whenever it disables ECN due to >>> this test*, so that broken paths can be identified and fixed. >>> * An extremely simple patch like this would be much more >>> likely than #1 (AccECN) to be back-ported and deployed to >>> most existing servers via regular Linux auto-updates. >>> 3. As #2, but do not disable ECN when the test fails, just log >>> those paths suspected of mangling ECN. >>> * Our most recent measurements of millions of Internet paths >>> found no occurrences where zero IP-ECN on a SYN was changed >>> to non-zero ("unbleaching"). So we could just remove the test. >>> * However, no occurrences found does not mean none exist. >>> Altho we tested millions of paths, we only tested from a few >>> dozen vantage points, albeit we did test both mobile and >>> fixed networks (see Section 4.2.2. of the ECN++ draft >>> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> >>> for summary of tests). >>> * If the number of problematic paths is small, it would still >>> make sense to run the ECN test as proposed under item #2, >>> but not disable ECN if it fails. Instead, just log any >>> negative results, so the broken network elements can be >>> identified and fixed. >>> >>> Cheers >>> >>> >>> Bob >>> >>> PS. For convenience, here's the TCP header flags (assuming the >>> experimental AccECN protocol is approved as RFC): >>> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 >>> +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ >>> | | | A | C | E | U | A | P | R | S | F | >>> | Header Length | Reserved | E | W | C | R | C | S | S | Y | I | >>> | | | | R | E | G | K | H | T | N | N | >>> +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ >>> >>> >>> -- >>> ________________________________________________________________ >>> Bob Briscoehttp://bobbriscoe.net/ >> >> -- >> ________________________________________________________________ >> Bob Briscoehttp://bobbriscoe.net/ >> _______________________________________________ >> tcpm mailing list >> tcpm@ietf.org <mailto:tcpm@ietf.org> >> https://www.ietf.org/mailman/listinfo/tcpm -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- [tcpm] Does this fix sufficiently de-ossify overs… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Brian Trammell (IETF)
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe