IETF Logo Mail Archive

Re: [tcpm] FW: Review of draft-bagnulo-tcpm-generalized-ecn (David Black)

Bob Briscoe <ietf@bobbriscoe.net> Fri, 14 April 2017 01:14 UTC

Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B13A81242EA for <tcpm@ietfa.amsl.com>; Thu, 13 Apr 2017 18:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K0JXfgiMjMTm for <tcpm@ietfa.amsl.com>; Thu, 13 Apr 2017 18:14:03 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01F5B127599 for <tcpm@ietf.org>; Thu, 13 Apr 2017 18:14:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:Cc:References:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=gc7MeMQpYj4jvmTaWHujPbMjUcY/P8vvFWDBY5BqSRc=; b=snBN3eT7d9i9cPeOmYvtDgxiN8 Cs5xm9DdEmqTjw4sMgrfUe5FiHu5vbwBrcSLeloJRWoT9IKG3Nbi40nMJdklP12yzHPWVhnQv5S3I 1kJ50f38r3QLCmF5yMIfAGWUkrVL57b2Yf8eBtIaQxHy4HHQ1tYBhz4tGeykVlKf0Qy8ua9P7rRjI G8sgtRgaT5ZB3j2yOIysxlRHta+F8ffeJZXcHrvt4Ts1F4Bmij2SxoS9RldSX9HRGfT+VDGCfBtSP ItQKGWfrnqs+9yfrbsB9i2Pvc9Jbp+JWLpG8fbikBV75oJOHje5lrVTK2sWS/JQeNKqYPA9f5X1mw W2VMgGSg==;
Received: from 203.6.208.46.dyn.plus.net ([46.208.6.203]:38728 helo=[192.168.0.3]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.88) (envelope-from <ietf@bobbriscoe.net>) id 1cypoF-0000l3-Jt; Fri, 14 Apr 2017 02:13:59 +0100
To: "Black, David" <David.Black@dell.com>
References: <CE03DB3D7B45C245BCA0D243277949362F9B2DB4@MX307CL04.corp.emc.com> <3d53f6a4-697b-0c7a-8c71-524890312beb@bobbriscoe.net> <CE03DB3D7B45C245BCA0D243277949362F9B3960@MX307CL04.corp.emc.com> <5a4e46a0-bde7-8de5-f6a3-354f06fd9058@bobbriscoe.net>
Cc: "tcpm@ietf.org" <tcpm@ietf.org>, marcelo bagnulo braun <marcelo@it.uc3m.es>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <94ff22d6-69b3-164a-8bdb-07149f3e58b3@bobbriscoe.net>
Date: Fri, 14 Apr 2017 02:13:58 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <5a4e46a0-bde7-8de5-f6a3-354f06fd9058@bobbriscoe.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/mXLmNEzQ6ntwdAUfqqdSeAym4dc>
Subject: Re: [tcpm] FW: Review of draft-bagnulo-tcpm-generalized-ecn (David Black)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2017 01:14:06 -0000

David,

I hope you will find that I have addressed all your concerns - so at 
least you will be able to understand it now.
The draft is now unexpired.

I have also addressed all the points in Mirja's review (some 
intersecting with your points).

You will see that it's actually turned into quite a major re-write. The 
diff is nearly total, mainly cos I was turning Spanglish into English as 
I went (Marcelo, it was quite understandable, but just not quite how a 
native English speaker would say it).

However, I have changed technical points in a few places too - the more 
one thinks about this, the more depth one finds.

I just noticed I missed one of your nits (shortening the definition of 
Retransmission), which I have already fixed in my local copy of the xml 
for the next rev.



Bob


On 08/04/17 01:11, Bob Briscoe wrote:
> David,
>
> On 2) I intend to replace the whole of "3.1 Network behaviour" with 
> the following, which calls out the cases explicitly:
>
> Previously RFC3168 required the sender to set not-ECT on certain TCP 
> control packets. Some readers might have erroneously interpreted this 
> aspect of RFC3168 as a requirement for firewalls, intrusion detection 
> systems, etc. to check and enforce this behaviour. Now that the 
> present experimental specification allows TCP senders to set ECT on 
> all TCP packets (control and data), it needs to be clear that a 
> firewall (or any network node) SHOULD NOT treat any ECT packet 
> differently dependent on what type of TCP packet it is.
>
> One potential exception is envisaged, otherwise the previous sentence 
> could have said "MUST NOT" rather than "SHOULD NOT". The exception 
> allows a security function that has detected an ongoing attack to drop 
> more ECT marked SYNs than not-ECT marked SYNs. Such a policy SHOULD 
> NOT be applied routinely. It SHOULD only be applied if an attack is 
> detected, and then only if it is determined that the ECT capability is 
> intensifying the attack.
>
>
> Bob
>
> On 07/04/17 23:33, Black, David wrote:
>> Bob,
>>
>> Two comments:
>>
>> 1) I'll wait for new text before commenting further on Accurate ECN 
>> vs. vanilla RFC 3168 ECN.  The current text left me somewhat 
>> confused, and the summary of changes from RFC 3168 will almost 
>> certainly help.
>>
>> 2) On network node treatment of ECT, RFC 3168 is brief, e.g. (Section 
>> 5, top of p.7):
>>
>>     The CE codepoint '11' is set by a router to indicate congestion to
>>     the end nodes.
>>
>> One wants to avoid text that could be read as modifying that sentence 
>> by adding possible exceptions for TCP control packets and/or 
>> retransmissions.
>>
>>> [BB] Unfortunately, RFC3168 does not specify anything about network 
>>> node
>>> forwarding behaviour wrt ECT. So some firewall policies could have
>>> decided to block any TCP control packets that contravene RFC3168. 
>>> That's
>>> why we wrote this section.
>> If "firewalls" is what was meant, use that word ;-) ... or as you 
>> write ...
>>
>>> However I admit that, by not explaining that DPI was the problem we 
>>> were
>>> trying to solve, rather than removing any ambiguity that might have 
>>> been
>>> interpreted as a need for DPI. We'll fix this.
>> In doing so, please keep in mind that in this draft, discussion of 
>> forwarding  and dropping behavior is implicitly about router queue 
>> management, not middlebox access control (e.g., based on DPI), so 
>> access control has to be called out explicitly when that is what is 
>> meant.
>>
>> Thanks, --David
>>
>
>

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email