IETF Logo Mail Archive

Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?

Bob Briscoe <ietf@bobbriscoe.net> Mon, 18 March 2019 00:17 UTC

Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6944A12F18C for <tcpm@ietfa.amsl.com>; Sun, 17 Mar 2019 17:17:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dQe6OUxzbhXA for <tcpm@ietfa.amsl.com>; Sun, 17 Mar 2019 17:16:57 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FC11128B14 for <tcpm@ietf.org>; Sun, 17 Mar 2019 17:16:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:References:Cc:To:From:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=gZBP/MP0+EeM6+sqky67jl3ybzt2/JlfD9ibrb3wvFM=; b=JnY9TX++10+Yif+GsS9fOBobu N3VXi+mnWDWsBhvypt6Q67p2dsnznROcgyUtA7UxlKbjd6L0TnDYC7RZ7hkoSTmPE7a+rK9SM5yi6 eayyZNuprh60GpKENeXxl+/BOaKeuEEFQEvNXthcgOLW/6WVk1J1XeBJAHOrnEyaQht46rYZLpRJ+ dVlTEalwEpKuTjHPNtwIC719wnxJwI/7XKA00JAY/bKx7wIwn/99f86sLrcweKvsgFFzPWtdHnKeW aZ/k3UiXeyQFehyaxzbL1JL1Ul5JdRvhpD+KS5KPn73iyvCKB5bvLlg34XT9V0or7sn1ySEReSqDQ 5XW+dQEWg==;
Received: from [31.185.135.153] (port=37604 helo=[192.168.0.7]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <ietf@bobbriscoe.net>) id 1h5fxV-0003LQ-NZ; Mon, 18 Mar 2019 00:16:54 +0000
From: Bob Briscoe <ietf@bobbriscoe.net>
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: tcpm IETF list <tcpm@ietf.org>
References: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net> <c89b32b8-0865-e422-a554-539f731a9c55@bobbriscoe.net> <B2B58B47-D0C2-4593-B735-87C91298D13E@trammell.ch> <6fa5db15-fc49-a662-6a33-ac11c97a30a6@bobbriscoe.net>
Message-ID: <887403fc-59a3-c23f-ca5e-8a3cd4a69c65@bobbriscoe.net>
Date: Mon, 18 Mar 2019 00:16:53 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <6fa5db15-fc49-a662-6a33-ac11c97a30a6@bobbriscoe.net>
Content-Type: multipart/alternative; boundary="------------0A27312D6001F581A28799D5"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/tJXF6tu3Y8QNUWIEFzSqS1mBgKM>
Subject: Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 00:17:02 -0000

Brian,

Looks like adding only an SNMP counter could be acceptable. We'll submit 
a patch for net-next on that basis (as well as a patch without logging 
for net-stable).


Bob

On 17/03/2019 02:05, Bob Briscoe wrote:
> Brian,
> I've asked - I'll let you know once I hear.
>
> Bob
>
> On 16/03/2019 14:32, Brian Trammell (IETF) wrote:
>> Hi Bob,
>>
>> This seems eminently reasonable. I’m curious, would there be 
>> equivalent pushback on _only_ adding the SNMP counter? One could 
>> always use observation to debug once the counter starts going up...
>>
>> Cheers,
>>
>> Brian
>>
>> Sent from my iPhone
>>
>> On 16 Mar 2019, at 12:38, Bob Briscoe <ietf@bobbriscoe.net 
>> <mailto:ietf@bobbriscoe.net>> wrote:
>>
>>> Folks,
>>>
>>> After offline discussion with the Linux maintainers, we have agreed 
>>> on option #2, which is to make overstrict ECN test more specific to 
>>> RFC3168 by only disabling ECN if a SYN has a non-zero IP-ECN field 
>>> and the first six TCP flags in the main header are 0b000011.
>>>
>>> This will be a simple 1-line patch that maximizes the likelihood 
>>> that it will be back-ported as far back as possible, hopefully back 
>>> to the introduction of the over-strict test in May 2012. This should 
>>> fix a large proportion of the installed base of Linux servers 
>>> reasonably quickly.
>>>
>>> ==Logging==
>>> Separately we will submit a patch to add logging of each event that 
>>> disables ECN, but only for future kernel versions, not for 
>>> back-porting. However, there is resistance to any logging, so this 
>>> might not be accepted. The proposal is
>>> * at default logging level, increment an SNMP count when ECN 
>>> disabled for a connection due to a protocol violation
>>> * at increased logging level, on each event also write rate-limited 
>>> kernel messages that record the client IP.
>>>
>>> Then, if a sysadmin wants to, they can get any network mangling fixed.
>>>
>>>
>>> Bob
>>>
>>> On 20/01/2019 23:31, Bob Briscoe wrote:
>>>> TCPM folks,
>>>>
>>>> RFC8311 and draft-ietf-tcpm-generalized-ecn enable ECN-capable 
>>>> SYNs. However, if a client sends an ECN-capable SYN, existing Linux 
>>>> servers disable ECN for the rest of the connection.
>>>>
>>>> To fix as many existing Linux servers as possible, as soon as 
>>>> possible, I would recommend short-term solution #2 (see 'Three 
>>>> Fixes' below). An alternative would be short-term solution #3.
>>>>
>>>> Anyone got a better fix? Anyone disagree with recommending #2? If 
>>>> not, pls confirm your agreement.
>>>>
>>>>
>>>>       Summary of Pros and Cons
>>>>
>>>> #2 pro: No longer ossifies non-ECN SYN
>>>> #2 pro: If a path does "unbleach" IP-ECN, protects the connection 
>>>> by disabling ECN
>>>> #2 con: A residual degree of ossification remains
>>>>
>>>> #3 pro: No longer ossifies non-ECN SYN
>>>> #3 pro: No ossification at all
>>>> #3 con: If a path does "unbleach" IP-ECN, connection still attempts 
>>>> to use ECN even though the path is mangling the ECN field.
>>>>
>>>> #1 is the full solution, but it should proceed in parallel as a 
>>>> solution for the future, not to fix the past.
>>>>
>>>>
>>>>       Background
>>>>
>>>> To negotiate ECN for a connection the client sets flag bits 8-9 in 
>>>> the TCP header to 11 [RFC3168 Section 6.1.1] 
>>>> <https://tools.ietf.org/html/rfc3168#section-6.1.1>. For your 
>>>> convenience, I've included a picture of the TCP header flags at the 
>>>> end.
>>>>
>>>> In 2012 an additional test was patched into Linux servers. It 
>>>> disables ECN for the connection unless the IP-ECN field of the SYN 
>>>> is also zero (I'll call this the "overstrict ECN test").
>>>>
>>>> This was because Section 6.1.1. of RFC3168 also said "A host MUST 
>>>> NOT set ECT on SYN or SYN-ACK packets." Unfortunately, the 
>>>> overstrict ECN test ossifies this requirement into TCP.
>>>>
>>>> The Linux patch was intended to protect a connection against the 
>>>> network mangling the IP-ECN field to a non-zero value. 
>>>> Unfortunately, it also disables ECN completely if a client tries to 
>>>> set ECT in the IP-ECN field of the SYN.
>>>>
>>>> RFC8311 has now updated RFC3168 to allow ECT on a SYN, in 
>>>> conjunction with the ECN++ experiment. But few developers are going 
>>>> to set ECT on a SYN if it causes about 84% of servers to completely 
>>>> disable ECN (see Section 4.2.2. of the ECN++ draft 
>>>> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> 
>>>> for further details and the source of these numbers).
>>>>
>>>>
>>>>       Three Fixes
>>>>
>>>> I can think of three ways to fix existing Linux servers:
>>>>
>>>>  1. Deploy Accurate ECN
>>>>     <https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> on
>>>>     existing Linux servers.
>>>>       * AccECN inherently replaces the overstrict ECN test with a
>>>>         pair of proper two-ended tests for network mangling, in
>>>>         which each end feeds back the arriving IP ECN field in its
>>>>         TCP feedback. In contrast, the overstrict ECN test is
>>>>         one-ended, with the server only assuming what the client set.
>>>>       * Altho AccECN will solve the problem, it should not be
>>>>         relied on to fix the last six years of Linux server
>>>>         deployment. AccECN is a non-trivial update so it is
>>>>         unlikely to get back-ported and auto-deployed to most
>>>>         existing Linux servers any time soon.
>>>>  2. Make the overstrict ECN test more specific to RFC3168, and add
>>>>     logging.
>>>>       * Currently, the only proposal for allowing ECT on a SYN
>>>>         requires the client to also request Accurate ECN feedback,
>>>>         which requires TCP header bits 7-9 to be 111.
>>>>       * Therefore, the overstrict ECN test in a Linux server could
>>>>         be altered to solely apply if bits 7-9 == 011 (rather than
>>>>         just testing if bits 8-9 == 11).
>>>>       * However, I am concerned that this ossifies around the
>>>>         solution based on ECN++ and AccECN. What if ECN++ needs to
>>>>         be superseded by some future protocol that allows ECT on a
>>>>         SYN when some other field is different (e.g. one of TCP's
>>>>         three remaining reserved flags, or a new TCP option)?
>>>>       * Unfortunately, we cannot test for the absence of a
>>>>         yet-to-be-invented TCP option. Nonetheless, I suggest *the
>>>>         overstrict ECN test in a Linux server should at least be
>>>>         altered to solely apply if TCP header bits 4-9 == 000011*.
>>>>       * I suggest Linux also *logs whenever it disables ECN due to
>>>>         this test*, so that broken paths can be identified and fixed.
>>>>       * An extremely simple patch like this would be much more
>>>>         likely than #1 (AccECN) to be back-ported and deployed to
>>>>         most existing servers via regular Linux auto-updates.
>>>>  3. As #2, but do not disable ECN when the test fails, just log
>>>>     those paths suspected of mangling ECN.
>>>>       * Our most recent measurements of millions of Internet paths
>>>>         found no occurrences where zero IP-ECN on a SYN was changed
>>>>         to non-zero ("unbleaching"). So we could just remove the test.
>>>>       * However, no occurrences found does not mean none exist.
>>>>         Altho we tested millions of paths, we only tested from a
>>>>         few dozen vantage points, albeit we did test both mobile
>>>>         and fixed networks (see Section 4.2.2. of the ECN++ draft
>>>>         <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2>
>>>>         for summary of tests).
>>>>       * If the number of problematic paths is small, it would still
>>>>         make sense to run the ECN test as proposed under item #2,
>>>>         but not disable ECN if it fails. Instead, just log any
>>>>         negative results, so the broken network elements can be
>>>>         identified and fixed.
>>>>
>>>> Cheers
>>>>
>>>>
>>>> Bob
>>>>
>>>> PS. For convenience, here's the TCP header flags (assuming the 
>>>> experimental AccECN protocol is approved as RFC):
>>>>         0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
>>>>       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
>>>>       |               |           | A | C | E | U | A | P | R | S | F |
>>>>       | Header Length | Reserved  | E | W | C | R | C | S | S | Y | I |
>>>>       |               |           |   | R | E | G | K | H | T | N | N |
>>>>       +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
>>>>
>>>>
>>>> -- 
>>>> ________________________________________________________________
>>>> Bob Briscoehttp://bobbriscoe.net/
>>>
>>> -- 
>>> ________________________________________________________________
>>> Bob Briscoehttp://bobbriscoe.net/
>>> _______________________________________________
>>> tcpm mailing list
>>> tcpm@ietf.org <mailto:tcpm@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/tcpm
>
> -- 
> ________________________________________________________________
> Bob Briscoehttp://bobbriscoe.net/

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email