Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
Bob Briscoe <ietf@bobbriscoe.net> Mon, 18 March 2019 00:17 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6944A12F18C for <tcpm@ietfa.amsl.com>; Sun, 17 Mar 2019 17:17:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dQe6OUxzbhXA for <tcpm@ietfa.amsl.com>; Sun, 17 Mar 2019 17:16:57 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FC11128B14 for <tcpm@ietf.org>; Sun, 17 Mar 2019 17:16:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:References:Cc:To:From:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=gZBP/MP0+EeM6+sqky67jl3ybzt2/JlfD9ibrb3wvFM=; b=JnY9TX++10+Yif+GsS9fOBobu N3VXi+mnWDWsBhvypt6Q67p2dsnznROcgyUtA7UxlKbjd6L0TnDYC7RZ7hkoSTmPE7a+rK9SM5yi6 eayyZNuprh60GpKENeXxl+/BOaKeuEEFQEvNXthcgOLW/6WVk1J1XeBJAHOrnEyaQht46rYZLpRJ+ dVlTEalwEpKuTjHPNtwIC719wnxJwI/7XKA00JAY/bKx7wIwn/99f86sLrcweKvsgFFzPWtdHnKeW aZ/k3UiXeyQFehyaxzbL1JL1Ul5JdRvhpD+KS5KPn73iyvCKB5bvLlg34XT9V0or7sn1ySEReSqDQ 5XW+dQEWg==;
Received: from [31.185.135.153] (port=37604 helo=[192.168.0.7]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <ietf@bobbriscoe.net>) id 1h5fxV-0003LQ-NZ; Mon, 18 Mar 2019 00:16:54 +0000
From: Bob Briscoe <ietf@bobbriscoe.net>
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: tcpm IETF list <tcpm@ietf.org>
References: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net> <c89b32b8-0865-e422-a554-539f731a9c55@bobbriscoe.net> <B2B58B47-D0C2-4593-B735-87C91298D13E@trammell.ch> <6fa5db15-fc49-a662-6a33-ac11c97a30a6@bobbriscoe.net>
Message-ID: <887403fc-59a3-c23f-ca5e-8a3cd4a69c65@bobbriscoe.net>
Date: Mon, 18 Mar 2019 00:16:53 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <6fa5db15-fc49-a662-6a33-ac11c97a30a6@bobbriscoe.net>
Content-Type: multipart/alternative; boundary="------------0A27312D6001F581A28799D5"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/tJXF6tu3Y8QNUWIEFzSqS1mBgKM>
Subject: Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2019 00:17:02 -0000
Brian, Looks like adding only an SNMP counter could be acceptable. We'll submit a patch for net-next on that basis (as well as a patch without logging for net-stable). Bob On 17/03/2019 02:05, Bob Briscoe wrote: > Brian, > I've asked - I'll let you know once I hear. > > Bob > > On 16/03/2019 14:32, Brian Trammell (IETF) wrote: >> Hi Bob, >> >> This seems eminently reasonable. I’m curious, would there be >> equivalent pushback on _only_ adding the SNMP counter? One could >> always use observation to debug once the counter starts going up... >> >> Cheers, >> >> Brian >> >> Sent from my iPhone >> >> On 16 Mar 2019, at 12:38, Bob Briscoe <ietf@bobbriscoe.net >> <mailto:ietf@bobbriscoe.net>> wrote: >> >>> Folks, >>> >>> After offline discussion with the Linux maintainers, we have agreed >>> on option #2, which is to make overstrict ECN test more specific to >>> RFC3168 by only disabling ECN if a SYN has a non-zero IP-ECN field >>> and the first six TCP flags in the main header are 0b000011. >>> >>> This will be a simple 1-line patch that maximizes the likelihood >>> that it will be back-ported as far back as possible, hopefully back >>> to the introduction of the over-strict test in May 2012. This should >>> fix a large proportion of the installed base of Linux servers >>> reasonably quickly. >>> >>> ==Logging== >>> Separately we will submit a patch to add logging of each event that >>> disables ECN, but only for future kernel versions, not for >>> back-porting. However, there is resistance to any logging, so this >>> might not be accepted. The proposal is >>> * at default logging level, increment an SNMP count when ECN >>> disabled for a connection due to a protocol violation >>> * at increased logging level, on each event also write rate-limited >>> kernel messages that record the client IP. >>> >>> Then, if a sysadmin wants to, they can get any network mangling fixed. >>> >>> >>> Bob >>> >>> On 20/01/2019 23:31, Bob Briscoe wrote: >>>> TCPM folks, >>>> >>>> RFC8311 and draft-ietf-tcpm-generalized-ecn enable ECN-capable >>>> SYNs. However, if a client sends an ECN-capable SYN, existing Linux >>>> servers disable ECN for the rest of the connection. >>>> >>>> To fix as many existing Linux servers as possible, as soon as >>>> possible, I would recommend short-term solution #2 (see 'Three >>>> Fixes' below). An alternative would be short-term solution #3. >>>> >>>> Anyone got a better fix? Anyone disagree with recommending #2? If >>>> not, pls confirm your agreement. >>>> >>>> >>>> Summary of Pros and Cons >>>> >>>> #2 pro: No longer ossifies non-ECN SYN >>>> #2 pro: If a path does "unbleach" IP-ECN, protects the connection >>>> by disabling ECN >>>> #2 con: A residual degree of ossification remains >>>> >>>> #3 pro: No longer ossifies non-ECN SYN >>>> #3 pro: No ossification at all >>>> #3 con: If a path does "unbleach" IP-ECN, connection still attempts >>>> to use ECN even though the path is mangling the ECN field. >>>> >>>> #1 is the full solution, but it should proceed in parallel as a >>>> solution for the future, not to fix the past. >>>> >>>> >>>> Background >>>> >>>> To negotiate ECN for a connection the client sets flag bits 8-9 in >>>> the TCP header to 11 [RFC3168 Section 6.1.1] >>>> <https://tools.ietf.org/html/rfc3168#section-6.1.1>. For your >>>> convenience, I've included a picture of the TCP header flags at the >>>> end. >>>> >>>> In 2012 an additional test was patched into Linux servers. It >>>> disables ECN for the connection unless the IP-ECN field of the SYN >>>> is also zero (I'll call this the "overstrict ECN test"). >>>> >>>> This was because Section 6.1.1. of RFC3168 also said "A host MUST >>>> NOT set ECT on SYN or SYN-ACK packets." Unfortunately, the >>>> overstrict ECN test ossifies this requirement into TCP. >>>> >>>> The Linux patch was intended to protect a connection against the >>>> network mangling the IP-ECN field to a non-zero value. >>>> Unfortunately, it also disables ECN completely if a client tries to >>>> set ECT in the IP-ECN field of the SYN. >>>> >>>> RFC8311 has now updated RFC3168 to allow ECT on a SYN, in >>>> conjunction with the ECN++ experiment. But few developers are going >>>> to set ECT on a SYN if it causes about 84% of servers to completely >>>> disable ECN (see Section 4.2.2. of the ECN++ draft >>>> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> >>>> for further details and the source of these numbers). >>>> >>>> >>>> Three Fixes >>>> >>>> I can think of three ways to fix existing Linux servers: >>>> >>>> 1. Deploy Accurate ECN >>>> <https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> on >>>> existing Linux servers. >>>> * AccECN inherently replaces the overstrict ECN test with a >>>> pair of proper two-ended tests for network mangling, in >>>> which each end feeds back the arriving IP ECN field in its >>>> TCP feedback. In contrast, the overstrict ECN test is >>>> one-ended, with the server only assuming what the client set. >>>> * Altho AccECN will solve the problem, it should not be >>>> relied on to fix the last six years of Linux server >>>> deployment. AccECN is a non-trivial update so it is >>>> unlikely to get back-ported and auto-deployed to most >>>> existing Linux servers any time soon. >>>> 2. Make the overstrict ECN test more specific to RFC3168, and add >>>> logging. >>>> * Currently, the only proposal for allowing ECT on a SYN >>>> requires the client to also request Accurate ECN feedback, >>>> which requires TCP header bits 7-9 to be 111. >>>> * Therefore, the overstrict ECN test in a Linux server could >>>> be altered to solely apply if bits 7-9 == 011 (rather than >>>> just testing if bits 8-9 == 11). >>>> * However, I am concerned that this ossifies around the >>>> solution based on ECN++ and AccECN. What if ECN++ needs to >>>> be superseded by some future protocol that allows ECT on a >>>> SYN when some other field is different (e.g. one of TCP's >>>> three remaining reserved flags, or a new TCP option)? >>>> * Unfortunately, we cannot test for the absence of a >>>> yet-to-be-invented TCP option. Nonetheless, I suggest *the >>>> overstrict ECN test in a Linux server should at least be >>>> altered to solely apply if TCP header bits 4-9 == 000011*. >>>> * I suggest Linux also *logs whenever it disables ECN due to >>>> this test*, so that broken paths can be identified and fixed. >>>> * An extremely simple patch like this would be much more >>>> likely than #1 (AccECN) to be back-ported and deployed to >>>> most existing servers via regular Linux auto-updates. >>>> 3. As #2, but do not disable ECN when the test fails, just log >>>> those paths suspected of mangling ECN. >>>> * Our most recent measurements of millions of Internet paths >>>> found no occurrences where zero IP-ECN on a SYN was changed >>>> to non-zero ("unbleaching"). So we could just remove the test. >>>> * However, no occurrences found does not mean none exist. >>>> Altho we tested millions of paths, we only tested from a >>>> few dozen vantage points, albeit we did test both mobile >>>> and fixed networks (see Section 4.2.2. of the ECN++ draft >>>> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> >>>> for summary of tests). >>>> * If the number of problematic paths is small, it would still >>>> make sense to run the ECN test as proposed under item #2, >>>> but not disable ECN if it fails. Instead, just log any >>>> negative results, so the broken network elements can be >>>> identified and fixed. >>>> >>>> Cheers >>>> >>>> >>>> Bob >>>> >>>> PS. For convenience, here's the TCP header flags (assuming the >>>> experimental AccECN protocol is approved as RFC): >>>> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 >>>> +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ >>>> | | | A | C | E | U | A | P | R | S | F | >>>> | Header Length | Reserved | E | W | C | R | C | S | S | Y | I | >>>> | | | | R | E | G | K | H | T | N | N | >>>> +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ >>>> >>>> >>>> -- >>>> ________________________________________________________________ >>>> Bob Briscoehttp://bobbriscoe.net/ >>> >>> -- >>> ________________________________________________________________ >>> Bob Briscoehttp://bobbriscoe.net/ >>> _______________________________________________ >>> tcpm mailing list >>> tcpm@ietf.org <mailto:tcpm@ietf.org> >>> https://www.ietf.org/mailman/listinfo/tcpm > > -- > ________________________________________________________________ > Bob Briscoehttp://bobbriscoe.net/ -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- [tcpm] Does this fix sufficiently de-ossify overs… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Brian Trammell (IETF)
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe