Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
Bob Briscoe <ietf@bobbriscoe.net> Sat, 16 March 2019 11:38 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3848B1277C9 for <tcpm@ietfa.amsl.com>; Sat, 16 Mar 2019 04:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmlfJwY-k_QA for <tcpm@ietfa.amsl.com>; Sat, 16 Mar 2019 04:38:25 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49396127887 for <tcpm@ietf.org>; Sat, 16 Mar 2019 04:38:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:References:Cc:To:From:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=LEY/8gzvA2t4zNrgueyJQIXSzazIu0s2lGrtdaANW+w=; b=BU/WArjBbgrFHF28K2BCeaKRO 3kR980jQEgQOi3wFvh7S16Z2pIYsO/EW4rMpcvxE9AFO/HwRSClqxsamBK10FD12ac2VKhuKlvupF gF8Pzo/jBp35H+da9FrR+h0VwXgFCuJNbUiLFbC6BJ0WDp29NLWi73ApkA1ylQo/4m3GBbmLNc3Zn dfmX9t71DCXudNmDF6pNUX2rQvp9ri8KFSt8QOFApI/ghhod2aWwb+L31TDJtztnIExaly8sYkvGk xNuxzpkxk5RSbZ0AxtBCONAkI2uhA/dBfPo3lRIajBNg3Xc+7uV7hwMn//dgKGXL5d8JRubl6U6JD +bEhEwc8g==;
Received: from [31.185.135.153] (port=51446 helo=[192.168.0.7]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <ietf@bobbriscoe.net>) id 1h57du-0001HG-8V; Sat, 16 Mar 2019 11:38:22 +0000
From: Bob Briscoe <ietf@bobbriscoe.net>
To: tcpm IETF list <tcpm@ietf.org>
References: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net>
Message-ID: <c89b32b8-0865-e422-a554-539f731a9c55@bobbriscoe.net>
Date: Sat, 16 Mar 2019 11:38:20 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net>
Content-Type: multipart/alternative; boundary="------------91DB4DEA282342225DD913A5"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/uqEhIIm3BMG0ynowhbFM_XdTk0k>
Subject: Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2019 11:38:29 -0000
Folks, After offline discussion with the Linux maintainers, we have agreed on option #2, which is to make overstrict ECN test more specific to RFC3168 by only disabling ECN if a SYN has a non-zero IP-ECN field and the first six TCP flags in the main header are 0b000011. This will be a simple 1-line patch that maximizes the likelihood that it will be back-ported as far back as possible, hopefully back to the introduction of the over-strict test in May 2012. This should fix a large proportion of the installed base of Linux servers reasonably quickly. ==Logging== Separately we will submit a patch to add logging of each event that disables ECN, but only for future kernel versions, not for back-porting. However, there is resistance to any logging, so this might not be accepted. The proposal is * at default logging level, increment an SNMP count when ECN disabled for a connection due to a protocol violation * at increased logging level, on each event also write rate-limited kernel messages that record the client IP. Then, if a sysadmin wants to, they can get any network mangling fixed. Bob On 20/01/2019 23:31, Bob Briscoe wrote: > TCPM folks, > > RFC8311 and draft-ietf-tcpm-generalized-ecn enable ECN-capable SYNs. > However, if a client sends an ECN-capable SYN, existing Linux servers > disable ECN for the rest of the connection. > > To fix as many existing Linux servers as possible, as soon as > possible, I would recommend short-term solution #2 (see 'Three Fixes' > below). An alternative would be short-term solution #3. > > Anyone got a better fix? Anyone disagree with recommending #2? If not, > pls confirm your agreement. > > > Summary of Pros and Cons > > #2 pro: No longer ossifies non-ECN SYN > #2 pro: If a path does "unbleach" IP-ECN, protects the connection by > disabling ECN > #2 con: A residual degree of ossification remains > > #3 pro: No longer ossifies non-ECN SYN > #3 pro: No ossification at all > #3 con: If a path does "unbleach" IP-ECN, connection still attempts to > use ECN even though the path is mangling the ECN field. > > #1 is the full solution, but it should proceed in parallel as a > solution for the future, not to fix the past. > > > Background > > To negotiate ECN for a connection the client sets flag bits 8-9 in the > TCP header to 11 [RFC3168 Section 6.1.1] > <https://tools.ietf.org/html/rfc3168#section-6.1.1>. For your > convenience, I've included a picture of the TCP header flags at the end. > > In 2012 an additional test was patched into Linux servers. It disables > ECN for the connection unless the IP-ECN field of the SYN is also zero > (I'll call this the "overstrict ECN test"). > > This was because Section 6.1.1. of RFC3168 also said "A host MUST NOT > set ECT on SYN or SYN-ACK packets." Unfortunately, the overstrict ECN > test ossifies this requirement into TCP. > > The Linux patch was intended to protect a connection against the > network mangling the IP-ECN field to a non-zero value. Unfortunately, > it also disables ECN completely if a client tries to set ECT in the > IP-ECN field of the SYN. > > RFC8311 has now updated RFC3168 to allow ECT on a SYN, in conjunction > with the ECN++ experiment. But few developers are going to set ECT on > a SYN if it causes about 84% of servers to completely disable ECN (see > Section 4.2.2. of the ECN++ draft > <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> > for further details and the source of these numbers). > > > Three Fixes > > I can think of three ways to fix existing Linux servers: > > 1. Deploy Accurate ECN > <https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> on > existing Linux servers. > * AccECN inherently replaces the overstrict ECN test with a pair > of proper two-ended tests for network mangling, in which each > end feeds back the arriving IP ECN field in its TCP feedback. > In contrast, the overstrict ECN test is one-ended, with the > server only assuming what the client set. > * Altho AccECN will solve the problem, it should not be relied > on to fix the last six years of Linux server deployment. > AccECN is a non-trivial update so it is unlikely to get > back-ported and auto-deployed to most existing Linux servers > any time soon. > 2. Make the overstrict ECN test more specific to RFC3168, and add > logging. > * Currently, the only proposal for allowing ECT on a SYN > requires the client to also request Accurate ECN feedback, > which requires TCP header bits 7-9 to be 111. > * Therefore, the overstrict ECN test in a Linux server could be > altered to solely apply if bits 7-9 == 011 (rather than just > testing if bits 8-9 == 11). > * However, I am concerned that this ossifies around the solution > based on ECN++ and AccECN. What if ECN++ needs to be > superseded by some future protocol that allows ECT on a SYN > when some other field is different (e.g. one of TCP's three > remaining reserved flags, or a new TCP option)? > * Unfortunately, we cannot test for the absence of a > yet-to-be-invented TCP option. Nonetheless, I suggest *the > overstrict ECN test in a Linux server should at least be > altered to solely apply if TCP header bits 4-9 == 000011*. > * I suggest Linux also *logs whenever it disables ECN due to > this test*, so that broken paths can be identified and fixed. > * An extremely simple patch like this would be much more likely > than #1 (AccECN) to be back-ported and deployed to most > existing servers via regular Linux auto-updates. > 3. As #2, but do not disable ECN when the test fails, just log those > paths suspected of mangling ECN. > * Our most recent measurements of millions of Internet paths > found no occurrences where zero IP-ECN on a SYN was changed to > non-zero ("unbleaching"). So we could just remove the test. > * However, no occurrences found does not mean none exist. Altho > we tested millions of paths, we only tested from a few dozen > vantage points, albeit we did test both mobile and fixed > networks (see Section 4.2.2. of the ECN++ draft > <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2> > for summary of tests). > * If the number of problematic paths is small, it would still > make sense to run the ECN test as proposed under item #2, but > not disable ECN if it fails. Instead, just log any negative > results, so the broken network elements can be identified and > fixed. > > Cheers > > > Bob > > PS. For convenience, here's the TCP header flags (assuming the > experimental AccECN protocol is approved as RFC): > 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 > +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ > | | | A | C | E | U | A | P | R | S | F | > | Header Length | Reserved | E | W | C | R | C | S | S | Y | I | > | | | | R | E | G | K | H | T | N | N | > +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+ > > > -- > ________________________________________________________________ > Bob Briscoehttp://bobbriscoe.net/ -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- [tcpm] Does this fix sufficiently de-ossify overs… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Brian Trammell (IETF)
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe