Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
Bob Briscoe <ietf@bobbriscoe.net> Sat, 16 March 2019 11:38 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3848B1277C9 for <tcpm@ietfa.amsl.com>; Sat, 16 Mar 2019 04:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmlfJwY-k_QA for <tcpm@ietfa.amsl.com>; Sat, 16 Mar 2019 04:38:25 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49396127887 for <tcpm@ietf.org>; Sat, 16 Mar 2019 04:38:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:References:Cc:To:From:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=LEY/8gzvA2t4zNrgueyJQIXSzazIu0s2lGrtdaANW+w=; b=BU/WArjBbgrFHF28K2BCeaKRO 3kR980jQEgQOi3wFvh7S16Z2pIYsO/EW4rMpcvxE9AFO/HwRSClqxsamBK10FD12ac2VKhuKlvupF gF8Pzo/jBp35H+da9FrR+h0VwXgFCuJNbUiLFbC6BJ0WDp29NLWi73ApkA1ylQo/4m3GBbmLNc3Zn dfmX9t71DCXudNmDF6pNUX2rQvp9ri8KFSt8QOFApI/ghhod2aWwb+L31TDJtztnIExaly8sYkvGk xNuxzpkxk5RSbZ0AxtBCONAkI2uhA/dBfPo3lRIajBNg3Xc+7uV7hwMn//dgKGXL5d8JRubl6U6JD +bEhEwc8g==;
Received: from [31.185.135.153] (port=51446 helo=[192.168.0.7]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.91) (envelope-from <ietf@bobbriscoe.net>) id 1h57du-0001HG-8V; Sat, 16 Mar 2019 11:38:22 +0000
From: Bob Briscoe <ietf@bobbriscoe.net>
To: tcpm IETF list <tcpm@ietf.org>
References: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net>
Message-ID: <c89b32b8-0865-e422-a554-539f731a9c55@bobbriscoe.net>
Date: Sat, 16 Mar 2019 11:38:20 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <dd09c257-42df-38bc-14b9-e8e0850ce739@bobbriscoe.net>
Content-Type: multipart/alternative; boundary="------------91DB4DEA282342225DD913A5"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/uqEhIIm3BMG0ynowhbFM_XdTk0k>
Subject: Re: [tcpm] Does this fix sufficiently de-ossify overstrict ECN negotiation by Linux TCP servers?
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2019 11:38:29 -0000
Folks,
After offline discussion with the Linux maintainers, we have agreed on
option #2, which is to make overstrict ECN test more specific to RFC3168
by only disabling ECN if a SYN has a non-zero IP-ECN field and the first
six TCP flags in the main header are 0b000011.
This will be a simple 1-line patch that maximizes the likelihood that it
will be back-ported as far back as possible, hopefully back to the
introduction of the over-strict test in May 2012. This should fix a
large proportion of the installed base of Linux servers reasonably quickly.
==Logging==
Separately we will submit a patch to add logging of each event that
disables ECN, but only for future kernel versions, not for back-porting.
However, there is resistance to any logging, so this might not be
accepted. The proposal is
* at default logging level, increment an SNMP count when ECN disabled
for a connection due to a protocol violation
* at increased logging level, on each event also write rate-limited
kernel messages that record the client IP.
Then, if a sysadmin wants to, they can get any network mangling fixed.
Bob
On 20/01/2019 23:31, Bob Briscoe wrote:
> TCPM folks,
>
> RFC8311 and draft-ietf-tcpm-generalized-ecn enable ECN-capable SYNs.
> However, if a client sends an ECN-capable SYN, existing Linux servers
> disable ECN for the rest of the connection.
>
> To fix as many existing Linux servers as possible, as soon as
> possible, I would recommend short-term solution #2 (see 'Three Fixes'
> below). An alternative would be short-term solution #3.
>
> Anyone got a better fix? Anyone disagree with recommending #2? If not,
> pls confirm your agreement.
>
>
> Summary of Pros and Cons
>
> #2 pro: No longer ossifies non-ECN SYN
> #2 pro: If a path does "unbleach" IP-ECN, protects the connection by
> disabling ECN
> #2 con: A residual degree of ossification remains
>
> #3 pro: No longer ossifies non-ECN SYN
> #3 pro: No ossification at all
> #3 con: If a path does "unbleach" IP-ECN, connection still attempts to
> use ECN even though the path is mangling the ECN field.
>
> #1 is the full solution, but it should proceed in parallel as a
> solution for the future, not to fix the past.
>
>
> Background
>
> To negotiate ECN for a connection the client sets flag bits 8-9 in the
> TCP header to 11 [RFC3168 Section 6.1.1]
> <https://tools.ietf.org/html/rfc3168#section-6.1.1>. For your
> convenience, I've included a picture of the TCP header flags at the end.
>
> In 2012 an additional test was patched into Linux servers. It disables
> ECN for the connection unless the IP-ECN field of the SYN is also zero
> (I'll call this the "overstrict ECN test").
>
> This was because Section 6.1.1. of RFC3168 also said "A host MUST NOT
> set ECT on SYN or SYN-ACK packets." Unfortunately, the overstrict ECN
> test ossifies this requirement into TCP.
>
> The Linux patch was intended to protect a connection against the
> network mangling the IP-ECN field to a non-zero value. Unfortunately,
> it also disables ECN completely if a client tries to set ECT in the
> IP-ECN field of the SYN.
>
> RFC8311 has now updated RFC3168 to allow ECT on a SYN, in conjunction
> with the ECN++ experiment. But few developers are going to set ECT on
> a SYN if it causes about 84% of servers to completely disable ECN (see
> Section 4.2.2. of the ECN++ draft
> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2>
> for further details and the source of these numbers).
>
>
> Three Fixes
>
> I can think of three ways to fix existing Linux servers:
>
> 1. Deploy Accurate ECN
> <https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> on
> existing Linux servers.
> * AccECN inherently replaces the overstrict ECN test with a pair
> of proper two-ended tests for network mangling, in which each
> end feeds back the arriving IP ECN field in its TCP feedback.
> In contrast, the overstrict ECN test is one-ended, with the
> server only assuming what the client set.
> * Altho AccECN will solve the problem, it should not be relied
> on to fix the last six years of Linux server deployment.
> AccECN is a non-trivial update so it is unlikely to get
> back-ported and auto-deployed to most existing Linux servers
> any time soon.
> 2. Make the overstrict ECN test more specific to RFC3168, and add
> logging.
> * Currently, the only proposal for allowing ECT on a SYN
> requires the client to also request Accurate ECN feedback,
> which requires TCP header bits 7-9 to be 111.
> * Therefore, the overstrict ECN test in a Linux server could be
> altered to solely apply if bits 7-9 == 011 (rather than just
> testing if bits 8-9 == 11).
> * However, I am concerned that this ossifies around the solution
> based on ECN++ and AccECN. What if ECN++ needs to be
> superseded by some future protocol that allows ECT on a SYN
> when some other field is different (e.g. one of TCP's three
> remaining reserved flags, or a new TCP option)?
> * Unfortunately, we cannot test for the absence of a
> yet-to-be-invented TCP option. Nonetheless, I suggest *the
> overstrict ECN test in a Linux server should at least be
> altered to solely apply if TCP header bits 4-9 == 000011*.
> * I suggest Linux also *logs whenever it disables ECN due to
> this test*, so that broken paths can be identified and fixed.
> * An extremely simple patch like this would be much more likely
> than #1 (AccECN) to be back-ported and deployed to most
> existing servers via regular Linux auto-updates.
> 3. As #2, but do not disable ECN when the test fails, just log those
> paths suspected of mangling ECN.
> * Our most recent measurements of millions of Internet paths
> found no occurrences where zero IP-ECN on a SYN was changed to
> non-zero ("unbleaching"). So we could just remove the test.
> * However, no occurrences found does not mean none exist. Altho
> we tested millions of paths, we only tested from a few dozen
> vantage points, albeit we did test both mobile and fixed
> networks (see Section 4.2.2. of the ECN++ draft
> <https://tools.ietf.org/html/draft-ietf-tcpm-generalized-ecn-03#section-4.2.2.2>
> for summary of tests).
> * If the number of problematic paths is small, it would still
> make sense to run the ECN test as proposed under item #2, but
> not disable ECN if it fails. Instead, just log any negative
> results, so the broken network elements can be identified and
> fixed.
>
> Cheers
>
>
> Bob
>
> PS. For convenience, here's the TCP header flags (assuming the
> experimental AccECN protocol is approved as RFC):
> 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
> +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
> | | | A | C | E | U | A | P | R | S | F |
> | Header Length | Reserved | E | W | C | R | C | S | S | Y | I |
> | | | | R | E | G | K | H | T | N | N |
> +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
>
>
> --
> ________________________________________________________________
> Bob Briscoehttp://bobbriscoe.net/
--
________________________________________________________________
Bob Briscoe http://bobbriscoe.net/
- [tcpm] Does this fix sufficiently de-ossify overs… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Brian Trammell (IETF)
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe
- Re: [tcpm] Does this fix sufficiently de-ossify o… Bob Briscoe