Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Thu, 24 October 2019 15:53 UTC

Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B092912011C for <tsvwg@ietfa.amsl.com>; Thu, 24 Oct 2019 08:53:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IvR47ZUuqd8E for <tsvwg@ietfa.amsl.com>; Thu, 24 Oct 2019 08:53:47 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130073.outbound.protection.outlook.com [40.107.13.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 274421200D8 for <tsvwg@ietf.org>; Thu, 24 Oct 2019 08:53:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=d0ncQF0v8YCiFTe7zKDMRtsm4G5+vnbot+1Op0X6EDIaDG0FyEVbUWUqoUrvRNwZwUF2zWEr7wIsm3C2ULtGylPGjdcf2CAA6KkrVyATgBd980AVim6pDCMKVPelwa89ggx88ZI3RyksKqyoIclrHWIYdXOowVMkoFWVzPuNvVDqtf9nVb+o+nC0mTt/tehXuP0mLlwJrhw5yyzQ280hcbmwOerzWZHRV7qvPouYh4RoQ5kiLWvrEkvVPFlwqL2K3CQvk2UGJ9k2ZLYroegdv3urC2dLg5Dgx6kSqUjoQlwyQkEYvDPMvOIeQXa/Admd5YxZXrdgBpqDywSvTQi9dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ktTXUC+jIEMOuhYM8eg8T544KjwMi+i9LlEpOIKDVDQ=; b=G6kzAiNlLPw4I4LUjxQMALqqn6qF7La5ioiSaQ+BXsbu15JXFNUNXfQevZoNJu7ylPC7qgi7sGuYLQERByN0X3ED+iRTAznXRJ7I0WvK3zEE2t+ylLRtG31aYQRYIqQb+jB03B1wvB6i3XpiatV+WhRBwWeIF2qZbkHRSDnhl2gQ0RJMFdUGdyH44KFsfdiyJNTO5mAQWWgZL6ooXrWDKL/2CxXOfkvElSHTyperkqV1L6VB+YXrZcuDDdl74dfaVorVCXieK4hzHX+YFpF28Wwq+qzFxgGkfuCz4+i+9UU8k0xdgR//VhfCotlTtZwGJroRUzTG0staXi6nJ31XWg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ktTXUC+jIEMOuhYM8eg8T544KjwMi+i9LlEpOIKDVDQ=; b=lLvPa48bqO5RzMsPJdXvzdG+lMpMsGu45N1MmUhVzHoEG2H7gE2ThbM1IlVQP58NqoGF4xRFU+EU+kjVOoQyLWSvbSpmuBlQ2sWWG6NGpGstMCmApIhnJ5xbfWKV+KbJBHRTaVlagJ0/GHeYnHPDp8G5wtDR6B3rHKwNK8WtcM4=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB4564.eurprd07.prod.outlook.com (52.135.152.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.14; Thu, 24 Oct 2019 15:53:44 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4573:6a4c:8bb5:1456]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4573:6a4c:8bb5:1456%5]) with mapi id 15.20.2387.021; Thu, 24 Oct 2019 15:53:44 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: "philip.eardley@bt.com" <philip.eardley@bt.com>, "Nicolas.Kuhn@cnes.fr" <Nicolas.Kuhn@cnes.fr>, "huitema@huitema.net" <huitema@huitema.net>, "tom@herbertland.com" <tom@herbertland.com>, "ilubashe@akamai.com" <ilubashe@akamai.com>
CC: "touch@strayalpha.com" <touch@strayalpha.com>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
Thread-Index: AQHVfq5vB1DdzboInEawIUyO4LVPkKdSYS0AgATOJQCABRNfAIAAHq4AgAF4WwCAAAnvgIAGqCgAgACvPICAAD/fgIAEMNcAgABINICAADacgA==
Date: Thu, 24 Oct 2019 15:53:44 +0000
Message-ID: <9D2A73F0-93B7-4778-8044-2852D0FCB71A@ericsson.com>
References: <CE03DB3D7B45C245BCA0D2432779493630766752@MX307CL04.corp.emc.com> <e8c30f3f-606f-0c0d-a7dd-b2bb6f31a9fd@huitema.net> <A2F184BB-E352-4AE6-B7A0-FDF6D8851DFB@strayalpha.com> <CALx6S36VYt+LVxWM_ZRos7VK6GArNbenpFD3yaPdqedvkoHpoQ@mail.gmail.com> <9c7df6fe717c43739454a91f8080cffa@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S361-wmgGWcTQHNsXnJEPkdCbvOhSCGwd5a9R0RQ_E=CCg@mail.gmail.com> <8543343a39a04d5baca64ce2a3085ac9@ustx2ex-dag1mb6.msg.corp.akamai.com> <CALx6S36FonVeU25YJEq_7PaNrfvX4ABLFv5VLbb6QKE==G5Xfg@mail.gmail.com> <00cf55e3462e44be8bcb908c453c3eef@ustx2ex-dag1mb5.msg.corp.akamai.com> <CALx6S34aQOUwqd5a2EJK10noUwW4qJQaEfsL4i-2VFpUU5=ytA@mail.gmail.com> <e5679768-6d59-8c5e-3f96-1f89fd8a21af@huitema.net> <F3B0A07CFD358240926B78A680E166FF1ECD586B@TW-MBX-P03.cnesnet.ad.cnes.fr> <CWLP123MB257982F95FE59290A4B6AA94EB6A0@CWLP123MB2579.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <CWLP123MB257982F95FE59290A4B6AA94EB6A0@CWLP123MB2579.GBRP123.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [2001:16b8:2c9a:6a00:609d:b214:5c61:c49d]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3fa7445c-5992-432d-ee1d-08d7589a5963
x-ms-traffictypediagnostic: AM0PR07MB4564:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <AM0PR07MB456464964D917CFD75084F35F46A0@AM0PR07MB4564.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-forefront-prvs: 0200DDA8BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(376002)(39860400002)(396003)(136003)(346002)(51444003)(199004)(189003)(54896002)(6246003)(33656002)(71200400001)(2501003)(229853002)(236005)(71190400001)(6486002)(36756003)(76116006)(486006)(81166006)(6512007)(8676002)(2201001)(8936002)(66476007)(6306002)(81156014)(86362001)(64756008)(256004)(66446008)(2906002)(66556008)(790700001)(186003)(6116002)(76176011)(966005)(66946007)(4326008)(2616005)(46003)(6436002)(5660300002)(478600001)(606006)(44832011)(476003)(110136005)(316002)(11346002)(102836004)(53546011)(66574012)(7736002)(14454004)(25786009)(99286004)(54906003)(446003)(6506007); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4564; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 1VkjYnwm7wwIw9ExB7GuwmbR+WAEGgNtCX1ae+TPhttW3oTNln/qPnqwLqKRCh249qGtsD1+5iryJ2d9CMb4JxtauLOmffkXbD93xKzKNG3Gp30Jomg4yGtjmDUIHOZAnbHhtsCFsS/BgukTGkhYBzHOdzmxkFzWM0IeqxKS4k5ruO71R1MIJRXzrGlpn9ZbByTq+DVAFaRzMlpnAacWzvv6WT+oqFyoiYjqtmYt/Kw7mgZFIGgNEL39YTnj2dCtWNn5SLgtIp7F5gUDXFxvDBVFHHM40rh41kRG2/MpJ22Q98BpygennzAv/s5eok+0MzLYgiwOmWm8a5b0C3wV51/HilXf/j/7EF/1wCMdFoD2c+7pnVqfmMlozfOie9ozJ/3LezQScoQ4TgelpPk5pcfRejdR+eu4EWBHs7/vFqd0ZRJoIQlpffrvT+DitY495ZrdECvXaXYuRbeK/q0S6hX9TFgXH5Y+5k6npCwr3Kw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_9D2A73F093B7477880442852D0FCB71Aericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3fa7445c-5992-432d-ee1d-08d7589a5963
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2019 15:53:44.2914 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Jm+1Uib9bDzJZ50aDmt+TSnr2sd+Ptgsh2J/Jgwdl3wLET5jb02ou2EnP4xaiuOE0ttvJNHb1k+QFnzyBJJYYtK4mMRxEdLQi6ai1o7eYk4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4564
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/21DVUDnuzfTHUnyQlXCJFpzKiFg>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 15:53:52 -0000

In ConEx, we also get upstream congestion by subtracting the ECN CE marks form the ConEx ECN marks, or count TCP seq# holes and subtract that number from the ConEx Loss marks. Of course the latter is not possible with QUIC and you would need something like the Q bit instead which however is basically Alternate-marking as defined in RFC8321.


From: tsvwg <tsvwg-bounces@ietf.org> on behalf of "philip.eardley@bt.com" <philip.eardley@bt.com>
Date: Thursday, 24. October 2019 at 16:38
To: "Nicolas.Kuhn@cnes.fr" <Nicolas.Kuhn@cnes.fr>fr>, "huitema@huitema.net" <huitema@huitema.net>et>, "tom@herbertland.com" <tom@herbertland.com>om>, "ilubashe@akamai.com" <ilubashe@akamai.com>
Cc: "touch@strayalpha.com" <touch@strayalpha.com>om>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Nico,

Please can you explain your comment about the L bit: “only Q bit (upstream loss) is doable (L bit must be sent by sender for end-to-end loss evaluation)” Surely both the Q & the L bit are set by the sender?

I’d prefer a generic solution rather than one for one transport protocol.

I think it’s worth looking at https://tools.ietf.org/html/rfc7837    This defined an IPv6<https://tools.ietf.org/html/rfc7837%20This%20defined%20an%20IPv6> destination option for carrying ConEx markings in IPv6 datagrams. I think its L bit is identical to your L bit. RFC7837 also has 4 reserved bits so a bis would have plenty of room for Q bit.

https://tools.ietf.org/html/rfc7837#section-3  discusses why the WG chose a destination option.

There seems to me a lot of similarity between the Conex work and this work, both in objectives & method. The Q bit is new since conex, and seems to offer some advantage of a clearer signal about upstream loss, under some assumptions.

Best wishes,
phil

From: tsvwg [mailto:tsvwg-bounces@ietf.org] On Behalf Of Kuhn Nicolas
Sent: 24 October 2019 11:20
To: 'Christian Huitema' <huitema@huitema.net>et>; Tom Herbert <tom@herbertland.com>om>; Lubashev, Igor <ilubashe@akamai.com>
Cc: Joe Touch <touch@strayalpha.com>om>; tsvwg@ietf.org
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Hi,

As far as I can see, there are different ways of signaling losses that are being discussed.
Here is an attempt of discussing advantages and drawbacks of each approach.
I believe that going for : short-term QUIC-bits and long-term TSVWG-bits is a good way forward. Moreover, this does not prevent from also having layer IP solutions.

-              Using IP level bits
Advantage : long term solution that is compatible for any upper-layer protocol
Drawback : compatibility with L2 tunnel solutions, problems in making it for IPv4 and IPv6 and only Q bit (upstream loss) is doable (L bit must be sent by sender for end-to-end loss evaluation)
-              Using new QUIC bits
Advantage : quick deployment of the solution and simple solution
Drawback : specific to QUIC
-              Generic transport solution
Advantage : standard solution for any transport
Drawback : “time-to-market” and only Q bit (upstream loss) is doable (L bit must be sent by sender for end-to-end loss evaluation)
-              Using OAM information
Advantage : management plane focusing on management functions – clearer interfaces between control, data and management planes
Drawback : need for standard interfaces between the different equipment that may follow other standard (IEEE, 3GPP) and management of “old” network still in operation

The privacy issues that are said to be specific to QUIC solution are inherent to any solution IMHO.

My 2cts,

Nico


De : tsvwg <tsvwg-bounces@ietf.org<mailto:tsvwg-bounces@ietf.org>> De la part de Christian Huitema
Envoyé : lundi 21 octobre 2019 20:20
À : Tom Herbert <tom@herbertland.com<mailto:tom@herbertland.com>>; Lubashev, Igor <ilubashe@akamai.com<mailto:ilubashe@akamai.com>>
Cc : Joe Touch <touch@strayalpha.com<mailto:touch@strayalpha.com>>; tsvwg@ietf.org<mailto:tsvwg@ietf.org>
Objet : Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019



On 10/21/2019 7:31 AM, Tom Herbert wrote:
Igor,

That misses the point of the statement. There are many protocols that don't have ubiquitous support over the Internet-- EH, IP fragmentation, any transport protocol other than TCP and sometimes UDP, and even IPv6. If "ubiquitous support" is required for deployment then we can never deploy new protocols or any protocol that is atypical to intermediate devices. So, unless we're planning on never doing anything new on the Internet, we need to address this.


The goal of any "for the network" signal is improved QoS.  Hence, if there is a non-trivial chance that inclusion of such signal will actually degrade QoS (by causing packets with the signal to be dropped), no sender will include such signals (and "happy eyeballs" style code is too complex and risky for the benefit).

As architecturally "ugly" as it sounds, I can only see the QUIC header and the most significant TTL bits as viable alternatives to be deployable widely on the Internet for IPv4.  For IPv6, even HBH and Dest Options are still too "risky" for packets, but that is likely to be improving.

You forgot to mention efforts to encode information in IP addresses, overload bits in the flow label, or other DPI parsing of UDP payload (like tunnels over UDP), and other creative ways to "find" bits that can be repuposed. There're all hacks! IP is designed to be an extensible protocol without the need for these. Pursuing such hacks, instead of using the defined mechanisms of extensibility, ostensibly solves some short term problems, but in the long run perpetuates protocol ossification and stifles evolution of the Internet.



If we want to not rely on hacks, I believe that we have to somehow change the network protocol. I have followed the development of the spin bit in QUIC, and the attempts to use more bits and provide for example indications of packet losses. There are typically two issues: privacy and practicality. Let's not discuss privacy here, except by assuming that privacy-sensitive deployments will find a need to "bleach" the signals. The signals are still useful for connection management as long as a large enough fraction of the connections are not bleached.

I think that solving the "practicality" issue requires moving the signal to the IP layer. The experiments by Orange show that you only need a small number of bits to monitor latency and loss rate from within the network - 2 or maybe 3 bits would do. If these bits are in the transport header, the network monitor has first to find out what transport protocol is in use, and possibly what version. With encrypted transports, that could soon become a daunting task. On the other hand, if the bits are at some fixed position in the IP header, monitoring becomes much simpler.

My personal preference would be to associate these bits with an IPv6 "flow" label, or for IPv4 the five-tuple. Latency is associated with routing and with applications, and in theory all packets in a flow share the same routing and the same kind of end-to-end processing. Of course, there are deployment issues, bleaching issues, etc. But the logic remains: associating latency and loss measurement with a packet flow makes the most sense. Moving that to the IP header also makes sense -- after all, it is very similar to ECN signals. The broad line of the solution would thus be:

1) Steal a couple of end to end bits, or maybe just 4 to 8 Diffserv code points

2) Use these bits to encode the "spin" and "loss" indications, and distinguish them from the "bleached" signal

3) Compute the "spin" and "loss" indications per end-to-end flow, and make that part of the spec.

There are obvious deployment issue, bleaching paths and all that. But at the same time, the information is meant to benefit network management, so there will be a strong incentive for network managers to ensure that it flows freely. Thus, it is not hopeless.

-- Christian Huitema