[tsvwg] Case for ECN-capable TCP control packets: draft-bagnulo-tsvwg-generalized-ecn
Bob Briscoe <ietf@bobbriscoe.net> Fri, 15 July 2016 18:31 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37AE112D18A; Fri, 15 Jul 2016 11:31:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zpyBoKu20JQI; Fri, 15 Jul 2016 11:31:11 -0700 (PDT)
Received: from server.dnsblock1.com (server.dnsblock1.com [85.13.236.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AE0F12D107; Fri, 15 Jul 2016 11:31:11 -0700 (PDT)
Received: from port-87-193-195-240.static.qsc.de ([87.193.195.240]:45828 helo=[10.199.166.47]) by server.dnsblock1.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.87) (envelope-from <ietf@bobbriscoe.net>) id 1bO7tE-0005NX-Il; Fri, 15 Jul 2016 19:31:08 +0100
From: Bob Briscoe <ietf@bobbriscoe.net>
To: "Black, David" <david.black@emc.com>, tsvwg IETF list <tsvwg@ietf.org>, tcpm IETF list <tcpm@ietf.org>
References: <CE03DB3D7B45C245BCA0D243277949362F5D88C0@MX307CL04.corp.emc.com>
Message-ID: <57892BE9.4020309@bobbriscoe.net>
Date: Fri, 15 Jul 2016 19:31:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362F5D88C0@MX307CL04.corp.emc.com>
Content-Type: multipart/alternative; boundary="------------000802040001040706000000"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server.dnsblock1.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: server.dnsblock1.com: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: server.dnsblock1.com: in@bobbriscoe.net
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/2tdzQSmS0j_V4fkTAB9bppoaN6g>
Cc: "draft-bagnulo-tsvwg-generalized-ecn@ietf.org" <draft-bagnulo-tsvwg-generalized-ecn@ietf.org>
Subject: [tsvwg] Case for ECN-capable TCP control packets: draft-bagnulo-tsvwg-generalized-ecn
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 18:31:14 -0000
David, [re-sending to include tsvwg & tcpm, which is what I had intended
to do first time.]
Here's a heads-up for tsvwg, plus cross-posting to tcpm as suggested,
And for a fast read, there's a summary of every argument below.
Pls bash the arguments.
Summary:
The ECN spec [RFC 3168] says various TCP control packets must not be ECN
capable.
This draft lays out each argument given in the RFCs, and articulates a
rebuttal against each one:
draft-bagnulo-tsvwg-generalized-ecn
<https://tools.ietf.org/html/draft-bagnulo-tsvwg-generalized-ecn>
Subject to some more experiments, we think this knocks down every reason
given, so that all these packets could safely be ECN-capable.
Pls read the draft for more details (preferably before responding).
Enumeration of arguments about each type of control packet follows,
starting with some arguments common to many:
___________________________________________________________________________________________
*Common arguments against ECT*
1. Unreliable congestion notification delivery
2. DoS Attacks
Common rebuttals (respectively):
1. No worse than undetectable loss of Not-ECT control packet, and
better performance
2. Mandating Not-ECT does not stop attackers using ECT for flooding.
Nonetheless, it would allow firewalls to discard control packets not
meant to be ECT., however this would negate the benefit of ECT for
compliant transports and seems unnecessary for the following reason.
RFC3168 (Sec.7) and RFC7567 (Sec.4.2.1) say an AQM MUST turn off ECN
support if under persistent overload. This makes it hard for
flooding packets to gain from ECT, but more experiments needed to
see how much might be gained by an attacker flying "just under the
radar".
*SYN/ACK**
*ECT on SYN/ACK already justified in RFC5562
*SYN**
*Arguments against ECT:
1. Unknown ECN capability at the responder (may discard ECT SYN or RST
connection)
2. Loss of congestion notification due to lack of support for feeding
back CE on SYN at the responder.
3. DoS attacks.
Rebuttals (respectively):
1. No RFC mandates these responder behaviours, but 0.6% - 0.8% of Alexa
top 1M Web sites (or their network paths) exhibit this. Could
retransmit the SYN without ECT, and cache this knowledge to avoid 1
RTT delay in future
2. Support for CE feedback in SYN needed in the TCP wire protocol.
Solution proposed in AccECN
<https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> draft: if
SYN/ACK shows lack of support for feeding back CE on SYN (i.e. no
support for AccECN) IW MUST be reduced conservatively as if CE on
SYN (no need to be as conservative as drop of SYN - cannot be severe
congestion as packet got through). Could cache this knowledge.
3. See common DoS Attack rebuttal
*Pure ACK**
*Arguments against ECT:
1. Unreliable congestion notification delivery
2. No means to feed back congestion notifications (no ACKs of ACKs)
Rebuttals (respectively):
1. See common unreliability rebuttal
2. No worse than drop of Pure ACK, and better performance
*Retransmission**
*Arguments against ECT:
1. Unreliable congestion notification delivery
2. DoS attacks
3. Over-reacting to congestion.
Rebuttals (respectively):
1. See common unreliability rebuttal
2. See common DoS Attack rebuttal, complemented by recommendation to
ignore CE on out of window packets
3. Correct to react twice to congestion in different RTTs
*Window Probe**
*
Arguments against ECT:
1. Unreliable congestion notification delivery
Rebuttal:
1. See common unreliability rebuttal
*FIN**
*
No arguments against using ECT in RFCs.
To be discussed in next rev of draft.
*RST**
*
No arguments against using ECT in RFCs
To be discussed in next rev of draft.
Cheers
Bob & Marcelo
On 11/07/16 21:28, Black, David wrote:
> Marcelo and Bob,
>
> Interesting draft - I need to read it in more detail ... in my "copious spare time" this week ;-).
>
> While it is of interest to TSVWG, as general ECN work happens here, I suspect
> that as a proposed modification to TCP it would be in the domain of the TCPM WG,
> as was the case for RFC 5562.
>
> Thanks, --David
> ----------------------------------------------------
> David L. Black, Distinguished Engineer
> EMC, 176 South St., Hopkinton, MA 01748
> +1 (508) 293-7953 Cell: +1 (978) 394-7754
> david.black@emc.com
> ---------------------------------------------------
>
> --
> ________________________________________________________________
> Bob Briscoehttp://bobbriscoe.net/
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… Bob Briscoe
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… Praveen Balasubramanian
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… David Schinazi
- Re: [tsvwg] Case for ECN-capable TCP control pack… Aaron Falk
- Re: [tsvwg] Case for ECN-capable TCP control pack… Brian Trammell
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… Michael Welzl
- [tsvwg] Case for ECN-capable TCP control packets:… Bob Briscoe