Re: [tsvwg] [tcpm] Case for ECN-capable TCP control packets: draft-bagnulo-tsvwg-generalized-ecn
David Schinazi <dschinazi@apple.com> Sat, 16 July 2016 10:08 UTC
Return-Path: <dschinazi@apple.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B91F12D848 for <tsvwg@ietfa.amsl.com>; Sat, 16 Jul 2016 03:08:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.607
X-Spam-Level:
X-Spam-Status: No, score=-5.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IEQu5i4UvcK for <tsvwg@ietfa.amsl.com>; Sat, 16 Jul 2016 03:08:30 -0700 (PDT)
Received: from mail-in3.euro.apple.com (mail-in3.euro.apple.com [17.72.148.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2BCA12B075 for <tsvwg@ietf.org>; Sat, 16 Jul 2016 03:08:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1468663707; x=2332577307; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-version:Content-type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-reply-to:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Ue18vvcW2XyFJKBa3GuMTrQ1kQHt/nMuuxjX60F6w3k=; b=BGmO3caeGnfEtAUNZFRyZFU9IpGlhxPO1JoXht+Ue826AXqPnJ22abNBEtGtx1pB OF3ENn634WJ9OUgB5PIBL51uD46FYJt+FwdI9ZDxaahxHVxrxAWyjINqM03O0wH6 Qobzvalpf8rmCcaxD7tAHAXVRFonI0IEKJjIFE0nAwBFy0+ERnCvogoylByZjQap 7MF3pfvGf+/vpaYoAThgtDuZz1XylpQ53guAdvUfzL4ROtfPzGbJzNbV9xOEFTl3 HJcB1o1pSq3Hze8b/slv6pc5LNFaK/yb8d0eN9mFMf8upiOMZ/p//oYINdT5zkyj ilAvIBKUFem6D61Je06t7w==;
Received: from relay2.euro.apple.com ( [17.66.55.12]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail-in3.euro.apple.com (Symantec Mail Security) with SMTP id EB.8F.16926.B970A875; Sat, 16 Jul 2016 11:08:27 +0100 (BST)
X-AuditID: 1148940d-f791b6d00000421e-40-578a079bf4a8
Received: from phonehome1 ( [17.72.133.81]) (using TLS with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client did not present a certificate) by relay2.euro.apple.com (Symantec Mail Security) with SMTP id B9.2D.22244.B970A875; Sat, 16 Jul 2016 11:08:27 +0100 (BST)
Received: from uklon5-asavpn-l2tp-17-78-215-26.euro.apple.com (uklon5-asavpn-l2tp-17-78-215-26.euro.apple.com [17.78.215.26]) by phonehome1.euro.apple.com (Oracle Communications Messaging Server 7.0.5.37.0 64bit (built Nov 11 2015)) with ESMTPSA id <0OAE00MQ7K5Q9W60@phonehome1.euro.apple.com>; Sat, 16 Jul 2016 11:08:27 +0100 (IST)
Sender: dschinazi@apple.com
Content-type: multipart/alternative; boundary="Apple-Mail=_0F233442-F59F-4024-AF87-145E0F529CB9"
MIME-version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: David Schinazi <dschinazi@apple.com>
In-reply-to: <57892BE9.4020309@bobbriscoe.net>
Date: Sat, 16 Jul 2016 12:08:13 +0200
Message-id: <0EE6E830-0364-40C4-AC62-A7CBA660CE42@apple.com>
References: <CE03DB3D7B45C245BCA0D243277949362F5D88C0@MX307CL04.corp.emc.com> <57892BE9.4020309@bobbriscoe.net>
To: Bob Briscoe <ietf@bobbriscoe.net>
X-Mailer: Apple Mail (2.3124)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrHLMWRmVeSWpSXmKPExsUi6GTOozubvSvc4PFqHYsFjROZLLadnM9k cezNXTYHZo8lS34yBTBGcdmkpOZklqUW6dslcGU8vtjFVLAhr2LxpXlsDYyTIroYOTkkBEwk Tp2+zg5hi0lcuLeerYuRi0NIYCaTxOPLD5hhig4d62SBSPQySSw4eJURwrnGJPG/p58VpEpY QFqi68JdMJtZIEmi++odNhCbV0BPYvLRBjaImmSJ218mA03l4GAT0JI4sMYIJMwJVLK84zEb SJhFQFXi4hUukPHMAmcZJY6dXMAIMcZGYmvjLrAxQgKFEv1bL7OA1IsA1a9sV4G4U1biyclF YHdKCGxhk7j/6hT7BEbhWUgumoXkIoi4tsSyha+ZZwGNYhbQkZi8kBEiLC+x/e0cZpiSj+eP MC1gZFvFKJ6bmJmjm5lnrJdaWpSvl1hQkJOql5yfu4kRFCseU3h3MF4/aHiIUYCDUYmHN+5X Z7gQa2JZcWXuIUYJDmYlEd4fLF3hQrwpiZVVqUX58UWlOanFhxilOViUxHkbDhWFCwmkJ5ak ZqemFqQWwWSZODilGhiXrmzZNPW4e6+6trhgfvDUH0Ycv90Mj1aY7pRY817eoGbxh5C8E9Nm iqkJ7Om5dDMvdMl5swzXXjVh6x8sig16r+T3PFzvEHl5EltpafW0Td17hDcE6VTr5HILW276 tP2Vp9ukab9yooOZUjbvnLjks9hl3y96IuWBjlu/q0t/uPuLwUftYosSS3FGoqEWc1FxIgCZ I4F4kQIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrGLMWRmVeSWpSXmKPExsUi6NEaqDubvSvcYMMHBYsFjROZLLadnM9k cezNXTYHZo8lS34yBTBGcdmkpOZklqUW6dslcGU8vtjFVLAhr2LxpXlsDYyTIroYOTkkBEwk Dh3rZIGwxSQu3FvP1sXIxSEk0MskseDgVUYI5xqTxP+eflaQKmEBaYmuC3fBbGaBJInuq3fY QGxeAT2JyUcb2CBqkiVuf5nM3MXIwcEmoCVxYI0RSJgTqGR5x2M2kDCLgKrExStcIOOZBc4y Shw7uYARYoyNxNbGXWBjhAQKJfq3XmYBqRcBql/ZrgJxp6zEk5OLWCYwCsxCcsQsJEdAxLUl li18zTwLqJtZQEdi8kJGiLC8xPa3c5hhSj6eP8K0gJFtFaNoUWpOYqWRXmppUb5eYkFBTqpe cn7uJkZQaDuZ8+xgfHXQ8BCjAAejEg/vv5+d4UKsiWXFlbmHGCU4mJVEeH+wdIUL8aYkVlal FuXHF5XmpBYfYpTmYFES5/U7oB0uJJCeWJKanZpakFoEk2Xi4JRqYJzrMv1q38eyI4+eW3ju X/azw28B36vATvMqU7Oq899SvjlOeD0t+HiCx/yNU197l+40jygrOpqWaDrnxsN39ds+cL/4 UFn3PvfWdcmeU1e3StWtP/OqYs9x9ll/asw7OPxnn9nYW3Lr3d8rjJNvcCf0nMoM6s+U37Yv Mqp878+lxpW1S9/K+FQosRRnJBpqMRcVJwIA7CsNSmkCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/5N4gYbcOXU2VE7aWd2UtTHpRN9U>
Cc: tcpm IETF list <tcpm@ietf.org>, tsvwg IETF list <tsvwg@ietf.org>, "draft-bagnulo-tsvwg-generalized-ecn@ietf.org" <draft-bagnulo-tsvwg-generalized-ecn@ietf.org>
Subject: Re: [tsvwg] [tcpm] Case for ECN-capable TCP control packets: draft-bagnulo-tsvwg-generalized-ecn
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 10:08:32 -0000
Bob, This is interesting and promising work. It looks like it's scheduled in tcpm if time permits; let's hope time does permit! David > On Jul 15, 2016, at 20:31, Bob Briscoe <ietf@bobbriscoe.net> wrote: > > David, [re-sending to include tsvwg & tcpm, which is what I had intended to do first time.] > > Here's a heads-up for tsvwg, plus cross-posting to tcpm as suggested, > And for a fast read, there's a summary of every argument below. > Pls bash the arguments. > > Summary: > The ECN spec [RFC 3168] says various TCP control packets must not be ECN capable. > This draft lays out each argument given in the RFCs, and articulates a rebuttal against each one: > draft-bagnulo-tsvwg-generalized-ecn <https://tools.ietf.org/html/draft-bagnulo-tsvwg-generalized-ecn> > Subject to some more experiments, we think this knocks down every reason given, so that all these packets could safely be ECN-capable. > > Pls read the draft for more details (preferably before responding). > > Enumeration of arguments about each type of control packet follows, starting with some arguments common to many: > ___________________________________________________________________________________________ > > Common arguments against ECT > Unreliable congestion notification delivery > DoS Attacks > Common rebuttals (respectively): > No worse than undetectable loss of Not-ECT control packet, and better performance > Mandating Not-ECT does not stop attackers using ECT for flooding. Nonetheless, it would allow firewalls to discard control packets not meant to be ECT., however this would negate the benefit of ECT for compliant transports and seems unnecessary for the following reason. > RFC3168 (Sec.7) and RFC7567 (Sec.4.2.1) say an AQM MUST turn off ECN support if under persistent overload. This makes it hard for flooding packets to gain from ECT, but more experiments needed to see how much might be gained by an attacker flying "just under the radar". > > SYN/ACK > ECT on SYN/ACK already justified in RFC5562 > > SYN > Arguments against ECT: > Unknown ECN capability at the responder (may discard ECT SYN or RST connection) > Loss of congestion notification due to lack of support for feeding back CE on SYN at the responder. > DoS attacks. > Rebuttals (respectively): > No RFC mandates these responder behaviours, but 0.6% - 0.8% of Alexa top 1M Web sites (or their network paths) exhibit this. Could retransmit the SYN without ECT, and cache this knowledge to avoid 1 RTT delay in future > Support for CE feedback in SYN needed in the TCP wire protocol. Solution proposed in AccECN <https://tools.ietf.org/html/draft-ietf-tcpm-accurate-ecn> draft: if SYN/ACK shows lack of support for feeding back CE on SYN (i.e. no support for AccECN) IW MUST be reduced conservatively as if CE on SYN (no need to be as conservative as drop of SYN - cannot be severe congestion as packet got through). Could cache this knowledge. > See common DoS Attack rebuttal > > Pure ACK > Arguments against ECT: > Unreliable congestion notification delivery > No means to feed back congestion notifications (no ACKs of ACKs) > Rebuttals (respectively): > See common unreliability rebuttal > No worse than drop of Pure ACK, and better performance > > Retransmission > Arguments against ECT: > Unreliable congestion notification delivery > DoS attacks > Over-reacting to congestion. > Rebuttals (respectively): > See common unreliability rebuttal > See common DoS Attack rebuttal, complemented by recommendation to ignore CE on out of window packets > Correct to react twice to congestion in different RTTs > > Window Probe > > Arguments against ECT: > Unreliable congestion notification delivery > Rebuttal: > See common unreliability rebuttal > FIN > > No arguments against using ECT in RFCs. > To be discussed in next rev of draft. > > RST > > No arguments against using ECT in RFCs > To be discussed in next rev of draft. > > Cheers > > > Bob & Marcelo > > > On 11/07/16 21:28, Black, David wrote: >> Marcelo and Bob, >> >> Interesting draft - I need to read it in more detail ... in my "copious spare time" this week ;-). >> >> While it is of interest to TSVWG, as general ECN work happens here, I suspect >> that as a proposed modification to TCP it would be in the domain of the TCPM WG, >> as was the case for RFC 5562. >> >> Thanks, --David >> ---------------------------------------------------- >> David L. Black, Distinguished Engineer >> EMC, 176 South St., Hopkinton, MA 01748 >> +1 (508) 293-7953 Cell: +1 (978) 394-7754 >> david.black@emc.com <mailto:david.black@emc.com> >> --------------------------------------------------- >> >> -- >> ________________________________________________________________ >> Bob Briscoe http://bobbriscoe.net/ <http://bobbriscoe.net/>_______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… Bob Briscoe
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… Praveen Balasubramanian
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… David Schinazi
- Re: [tsvwg] Case for ECN-capable TCP control pack… Aaron Falk
- Re: [tsvwg] Case for ECN-capable TCP control pack… Brian Trammell
- Re: [tsvwg] [tcpm] Case for ECN-capable TCP contr… Michael Welzl
- [tsvwg] Case for ECN-capable TCP control packets:… Bob Briscoe