Re: [tsvwg] Related to "Non-L4S traffic abusing the L-queue" discussion during the interim

[Bob Briscoe <in@bobbriscoe.net>]

Sebastian,

On 27/02/2022 19:44, Sebastian Moeller wrote:
> Dear Koen,
>
> I have not spent the time to verify that I understand your claims an that I agree with them, (I have a hard time understanding how dropping packets that the head of a queue can be called "taildrop" with a straight face and hence am not willing to give you the benefit of the doubt, sorry).
> 	But on a purely logical level, how can a real attack vector for CoDel you might or might not have detected remedy the fact that DualQ essentially established a new fast-lane for unresponsive paced flows that manage to stay below L4S weighted schedulers L4S capacity?

[BB] Because Jonathan's claim in his write-up that this is a new 
fast-lane is false.
Also, in the heading, Jonathan says "This bonus is easily exploited by 
unscrupulous senders _without_ disabling congestion control."
But clearly, the flow's congestion control is not responding to the ECN 
markings coupled across from the C queue. So this statement must also be 
false.

Reasoning:
By deliberate design, the DualQ treats an unresponsive flow the same as 
a FIFO AQM (like PIE) would. If Jonathan ran a similar experiment but 
classified that unresponsive flow into the C queue, whether it was 
ECN-capable or not, it would have also got 40Mb/s.

So, there is no new fast-lane.  There is no new throughput bonus. This 
is just the same 40Mb/s that any unresponsive 40Mb/s flow has always got 
in a single queue (AQM or not, ECN or not).

This is the oft-stated deliberate design intent of the DualQ. Per-flow 
rate policing (and/or per-flow latency policing) can be added as an 
optional extra, but only if the operator wants it. The vast majority of 
the Internet currently works fine without per-flow policing.


So far, I am solely focusing on Jonathan's scenario (40Mb/s in a 50Mb/s 
link). Koen's experiments show CoDel falls down when unresponsive 
flow(s) send more than the link capacity, but I want to take this one 
scenario at a time.


Bob

>
>
>> On Feb 27, 2022, at 18:57, De Schepper, Koen (Nokia - BE/Antwerp)<koen.de_schepper@nokia-bell-labs.com>  wrote:
>>
>> Hi Sebastian,
>>
>> The important plots to check are the throughput plots in figure 1, where PIE and DualPI2 have very similar throughput profiles (confirming a coupled DualQ works like a single Q),
> 	As I said that is not enough, the whole premise of DualQ is that L4S and traditional traffic can not be mixed, so regressing to single queue behavior indicates that DualQ fails to meet its promise...
>
>
>> and figure 3 where PIE and DualPI2 have a queue latency at the target. This can only be achieved if the drop and marks are correctly set by the AQM.
> 	But is this actually showing more than the known fact that PIE and CoDel have different strictness when interpreting the reference target parameter? To me this looks not really unexpected.
>
>> Only in the CoDel case the ECT(0) non-responding UDP flow takes practically all the link capacity (99.9% when sending unresponsive UDP-ECT(0) at 100Mbps, and really 100% when sending at the higher 140 and 200Mbps rates, probably killing "all" not-ECT traffic; see other mail to Dave Taht).
>> These results speak undeniably for themselves.
> 	That is, as always, a contingent upon interpretation; I am not convinced that your interpretation is necessarily the best objective one available.
>
>> Your hunch and the issue which is now mentioned in the interim slides and the shepherd's writeup is just wrong.
> 	Excuse me, there is no data indicating that a faked ECT(1) unresponsive-to-CE flow (especially one staying below the L-queues capacity share) will get the same amount of actual drops in the L-queue as it would in a singe-queue CoDel or FIFO. I might not be seeing the forrest for the trees here, so please explain how the existing data shows that my hunch is wrong. But with the additional information about figure 8, I object to your claim, my "hunch [...] is just wrong". The data confirms what I described as my hunch, for cases when when the "illegitimate" flow stays below the L4S AQM's L-queue capacity.
> 	As I implied before this situation is not as exotic as you might think, given that most access links are << than core links, and L4S apparently is targeted for deployment on core links, no? So no, my flow might not noticeably affect the L-2-C "fairness at a congested L4S AQM but I might still be able to gain an unfair and undeserved throughput advantage over other flows at that link that runs counter to the L4S claims of rough equitable sharing between flows.
>
>
>> This non-issue should just be removed from the writeup and I suggest you make it an issue for the CoDel/FQ-CoDel RFCs instead. There we detected a "real" attack vector!
> 	Yeah, you essentially demonstrated that CoDel in itself is not as DOS resilient as it would be desirable. As Dave already mentioned fq_codel partly takes the sting out of this by restricting the fall-out mostly to the hash-bucket housing the offending flow. Also note how the stress-dropper takes care to find the largest queue (which will house the DOS flow) so even batch-emergency dropping does mostly the right thing. A sufficiently motivated attacker obviously will spoof/randomize at least SRC ports or addresses causing more problems for FQ, but my concern really is not so much DOS resistance but simple ways to gain fast-lane access for actual useful data transfer and there address spoofing will make things much harder, than just rate-limiting and fake-ECT(1) marking a flow...
> As I see it if I would simply fake ECT(1) mark capacity-seeking non-ECN-honoring flows L4S will grant me a priority lane for data as long as I a) pace packets sufficiently well and b) stay below the L4S bottlenecks L-queue capacity.
>
>
>> Koen.
>>
>> BTW:
>>>> the highly interesting drops for Not-ECT UDP (for CoDel) seem to be missing (generally the labeling for figure 8 is imprecise, e.g. showing Drops ECT(1)-UDP in the first set PIE with ECT(0)-UDP)
>> These results are not missing, only the legend is indeed missing
> 	Which for someone not intimately familiar with the data boils down to the same consequence, thanks for clearing this up.
>
>
>> the brown colored "Drop Not-ECT" label, but the plots show these values (in brown). Also ECT(1) label in the legend should say ECT(0/1)
> 	I had figured that out from context ;)
>
>> which depends on whether ECT(0/1) is used in the experiment (as in the labels under the results).
> 	Ah, okay with that additional information figure 8 now confirms my hunch just perfectly, no drops for unresponsive UDP in L-queue versus drops in C-queue as long as it stays below L-queue capacity. That is in direct conflict with your argument above that my "hunch [...] is just wrong", no?
>
>
>
>> -----Original Message-----
>> From: Sebastian Moeller<moeller0@gmx.de>  
>> Sent: Friday, February 25, 2022 11:32 PM
>> To: De Schepper, Koen (Nokia - BE/Antwerp)<koen.de_schepper@nokia-bell-labs.com>
>> Cc: Black, David<David.Black@dell.com>; Neal Cardwell<ncardwell@google.com>; tsvwg IETF list<tsvwg@ietf.org>; Bob Briscoe<in@bobbriscoe.net>
>> Subject: Re: [tsvwg] Related to "Non-L4S traffic abusing the L-queue" discussion during the interim
>>
>> Hi Koen,
>>
>> from your link:
>>
>> "Only when non-responsive traffic is below the link capacity it can fully use that share, making the responsive flows share the rest of the capacity (as usual for any AQM on the Internet on a shared queue)."
>>
>>
>> This pretty much confirms what I predicted, except the drop plots look incomplete, the highly interesting drops for Not-ECT UDP (for CoDel) seem to be missing (generally the labeling for figure 8 is imprecise, e.g. showing Drops ECT(1)-UDP in the first set PIE with ECT(0)-UDP). My hunch is that comparing drops ECT(1)-UDP in DualPi2 with the missing drops Not-ECT UDP in Codel, that in the latter we see much more drops than in the former, et voila, exploitable way to gain more throughput by marking traffic ECT(1)... as long as that traffic is reasonably paced and does not exceed the capacity of the L4S AQM (not an unlikely scenario even for capacity seeking traffic, my measly 100Mbps access link will not saturate the BNG uplink of my ISP or the link to the DSLAM)
>>
>> Regards
>> 	Sebastian
>>
>>
>>> On Feb 25, 2022, at 19:30, De Schepper, Koen (Nokia - BE/Antwerp)<koen.de_schepper@nokia-bell-labs.com>  wrote:
>>>
>>> Hi David,
>>>
>>> To be sure, we re-did the overload tests recently, confirming the
>>> previous overload results. These results are available at: Overload
>>> results caused by non-responsive UDP traffic for PIE, DualPI2 and
>>> CoDel AQMs | l4steam.github.io
>>>
>>> Specifically look at figure 8 at the end which shows that L4S traffic gets marks, up to 100% and appropriate drop if it reaches and exceeds the link capacity.
>>>
>>> The test case of Jonathan is approximated by the 70Mbps non-responsive ECT(1) UDP traffic on a 100Mbps link on a DualPI2 (Prague+Cubic) test case. In Jonathan's case it was 40Mbps on a 50Mbps link. We also evaluated in extreme when sending at 100Mbps non-responsive ECT(1) UDP traffic on a 100Mbps link, and even exceeding at 140Mbps and 200Mbps. You will see the results are as if it is on a Single Q PIE AQM. Note also that CoDel which never drops ECT packets, causes actually close to starvation and high tail-drop delay results as shown in figure 1, even with ECT(0). So I guess all the concerns about FQ_CoDel and tunnels/Hash-collisions are equally severe and not related to L4S alone (can just be exploited by ECT(0) traffic today already!!).
>>>
>>> Koen.
>>>
>>> From: Black, David<David.Black@dell.com>
>>> Sent: Friday, February 25, 2022 7:04 PM
>>> To: Neal Cardwell<ncardwell@google.com>
>>> Cc: De Schepper, Koen (Nokia - BE/Antwerp)
>>> <koen.de_schepper@nokia-bell-labs.com>; tsvwg IETF list
>>> <tsvwg@ietf.org>; Jonathan Morton<chromatix99@gmail.com>; Bob Briscoe
>>> <in@bobbriscoe.net>; Black, David<David.Black@dell.com>
>>> Subject: RE: [tsvwg] Related to "Non-L4S traffic abusing the L-queue"
>>> discussion during the interim
>>>
>>> Hi Neal,
>>>
>>> So, I saw that explanation - could someone check the "running code" to make sure that the coupling and marking occur even when the L queue is always empty?
>>>
>>> Thanks, --David
>>>
>>> From: Neal Cardwell<ncardwell@google.com>
>>> Sent: Friday, February 25, 2022 12:58 PM
>>> To: Black, David
>>> Cc: De Schepper, Koen (Nokia - BE/Antwerp); tsvwg IETF list; Jonathan
>>> Morton; Bob Briscoe
>>> Subject: Re: [tsvwg] Related to "Non-L4S traffic abusing the L-queue"
>>> discussion during the interim
>>>
>>> [EXTERNAL EMAIL]
>>>
>>>
>>>
>>> On Fri, Feb 25, 2022 at 11:56 AM Black, David<David.Black@dell.com>  wrote:
>>> Koen,
>>>
>>> I'll observe that "traffic that is not responding at all to CE marks"
>>> is not necessary to achieve the reported results if the experimental
>>> setup "prevents the L queue from seeing any
>>>
>>> need to apply congestion signals, because it is always empty" as there would be no CE marks for the traffic in the L queue to respond to.
>>>
>>> I think the key part here is "if". :-) The assertion "prevents the L queue from seeing any need to apply congestion signals, because it is always empty" is from:
>>>   https://sce.dnsmgr.net/downloads/L4S-WGLC2-objection-details.pdf  
>>> [sce.dnsmgr.net] That assertion is inconsistent with the functioning of the Dual-Q algorithm, as described in:
>>>   https://www.ietf.org/id/draft-ietf-tsvwg-aqm-dualq-coupled-21.html  
>>> [ietf.org]
>>>
>>> As Bob noted: "in the scenario shown, although the L queue is indeed always empty, it will see a high level of congestion signals (~10% in this case) via the coupling."
>>> Here's Bob's e-mail for more context/details:
>>>
>>> https://mailarchive.ietf.org/arch/msg/tsvwg/joFr3sfOrxxkYhWdYrO2rLlCNU
>>> w/ [mailarchive.ietf.org]
>>>
>>> thanks,
>>> neal
>>>
>>>
>>>
>>> Please give that further consideration.
>>>
>>> Thanks, --David (as an individual)
>>>
>>> From: tsvwg<tsvwg-bounces@ietf.org>  On Behalf Of De Schepper, Koen
>>> (Nokia - BE/Antwerp)
>>> Sent: Friday, February 25, 2022 4:29 AM
>>> To: tsvwg IETF list; Jonathan Morton
>>> Subject: Re: [tsvwg] Related to "Non-L4S traffic abusing the L-queue"
>>> discussion during the interim
>>>
>>> [EXTERNAL EMAIL]
>>>
>>> Hi Jonathan,
>>>
>>> Can you confirm that this test is done with "Cubic" traffic that is not responding at all to CE marks? So it is just like any other non-responding traffic (like UDP CBR). We don't see any other way to explain your results.
>>>
>>> If so, we can/should remove this "issue" from the shepherd's write-up, as such unresponsive flows will get the same throughput on any single-Q bottleneck with or without AQM (taildrop/PI2/PIE/CoDel/STEP/RED/...) with a latency that matches the AQM strategy.
>>>
>>> Koen.
>>>
>>>
>>> From: tsvwg<tsvwg-bounces@ietf.org>  On Behalf Of De Schepper, Koen
>>> (Nokia - BE/Antwerp)
>>> Sent: Thursday, February 17, 2022 7:01 PM
>>> To: tsvwg IETF list<tsvwg@ietf.org>; Jonathan Morton
>>> <chromatix99@gmail.com>
>>> Subject: [tsvwg] Related to "Non-L4S traffic abusing the L-queue"
>>> discussion during the interim
>>>
>>> Hi Jonathan,
>>>
>>> It seems that the following open issue identified by the chairs:
>>>
>>> Non-L4S traffic abusing the L-queue
>>> * 'DualQ gives a large throughput bonus to L queue traffic, ie. a "fast lane"'
>>> * Is this a matter specific for DualQ that can be left for experimentation?
>>>
>>> is based on the following experiment you performed:
>>>
>>>>             simple two-flow competition test on a standard dumbbell
>>>> topology,
>>>>             with the bottleneck running a DualQ qdisc into a 50Mbps shaper.
>>>>             Both flows were configured to use CUBIC congestion
>>>> control with
>>>>             ECN negotiated, but one was additionally tweaked to set
>>>> ECT(1)
>>>>             instead of ECT(0) on all data segments, and to pace its
>>>> output at
>>>>             40Mbps. This latter measure prevents the L queue from
>>>> seeing any
>>>>             need to apply congestion signals, because it is always
>>>> empty.  These
>>>>             tweaks allowed that flow to use 80% of the link
>>>> capacity, gaining a
>>>>             fourfold advantage over its competitor,
>>>
>>> If there is capacity seeking traffic in the Classic queue, then it is even desired that the L4S queue does not add extra marks. The L4S marks should come only from the Classic coupling.
>>> Before diving into details, can you first explain why in your experiment the coupling from the Classic Q has no effect on your paced and ECT(1) labeled Cubic flow?
>>>
>>> I would expect that this ECT(1) labeled Cubic flow would get even less throughput than the Classic Cubic flow, as the first gets the doubled coupled CE marking probability (eg 2*10% = 20%) for L4S flows instead of the squared CE marking probability (10%^2 = 1%) which ECT(0) traffic would get.
>>>
>>> Thanks,
>>> Koen.

-- 
________________________________________________________________
Bob Briscoehttp://bobbriscoe.net/