Re: [tsvwg] FQ & VPNs

Bob Briscoe <> Sat, 20 February 2021 00:57 UTC


On 19/02/2021 23:26, Bob Briscoe wrote:
> Jonathan,
> On 19/02/2021 22:11, Jonathan Morton wrote:
>>> On 19 Feb, 2021, at 11:54 pm, Bob Briscoe <> wrote:
>>>> However, I would remind you that neither SFQ nor fq_codel can 
>>>> distinguish between flows carried inside an encrypted tunnel, so 
>>>> this cannot be relied upon alone to make L4S safe.  Pete's data 
>>>> shows significant tunnelled traffic, much of which is probably due 
>>>> to people working from home and using VPNs to access a corporate 
>>>> network.
>>> [BB] So would you not advise this ISP to remove the FQ on their 
>>> backhaul, given they are serving large amounts of tunnelled VPN 
>>> traffic?
>> No, of course not.  Max-min fairness is the gold standard, after all, 
>> and that is what FQ is designed to provide at a saturated 
>> bottleneck.  I honestly don't understand why you keep arguing, in 
>> effect, for RTT-fairness while promoting a specification which 
>> mandates working to eliminate it.
>> At a bottleneck which is *not* persistently saturated, FQ serves to 
>> insulate latency-sensitive flows from bursty ones, and sparse flows 
>> from spurious AQM activity sparked by transient saturating loads.  
>> Are these not good things, even absent any rigorous notion of 
>> "fairness"?
> [BB] On a highly aggregated backhaul link that is only seeing 
> transient queuing (probably of the order of 10 or 100 us), there's 
> little need for an AQM at all.
> But if this backhaul link is capable of being saturated by the sum of 
> the access links (i.e. it's theoretically overbooked but relying on 
> average usage patterns to remain under-utilized), it would be 
> preferable to deploy a FIFO AQM there. With an FQ AQM, if a large 
> proportion of the traffic is in VPNs, just when the AQM is most 
> needed, it would make matters worse (i.e. all the flows within the 
> VPNs would get a focused hit on their throughput, so they would 
> collectively cause massive queues within each per-flow-queue being 
> used by each VPN). 

Here is an algorithm to find the truth. Take one of your emails, and do 
a diff with the previous email in the thread. Then the other person's 
text that you silently deleted (as above) will invariably be the truth.


Bob Briscoe
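
The tunnel point raised in the thread above (a per-flow scheduler classifies on the visible 5-tuple, so every flow inside one encrypted tunnel lands in the same queue), as an added illustration that is not part of the original message or any participant's code. Assumptions: classification is collision-free (the queue key is the visible 5-tuple itself, not SFQ's or fq_codel's actual hash), flows sharing a queue split its share in proportion to demand, and all addresses and rates are constructed.

```python
from collections import defaultdict

def max_min_share(demands, capacity):
    """Water-filling: max-min fair split of capacity among queues."""
    alloc, remaining, cap = {}, dict(demands), capacity
    while remaining:
        fair = cap / len(remaining)
        done = [q for q, d in remaining.items() if d <= fair]
        if not done:                      # every remaining queue is bottlenecked
            alloc.update({q: fair for q in remaining})
            break
        for q in done:                    # small demands are met in full
            alloc[q] = remaining.pop(q)
            cap -= alloc[q]
    return alloc

def per_flow_rates(flows, capacity):
    """flows: (name, visible_5tuple, demand). Queue key = visible 5-tuple."""
    members = defaultdict(list)
    for name, visible, demand in flows:
        members[visible].append((name, demand))
    demands = {q: sum(d for _, d in m) for q, m in members.items()}
    alloc = max_min_share(demands, capacity)
    # Assumption: flows sharing a queue split its share in proportion to demand.
    return {name: alloc[q] * d / demands[q]
            for q, m in members.items() for name, d in m}

# Constructed sample: 100 Mb/s link, each flow would take 100 Mb/s if it could.
# The scheduler sees only the tunnel's outer header for the four VPN flows.
TUNNEL = ("udp", "198.51.100.7", 4500, "203.0.113.1", 4500)
FLOWS = [(f"native{i}",
          ("tcp", f"198.51.100.{10 + i}", 40000 + i, "192.0.2.1", 443), 100)
         for i in range(4)]
FLOWS += [(f"vpn_inner{i}", TUNNEL, 100) for i in range(4)]

def demo():
    """Per-flow rate (Mb/s) for 4 native flows and 4 flows inside one tunnel."""
    return per_flow_rates(FLOWS, 100)

if __name__ == "__main__":
    for name, rate in sorted(demo().items()):
        print(f"{name:12s} {rate:5.1f} Mb/s")
```

With five visible queues, each native flow gets a full queue share while the four tunnelled flows divide one share between them.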