Re: [tsvwg] New rev of draft-ietf-tsvwg-ecn-l4s-id-17

[Bob Briscoe <ietf@bobbriscoe.net>]

David,

On 25/05/2021 21:22, Black, David wrote:
>
> Two comments:
>
> [1] This VPN discussion appears to be assuming a remote access VPN, so 
> it does not align well with site-to-site VPNs:
>
> > This particular path divergence occurs iff an ECT0 flow is CE-marked 
> /prior/ to the VPN ingress:
> > * In general where the VPN ingress is on the end-system (transport 
> mode) that doesn't happen.
> > * There is however a chance that CE could be introduced before a 
> 'bump in the wire' VPN ingress (tunnel mode).
>
> For site-to-site VPNs, the last line above is a significant 
> understatement.  A scenario that helps to understand this is ROBO, 
> specifically a sizeable remote office or branch office such as a large 
> retail store, where the remote or branch VPN gateway is a potential 
> bottleneck node for outbound traffic courtesy of fan-in from multiple 
> end systems and the LAN having more bandwidth than the (purchased) VPN 
> bandwidth.
>

[BB] Wouldn't that particular bottleneck apply marking at the egress of 
the VPN gateway after encap?

> [2] I think the whole approach of parallel SAs is not a good idea – it 
> would be better to recommend larger replay windows, perhaps much 
> larger, and/or use DSCPs to direct traffic to parallel SAs (which 
> would disambiguate CE across L4S and non-L4S traffic).
>

[BB] You haven't given any reasons.


Bob

> Thanks, --David
>
> *From:* Bob Briscoe <ietf@bobbriscoe.net>
> *Sent:* Sunday, May 23, 2021 6:00 PM
> *To:* Black, David; Gorry Fairhurst; Wesley Eddy
> *Cc:* tsvwg@ietf.org
> *Subject:* Re: [tsvwg] New rev of draft-ietf-tsvwg-ecn-l4s-id-17
>
> [EXTERNAL EMAIL]
>
> David,
> See inline, tagged [BB]...
>
> On 21/05/2021 23:02, Black, David wrote:
>
>         section 6.2 with its, "use two SAs, one for ECT(1) and one for the rest" seems a bit limited
>
>     The situation is more severe than that, and it's problematic if there's any non-L4S TCP traffic that uses ECN involved.  The two SAs are actually for 2 ECN values each:
>
>         To avoid this limitation, a VPN ingress participating in the L4S
>
>         experiment SHOULD map packets onto two parallel SAs indexed by the
>
>         lowest significant bit of the IP-ECN field.
>
>     That indexing puts Not-ECT [00b] and ECT(0) [10b] packets into one SA, and puts ECT(1) [01b] and CE [11b] packets into another.  Non-L4S TCP uses ECT(0) and CE, hence a flow that carries any congestion indications is split across those two SAs.  ECMP based on SPI (deployed technology) that puts those parallel SAs on different network paths is not assured to preserve packet order across those SAs, and packet reordering is not a good thing to do to a non-L4S TCP flow.
>
>
> [BB] Yes, this would be a potential problem.
>
> This particular path divergence occurs iff an ECT0 flow is CE-marked 
> /prior/ to the VPN ingress:
> * In general where the VPN ingress is on the end-system (transport 
> mode) that doesn't happen.
> * There is however a chance that CE could be introduced before a 'bump 
> in the wire' VPN ingress (tunnel mode).
>
> For a VPN participating in the L4S experiment with two SAs, if there 
> was any CE before the ingress, we did think carefully about which way 
> to classify it:
> * If CE goes with ECT0, then if a subsequent L4S node gives ECT0 more 
> queue delay than CE, the VPN anti-replay function could discard some 
> ECT0 packets.
> * If CE goes with ECT1, it avoids anti-replay discard completely. We 
> had tried to think of possible problems with splitting Classic flows 
> across SAs,  but we hadn't thought of your point where ECMP on the SPI 
> makes CE and ECT0 from the same flow taking different paths.
>
> I believe it is still best to classify CE with ECT1, based on the 
> following reasoning. I think the scenario would occur with very low 
> probability {Note 1}, and if it did, the CE might either arrive a 
> little earlier or a little later than data packets around them.
> * If earlier, the benefit of ECN would not be lost, but there would be 
> an extremely small chance (p_s * p_r * p_N) of an occasional spurious 
> re-xmt {Note 2}.
> * If later, the chance that a delayed CE would be mistaken for a drop 
> and trigger a spurious re-xmt and a congestion response would probably 
> be higher, but still very small (p_s * p_r * p_l) {Note 3}. That would 
> lose the benefit of ECN but, at least for Classic flows, a single CE 
> is meant to trigger a large congestion response as if it was a loss 
> anyway.
>
> I don't want to belittle the point you've made, because this is 
> certainly a new problem. However, I do think the probabilities need to 
> be put in perspective.
>
> I suspect the ECMP problem with any ECN (3168 or L4S) is likely to be 
> a greater concern. You might recall that João Taveira from Fastly 
> pointed this out during a tsvwg discussion on ECN back in 2017. This 
> link should jump to 14:25 mins into a 2017 NANOG talk from Lorenzo 
> Saino of Fastly about how they had to disable ECN negotiation when 
> Apple clients started to request ECN in 2015 - because a number of 
> different ECMP vendors still hash on the ToS byte for ECMP and load 
> balancing, so the data would have been routed to a different server 
> from the handshake:
> https://youtu.be/ciClZdwHelU?t=805 [youtu.be] 
> <https://urldefense.com/v3/__https:/youtu.be/ciClZdwHelU?t=805__;!!LpKI!y0AavGemYqNsy2Urub76LQ2eIuIinYWTadbh2ddv0r80YQabjQCK8HywtmUFhVbc$>
>
> Regards
>
>
>
> Bob
>
> {Note 1}: Reasoning for scenario occurring with low probability (we'll 
> call it p_s):
> Usually, an institution provides a tunnel-mode VPN between physically 
> secured networks (e.g. between their intranet and an employee's home 
> laptop). AQM deployment would be unusual in the interior of corporate 
> and institutional intranets, because the bottleneck is more likely 
> elsewhere (e.g. in the access link between the site and the Internet). 
> However, there are bound to be some cases of tunnel-mode VPNs where 
> the traffic arriving could have already been ECN-marked (for instance 
> Jonathan Morton's example of gamers providing a VPN end-point on the 
> public Internet to hide their own IP address).
> Then, to experience this problem, there also has to be some load 
> balancing or ECMP after the VPN ingress but before the egress. I'm 
> sure that will occur sometime somewhere (let's say with probability 
> p_r). The likelihood of the scenario occurring will then be p_s * p_r.
>
> {Note 2}:
> * N packets in a row within a Classic flow have to be CE-marked for 
> early CE packets to result in a spurious re-xmt, let's say that 
> happens with probability p_N. As already explained in Appx B of 
> ecn-l4s-id, N was traditionally 3, but RACK is making it larger. And 
> the main sources of ECN marking for Classic flows are FQ_CoDel and 
> CAKE, both of which take great care not to mark multiple packets in a 
> row. So p_N is going to be tiny.
> And the probability of a spurious re-xmt with early reordering will be 
> the vanishingly small product (p_s * p_r * p_N).
>
> {Note 3}:
> * Let's say p_l (for late) is the probability that the reordering 
> between the two SAs is sufficient to make each CE packet arrive late 
> enough  to be deemed a loss. p_l is unlikely to be as small as p_N, 
> but the overall probability of this occurring is still reduced because 
> the probability that CE marking precedes that VPN (p_s), and that 
> there's routing keyed on flow IDs and SPIs (p_r). So the overall 
> probability of a spurious rexmt due to late reordering is (p_s * p_r * 
> p_l).
>
>
>
> Bob
>
>
>     Thanks, --David
>
>     -----Original Message-----
>
>     From: Sebastian Moeller<moeller0@gmx.de>  <mailto:moeller0@gmx.de>  
>
>     Sent: Friday, May 21, 2021 5:27 PM
>
>     To: Bob Briscoe
>
>     Cc: Gorry Fairhurst; Black, David; Wesley Eddy;tsvwg@ietf.org  <mailto:tsvwg@ietf.org>
>
>     Subject: Re: [tsvwg] New rev of draft-ietf-tsvwg-ecn-l4s-id-17
>
>     [EXTERNAL EMAIL]
>
>     Bob, chairs,
>
>     section 6.2 with its, "use two SAs, one for ECT(1) and one for the rest" seems a bit limited since it ignores that VPNs might propagate both DSCPs and ECN bits between the layers, so IMHO a better approach might be to recommend to treat DSCP+ECN bits as one aggregate byte (let's cal it TOS ;) ) as the extra ECT(1)-SA seems to be required for all SAs that already exist to deal with multiple supported DSCPs. So in a sense the recommendation would be to double the number of SAs.
>
>
> [BB] Yes, we ought to reword it to say that the VPN ingress should use 
> two SAs indexed on the LSB of the ECN field, and, if it was also 
> classifying on DSCPs, it could also consider classifying any low 
> latency DSCP(s) with the L4S packets. To avoid the anti-replay 
> problem, there would only need to be one SA configured per each degree 
> of queuing delay, not one for every ECN x DSCP combination.
>
>
>     Also:
>
>     "and the current draft of DTLS 1.3 says "The receiver
>
>           SHOULD pick a window large enough to handle any plausible reordering,
>
>           which depends on the data rate."  However, in practice, the size of
>
>           the VPN's anti-replay window is not always scaled appropriately."
>
>     L4S on a 10 ms path under load can introduce re-ordering in the range of 50 ms (roughly twice the difference between the L- and C-queue delay targets), re-ordering tolerance 5 times of the path RTT seems to be a bit on the high side to expect, no?
>
>
> [BB] The above text that I quoted from the DTLS spec. is reasonable, 
> both practically (see below) and in terms of taking responsibility for 
> the problem. Beyond its window, the anti-replay function presumes a 
> packet is guilty of a replay attack with no evidence, purely because 
> it chooses not to hold that amount of evidence. Therefore it's proper 
> that it holds a sufficient window of evidence for any plausible 
> reordering.
>
> BTW, the C-queue target has never been 25ms. I noticed JM said that 
> incorrectly as well recently.
> * A default C queue delay target of 15ms has always been recommended 
> in aqm-dualq-coupled. That results in PI2 Qdelay of about 25ms at the 
> 99%ile or 30ms at the 99.9%ile. We have been considering whether to 
> change the default target to 10ms for some time, but not done so yet.
> * Low Latency DOCSIS specifies a default C queue delay target of 10ms.
>
> So a replay window allowing for 30ms of packets at the interface rate 
> would be sufficient.
> At 1Gb/s (say) using 1500B packets, that's a replay window of 2500 
> packets.
>
> Quoting Pete Heist's info here 
> https://github.com/heistp/l4s-tests/#dropped-packets-for-tunnels-with-replay-protection-enabled 
> [github.com] 
> <https://urldefense.com/v3/__https:/github.com/heistp/l4s-tests/*dropped-packets-for-tunnels-with-replay-protection-enabled__;Iw!!LpKI!y0AavGemYqNsy2Urub76LQ2eIuIinYWTadbh2ddv0r80YQabjQCK8Hywtt-9Grg1$> 
> :
>
>     "Modern Linux kernels have a default maximum replay window size of
>     4096 (|XFRMA_REPLAY_ESN_MAX| in xfrm.h [elixir.bootlin.com]
>     <https://urldefense.com/v3/__https:/elixir.bootlin.com/linux/latest/source/include/uapi/linux/xfrm.h__;!!LpKI!y0AavGemYqNsy2Urub76LQ2eIuIinYWTadbh2ddv0r80YQabjQCK8Hywtu2jvbJy$>).
>     Wireguard uses a hardcoded value of 8192 with no option for
>     runtime configuration, increased from 2048 in May 2020 by this
>     commit [git.zx2c4.com]
>     <https://urldefense.com/v3/__https:/git.zx2c4.com/wireguard-linux/commit/drivers/net/wireguard?id=c78a0b4a78839d572d8a80f6a62221c0d7843135__;!!LpKI!y0AavGemYqNsy2Urub76LQ2eIuIinYWTadbh2ddv0r80YQabjQCK8HywtrpY39m8$>."
>
> Regards
>
>
>
> Bob
>
>
>     Regards
>
>        Sebastian
>
>         On May 21, 2021, at 11:21, Bob Briscoe<ietf@bobbriscoe.net>  <mailto:ietf@bobbriscoe.net>  wrote:
>
>         Chairs, list,
>
>         We've posted a new rev of draft-ietf-tsvwg-ecn-l4s-id-17 attempting to address all the discussion since the last posting just before the interim. In particular:
>
>         * review comments on a careful read from Gorry and the chairs
>
>         * the VPN anti-replay problem
>
>         * added an out-of-band test for an RFC3168 ECN AQM in a shared queue.
>
>         There are a couple of outstanding discussions, which I'm sure will continue on the list, e.g. the role of RFC4774 and whether to remove any of Appx C. But it was considered better to get the queued up changes out, to re-base the discussions.
>
>         This is quite an extensive set of changes, so pls check and pass any comments to the list.
>
>         Thanks for everyone who is contributing, and particularly to the chairs for continuing to referee this all. We've added appropriate thanks in the Acks section.
>
>         Bob
>
>         On 21/05/2021 10:09,internet-drafts@ietf.org  <mailto:internet-drafts@ietf.org>  wrote:
>
>             A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
>             This draft is a work item of the Transport Area Working Group WG of the IETF.
>
>                      Title           : Explicit Congestion Notification (ECN) Protocol for Very Low Queuing Delay (L4S)
>
>                      Authors         : Koen De Schepper
>
>                                        Bob Briscoe
>
>               Filename        : draft-ietf-tsvwg-ecn-l4s-id-17.txt
>
>               Pages           : 57
>
>               Date            : 2021-05-21
>
>             Abstract:
>
>                 This specification defines the protocol to be used for a new network
>
>                 service called low latency, low loss and scalable throughput (L4S).
>
>                 L4S uses an Explicit Congestion Notification (ECN) scheme at the IP
>
>                 layer that is similar to the original (or 'Classic') ECN approach,
>
>                 except as specified within.  L4S uses 'scalable' congestion control,
>
>                 which induces much more frequent control signals from the network and
>
>                 it responds to them with much more fine-grained adjustments, so that
>
>                 very low (typically sub-millisecond on average) and consistently low
>
>                 queuing delay becomes possible for L4S traffic without compromising
>
>                 link utilization.  Thus even capacity-seeking (TCP-like) traffic can
>
>                 have high bandwidth and very low delay at the same time, even during
>
>                 periods of high traffic load.
>
>                 The L4S identifier defined in this document distinguishes L4S from
>
>                 'Classic' (e.g. TCP-Reno-friendly) traffic.  It gives an incremental
>
>                 migration path so that suitably modified network bottlenecks can
>
>                 distinguish and isolate existing traffic that still follows the
>
>                 Classic behaviour, to prevent it degrading the low queuing delay and
>
>                 low loss of L4S traffic.  This specification defines the rules that
>
>                 L4S transports and network elements need to follow with the intention
>
>                 that L4S flows neither harm each other's performance nor that of
>
>                 Classic traffic.  Examples of new active queue management (AQM)
>
>                 marking algorithms and examples of new transports (whether TCP-like
>
>                 or real-time) are specified separately.
>
>             The IETF datatracker status page for this draft is:
>
>             https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-tsvwg-ecn-l4s-id/__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9qj70HfR$  <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-tsvwg-ecn-l4s-id/__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9qj70HfR$>  [datatracker[.]ietf[.]org]
>
>             There is also an htmlized version available at:
>
>             https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-17__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9vC50L2Y$  <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-17__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9vC50L2Y$>  [datatracker[.]ietf[.]org]
>
>             A diff from the previous version is available at:
>
>             https://urldefense.com/v3/__https://www.ietf.org/rfcdiff?url2=draft-ietf-tsvwg-ecn-l4s-id-17__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9oZoDRib$  <https://urldefense.com/v3/__https:/www.ietf.org/rfcdiff?url2=draft-ietf-tsvwg-ecn-l4s-id-17__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9oZoDRib$>  [ietf[.]org]
>
>             Internet-Drafts are also available by anonymous FTP at:
>
>             https://urldefense.com/v3/__ftp://ftp.ietf.org/internet-drafts/__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9rKXcwvA$  <https://urldefense.com/v3/__ftp:/ftp.ietf.org/internet-drafts/__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9rKXcwvA$>  [ftp[.]ietf[.]org]
>
>         -- 
>
>         ________________________________________________________________
>
>         Bob Briscoehttps://urldefense.com/v3/__http://bobbriscoe.net/__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9gj_uPXC$  <https://urldefense.com/v3/__http:/bobbriscoe.net/__;!!LpKI!xeGDaVTRL33QRdX3Tos2AURXirtYtZXHcEP8W5a6OO_m4gWSHU68p06V9gj_uPXC$>  [bobbriscoe[.]net]
>
>
>
> -- 
> ________________________________________________________________
> Bob Briscoehttp://bobbriscoe.net/ [bobbriscoe.net]  <https://urldefense.com/v3/__http:/bobbriscoe.net/__;!!LpKI!y0AavGemYqNsy2Urub76LQ2eIuIinYWTadbh2ddv0r80YQabjQCK8HywtoRgTac-$>

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/