Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 18 May 2021 12:33 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/QE3C13LSFXu_ItXblwjqJqfwpM0>
Hi,

I think I have read through all the relevant discussion of this issue. I have to agree with Bob Briscoe that this is a general issue for tunneling protocols that have several properties:

- Any form of replay protection with a window shorter than the produced reordering (e.g. IPsec), or that has a reordering-restoring functionality (e.g. L2TP).
- Marks through ECN and/or DSCP.
- Aggregate multiple sub-flows.

These tunnels will exhibit issues either resulting in packet loss (replay protection) or additional delay (to cancel out the reordering) when the tunnel flows are going through some type of queue that will cause reordering, i.e. when sufficiently loaded to have any queue buildup to reorder around. Any forwarding-impacting technology that would cause subflows to be subject to improved performance compared to other flows will trip over this issue. That is clear based on the significant discussion of this related to diffserv in IPsec RFC 4301, and Section 4.1 in RFC 2983 (https://datatracker.ietf.org/doc/html/rfc2983#section-4.1).

From my perspective we can't halt progress towards improved performance based on this general problem. We should mitigate and inform about the issue. However, I think part of the burden here long term will need to be put on the tunnels that exhibit the above properties. They need to track development in network technologies to stay current.

It is clear that tunnels that handle this by correctly classifying the subflows before aggregation and putting them in tunnels with the same type of forwarding performance will not suffer. The alternative solution is to avoid the mark-through separation and lose the potential benefit if encountering a queue where differentiation could have been done. But that requires the pipe-style handling on egress to correctly preserve the ECN information for L4S, just as it does for the DSCP field.

And thirdly, if one's replay protection is reasonably scaled with the experienced jitter and tunnel throughput rates, this would also not be a significant issue.

Thus my opinion is that in the L4S context we need to document this impact, link to solutions or mitigations that can be applied, and potentially push for updates on important affected specifications, like IPsec.

Cheers

Magnus Westerlund
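To make the reordering-versus-window argument in the message concrete, here is an added example that is not part of the thread or of any IPsec implementation: a minimal RFC 4303-style anti-replay bitmap window, and a constructed two-subflow tunnel in which the L4S-marked subflow is queued with lower delay than the Classic subflow, so the egress drops Classic packets whenever the resulting reordering exceeds the window. The packet count, queue delays and window sizes are constructed values chosen for illustration.

```python
class AntiReplayWindow:
    """Sliding bitmap window in the style of RFC 4303 Appendix A."""

    def __init__(self, size: int):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set <=> sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        """True if seq is accepted; False if it is a replay or behind the window."""
        if seq > self.top:                          # right of window: advance it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                       # left of window: too old
            return False
        if (self.bitmap >> diff) & 1:               # inside window, seen before
            return False
        self.bitmap |= 1 << diff
        return True


def simulate(window_size: int, n_packets: int = 40,
             classic_delay: int = 20, l4s_delay: int = 1) -> dict:
    """Count anti-replay drops per subflow for one pass through the tunnel.

    Odd sequence numbers are the Classic subflow, even ones the L4S subflow;
    the ingress sends one packet per tick in sequence order and each queue
    adds a fixed delay (constructed numbers, not measurements).
    """
    pkts = []
    for seq in range(1, n_packets + 1):
        flow = "classic" if seq % 2 else "l4s"
        delay = classic_delay if flow == "classic" else l4s_delay
        pkts.append((seq + delay, seq, flow))       # (egress arrival tick, seq, flow)
    window = AntiReplayWindow(window_size)
    drops = {"classic": 0, "l4s": 0}
    for _, seq, flow in sorted(pkts):               # egress sees packets in arrival order
        if not window.accept(seq):
            drops[flow] += 1
    return drops


if __name__ == "__main__":
    for size in (8, 16, 32):
        print(f"window={size:3d}: drops={simulate(size)}")
```

With these constructed delays the Classic packets arrive up to 17 sequence numbers behind the window's top, so windows of 8 and 16 drop part of the Classic subflow while a window of 32 accepts everything, which is the "scale the window to the jitter" mitigation from the message.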