IETF Logo Mail Archive

Re: [tsvwg] Update to Position Statement on ECT(1)

Sebastian Moeller <moeller0@gmx.de> Thu, 28 May 2020 10:55 UTC

Return-Path: <moeller0@gmx.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 163823A0E3F for <tsvwg@ietfa.amsl.com>; Thu, 28 May 2020 03:55:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LdBgZk8q1N97 for <tsvwg@ietfa.amsl.com>; Thu, 28 May 2020 03:55:12 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B40A63A0E26 for <tsvwg@ietf.org>; Thu, 28 May 2020 03:54:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1590663286; bh=j5FCmaGXArGTNdbwQvb+00Tv22qskhH6NXDGyn4CMtA=; h=X-UI-Sender-Class:Subject:From:In-Reply-To:Date:Cc:References:To; b=WcdMSo3Qs5ogm8bMy6EMiKfTIYBaBwJl88lFQiEnqLS6Hpu+ybSJDBSoure/aaC3C 1ooTvMylShV/XN+YdQXazHQBGXHLGEiW7KQA65zcqQcdlcEK8BCKmZZimtjWOPvgTe t84dzbvq3wwFoLmH+Of5jqESP+N3ZQcO0ia9JldU=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [10.11.12.3] ([134.76.241.253]) by mail.gmx.com (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1Mnps0-1jFNwi0ur4-00pLM6; Thu, 28 May 2020 12:54:46 +0200
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.14\))
From: Sebastian Moeller <moeller0@gmx.de>
In-Reply-To: <318274A2-E8D3-4CFA-B4BD-CD67EDA4A759@akamai.com>
Date: Thu, 28 May 2020 12:54:45 +0200
Cc: TSVWG <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7E25905C-37C8-401B-B50F-B3909EFAC3CE@gmx.de>
References: <BE44EAE9-5CFB-4F5D-85B8-05AFA516C151@akamai.com> <CACL_3VEbUHB-Omwp1-g5Tq3G3J-kKj9N3jPZLcfruicw3X=AsA@mail.gmail.com> <2CBBD8CD-2088-4E41-B113-EED665853D3C@akamai.com> <CAM4esxSFCBcxXjz5JJJg1z6+wwfN3mTrtJ8bKiBsj2TeOmmFSw@mail.gmail.com> <93331803-e7db-95dc-a4ae-052c347c3c86@bobbriscoe.net> <MN2PR19MB4045568B4A794F1DCE6974BB83B90@MN2PR19MB4045.namprd19.prod.outlook.com> <42234fd1-6ee8-cbcc-408c-1ea2b2554f2b@bobbriscoe.net> <9539CFBB-5F07-4104-B30D-BFE323F20352@akamai.com> <CACL_3VG3xwP=XLdzpdH2BMiFgb7a4aBNnp-SWkMSm+0=GbibXQ@mail.gmail.com> <5CD259C9-FA69-42C5-A879-1A85BB57343D@akamai.com> <B32AB94B-ECAA-4B76-80E3-510E4D071C51@gmx.de> <318274A2-E8D3-4CFA-B4BD-CD67EDA4A759@akamai.com>
To: "Holland, Jake" <jholland@akamai.com>
X-Mailer: Apple Mail (2.3445.104.14)
X-Provags-ID: V03:K1:cFyssiDJ8y605+/u8J6LXl5O2d3/snVpLOTLneehgSDBV9ev9A7 No0wKJBZeWsKGx2kqvlOSAoWNYtHZ2WUWdYkrrtZoKD961MrSiey10JjXK8QXX4i1tMFCxZ 59f6/+9GXgtb4xziLiPt8gFkID+dXBM0nyOzVTOB6yD/JHM0Wh3+ybvwZ0Gl/VTbJNS/cHH 56HhJP6HqJxMmRy+hOgEA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:wC4znvL24Pw=:fHLP8zp9xoAKe2rJ/5yWpT IhrHw9zCJRHNmkpyYixPDPnwNX5QyJQMh6QKpY6l41CanSmXWDopLYS7XimPf3ZQZOUDaGp7r 85nfCpFU/bcg/4t881M/LzDS5UVGcEGFQl5YUGxmjBjCerPsQgDTQt09pKb7pwbIJTOtjLHln W8Nqbpin17KH/ATGaylkpFi12jFPPWxJ6NHzD4lZBWMWJylA9/3gh6couEirxhbGThjEH73k4 40Mn4tbFQITbm9srIQtMu6D+wiaEDxAK5EWZcNSEB01rCrTwDZO1yYbp2JDXu0Oo2zbOxTqLv DBy87gBAMuXwVCCTEEmXXAYKzrsIydSXXagRrdAD508BqbzRvGNgAp2v0nCgPSgv27WsPM+lw zi3PytFmURWK/WVm5LGJi/haX0GUCJpwJreEisRPKqgbZmnnG2xh7iMKL0r8OQeAOo94pP8Ll NNmoX6WPrxl06tccj+Zizrw2TQUEW7PRf0hg5gUdLc9K/vLEnxupRa4GdPWF3zUOdnc/05ofW t5prKhAoNHE5Mnx6OH/H7ZhJY2dWrocPat035W6G6sjaAJhYZH5ONNPkeB1ymPbDv9iyHM+Go MZfzXrY9V5EoPt/iLF9odmX/p2Az618ZukNzuBaah9zYbByCr4iRZDiEfg2wzW6p1xBXVhCai Xq5q1LQrZrNgzyjEWdLv1+cbLF3unKEJXQC7y1nSbj39vPxU0wlFzqUF3Jzpo6lrzvMmQ6J7K m28E4/r2dm6BY1iiTUBfcHBH8HyjpH5pOtoibcTh7IJsUJ+NanhzSWijheOyfREF8kUwapAUh 45/dtBPODnBvj1+NXgMI4jZMtDstV3+WaBM7obYcxlHs76HRDdmnNk3KrGBaJnlWv5JilNREo /s5BJ5Hu7wwqQr8ctc1cPikkhs9TqCNpe9iO/0Jczw7Tfb9W/wBdGPA67I5V4SrGx5K+UZ1OQ qoimboWTJ0/gaYRchmm4gM4H3HCJ5R3fbtVhCgcN6SfCvh4arI9qCTTknIf3AueDvAlC+UYrk YE2Gb1u0U4uMUsoqlK4vBJ6i5yf3rpYmjynnFahNJ21HU9GU5lizHokLw8Cr876iEnLr9+ZAP hvzzN3PyReXX7yvBxuAktDJ8JWnas34bfEqKFy0Uwv31NQ9dvSJ21eGKGBHLDj/H1ShbxycMR YUeMcBiaHu7TLv6bBoH9PVEW4sl13Ebf7NHrvy//DintnPPjYeb4CzuWt7ieIwvZmPYU0ZUcx EkGmfkL/71INpAT9p
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/TbDGJyVLE8rjAENhH-4VFqpyXE8>
Subject: Re: [tsvwg] Update to Position Statement on ECT(1)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 10:55:18 -0000

Hi Jake,

thanks for the information. Indeed a case of the perfect being an enemy of the good.
From rfc3168:
"The presence of a copy of the ECN field in the inner header of an IP
   tunnel mode packet provides an opportunity for detection of
   unauthorized modifications to the ECN field in the outer header."

This in a nutshell was an original sin, of being clever when KISS could have carried the day. Now, at the time that was probably a reasonable choice, but I wonder whether that design decision is not worth revisiting?

I would humbly ask, whether it is possible to get rid of that requirement and get back to the simple strict copy regime and leave the tampering detection to the endpoints? As the current L4S tunneling discussion indicates, that intent of being cautious back then now is a burden.

I note that according to https://tools.ietf.org/html/rfc4301 tunnel entry already does the simple copy inner to outer, it is really ony the decapsulation side that needs special care...


> On May 28, 2020, at 10:21, Holland, Jake <jholland@akamai.com> wrote:
> 
> Hi Sebastian,
> 
> On 5/28/20, 12:57 AM, "Sebastian Moeller" <moeller0@gmx.de> wrote:
>> I have a question regarding tunneling, that IMHO is left unanswered
>> so far. Why is the rule for ECN and tunneling not simply: copy the
>> inner to outer on encapsulation and the outer to inner on
>> decapsulation. Period.
> 
> Please see RFC 6040.  Section 7 gives the design principles,
> and Section 4 describes the current standard rules.  The Intro
> also reviews some of the other considerations that went into it.

	[SM] Thanks.


> 
> Of course there are some important considerations toward ensuring
> that CE is not erased on the inner or outer packet, regardless
> of whatever network condition led to that occurring, if it
> occurs, which seemed to get a bit more attention than the ECT(1)
> overwriting.  But as far as I can tell, the overall reasoning is
> more or less laid out there.

	[SM] So what puzzles me is that these rules all give tunneled traffic additional ECN sanity checking that non-encapsulated packets traveling over the same path and hence the same AQMs do not enjoy?


> 
> If you're looking for a deeper "why", I guess there's also the
> comments in the writeup and final reviews:
> https://datatracker.ietf.org/doc/rfc6040/writeup/
> https://datatracker.ietf.org/doc/rfc6040/ballot/

	[SM] Thanks a lot, short but helpful.

> 
> Probably also there's some discussion in the list archives around
> that time if you care to search for it.
> 
> But it seems the consensus at the time landed on a copy of outer
> to inner for ECT(1) overwriting ECT(0) on decapsulation, but not
> for ECT(0) overwriting ECT(1) (which I think is the only change I'd
> want in order to enable the 2-signal proposal, to the extent it
> seems possibly worth doing).  To me it's an understandable decision,
> especially considering RFC 6660, which seems essentially "SCE but
> only applicable inside DSCP", and would prefer not to lose that pre-
> congestion signal if something weird happens while it's tunneled.

	[SM] But again that same pre-congestion signal would be lost for non tunneled packets encountering the same path, no? The only additional step would e the tunnel decap, but we need that to work reliable anyway, as otherwise nothing is guaranteed anymore?

> 
> As an aside, I think it's a fair claim that Bob made, that he's the
> one who has been trying to fit this jigsaw together for over a decade.

	[SM] Sure, that is quite some work and time invested in all of this.

> Not to endorse his conclusion that the best choice today is to do
> something that seems to break regular ECN, but between his authorship
> of those specs and his long list of other publications on the topic,
> it's a good bet that Bob has given the whole space a larger quantity
> of thought than anyone else alive, which is certainly worth something.

	[SM] Sure, the sign that I propose simplistic solutions, is probably a cause of Kruger-Dunning and nit fully appreciation the intricacies of the problem space and what kind of unfortunate behavior already exists in the wild and needs to be dealt with.

	That said, "working best" with the current breed of tunnels is not the only sane criterion, especially if we are talking about longer term evolution of the network.

Best Regards & Thanks
	Sebastian



> 
> Best regards,
> Jake
> 
>

v2.23.0 | Report a Bug | By Email