IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

Greg White <g.white@CableLabs.com> Mon, 03 May 2021 17:36 UTC

Return-Path: <g.white@CableLabs.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574243A1DB8 for <tsvwg@ietfa.amsl.com>; Mon, 3 May 2021 10:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cablelabs.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q2AJF56Kl5MZ for <tsvwg@ietfa.amsl.com>; Mon, 3 May 2021 10:35:55 -0700 (PDT)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2101.outbound.protection.outlook.com [40.107.237.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A28363A1DB7 for <tsvwg@ietf.org>; Mon, 3 May 2021 10:35:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FMxWNZsFUDkmcPsd/V0s6Z1JQoZvD73GBWaXpL8RQW0MbniheAboFF67XFoGSNsK7UQohaTtjtEBXIXBEtyhivF2+zYsh+6gfnEPcxHikpLV5u672VNqsFPc+zQAF6qVluzJn+udla4oDVC7wazcSZAfZS8snMYASB6iYqdvqD20AzxM0wgdxtTOjN6D5rOdeHoyGSwqnFqcSNf6XHuurOgFcL8QW4G0i22ONLfPFfj3KIfddULkgXjv4CJinNavz73khpf1JLtp7SS3fEy8c2249DcHsa7CdFwOqXEBjaZnYLkAbJig5AOkzEw/4fQ3yU24nu+lRYt1Bp5XJLXGmg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lVrc3qlW6f9EU1PuM9+hsFa3nfVL3DPauGaOGb3ci/g=; b=Fz2TJpizPl1OsKWIagPn53/Wu88TkaxVW8GZ+khiZnSKLXoHW0qYa8dNY8/DyXUvTLyew1TUAdy0AREd39hP2+Wg/9MHCLQE9nty1HBWRLWGbepE6XrsIadh5nEhLBnxQ77jnDPlQ+fdTR/qQePTM9FSOTILjhfU6M2IiyQnr5S7wbSD2IW6M6KOOy6lToaUjRkFvQpQIL77ySDB1kt9/j1U0nlHngtr2EHH61yJMG4EH0JgqZTnhkVmt2AqG+TYKLztbMibokZ/t+Xx5cCEQS9tIwByBSwQBdGb74w7z/BWy0W90j7NeKg1UiwJ9DlF+d4kK3gYWiHiI0VZLMAFBg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cablelabs.com; dmarc=pass action=none header.from=cablelabs.com; dkim=pass header.d=cablelabs.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cablelabs.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lVrc3qlW6f9EU1PuM9+hsFa3nfVL3DPauGaOGb3ci/g=; b=ngjdKDdMWE8yrVdgpoeANdXm/ZGQdqIt/bXs6Kw9R6WMBQHDhnhOf73Kw7POvksjBYeBNB/xjO+SbnxbSf/eFOSkB4e/Aak12IeyRrKB74l2kC50kqACfAPAPx4IlCu24t91A8rje84qtxN7Pem2/i5Af0PMrYKRA73HpsN9vpad7hKu3TcaXvRoL9w6DRHI1btM9iarXnoAHBYVzcD9IkJejTLLChKRG4sWOWrxSeu7SI2IWnqE3D5N6M62IW6uJ95AL/RQlEbAXQGmLT8E/5TrZSUm7JrWjtaYYIxCaXXCLOjRvVWaD0ExQItBmcWRXC2HXUXFvxYjf5inCFL5yQ==
Received: from CY4PR06MB2821.namprd06.prod.outlook.com (2603:10b6:903:130::11) by CY4PR06MB2343.namprd06.prod.outlook.com (2603:10b6:903:12::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4087.25; Mon, 3 May 2021 17:35:54 +0000
Received: from CY4PR06MB2821.namprd06.prod.outlook.com ([fe80::8161:6d07:dea0:8696]) by CY4PR06MB2821.namprd06.prod.outlook.com ([fe80::8161:6d07:dea0:8696%8]) with mapi id 15.20.4087.043; Mon, 3 May 2021 17:35:54 +0000
From: Greg White <g.white@CableLabs.com>
To: Sebastian Moeller <moeller0@gmx.de>, TSVWG <tsvwg@ietf.org>
Thread-Topic: [tsvwg] L4S dual-queue re-ordering and VPNs
Thread-Index: AQHXQELEO/txP1SwwEWhinU9UI/E/A==
Date: Mon, 03 May 2021 17:35:53 +0000
Message-ID: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.44.20121301
authentication-results: gmx.de; dkim=none (message not signed) header.d=none;gmx.de; dmarc=none action=none header.from=CableLabs.com;
x-originating-ip: [73.243.9.160]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 402b45d9-1161-4538-42bd-08d90e59e707
x-ms-traffictypediagnostic: CY4PR06MB2343:
x-microsoft-antispam-prvs: <CY4PR06MB2343FF24BE909EE44FAE982EEE5B9@CY4PR06MB2343.namprd06.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: sQVGxvmHaN0QPQomQYm8bsBcB4QA8c4WUhN6ssJ2RP2Soo9e+pGU2h38sp+U+H5IwXFrS3qD6BvuJThHYoYA0XLt4UWq6GUOQYO2ptg12Snw55ZhEvy5xxPRrzrb1RNfsqCG7hD8cBc8gY3NYqfX9VbEB0DH9Y0OoHUe5t5lAINSEFM/OtDWgIrIHrStdPTjoB3QiU2jKU1HspA85vz5nI/FKYHxfLqSdnl/x4ncNuY42whbuasHh1U4B2sIdO/MSIA5U9ErmQdRoP/TXuODkxxarQxJas4GLD+oCQOYSYXrnVzhKWSRNv8VBuWCYzRNkvlaIu3hE1j39uzUm7fX7/oRfRQq8kRe4e+Nac/yyJYzZbDqXf3TnnUWoClYWMbqXz/IBLSIpX1vBGKamd94L0GK1/inmWgG/aKB8/zLpZOyh87AKDr6Ftflc4Y3gx7eLtqTu/O7Sms/a3S+SF4Ghtfey9pZQTM5Wiljs2QOwzHiZX/05da3rld3knh9Rt6LfGMf8tCL75UU0jfkqRVJSJ7MMv0QxffFJeQY9AWGbu76lRHXxuHgji09gddG2F0WFXF9tYNGKD6idskYGWZyfrOuFLcGkj0iRzzIn4oEdBlaSpXRhN6aEXJQeQdXTvyINK4Q85sP37LGcXPQv4jwIYvu6Rwybn0mgMovT+weWD1JYOMKW7Qo/Mmp/vFbyBZxcogffD+R1nd0IhHUQBRw3rsHYNaEMWcyMWfFkZN0d3bWRO9vz81MSG0CazcoksUanMlxCpE0s3Sh3Ww2u1HvRw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR06MB2821.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(366004)(136003)(39850400004)(346002)(396003)(6512007)(2906002)(6506007)(316002)(8936002)(2616005)(71200400001)(122000001)(36756003)(8676002)(38100700002)(6486002)(33656002)(83380400001)(478600001)(66556008)(66446008)(64756008)(86362001)(5660300002)(966005)(186003)(26005)(66476007)(110136005)(76116006)(66946007)(45980500001)(85282002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: g3P0rH8oOq4km3v5WkBLaDT0qRmtkEdZqJBz1VnNq3pI3ni837Ek4bclarxl/ku11Bs7oXs/33djKHa8gy/Y/sSewAwsMROl/oNx98ZmGeqrQersz1G5SRlcQGncWLbdoYWtx5ogIN3TOwTv0GiWg2KtRdlt2rUB+oUY5dYxStTy/6Q8IPyWLWACVKyoZNI2MjsXt+5r1bkqKOJ3t0BwOQFK4NOM8/W2KSlj1VbG2Il7kH9i3NY2J5eRXCWBJoILi1W57b+mInVNIuWhvc1pwNbTYHBChfFLU0PYKkYOevC+htu5L61nogwzDLOkF09er7crLq9tSHxDjm4Fl2sFIoSpAQOvCDPHTzo7KPnuor7hWWHsLQEc9JX8AclfXAHQSvB65vs7irX93xaH/m6K1NwLYxDcpYVi1hfcxE4I+z6A6fy6VGbflked87zZaVqdC2HYDgJibuSHrFJlMiRecFsIhQJTS/ITiG4nujiZ74en6wXvF0JdPDh/y+00adAS0xzkArRPPbWMDerHot8b/TR9C3AjjM+F1YQaUlHK3GHtojC98mBHoRDo877g9qDe2Ln96+C4cF23jRTJkoe99AdSxUBHDKzqrFUXXe0H6bKZMo3T8KzpIXMi9Kn1Yx5sF6Ncq2zu6hl9miA9cC1CT3SxL3120AYih9cNGB4+b7iU/i6wWWCIotggyLL2XNUyYM8fFQIRfcxug301XcMwJG/V3vdCdn25puidkvgXCsyZkAdCuNL1801zY0AeXFTQ7dkcdsoXHYwCImqjXDhzS0WqhWkZaRFc7Ic7RkWqI8h7uqwxvDGv3bZG9WavEEAkfW8wmY+pni+lyF/bP+CcGTwxG1jmwxQhYvGcq62kVNbmop51HcYg6HhMZIyaVS9n0Rzw5bYUg/3iwIAb/lqMc+02xvUDQOcPqCRCnAlVOmXuXL8Xv2q+4/SQEWNq6yaIuPdYNMUY92mR2IonwVeNV9uDbP+zthjqFWQc1JF/hfrB9wjiSa8ASkVcgOMrbGFBgmVlYi141g0mlZ5KiyWjVWgH6Bl0hmYhscipCmsia3mtjNRVwT3B0LGkyPazAJbIkz+ptA1HxZpk9IE+YCVZk1c36kSr9ZZF8SK3CB7MqDIW3fIroDdjoNmJb/PDTe0Fkvq8+4KAYfl7HmN7++DyxAv/opyEKpiX3e4lGenwgEzJalo40MAMQvqtbPO0P9pIAVXUjwcg3iwb/rZN9+IMxYy+um29la0NF7OrukRLBp8tMH9fJLY/MU+okyrezEW99iCZLZCMawDX7X/RADumdnenSb7mFcqHmWqsIoihJNSfpffLHNS/t79y1/68frI/
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <060454694A75A74C9870517832D49655@namprd06.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cablelabs.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY4PR06MB2821.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 402b45d9-1161-4538-42bd-08d90e59e707
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2021 17:35:53.9217 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: ce4fbcd1-1d81-4af0-ad0b-2998c441e160
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xRT3BURt3BPR7RhYsBEckygOBMZ97c53jdu7JdFmyB3b18B5B095mAn8ysp4CiIM0ea5KDfmfDELRcWR6Ydn9A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR06MB2343
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Vq3s_6C4LPOQQe0DKUGhDEHPdME>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 May 2021 17:36:01 -0000

I'm not familiar with the replay attack mitigations used by VPNs, so can't comment on whether this would indeed be an issue for some VPN implementations.  A quick search revealed (https://www.wireguard.com/protocol/ ) that Wireguard apparently has a window of about 2000 packets, so perhaps it isn't an immediate issue for that VPN software?

But, if it is an issue for a particular algorithm, perhaps another solution to address condition b would be to use a different "head of window" for ECT1 packets compared to ECT(0)/NotECT packets?  

In your 100 Gbps case, I guess you are assuming that A) the bottleneck between the two tunnel endpoints is 100 Gbps, B) a single VPN tunnel is consuming the entirety of that 100 Gbps link, and C) that there is a PI2 AQM targeting 20ms of buffering delay in that 100 Gbps link?  If so, I'm not sure that I agree that this is likely in the near term.  But, in any case, it seems to me that protocols that need to be robust to out-of-order delivery would need to consider being robust to re-ordering in time units anyway, and so would naturally need to scale that functionality as packet rates increase.

I'm happy to include text in the L4Sops draft on this if the WG agrees it is useful to include it, and someone provides text that would fit the bill.

-Greg


On 5/3/21, 1:44 AM, "tsvwg on behalf of Sebastian Moeller" <tsvwg-bounces@ietf.org on behalf of moeller0@gmx.de> wrote:

    Dear All,

    we had a few discussions in the past about L4S' dual queue design and the consequences of packets of a single flow being accidentally steered into the wrong queue.
    So far we mostly discussed the consequence of steering all packets marked CE into the LL-queue (and https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-14#appendix-B.1 Risk of reordering Classic CE packets: only discusses this point); there the argument is, that this condition should be rare and should also be relative benign, as an occasional packet to early should not trigger the 3 DupACK mechanism. While I would liked to see hard data confirming the two hypothesis, let's accept that argument for the time being.

    BUT, there is a traffic class that is actually sensitive to packets arriving out-of-order and too early: VPNs. Most VPNs try to secure against replay attacks by maintaining a replay window and only accept packets that fall within that window. Now, as far as I can see, most replay window algorithms use a bounded window and use the highest received sequence number to set the "head" of the window and hence will trigger replay attack mitigation, if the too-early-packets move the replay window forward such that "in-order-packets" from the shorter queue fall behind the replay window.

    Wireguard is an example of a modern VPN affected by this issue, since it supports ECN and propagates ECN bits between inner and outer headers on en- and decapsulation. 

    I can see two conditions that trigger this:
    a) the arguably relatively rare case of an already CE-marked packet hitting an L4S AQM (but we have no real number on the likelihood of that happening)
    b) the arguably more and more common situation (if L4S actually succeeds in the field) of an ECT(1) sub-flow zipping past ECT(0)/NotECT sub-flows (all within the same tunnel outer flow)

    I note that neither single-queue rfc3168 or FQ AQMs (rfc3168 or not) are affected by that issue since they do not cause similar re-ordering.


    QUESTIONS @ALL:

    1)  Are we all happy with that and do we consider this to be acceptable collateral damage?

    2) If yes, should the L4S OPs draft contain text to recommend end-points how to cope with that new situation? 
    	If yes, how? Available options are IMHO to eschew the use of ECN on tunnels, or to recommend increased replay window sizes, but with a Gigabit link and L4S classic target of around 20ms, we would need to recommend a repay window of:
    >= ((1000^3 [b/s]) / (1538 [B/packet] * 8 [b/B])) * (20[ms]/1000[ms]) = 1625.48764629 [packets]
    or with a power of two algorithm 2048, which is quite a bit larger than the old default of 64...
    	But what if the L4s AQM is located on a back-bone link with considerably higher bandwidth, like 10 Gbps or even 100 Gbps? IMHO a replay window of 1625 * 100 = 162500 seems a bit excessive


    Also the following text in https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-14#appendix-A.1.7

    "  Should work in tunnels:  Unlike Diffserv, ECN is defined to always
          work across tunnels.  This scheme works within a tunnel that
          propagates the ECN field in any of the variant ways it has been
          defined, from the year 2001 [RFC3168] onwards.  However, it is
          likely that some tunnels still do not implement ECN propagation at
          all."

    Seems like it could need additions to reflect the just described new issue.



    Best Regards
    	Sebastian

v2.23.0 | Report a Bug | By Email