IETF Logo Mail Archive

Re: [tsvwg] draft-ietf-udp-options issues from IETF 104

"C. M. Heard" <heard@pobox.com> Wed, 17 July 2019 00:43 UTC

Return-Path: <heard@pobox.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A12B412013B for <tsvwg@ietfa.amsl.com>; Tue, 16 Jul 2019 17:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pobox.com; domainkeys=pass (1024-bit key) header.from=heard@pobox.com header.d=pobox.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iMfjmleXE7XX for <tsvwg@ietfa.amsl.com>; Tue, 16 Jul 2019 17:43:01 -0700 (PDT)
Received: from pb-smtp20.pobox.com (pb-smtp20.pobox.com [173.228.157.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 101EF120110 for <tsvwg@ietf.org>; Tue, 16 Jul 2019 17:43:00 -0700 (PDT)
Received: from pb-smtp20.pobox.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id 1172D8DBB1 for <tsvwg@ietf.org>; Tue, 16 Jul 2019 20:43:00 -0400 (EDT) (envelope-from heard@pobox.com)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type:content-transfer-encoding; s=sasl; bh=2d4O3O93uUgE yLDdohjz0Fhk47U=; b=rkEWgHUegbD5PS9T0TLHV+yZb+/q4AOU5wlmQWAJEWNA AV8jPnOBhLjbO8q8R0/tKVKWyjvWfnutNG1cDDcutpmG1Bs+Is0Y6wshaDyHJB46 etO4dDMGJQ6X/Z0lH4kOFa4IX5KRa4/0d5slQ03knDyBo5oVOpa/L5oyGZqEi4A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=mime-version :references:in-reply-to:from:date:message-id:subject:to:cc :content-type:content-transfer-encoding; q=dns; s=sasl; b=OGA/3P Qe+SdhC/ZwIwAaiIdXuhJAEaNDWvsNi54G4IdGYdz1112WUrrT288lDjfKWnhv/1 IByt1msyDLTeNPiDHrP+25XMGqTcxfNq6BKC3IyqAdHFnIr6yN/QgoY2p5QgHtuG 8yQaAWhoY/a5JGLfxqYNnKrC1Af3b+vtmsJJU=
Received: from pb-smtp20.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp20.pobox.com (Postfix) with ESMTP id F2B088DBB0 for <tsvwg@ietf.org>; Tue, 16 Jul 2019 20:42:59 -0400 (EDT) (envelope-from heard@pobox.com)
Received: from mail-io1-f44.google.com (unknown [209.85.166.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pb-smtp20.pobox.com (Postfix) with ESMTPSA id 960818DBAC for <tsvwg@ietf.org>; Tue, 16 Jul 2019 20:42:57 -0400 (EDT) (envelope-from heard@pobox.com)
Received: by mail-io1-f44.google.com with SMTP id j5so38841153ioj.8 for <tsvwg@ietf.org>; Tue, 16 Jul 2019 17:42:57 -0700 (PDT)
X-Gm-Message-State: APjAAAVwU6rpJhwKqmMFB5OqE2niUh5tRD7nCXELjTgbxyAzva6/dsRA BBxZJ02HtgVdRTqz38DLoqbVuul40uk8XWXy1DU=
X-Google-Smtp-Source: APXvYqz+49trse1BvWWFJc1Q1hq0/FRefNTnp4RibMZzIqXWRqzt3M8NfkRU/NFew/m0a9hH8ai+cOOco5zs/jVRJY8=
X-Received: by 2002:a02:862b:: with SMTP id e40mr10759196jai.7.1563324176428; Tue, 16 Jul 2019 17:42:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAPDqMeq9GjEQKukH1pZOTdE50e_rc3U6gpdxT-5qrS5phD0RGw@mail.gmail.com> <646D45AD-D79B-4BD2-A084-7DA97CE2C415@strayalpha.com> <7EC37B50-45D5-4CF1-B113-205E55BF244E@strayalpha.com> <CALx6S34s7L7xo+26bt5Cdaqi4Es5Aci42GHk1WNKzugr5st-Gw@mail.gmail.com> <B525BF50-EFCC-44A5-A604-6CDDA914A1CB@strayalpha.com> <CAPDqMep3R6z9PRKkHyOvrh6sV9n5Sc0B++-zVz0FYJCwE6swrQ@mail.gmail.com> <E42A2AE2-F499-465E-BDE6-5EFC0AB20042@strayalpha.com> <CE03DB3D7B45C245BCA0D24327794936306138E9@MX307CL04.corp.emc.com> <CAPDqMeoyNb7vQTdqxLpZpnKb9S7QKeDJNLyQJBmq95yXhB+xfQ@mail.gmail.com> <7D365770-64FE-40BC-901D-B4D7DF6B484B@strayalpha.com> <20190713182554.GB39770@clarinet.employees.org> <CALx6S36mH2M6SYnRSecWXa7k_d1u8O43+CXE-=KqeO0x2e5+qw@mail.gmail.com> <82FF6486-FABF-4D2C-B5E2-178779C720A4@strayalpha.com> <30c17e9c174f6b0da3ecc6b503a8cb17@strayalpha.com> <CACL_3VGs7j+y5vFNT3OL9OKX8ue4rv-Cxi467KR-vbhnMdx86g@mail.gmail.com> <2f71a292f924a9b8de4227c4bbc2f809@strayalpha.com> <CACL_3VGrF5UnbVsSzZZoy1i57WKiQKBX2T3a16UyEVHY=Kr3XA@mail.gmail.com> <CE03DB3D7B45C245BCA0D243277949363061EF7A@MX307CL04.corp.emc.com>
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949363061EF7A@MX307CL04.corp.emc.com>
From: "C. M. Heard" <heard@pobox.com>
Date: Tue, 16 Jul 2019 17:42:44 -0700
X-Gmail-Original-Message-ID: <CACL_3VE7+3WD3Uzubf8X9uQX9ZYPnZVhXjheUOuL9EfjT1JkGQ@mail.gmail.com>
Message-ID: <CACL_3VE7+3WD3Uzubf8X9uQX9ZYPnZVhXjheUOuL9EfjT1JkGQ@mail.gmail.com>
To: "Black, David" <David.Black@dell.com>
Cc: Joe Touch <touch@strayalpha.com>, tsvwg <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Pobox-Relay-ID: D2441164-A82B-11E9-8F17-B0405B776F7B-06080547!pb-smtp20.pobox.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/WPa_clJD4zWDdCHvq0NlYuWEW00>
Subject: Re: [tsvwg] draft-ietf-udp-options issues from IETF 104
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 00:43:04 -0000

On Tue, Jul 16, 2019 at 2:33 PM Black, David wrote:
> In other words the receiver does one of two things:
>
> - If UDP CS != 0, expect to find that OCS !=0.  If OCS == 0, something
>   is wrong. (MUST check OCS).
>
> - If UDP CS == 0, don’t bother doing anything with OCS, even if OCS is
>   non-zero. (I think “don’t bother” winds up being: SHOULD ignore OCS).

What I intended to say might be more accurately expressed by saying
that the default receive behavior is:

- If UDP CS != 0, perform the UDP checksum validation and discard the
  entire packet if the validation fails. In addition, if a surplus area
  is present, perform the OCS validation, and discard the surplus area
  if the validation fails.

- If UDP CS == 0, do not perform either of those checks. Accept or
  discard the UDP datagram and its surplus area depending on whether
  UDP CS == 0 is or is not allowed for the socket in question.

Implementations MAY, but need not, support the following configuration
options: (a) disable checking of OCS when UDP CS != 0 and (b) enable
checking of OCS when UDP CS == 0.

That is more liberal than David's suggestion, which does not allow (a),
and turns (b) from MAY into SHOULD NOT. I could live with either.

I do have an issue with the "expect to find" language because I
explicitly do not want to levy a requirement on an implementation
to have to look around in the trailer to see if an OCS option is
present before doing the surplus area checksum validation. Looping
through the option TLVs is best done AFTER the OCS is validated.

That may be less of a concern if OCS changes from an option to a 16-bit
word at a fixed offset and we gauge the presence/absence of OCS by whether
it is zero or non-zero. However, having OCS at a fixed offset relative to
the beginning of the surplus area interacts badly with LITE as currently
specified, as LITE is required to come first. And if that fixed offset is
relative to end of the surplus area, then in IPv6 we'd be relying on the
IP Payload Length, which owing to the lack of an IPv6 header checksum has
no error checking apart from that provided by the OCS.

> The UDP CS == 0 case is subtle, even if the receiver SHOULD ignore OCS
> as indicated above.  The reason is that OCS increases the likelihood of
> packet delivery, leading to Tom advocating that OCS MUST be used in this
> case.  As noted earlier, I’m ok with a “SHOULD use OCS” requirement here
> based on increased likelihood of packet delivery, but not a “MUST” even
> with a “receiver SHOULD ignore OCS” requirement.

I was aware from slides-103-maprg-a-tale-of-two-checksums-tom-jones-00 of
dramatic improvements in packet delivery with OCS (there called CCO), from
around 50% delivery rate to over 90% (this is based in the results for paths
to HTTP servers, where the tests look for an ICMP error message and so do not
depend upon getting an answer from the application layer). Those measurements
involved packets with a correct UDP checksum and options. I was not aware
that there was evidence that use of OCS/CCO increases the rate of packet
delivery when UDP CS == 0 is combined with options. Can you point to where
I might find that evidence? I am asking because it's counter-intuitive that
OCS/CCO over the options area would make a difference in that case. It is
constructed to make packet delivery possible through middleboxes that do
either UDP Length Checksum, UDP length Pseudoheader
or Full Payload Checksum, IP length Pseudoheader.

FWIW, one of the authors of that work, Raffaele Zullo, recently did some
measurements for UDP CS=0 over IPv6 with and without options, which he
generously shared with me and gave me permission to share with TSVWG. They
are attached below. I do not know whether the options included CCO, but
apart from that, you'll find a fairly complete explanation of the methodology
near the tail of the thread. The short version is that numbers for case B1
represent the chance that a packet with CS=0 will get to the router one hop
away from the destination. The most recent results show a success rate of
between 62% and 75% without options and between 61% and 65% with options.
That's not very good.

Mike Heard


On Tue, Jul 2, 2019 at 5:25 PM Raffaele Zullo wrote:
>
> Hello Mike,
> Sorry for the very late reply.
>
> There was no problem citing those results, I hope you have been in touch
> with Gorry about this.
>
>
> I actually had only one concern since the measurements I provided were
> related to IPv6 UDP CS=0 only and not UDPO.
> AFAICR the discussion at the time was about the general traversal
> chances of UDP CS=0 with IPv6 and not restricted to UDPO.
>
> However I've run the same measurements including UDPO.
> The meaning of A, B and B1 is the same as before, the second column
> reports the cases in which A,B and B1 happen for both UDP CS=0 and UDPO
> CS=0.
>
> The results are not so different: the drop, more visible for DNS, is due
> to paths that are OK with CS=0 but not with UDP Options.
>
> DNS
>       UDP   UDPO
> A)    2%     1%
> B)   88%    72%
> B1)  75%    65%
>
> HTTP
>       UDP   UDPO
> A)   18%    18%
> B)   76%    74%
> B1)  62%    61%
>
>
> Hope this helps.
> (I haven't had yet the chance to follow the most recent discussion on
> TSVWG).
>
>
> Cheers,
> Raffaele Zullo
>
>
> PS
> Please note a 1-2% difference with the results provided in April: I have
> used the same list of addresses but 3-4% of them did not reply in the
> last measurements.
>
>
>
> On 2019-06-23 15:04, C. M. Heard wrote:
> > Raffaele,
> >
> > I am preparing to make some comments to the TSVWG list regarding the
> > use of UDP CS=0 as a means to get packets with UDP options to traverse
> > middleboxes. I would like to cite your B1 figures as showing that
> > 26%-26% of paths in your measurements block IPv6 packets with UDP
> > CS=0; in fact I'd actually like to forward the trailing message to the
> > list with me comments, if you don't mind. Would that be OK?
> >
> > Mike Heard
> >
> > On Sat, Apr 20, 2019 at 2:49 AM Raffaele Zullo
> > <raffaele@erg.abdn.ac.uk> wrote:
> >
> > > Hello Mike,
> > > Hello Gorry,
> > >
> > > You made quite curious about the traversal of IPv6 UDP CS=0, so I
> > > run
> > > the traceroute measurements from my own host only for this case.
> > > These are the results:
> > > A)  paths working end-to-end (as explained in a previous email)
> > > B)  paths in which last discovered router is the same for UDP with
> > > correct CS and UDP with CS=0
> > > B1) paths in which last discovered router is the same for UDP with
> > > correct CS and UDP with CS=0 and it's 1 TTL from the destination
> > > server
> > >
> > > DNS
> > > A)   2%
> > > B)  87%
> > > B1) 74%
> > >
> > > HTTP
> > > A)  16%
> > > B)  77%
> > > B1) 64%
> > >
> > > Obviously this is not enough to say that these paths are compatible
> > > with
> > > v6 CS=0 but it still suggests that its traversal chances are higher
> > > than
> > > the bare end-to-end percentage.
> > >
> > > Happy Easter,
> > > Raffaele Zullo
...
> > > > On Sun, Apr 7, 2019 at 6:25 AM Raffaele Zullo wrote:
> > > > >
> > > > > Hello Gorry,
> > > > > Hello Mike,
> > > > >
> > > > > Sorry for the late reply.
> > > > > I've got lost in a few other things (basically job hunting is a job).
> > > > >
> > > > > Anyway I finally got my VPN access to the lab network restored so I
> > > > > could retrieve measurements data.
> > > > >
> > > > >
> > > > > We tested a limited number of (paths to) IPv6 servers, obtained from
> > > > > Alexa top-1m:
> > > > > 17110 authoritative DNS servers
> > > > > and
> > > > > 12184 HTTP servers.
> > > > >
> > > > > DNS servers were tested with well-crafted DNS queries.
> > > > > The first packet was a regular UDP packet with correct CS.
> > > > > If the server replied to the query then it was tested with CS=0,
> > > > > Options, etc.
> > > > >
> > > > > Paths to HTTP servers were instead tested with padded packets sent to
> > > > > UDP port 80.
> > > > > The first packet was again a regular UDP packet with correct CS.
> > > > > If the server replied with ICMP Port Unreachable, then it was tested
> > > > > with CS=0, Options, etc.
> > > > >
> > > > > Out of 17110 DNS servers
> > > > > 1.75% replied to UDP CS=0
> > > > > 1.43% replied to UDP+Opt CS=0
> > > > >
> > > > > Out of 12184 HTTP servers
> > > > > 17.21% replied to UDP CS=0
> > > > > 16.67% replied to UDP+Opt CS=0
> > > > >
> > > > >
> > > > > These are the raw data.
> > > > >
> > > > >
> > > > > I would add that the portion of paths OK with IPv6 UDP CS=0 can be
> > > > > underestimated.
> > > > > Since we are measuring paths to servers, the server itself can affect
> > > > > the measurement,
> > > > > for instance if the path is clean but the server's stack discards
> > > > > IPv6 with UDP CS=0, the outcome of the measurement will be negative.
> > > > >
> > > > >
> > > > > Cheers,
> > > > > Raffaele
> > > >
> > >
> >
>

v2.23.0 | Report a Bug | By Email