IETF Logo Mail Archive

Re: [tsvwg] Network feedback and security (was: New Version Notification for draft-huang-tsvwg-transport-challenges-00.txt)

Sebastian Moeller <moeller0@gmx.de> Fri, 20 October 2023 08:11 UTC

Return-Path: <moeller0@gmx.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52606C151067 for <tsvwg@ietfa.amsl.com>; Fri, 20 Oct 2023 01:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.854
X-Spam-Level:
X-Spam-Status: No, score=-6.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m5UOcMbP3gq8 for <tsvwg@ietfa.amsl.com>; Fri, 20 Oct 2023 01:11:31 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8DEBC14CE5F for <tsvwg@ietf.org>; Fri, 20 Oct 2023 01:11:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1697789484; x=1698394284; i=moeller0@gmx.de; bh=oEHUz2tMhcFeZXzqw71L9Bb+GPabkypFKW8hm8cbcng=; h=X-UI-Sender-Class:Subject:From:In-Reply-To:Date:Cc:References: To; b=krnxOYyDSTqiMeJUweJzaGKMAwuaoocKp1KRIElP2VUWquhY18aftBc6J2R03u2i Rr3iaVijKuqnKeBTHQmw1KVlyQeanuMMsoy03oE/eyKs12zhqwVr8n05NDf2PWgps d7JzUrzRTclS4MAhXIbHFYnnLYLzT5cwvdzFpNrmfauSeqEJVqupBEOiz40bz9APA kYPtGxe/zj0JbZcC7G7b54J2p0R3OcSKxfqKXTe5gyl+5AZjsefmdO484EwRvLt3i M9eQgUHMhA7h+xx0qKAT5Wfa+ds2hLMyBUmAqq5aBPSr7+rAO/tE0GznRRkpocdC1 sMptUeTprobQg5Dv8Q==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from smtpclient.apple ([134.76.241.253]) by mail.gmx.net (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1N7i8O-1rWx383Sde-014nl3; Fri, 20 Oct 2023 10:11:24 +0200
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
From: Sebastian Moeller <moeller0@gmx.de>
In-Reply-To: <CALx6S377dbng6+zPofALiYwf5NKR_WkowhDXmqfAGMy=qGT0vA@mail.gmail.com>
Date: Fri, 20 Oct 2023 10:11:23 +0200
Cc: Christian Huitema <huitema@huitema.net>, tsvwg <tsvwg@ietf.org>, Ingemar Johansson S <ingemar.s.johansson@ericsson.com>, Ruediger.Geib@telekom.de
Content-Transfer-Encoding: quoted-printable
Message-Id: <EF9AEE37-7667-43FE-8421-05660D44565E@gmx.de>
References: <8c04c73ed6424da7a8c0a560ba673f63@huawei.com> <AM8PR07MB8137064565A08222EF49D6FFC2D6A@AM8PR07MB8137.eurprd07.prod.outlook.com> <FR2P281MB152725788020368B2BB483A39CD6A@FR2P281MB1527.DEUP281.PROD.OUTLOOK.COM> <2A095262-F757-4995-9A30-38E915E92021@gmx.de> <FR2P281MB15270FF6D523A75427CDE6419CD6A@FR2P281MB1527.DEUP281.PROD.OUTLOOK.COM> <7B7D6B62-F78E-4400-81EB-31DFB8445E17@gmx.de> <2c4d3b5f-8b4d-e427-8095-6de26f91f543@huitema.net> <AM8PR07MB81375DF357842B489143C12DC2D4A@AM8PR07MB8137.eurprd07.prod.outlook.com> <3D78AEBB-9475-4C5C-9E33-B639C50BEAE5@gmx.de> <CALx6S34-Pawq+4Eng=5hmk9gPTz=DVxowb52gZi+_8tY1Gw+Lg@mail.gmail.com> <978FCA81-FCE9-48CA-B4C5-86631DC03106@gmx.de> <CALx6S377dbng6+zPofALiYwf5NKR_WkowhDXmqfAGMy=qGT0vA@mail.gmail.com>
To: Tom Herbert <tom@herbertland.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
X-Provags-ID: V03:K1:UvMLBWqj8B9dxKNlkHsvXCiDfPYnC5tZlVP4s4LriWEz8Y5LW7y DbOw7bTaj9+fDY+YeA7P+GPosONmJ5q3pWU0+Wb9wgQpX3Q0CGbz9p7zZY/leFnbKmU+tT2 iOUXk7kmNGwkRU2r14KGP68EbbY1Ubghl+PL7Xk14UKAaxQFGZv6cMkoAkB/6XqxcDZUUqB We60Mxu0zndyMXzWqfGFg==
UI-OutboundReport: notjunk:1;M01:P0:wrTKQcaCDxA=;Dme+87HQBYb0IXVW6SPoxuwrOup xxjLlsht0a4JUVhC/nJwmmHlVqwfSuw+e5MYg3JtEg7HoupEtQ6ZQdqA/XOFzB9GOy7nZNZcU od7NsX1BoWoekYYDpl9NmhtlSaR2/4HDemjx/Mk+PAp3zC0P5fOwH7YDI8qxrgbm7ku3SJn+4 7WFLCEiZKJhVm1uMZPiC4TdVXvZ4HdZyvX7ViwcD6+7lYzK2T/6EiJVsDAwUQ0HteVGGh8xON 4DjeKXHxIfTdaKz03GdfGn6w4gmW/J7VbU0VH2IbtTAVO2+2BJZaHCrU/ppvjwIlyybM4/pz8 2czT3fh496FE4LgdfLyvIoL12zg8eWbZq6/0sxNxuufKYI0bQMQBDjk7AIhGF6G5oMyAMllfu Uo4gXaTGV9+dk6krKVePTWZUDDiQ+OgZFnLPYWh0Furk0M80nt2iyh322WhdQY52N4+T1pYk+ l6CMm6Tu4XnO4eyTOnMSlO6B+YB493i9ckcttlhmmJ43ZY42IUXnJdDAbQewgPlDL3d+8wQSP kr0uVxMBweNxUUKKjj91bKYOz0JlXMqHexKcdwhvyam5tLOf+T4PAETAp9nDxhmXJ2XXqerET rEA5RlbjeIQGBHDgW4Oyw3kPYVP9M1xcZCgBeztdAAzhh46sglBKgYPrNiGPMqh2BO1+XkiDH nzus8P6denUAMi1usYjfQYW2WboZ032lv5mi5ColYnNR7/BGo6XcijmTkitK9EioRh7laAlpN opRGAbEMiDuWlfL7Zuuw6QicndOEznKG4GOcrKFR3dG9E/ws9YSny11DMnS4P8QKJUn0P4iy7 6kavMSRw5C0v1xUDq97p6BIc8wzvEVA2Gfz0hqAMwloi5dNbsuOwoGLClxB0o2Y+92QTOyQFn PFHlLaqjEEgMmYNnUKyI/NLEeUA3j0vs0pR1X4qF8nnxH4MvP12s96pqO1BBtyJ59kvwXKpVf vrk5De5J/ftn7nWPDi2qz3ejyrU=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/WXOnZtwAI63SRQoJvzth4XlMDdg>
Subject: Re: [tsvwg] Network feedback and security (was: New Version Notification for draft-huang-tsvwg-transport-challenges-00.txt)
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Oct 2023 08:11:36 -0000

Hi Tom,


> On Oct 20, 2023, at 01:13, Tom Herbert <tom@herbertland.com> wrote:
> 
> On Thu, Oct 19, 2023, 7:56 AM Sebastian Moeller <moeller0@gmx.de> wrote:
>> 
>> Hi Tom,
>> 
>> 
>>> On Oct 19, 2023, at 16:41, Tom Herbert <tom@herbertland.com> wrote:
>>> 
>>> On Thu, Oct 19, 2023 at 12:28 AM Sebastian Moeller <moeller0@gmx.de> wrote:
>>>> 
>>>> Hi Ingemar,
>>>> 
>>>> On 19 October 2023 07:19:40 CEST, Ingemar Johansson S <ingemar.s.johansson@ericsson.com> wrote:
>>>>> Hi
>>>>> 
>>>>> I have followed this discussi a bit. I focus only on the congestion indication and the discussion around the multi-bit congestion signaling.
>>>>> 
>>>>> L4S is just recently standardized and we have just starated to get the community onboard to implement and evaluate it on a larger scale.
>>>>> We should give it some time and get more data before we jump on the next big thing.
>>>>> 
>>>>> It is of course possible for IETF to start working on the next big thing with multi-bit congestion indication. But as I see it, we currently have more than enough tasks on the table with L4S.
>>>> 
>>>> [SM] Respectfully, that task is clearly on the proponents of L4S and IMHO should have been done before granting RFC status. L4S already hindered one higher resolution ECN approach (SCE) without actual evidence of superiority, let's leave it at that one victim please.
>>>> In my opinion L4S is too little too late, as we already know multi-bit per packet information is superior, so we arguably should focus on that.
>>> 
>>> Sebastian,
>>> 
>>> There's a fundamental problem with mulit-bit per packet information:
>>> there's no place in packets to put the data that will work across the
>>> Internet! (other than the eight bit TOS/Priority field).
>> 
>>        [SM2] Yes, I agree. The most fitting place would be in the IP header, but there we are out of (re-)usable bits...
>> 
>> 
>>> The correct
>>> mechanism for network to hosts signaling is Hop-by-Hop options but
>>> those currently see a 99% drop rate.
>> 
>>        [SM] Again I agree, for IPv6 any of the extension headers would seems the next best place. It should be one that exists along the full path, and is visible by the end points, if Hop-byHop fits that bill, great. Or not so great, 1% passage is sobering even for a glass half full kind of person.
>> 
>> 
>>> There are proposed alternatives
>>> like putting information in transport payload, TCP and now UDP
>>> options, overloading flow label or IPv6 addresses; but all of these
>>> have drawbacks that will preclude widescale deployment (these are
>>> discussed in section 5 of draft-herbert-host2netsig).
>> 
>>        [SM] Yes deployment of any of these including IP6 extension headers is going to be an uphill battle, as the network will only gain little by this, so deployment likely will start in environments where "little" already is worth it, and that I agree is likely not the wider internet. But darn it, it would be great if having to access a service over a congested link that would result in lowish throughput but with acceptable latency, as compared t today's low throughput and high latency and jitter. That might be a way of pitching this, if this allows more graceful operation at/close to saturation this might be interesting for infrastructure folks ()
>> 
>>> Since network to
>>> host signaling modifies data in flight limits the solution space even
>>> more, for instance it might be okay for a switch to read a transport
>>> payload like QUIC spin bit, but writing data in the transport payload
>>> risks systematic data corruption.
>> 
>>        [SM] Well, all handling of packets involved reading and writing memory already, and also changes in header fields is performed routinely, TTL/Hop limit come to mind, as does NATP... so there is ample precedence even if we exclude ECN, no?
>> 
>> 
>>> I agree that multi-bit data should facilitate more precise congestion
>>> control with faster reaction time, but I also think we need that more
>>> in the data center than over the Internet and the problem of defining
>>> a multi-bit packet field for the data is solvable in a limited domain.
>> 
>>        [SM] I respectfully disagree, I do not run a data center, but I do run a home network and use the internet, I think this is a case where all domains would profit. Realistically though I expect this to come to fruition in limited domains/data centers first. Would be sad if it would stay there however.
> 
> 
> Sebastian,
> 
> There may be another option. Fortunately, the definition of a limited
> domain is rather loose. For instance, a provider network could deploy
> switches that support multi-bit congestion signals in HBH options
> could be considered a limited domain. So if a host connects to a
> server in the provider's domain, like a hosted YT server for instance,
> then the signal is viable end-to-end. The provider network could be
> quite large and it could partner with connected networks to extend the
> limited domain. Conceivably, over time the "limited domain" could
> encompass a significant portion of the Internet. This is part of the
> plan to extend the reach FAST.

	[SM2] OK, "starting from a limited domain" seems viable then.


> 
> There's a problem with this though: the signal is only viable in the
> limited domain. For instance, if a packet with HBH options leaves the
> limited domain then there's a high probability the packet will be
> dropped. There's no easy means for a host to determine if it's sending
> within a limited domain, so the sending hosts can't decide on using
> EH.

	[SM2] I respectfully disagree, the signal clearly should be end2end and be part of the negotiation then, so endpoints check whether the signal passes between the endpoints and disale its usage if they do not.


> The solution we're proposing is to remove the bits when packets
> leave the limited domain at an egress router.

	[SM2] That I disagree with, this needs to be end2end, unless your proposal entails the end points being informed about that removal.


> as described in
> draft-herbert-eh-inflight-removal. This also has some nice security
> properties and coincides with existing network firewalls.

	[SM2] Will need to read that, when I find time.

Regards
	Sebastian


> 
> Tom
> 
>> 
>> 
>> 
>>> 
>>> Tom
>>> 
>>>> 
>>>> Regards
>>>>        Sebastian
>>>> 
>>>> 
>>>>> 
>>>>> /Ingemar
>>>>> 
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: tsvwg <tsvwg-bounces@ietf.org> On Behalf Of Christian Huitema
>>>>>> Sent: Tuesday, 17 October 2023 17:28
>>>>>> To: Sebastian Moeller <moeller0@gmx.de>; Ruediger.Geib@telekom.de
>>>>>> Cc: tsvwg@ietf.org
>>>>>> Subject: [tsvwg] Network feedback and security (was: New Version
>>>>>> Notification for draft-huang-tsvwg-transport-challenges-00.txt)
>>>>>> 
>>>>>> 
>>>>>> On 10/17/2023 3:17 AM, Sebastian Moeller wrote:
>>>>>>> Personally, ever since I read Arslan, Serhat, and Nick McKeown.
>>>>>> ‘Switches Know the Exact Amount of Congestion’. In Proceedings of the
>>>>>> 2019 Workshop on Buffer Sizing, 1–6, 2019. I came to the prediction that
>>>>>> something like max(bufferoccupancy) over a network path in either
>>>>>> predicted sojourntime or percentual buffer filling could really improve
>>>>>> congestion control if included in all packets. That paper and follow ups
>>>>>> on that idea are to my quite convincing. I see no real security concern
>>>>>> as the network node adding this information might as well have dropped
>>>>>> the packet if it wanted to harm that flow, so little increase in attack
>>>>>> surface in that direction. What I hope something like this might allow
>>>>>> is a gentler exist from slow start (assuming one can measure and compare
>>>>>> the dynamics of the congestion indicator with those of the slow-starting
>>>>>> flow to predict when to exist slow start without first having to dump ~2
>>>>>> too much data into the network in one RTT). The network could indirectly
>>>>>> profit if end-points use this information to better reign in congestion
>>>>>> pro-actively, but that clearly is not guaranteed, especially over the
>>>>>> open internet.
>>>>>> 
>>>>>> Yes, network feedback is useful. You mention "max(bufferoccupancy) over
>>>>>> a network path" as a signal, but I would argue that ECN is pretty much a
>>>>>> 1 bit version of exactly that. So your argument is really for "more ECN
>>>>>> bits". That's plausible, but the whole "L4S/Prague" effort seems to
>>>>>> indicate that 1 bit is enough, because you can observe that bit on many
>>>>>> consecutive packets. The conservative side of me would say we should
>>>>>> first deploy the 1 bit version, and then study whether we really need
>>>>>> many more bits.
>>>>>> 
>>>>>> The "gentler exit from slow start" issue is largely addressed by
>>>>>> Hystart, which uses the variations of the RTT as a signal. And yes,
>>>>>> Hystart can be improved by also monitoring the ECN bits, not just the
>>>>>> RTT.
>>>>>> 
>>>>>> But there are in fact security concerns. We already know about ICMP
>>>>>> attacks in which attackers spoof the network feedback and inject fake
>>>>>> ICMP packets, for example to disrupt PMTU discovery. "Man on the side"
>>>>>> attackers can easily send a second copy of a packet with modified header
>>>>>> bits and race it to the destination. If transports accept that copy as
>>>>>> genuine, they will heed the faked congestion signals and the attacker
>>>>>> will succeed in disrupting the connection.
>>>>>> 
>>>>>> -- Christian Huitema
>>>> 
>>>> --
>>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>>>> 
>>

v2.23.0 | Report a Bug | By Email