IETF Logo Mail Archive

Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 18 May 2021 15:16 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 750C33A16BC for <tsvwg@ietfa.amsl.com>; Tue, 18 May 2021 08:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ER0j7l4jNipe for <tsvwg@ietfa.amsl.com>; Tue, 18 May 2021 08:16:28 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-eopbgr140050.outbound.protection.outlook.com [40.107.14.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9543A16A4 for <tsvwg@ietf.org>; Tue, 18 May 2021 08:16:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VS+v4jvsy4AJMGuqMaPi2ToGr/kb2zTN1mx81VHHB+lasDO7aKmWoY2mgi7qbxKCZCY7mx8YFYECGOh1xFJVfFJOM17A1B1SN3w7Y8PtPuKK2Ka+eb9FRFDLxF+e/LWeq187Nzvd1uC0xy/Qd909ecOk9wkm1Zzal3LKUvl0sbyTiKURNKhxloVtln+0MA9X9OKwL61pSOEVztgQO96395df71hxvx1XbEje+lpMnwgm7AvMPo3CD7ytxiBxQDyyZvoW3xHYrKSOFPKhN+dZd5RLohS3SbLUD+GU3VWPA0+ln+k9Z8gpYXhdTz+E9Bq8mPlUXmFfVIwKwNVMx5jv1Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4Q85z+KEMoNvRWFRljuyDlbH45H41SKKjIOccUNTeck=; b=LI3VUOHNxZdDqg5WyZDajPMqmJKSV/eqH6xBVq67/iMmDGlD8gJNtDxR9UOhctY/tSjtPMitqOQ5oaaVHsxEjeoh1/RgyQz4cDdxiYQ7E0SMvFcx8CzhtsBFzZWizkAFejB88ILJqvO61iL/Wx3ptddVB5oH4csHb9HS1zO5Crz6Y8mBo+xS9zaRNFAMPKVZatbdQiK8r98ePR3qLYSKD6ewQZY4H4K8OsvztBKk1OVBphrt6bT0GvCehgV0hF7VnXvec9px9DPcyno0k52MLnL0L0nv0/1Dzcv7oX6HlS3sstO31DSXsqKTc5mSTTzoHzexpvMZF0aJ0YPUdxRv9Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4Q85z+KEMoNvRWFRljuyDlbH45H41SKKjIOccUNTeck=; b=ay+LRExxUdm2T2PUQlb+Cv6FhGB1rQu25ZklgslmVyTUYTnAzfcMwkFwFXuD1gB/4cSJZ7ugDbk6HiAxpXB78B6RBd7NpN5k9lgt+yn9oRcto52aKUPkLnw0rJErENqKrLEi0cWWa+qD8LaeWnTk4BCN6LfK1krsilNwCmmWaNk=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0701MB2458.eurprd07.prod.outlook.com (2603:10a6:3:71::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.11; Tue, 18 May 2021 15:16:25 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::2c37:7e2b:9176:c0d1]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::2c37:7e2b:9176:c0d1%5]) with mapi id 15.20.4150.019; Tue, 18 May 2021 15:16:25 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "tsvwg@ietf.org" <tsvwg@ietf.org>, "David.Black@dell.com" <David.Black@dell.com>
Thread-Topic: [tsvwg] L4S & VPN anti-replay interaction: Explanation
Thread-Index: AddGbSzrba/1b13cRB2WCtt4aI1NaAFdM6WAAALuJCAAAsPKgA==
Date: Tue, 18 May 2021 15:16:24 +0000
Message-ID: <87c0c5e2ccf1408ff005f10a57f6a51248ac9ef2.camel@ericsson.com>
References: <MN2PR19MB4045206ECB759EEE5FA3C60383539@MN2PR19MB4045.namprd19.prod.outlook.com> <7e30e959539920a2b0f188b051375ad958cd1383.camel@ericsson.com> <MN2PR19MB404558275B8D72BA5D2D67F7832C9@MN2PR19MB4045.namprd19.prod.outlook.com>
In-Reply-To: <MN2PR19MB404558275B8D72BA5D2D67F7832C9@MN2PR19MB4045.namprd19.prod.outlook.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.104.155]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 70ce25ba-ebb5-47bc-042d-08d91a0fe6f1
x-ms-traffictypediagnostic: HE1PR0701MB2458:
x-microsoft-antispam-prvs: <HE1PR0701MB2458FED2A468DFF1035BE755952C9@HE1PR0701MB2458.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tMo7BNjZbquLQaF08pV2JtBgBLe6oWlQeYjQVXdOJ9DwYFrmPNUsGja5t+mL3w0dSMvlUHVkxLrN9f4+Ed/SoD/WlnJD8nC7Otzxjb5Ve0TQQOdsHamMgenSMDECZuI3/6cpJb54Mt5x6Pd4qIJ8aa0tOzMqzR98VxgHHEZO5h17K99I1rN7YYwqgug2kFZ0ITJ6nd5tI4EVP7y3qN0q89W5w/CvhxpO8DyBmdoY//Yfh8VuajUbmDYCvsgts688UqbI8102FVP6oetu3Xxzdqv+eAkAfhnGer4SwlJjrC2s9g2CSaw2R+ejg0zaXMOa7waxhB9jRNszGpfFSOU68Foa7R112E7k+ljKGmG3W8EX6KTU27LhmGsMfw2nh4e+jVNCpcmWs+aE7m+LeVuZoGipHPL/xbELpEbPRlgqvLsG5yZspbmPQYoLcQB6JmlY7vQAuo3NFHPLg4Ovi4vTdjLlNzoD+R+ZodcDMfQ9dkFyJLW4VcKIUBThGFsb57MIhSKE9JvXkPKCsv6CcyZ4iTxWgEgDXq0eLY79Y9qfqBPO8YKUEYtyNlDhToltZrzZTg5FnkXQ6+W+oVccJxcM5JuaHbdaJYp1wakhQAR4HgVMp//X7rGHcYG2JeDTtErEHcL8+y3ojDcUjrV3IsUaBhtzGgLZzSwvEdrV4+CwkXJP7oZmfhgD8rjhEp9qdPbXRw8YjH9HIN6CImuQK2AJFONph1SxkKzqb5AcAR3k6ZjlpbLdhW95SYssI6mAqzvOHTZvF08zAG22k0aMPKluLQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(376002)(136003)(366004)(39860400002)(83380400001)(76116006)(6486002)(91956017)(122000001)(66446008)(64756008)(66556008)(66476007)(66616009)(38100700002)(6506007)(66946007)(2906002)(44832011)(6512007)(110136005)(478600001)(53546011)(36756003)(86362001)(2616005)(8676002)(186003)(316002)(5660300002)(71200400001)(26005)(8936002)(966005)(99936003)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: r7EUmhsWljb2f0yO06Ele0c74SrpcywF/uWM+m2mIjpPDa03gi9u0s29t3q3km1SKBQz+DgNVhIZ73pUMF7QegJdyjAqqr0KZ1GSHpYWHLkhYBrExFNvGF2Z+EdZIWhTpanWUTovP/dbzUERs2n3Kyd/nH/ZHW4BsWPP5e8FUMXiPVlQdkUjVIVT8fZle/tJ/gmxrSKOG4kLu5eq6Q7fGDibng5NKKCcAiKdWjdJCrdkkpABz90kgrRfqTg3no0S2dqONqtMpoKbOVg7EAY+MBb/Ls0pPrlR6lM3yEr5Mtc2OaEH087E1tYXejwSAjDQg8dgh42Zvm+jHDNECMLYjFBgg7upTWvf4ntpB3GjBcJ7MCm27Kmb3cd9ljC4XdjCoIZeN/oHJv1NFeMihJf09SwdhBIlb4E0aHr1O4j8g2v2cOmyZgPPtP28PQxsnesW/rZ6A0iu2fw37/OwYm3ul6pmqgh4iAjj1XQZEAqNDWzsonHMEIBm1VHWcJRzlog3wSRb3vsOGDdEcg+ScL9XtUgb4k7NDUnDFMkOyP/oucbYSvA3RkNlfdWmuBKlZHekldTrJXCYCNt1KpVgFPLZJ/mFJ6RlNMtM2A9aQ8RF3IXAzMYArgYzjbdgvCumqszxTHPJ8CVbk/wQ5ncyLLZQDe4wWeDwsONFp4lHxpBI1zKwvXO1wa0pE/g851udjtdiZcST6uvNVnULkysy3N4auEhom8bkjNI7BisgNqzvq5rkGbEtmTF1yz+VOIOqVri7vkLqbYNRt2bWth6lMygOnaWfZ8zihoZ0nPosakjzK1osFggt/xdjHg3qo+B5EiAOVAWl8Et4mMZSWUDEp6AOcD61EkSMGK7gVAUl3Cupsp97j9xiJ1SLWDnYlWZXx9AcJcawCWbJ6cQ44zaOQCWI2cMuOFiyzWkP/VhSUKaiDWnkoo3fV+Hv7yRpt7RbD6S9VA+qEB2BCvRul5FLEVyZPMUUJoVjjaaFr68lPbfSprrMnktWgZPirVrnM8ZGHUrmRH5z8lcANAgpF7NBOgJg7Z41JCnqDJ/F+VphFKxYMjfnCA1xIy/vXA85Tgq2ALa2LNY8R04YEFxxPkZSG6Kcsp7ztCtILHBTyoVJc0t5PDouScVwVFrhqe04pqqaL661htKTaRhHG/OFK0NwtMmuRq+ssQAQZafCmssYAHOPvDlIfF+uEuR2swXWIMgLPlwniWAA0nLBIFcHl5qBvVH0pUhArK17IOkhm1SQSSJBxl6MOK+5CXohO2062FtqfkFooDTV7qI56mElkJ21t2BER4ez8GOwOiAQ2F+5qFf94P6A3flvfZCJx8eVzv0vd305isSTDV2zHOyl8l3ZAj1asw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-z14sP25a/aRc87BhZ2/Q"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 70ce25ba-ebb5-47bc-042d-08d91a0fe6f1
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2021 15:16:24.9483 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GZn96ncr/PlfQ1AP0GcLbKMZXfR7gJxDdswsj7lXWYOc2lUAfoZ4rBu96Lk58ipNpev95qqb/SEjkYKyjlnP84Zo01R6IcMsLo/GHl4wx8g=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2458
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/XSdEKFc0Ae1twwXEHuy9X_55w9o>
Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 15:16:34 -0000

On Tue, 2021-05-18 at 14:01 +0000, Black, David wrote:
> I'm sorry Magnus, but I'm going to be blunt.
> 
> For IPsec tunnels, there appears to be both "rough consensus" (RFC 4301) and
> "running code" (e.g., strongSwan VPN) to address this problem for DSCP-caused
> reordering.
> 
> The message below appears to regard both as irrelevant.  I don't understand
> why - would you please explain?

Okay, I must have expressed myself poorly. That you should arrive at the above
interpretation was definitely not my intention. 

My intention was to state that the same approach of addressing the issue for L4S
ECN as for DSCP appear to be appropriate. However, to me that appear to mean
that L4S would document the issue and point to similar approaches of handling or
mitiagation like for DSCP. To my undestanding, the better approach of using two
SAs after L4S aware subflow classifyier in tunnel ingress, alternatively to
downgrade the pipe segment the tunnel represents to not enable L4S treatment and
recover the L4S on egress from the inner ECN markings. But, it does imply that
tunnel implementations have some work to do. I recognize that guard DSCP would
simplify that process to likely just a configuration change for implementation
already capable of using sets of DSCP to SA mappings. 

I think a third way of dealing with this issue is adaptive scaling of the replay
protection window in the egress side of the tunnels. This maybe anyway is needed
based on the increase bandwidth, the changes in what lower layers are and how
they behave and on what level they preserve order. 

I think the core of my thinking is that this type of tunnels that has the
properties that I expressed are going to be impacted by any change in forwarding
behaviors that impacts packet priority or path when being forwarded through the
network. L4S do redefine in some sense what the flow selectors are when
forwarding packets. This, has to no surprise some cross area impact. The WG have
been discussing these impacts and there cost and severity for a while now. I
think describing this one and its handling appear fairly straightforward. So I
suggest that we continue on writing up the issue and its handling. The severity
and impact discussion can go on in parallel. I do want to arrive at the point
where the L4S related specifications are in good enough state that we can
actually see where the IETF wide consensus on this really stands. 

Cheers

Magnus


> 
> Thanks, --David
> 
> -----Original Message-----
> From: Magnus Westerlund <magnus.westerlund@ericsson.com> 
> Sent: Tuesday, May 18, 2021 8:33 AM
> To: tsvwg@ietf.org; Black, David
> Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation
> 
> Hi,
> 
> I think I have read through all the relevant discussion of this issue. I have
> to
> agree with Bob Briscoe that this is a general issue for tunneling protocols
> that
> have several properties:
> 
>  - Any form of replay protection with a window shorter than produced
> reordering 
>    (e.g. IPsec) or have a reordering restoring functionality (e.g. L2TP).
>  - Marks through ECN and/or DSCP.
>  - Aggregate multiple sub-flows
> 
> These tunnels will exhibit issues either resulting in packet loss (replay
> protection) or additional delay (to cancel out the reordering) when the tunnel
> flow are going through some type of queue that will cause reordering, i.e.
> when
> sufficiently loaded to have any queue buildup to reorder around. 
> 
> Any forwarding impacting technologhy that would cause subflows to be subject
> to
> improved performance compared to other flows will trip over this issue. That
> is
> clear based on the significant discussion of this related to diffserv in IPsec
> RFC 4301, and Section 4.1 in RFC 2983 (
> https://datatracker.ietf.org/doc/html/rfc2983#section-4.1).
> 
> From my perspective we can't halt progress towards improved performance based
> on
> this general problem. We should mitigate and inform about the issue. However,
> I
> think part of the burden here long term will need to be put on the tunnels
> that
> exhibit the above properties. They need to track development in network
> technologies to stay current. It is clear that tunnels that handles this by
> correctly classifying the subflows before aggregation and put them in tunnels
> with same type of forwarding performance will not suffer. The alternative
> solution is to avoid the mark through seperation and loose the potential
> benefit
> if encountering a queue where differentation could have been done. But that
> requires the pipe style handling on egress to correctly preserve the ECN
> information for L4S, just as it does for DSCP field. And thirdly, if ones
> replay
> protection is reasonably scaled with experienced jitter and tunnel throughput
> rates this would also not be a significant issue. 
> 
> Thus my opinion is that in the L4S context we need to document this impact.
> Link
> to solutions or mitigations that can be applied and potential push for updates
> on important affected specifications, like IPsec. 
> 
> Cheers
> 
> Magnus Westerlund
> 
>

v2.23.0 | Report a Bug | By Email