IETF Logo Mail Archive

Re: [tsvwg] FQ & VPNs

Ingemar Johansson S <ingemar.s.johansson@ericsson.com> Sun, 21 February 2021 07:04 UTC

Return-Path: <ingemar.s.johansson@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D78A43A1594 for <tsvwg@ietfa.amsl.com>; Sat, 20 Feb 2021 23:04:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.669
X-Spam-Level:
X-Spam-Status: No, score=-2.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.57, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nB5ddXAeaAJ7 for <tsvwg@ietfa.amsl.com>; Sat, 20 Feb 2021 23:04:33 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80052.outbound.protection.outlook.com [40.107.8.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 537183A1593 for <tsvwg@ietf.org>; Sat, 20 Feb 2021 23:04:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BlBDPJIvXKwt0b4vY+t4HeXsbSnEk53aeAYMqT0BLGSWdF4moPLeoKioDfosHdeo6c2YhiXpZZPkEL7FBpEfir+wCitfZLkspgUpBiA1Ko72QJ0ZupjXYUtrJhvvjvuhzp+CbaY2p/pgiqh85JtULvYrqRI57VoPLHNh0tlutaAzTrTYBXqngkaVNY179OnQ8dfJQWXiuv3hMu/OiFx6cmplNL+tQB4RxIJH7BesGTStrA6Rn0MaXdKGgxDyYawFl2uxEjJtR+m1lpfpfaTMRSHuFMOLOTvrGejXRKALdo9GYhyEsslpcr/HQoWfP0/C9sXEE4/mrFNa2AG5Za2weA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WX4wxggMg2mduq2JKuLwEctEhohUdFMVOYjXCiaCf1U=; b=Q76PAkgvpmuNwVxTIgK7XEZuQpAnE+/QIEGL0FjKbwMDpykFpFAnx3/AKkEbGHhF1rzYVLC92yzQcuTvu+HrTeEuEAlDYRdsuYqkTHRRO3DwhDexaKNW3kZHxY3Cyg58j/YAfwQgLFtN6iXuGdHd0nVPagzZEb20IfZJAqVG+72pdNJa5x5aoxKUN+FbsJ+nG0tqWo9GtwNvdhJYxZ/fPikZAVMjouE41BxSbX93EwKOfoo9RqZmR6lo20F2+YN3vgp6rvqm2EAtOjlJ1CReU5Dc5WOmOKfgDseasryoCvXmbuiyUPanNytMH3pa5p2coSW16vp/u6JeXKCwpNm9Rg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WX4wxggMg2mduq2JKuLwEctEhohUdFMVOYjXCiaCf1U=; b=UyKFn0RQGuJvqHZw7Si3yr09cVIl535Eeo5udI8e5mc/8usBSGbiJcNmfx/FS8wLfk2zQLP5MykGZcPzJ/5olR8TawzUP+q+bXQFJ6aYSMUGWOcaZMrnyhM0PEZsjDgdUjd9xAv9cR5jqVlWES9FahhifBWslMP31c7IA3wMppo=
Received: from HE1PR0701MB2299.eurprd07.prod.outlook.com (2603:10a6:3:6c::8) by HE1PR0701MB2297.eurprd07.prod.outlook.com (2603:10a6:3:6e::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.11; Sun, 21 Feb 2021 07:04:27 +0000
Received: from HE1PR0701MB2299.eurprd07.prod.outlook.com ([fe80::494d:6160:61fd:5b1]) by HE1PR0701MB2299.eurprd07.prod.outlook.com ([fe80::494d:6160:61fd:5b1%9]) with mapi id 15.20.3890.009; Sun, 21 Feb 2021 07:04:27 +0000
From: Ingemar Johansson S <ingemar.s.johansson@ericsson.com>
To: Jonathan Morton <chromatix99@gmail.com>
CC: Dave Taht <dave.taht@gmail.com>, Bob Briscoe <ietf@bobbriscoe.net>, TSVWG <tsvwg@ietf.org>, Ingemar Johansson S <ingemar.s.johansson@ericsson.com>
Thread-Topic: [tsvwg] FQ & VPNs
Thread-Index: AQHXBxaqQomJ8SowS0azevj3vl+bUqpgOKaAgAAGrYCAAQ438IAAQwSAgACdhfA=
Date: Sun, 21 Feb 2021 07:04:26 +0000
Message-ID: <HE1PR0701MB22999A319816198B515234BEC2829@HE1PR0701MB2299.eurprd07.prod.outlook.com>
References: <161366419040.16138.17111583810851995947@ietfa.amsl.com> <BF0810D9-E742-4FCB-90B1-6957551B585D@heistp.net> <b222bbdf-70ae-3e5b-b122-1160299fb4e2@bobbriscoe.net> <E7CC88FA-F064-4B72-BAA9-8BE40F7AF040@gmail.com> <52cb434a-bd91-6260-7be9-85bdbd07b625@bobbriscoe.net> <BCAB7068-A10A-4FC4-9719-E300F644262C@gmail.com> <43f43fa2-69c4-bc10-3ffb-e95e41809335@bobbriscoe.net> <4835a3cd-4d88-68ac-d172-1e21bc42a150@bobbriscoe.net> <CAA93jw7_yvkqU-uxHkbHkO2g_RFmzCmJcxQhMJcBQjo=+QMh=w@mail.gmail.com> <HE1PR0701MB2299CF42CA83576C86070BB0C2839@HE1PR0701MB2299.eurprd07.prod.outlook.com> <13EBAF97-A9AF-47A1-AB71-546C31F762C2@gmail.com>
In-Reply-To: <13EBAF97-A9AF-47A1-AB71-546C31F762C2@gmail.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.227.122.88]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5ade0bc1-8855-482c-f2a9-08d8d636ed4d
x-ms-traffictypediagnostic: HE1PR0701MB2297:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <HE1PR0701MB22973E4BD4A5D914E023C982C2829@HE1PR0701MB2297.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:1284;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: AznqA+GBPWjLZNU3riIzwV2tJGgI427INrzC4vOIq090hDCLMPL83fDcWfS3iMH4dX++p0ca4yQbax45OLV7lmK3ifHxF741azufmlerRKZbluOYKu/EAJl7RQDTAEMCUpn6+S0Is+Vw9r6+E0LPY0dFQM4y4MARhNWkKtiADDpOvju7/UYNNVixiwDslawJlT3ek+xMdSA+PgwQA7iqi9+hgnfblMLrUmzKWSeUopU82yFsbSmCAEFeauBHtAB3NQIv1OtcXw3emwADAyHkV5/xrUKmn3lHCj9oMW/STkr3CVZqSBV0wXkA+8lBBg4oYoG2y5HP/DnvAW309Jf2outHe+RmBQp07QPcWV5JSJ5o/eGqj2NeRCQguj8SDxEjn6jbmJbpYEowhfUKbrHmfGgc+kFvZ/g21tJJ5Rj7bJFpSrUcAKnF115nJeVAgzS4nSKG1zK5jLgog4oDjs034DVgUurqJYO8o3NNO+VZSYQbFyI6P05dDw7uPjLiPy8Gg31asglUHIjxzw7ZnYuSIFCbkX4Zw011+rtozTSq0dSgVc8YP2bGuC2MnKxs1QDqfmQx0BywArEXub/uVsSpFxN0rLJQboBIGlDMlzcrmNA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB2299.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(39860400002)(346002)(396003)(136003)(366004)(316002)(2906002)(52536014)(54906003)(26005)(8676002)(186003)(5660300002)(8936002)(71200400001)(4326008)(966005)(9326002)(478600001)(9686003)(107886003)(55016002)(33656002)(66574015)(99936003)(166002)(83380400001)(66946007)(6916009)(66556008)(66476007)(66616009)(64756008)(66446008)(7696005)(86362001)(53546011)(6506007)(76116006); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: XQKzlMBpF15UIlgj4uoIkU9d5p0qx2Aa77PG3pKtbafkbvWPfaZZ/xVLG4br+i5EJvlj85HA8sVnWi66lCR57f62IBw88pD1//GjLChrTU981dy12G+JA8jWw9/y0eRibQYUu+awa3R0kJ5xL0ZaMoAaAt9gs9tUxvGFEoEf1JIcE0XhilyCfpC8at6+b3/4was7OBgeCV1P3eGjmtH130yXLx1t3ovrdbmzRxrT0l/0r2LCsxLoxui/f8rteNpqG8f9MK2SAvaiNv1XaQIETF4ntX4u19GiobrLqYVA0eiygVtV5J1RVKwO4mL2FbFnA3Uiu+To9qZbt0oHVLZIX7wZslG1T6SahvkX4MjMPd58KZogj1ERMW+pkpAYpkhKpk//UavxaLthrDvjqC0qDeJz2CRCbbOLMNGgXW6MctY/cv32GzxYw2BmcfAFyQl/NVnjdjdXUIEfHNaIBI70jDhT+wGpTlkLB7q+vNDPnyn8keJva/cyzLgIVoBqD0eodFsNFRPwY+ZeqC4Tn4/c5r8ZxMrn4TbN3G86Ya3VqzZ+7Ps7tRfmd/PEagEerxAfioElGVrOO+AeA4eGIzkfE8bufhfsxU7ZO+vnBdZC7R1gDP60Rjzphq82H8MVbbFkxu2Gj7RGCs2/ILIIgwN1YW54m/kZ3W4WjSNY509Oqaw4NQLV1ZI0nnuQnaZqkjSgR2TzcNw1iNZS1CyCoI/uWyahwhLVkK67c1BziFgTdtfzJ3C/CgVZfh+YClxZFBwH2DB/XW6r/agKlZFZ/9fFP5n/ArEqcgMDOEgMPJn5yO2m5m8sFkc5opM98aG65yKOGKXGUawJW+ahbb1BLEJ4NQYpIpuKGCEXqdwj4s2gJDqfq6O6F+6K3Yru8N0X+URGUauVquYGtB+Am0e9fuI/bYJVCDWOKbW4M6H26dQSsalwncUQKVJCxlqP/0Xrcr8aSHHYoCPzSQe8IObDpzP30uCmQtTReubLiT70cEmcHFLHJHUeu7EMcClbaozaLQITv6hN4TE3YWuYu8GFFtUkdAG3ij64Eh0W09kvjVCH9T0jZ91SkJagkv9nf3BatH7A8RXCKADvcM1WtFENSHvGN61prxVSWZ4hFnmYHam4mXcgq0YpEtEymvFCSw4l2T0oPYXLYnO4cB278aBmPD6bW3eyNvBa9Uc03Eh5pmHF0X+u/m4s83YA2Zz+T+Ay9KNwzbfuEIZ37XGGcDzNaDRWBywze6h8E8u71Mfok/v/tekwjOc/7zgxsCcFEaGK5x/+urdVgPrX+dCnypkhUBeA20wxZAnh4zlJHN0kgRcGUfSvBjQSzttf2mFoJ8TKBO6x
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_022C_01D70828.2B54F0E0"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB2299.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5ade0bc1-8855-482c-f2a9-08d8d636ed4d
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Feb 2021 07:04:26.9362 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: o95QvFOjd61zNttX5lpDtmbQmNDCqai1jWsFfWESx54i0GDG30jTd39cKGYvOSshGvd7+efFFVEySRTKVeU1i5E64cy2hq6ZTKdrmi+xPA6QJcBRl01VGr/VOEUQZmS7
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2297
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Uv6KW9WX8kYS02bWjqtY1_X6bqA>
Subject: Re: [tsvwg] FQ & VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2021 07:04:36 -0000

Hi

 

Trying to summarize. Your concern is that the L4S flows starve out the non-L4S flows when they share the same VPN tunnel. 

You proposed the solution yourself below:  

“The VPN user is thus in a position to predict, understand, and possibly mitigate the effect by splitting the traffic across multiple VPN flows, if performance turns out to be more important than hiding that piece of information”. 

The same rationale can be used to put the L4S flows in a separate VPN tunnel, problem solved.

 

And then, there is always a possibility to upgrade the AQMs to support L4S as well ?. It always appear from your argumentation that fq-codel is some kind of untouchable monolith that cannot at any cost be modified, unless of course you see a possibility that VPN tunnels can somehow leak inner header information (see separate discussion around draft-ietf-tsvwg-transport-encrypt)

 

With that said.. I believe that Bob is right. It benefits the TSVWG group better that we continue this discussion off list. It is just the same old arguments over and over again, albeit packaged in different wording. 

 

/Ingemar

 

From: Jonathan Morton <chromatix99@gmail.com> 
Sent: den 20 februari 2021 22:29
To: Ingemar Johansson S <ingemar.s.johansson@ericsson.com>
Cc: Dave Taht <dave.taht@gmail.com>; Bob Briscoe <ietf@bobbriscoe.net>; TSVWG <tsvwg@ietf.org>
Subject: Re: [tsvwg] FQ & VPNs

 

On 20 Feb, 2021, at 8:42 pm, Ingemar Johansson S <ingemar.s.johansson@ericsson.com <mailto:ingemar.s.johansson@ericsson.com> > wrote:

Quoting Jonathan " However, I would remind you that neither SFQ nor fq_codel can distinguish between flows carried inside an encrypted tunnel, so this cannot be relied upon alone to make L4S safe.  Pete's data shows significant tunnelled traffic, much of which is probably due to people working from home and using VPNs to access a corporate network."

This line of reasoning makes me confused.
Section 6.2 in RFC8290 ( https://tools.ietf.org/html/rfc8290#section-6.2) clearly says that fq-codel will not deliver its intended benefits for encrypted tunnels. If ISP's still rely on fq-codel to do it´s job well even though a substantial share of the traffic is VPN, then that is of course a problem. But I see that only as an fq-codel problem.

 

I will just note here that although treating a VPN containing multiple flows as a single flow results in a reduction in throughput, when it has to compete against other traffic at a saturated bottleneck, this is a relatively minor and infrequent event at the ISP in question.  

 

The degree of impairment experienced by the VPN is also strictly bounded by the number of saturating flows carried within it.  The VPN user is thus in a position to predict, understand, and possibly mitigate the effect by splitting the traffic across multiple VPN flows, if performance turns out to be more important than hiding that piece of information.





So what I cannot at all understand.. Why should a known problem (or read design feature) in fq-codel (or SFQ) be interpreted as something that makes L4S unsafe ?. 

 

The problem is entirely due to L4S flows' harm to conventional AIMD flows when passing through the same queue and AQM instance, unless the AQM is of a type that specifically understands L4S.  This is a predictable and inevitable consequence of L4S flows responding qualitatively less (by what is effectively an Additive Decrease, despite claims to the contrary) to each CE mark than defined in either RFC-3168 or RFC-8511 (which both mandate a Multiplicative Decrease to a single CE mark).

 

Consequently, if L4S and AIMD flows share a single VPN tunnel, which passes through a conventional ECN AQM at the bottleneck, the AIMD flows will collapse to a very low throughput.  It is crucial to understand here that all existing ECN-marking AQMs deployed in the Internet today - most of which are fq_codel or similar - fall into this category.

 

I attach an example of the likely consequences.  The red trace at the top is L4S throughput; the light blue trace at the very bottom is the AIMD flow starting ten seconds later.  You may refer to previous data sets published by Pete Heist and myself for further examples.

 

 - Jonathan Morton

v2.23.0 | Report a Bug | By Email