Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

Kuhn Nicolas <> Thu, 24 October 2019 10:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 00693120DCF for <>; Thu, 24 Oct 2019 03:21:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id x4egDW9pRdBy for <>; Thu, 24 Oct 2019 03:20:57 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2247C1208F7 for <>; Thu, 24 Oct 2019 03:20:56 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="5.68,224,1569283200"; d="scan'208,217"; a="30321508"
X-URL-LookUp-ScanningError: 1
From: Kuhn Nicolas <>
To: 'Christian Huitema' <>, Tom Herbert <>, "Lubashev, Igor" <>
CC: Joe Touch <>, "" <>
Thread-Topic: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
Thread-Index: AQHViDw4wHd8ujdiB0urtwF1b54/P6dpl0og
Date: Thu, 24 Oct 2019 10:19:48 +0000
Deferred-Delivery: Thu, 24 Oct 2019 10:20:48 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-tm-as-product-ver: SMEX-
x-tm-as-result: No--24.407200-0.000000-31
x-tm-as-user-approved-sender: Yes
x-tm-as-user-blocked-sender: No
Content-Type: multipart/alternative; boundary="_000_F3B0A07CFD358240926B78A680E166FF1ECD586BTWMBXP03cnesnet_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Oct 2019 10:21:01 -0000


As far as I can see, there are different ways of signaling losses that are being discussed.
Here is an attempt of discussing advantages and drawbacks of each approach.
I believe that going for : short-term QUIC-bits and long-term TSVWG-bits is a good way forward. Moreover, this does not prevent from also having layer IP solutions.

-              Using IP level bits
Advantage : long term solution that is compatible for any upper-layer protocol
Drawback : compatibility with L2 tunnel solutions, problems in making it for IPv4 and IPv6 and only Q bit (upstream loss) is doable (L bit must be sent by sender for end-to-end loss evaluation)
-              Using new QUIC bits
Advantage : quick deployment of the solution and simple solution
Drawback : specific to QUIC
-              Generic transport solution
Advantage : standard solution for any transport
Drawback : “time-to-market” and only Q bit (upstream loss) is doable (L bit must be sent by sender for end-to-end loss evaluation)
-              Using OAM information
Advantage : management plane focusing on management functions – clearer interfaces between control, data and management planes
Drawback : need for standard interfaces between the different equipment that may follow other standard (IEEE, 3GPP) and management of “old” network still in operation
The privacy issues that are said to be specific to QUIC solution are inherent to any solution IMHO.

My 2cts,


De : tsvwg <> De la part de Christian Huitema
Envoyé : lundi 21 octobre 2019 20:20
À : Tom Herbert <>om>; Lubashev, Igor <>
Cc : Joe Touch <>om>;
Objet : Re: [tsvwg] [saag] TSVWG WGLC: draft-ietf-tsvwg-transport-encrypt-08, closes 23 October 2019

On 10/21/2019 7:31 AM, Tom Herbert wrote:

That misses the point of the statement. There are many protocols that don't have ubiquitous support over the Internet-- EH, IP fragmentation, any transport protocol other than TCP and sometimes UDP, and even IPv6. If "ubiquitous support" is required for deployment then we can never deploy new protocols or any protocol that is atypical to intermediate devices. So, unless we're planning on never doing anything new on the Internet, we need to address this.

The goal of any "for the network" signal is improved QoS.  Hence, if there is a non-trivial chance that inclusion of such signal will actually degrade QoS (by causing packets with the signal to be dropped), no sender will include such signals (and "happy eyeballs" style code is too complex and risky for the benefit).

As architecturally "ugly" as it sounds, I can only see the QUIC header and the most significant TTL bits as viable alternatives to be deployable widely on the Internet for IPv4.  For IPv6, even HBH and Dest Options are still too "risky" for packets, but that is likely to be improving.

You forgot to mention efforts to encode information in IP addresses, overload bits in the flow label, or other DPI parsing of UDP payload (like tunnels over UDP), and other creative ways to "find" bits that can be repuposed. There're all hacks! IP is designed to be an extensible protocol without the need for these. Pursuing such hacks, instead of using the defined mechanisms of extensibility, ostensibly solves some short term problems, but in the long run perpetuates protocol ossification and stifles evolution of the Internet.

If we want to not rely on hacks, I believe that we have to somehow change the network protocol. I have followed the development of the spin bit in QUIC, and the attempts to use more bits and provide for example indications of packet losses. There are typically two issues: privacy and practicality. Let's not discuss privacy here, except by assuming that privacy-sensitive deployments will find a need to "bleach" the signals. The signals are still useful for connection management as long as a large enough fraction of the connections are not bleached.

I think that solving the "practicality" issue requires moving the signal to the IP layer. The experiments by Orange show that you only need a small number of bits to monitor latency and loss rate from within the network - 2 or maybe 3 bits would do. If these bits are in the transport header, the network monitor has first to find out what transport protocol is in use, and possibly what version. With encrypted transports, that could soon become a daunting task. On the other hand, if the bits are at some fixed position in the IP header, monitoring becomes much simpler.

My personal preference would be to associate these bits with an IPv6 "flow" label, or for IPv4 the five-tuple. Latency is associated with routing and with applications, and in theory all packets in a flow share the same routing and the same kind of end-to-end processing. Of course, there are deployment issues, bleaching issues, etc. But the logic remains: associating latency and loss measurement with a packet flow makes the most sense. Moving that to the IP header also makes sense -- after all, it is very similar to ECN signals. The broad line of the solution would thus be:

1) Steal a couple of end to end bits, or maybe just 4 to 8 Diffserv code points

2) Use these bits to encode the "spin" and "loss" indications, and distinguish them from the "bleached" signal

3) Compute the "spin" and "loss" indications per end-to-end flow, and make that part of the spec.

There are obvious deployment issue, bleaching paths and all that. But at the same time, the information is meant to benefit network management, so there will be a strong incentive for network managers to ensure that it flows freely. Thus, it is not hopeless.

-- Christian Huitema