Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

"Black, David" <David.Black@dell.com> Tue, 11 May 2021 18:21 UTC

From: "Black, David" <David.Black@dell.com>
To: Dave Taht <dave.taht@gmail.com>
CC: "tsvwg@ietf.org" <tsvwg@ietf.org>, "Black, David" <David.Black@dell.com>
Date: Tue, 11 May 2021 18:21:39 +0000
Message-ID: <MN2PR19MB4045289FB335DA556D3D11D683539@MN2PR19MB4045.namprd19.prod.outlook.com>
References: <MN2PR19MB4045206ECB759EEE5FA3C60383539@MN2PR19MB4045.namprd19.prod.outlook.com> <CAA93jw5O_R1ro6rbMs2-FfeRuNyimsEMdXKgOX1Y-yF7hXHNHA@mail.gmail.com>
In-Reply-To: <CAA93jw5O_R1ro6rbMs2-FfeRuNyimsEMdXKgOX1Y-yF7hXHNHA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/hA4SCfBUAwsuyBP7VX9MB3zy-RA>
Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation
List-Id: Transport Area Working Group <tsvwg.ietf.org>

Dave,

Thanks - I have one clarification on the third item in your message:

> 3) Exposing different diffserv codepoints in a single flow ...

For clarity, that's not part of the scenario here.  Each transport flow would use a single DSCP, which differs for L4S vs. Classic flows so that a Diffserv classifier can direct L4S and Classic traffic to different IPsec SAs.  FWIW, transport protocols such as TCP have a history of not working well with multiple DSCPs in the same flow - see RFC 7657 for details (https://datatracker.ietf.org/doc/rfc7657/).

In contrast to the ECN field, a VPN sender for an IPsec tunnel-mode VPN is allowed to change the DSCP as part of tunnel encapsulation - an example described in earlier list discussion always clears the outer DSCP to zero.

Thanks, --David
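The scenario David describes, as an added illustration that is not part of this e-mail thread and not code from any VPN implementation: a tunnel-mode ESP sender that picks the SA by inner DSCP, copies ECN to the outer header (RFC 6040 normal mode) while clearing the outer DSCP (allowed by RFC 4301), and a receiver running the RFC 4303 anti-replay window. A DualQ-style bottleneck is modelled as a fixed per-class delay; when both classes share one SA, the L4S packets overtake the Classic ones far enough that Classic sequence numbers fall behind the window and are dropped, while one SA per DSCP has no drops. The DSCP values, SPIs, window size (64), packet spacing and the 1 ms / 15 ms delays are assumptions chosen for the demo.

```python
"""Added illustration (not code from the thread): ESP anti-replay vs. a
DualQ-style bottleneck that lets L4S packets overtake Classic packets.
Codepoints, SPIs, window size and delays are assumptions for the demo."""
from dataclasses import dataclass

# Assumed per-class DSCPs for the classifier (any two distinct values work).
DSCP_L4S, DSCP_CLASSIC = 0x2E, 0x00
# ECN codepoints (RFC 3168 / RFC 8311): L4S traffic carries ECT(1).
ECT0, ECT1 = 0b10, 0b01

SINGLE_SA = {DSCP_L4S: 0x100, DSCP_CLASSIC: 0x100}   # both classes on one SA
TWO_SAS = {DSCP_L4S: 0x100, DSCP_CLASSIC: 0x200}     # Diffserv classifier -> own SA


@dataclass
class Packet:            # inner IP packet, reduced to the header bits we need
    flow: str
    dscp: int
    ecn: int
    send_us: int


@dataclass
class EspPacket:         # tunnel-mode ESP: outer IP header + SPI/sequence
    spi: int
    seq: int
    outer_dscp: int
    outer_ecn: int
    inner: Packet


class TunnelSender:
    """Tunnel-mode sender: selects the SA by inner DSCP, keeps one sequence
    counter per SA (RFC 4303), copies ECN into the outer header (RFC 6040
    normal mode) and, by local policy, clears the outer DSCP to zero."""

    def __init__(self, sa_for_dscp, clear_outer_dscp=True):
        self.sa_for_dscp = sa_for_dscp
        self.seq = {spi: 0 for spi in set(sa_for_dscp.values())}
        self.clear_outer_dscp = clear_outer_dscp

    def encapsulate(self, pkt):
        spi = self.sa_for_dscp[pkt.dscp]
        self.seq[spi] += 1
        outer_dscp = 0 if self.clear_outer_dscp else pkt.dscp
        return EspPacket(spi, self.seq[spi], outer_dscp, pkt.ecn, pkt)


class AntiReplayWindow:
    """RFC 4303 receiver window: accept a sequence number if it advances the
    window, or lies inside the window and was not seen before; else drop."""

    def __init__(self, size=64):
        self.size, self.top, self.seen = size, 0, set()

    def check(self, seq):
        if seq > self.top:                       # right of the window: slide it
            self.top = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.top - self.size or seq in self.seen:
            return False                         # too old, or a replay
        self.seen.add(seq)
        return True


def simulate(sa_for_dscp, n=200, interval_us=100, l4s_delay_us=1_000,
             classic_delay_us=15_000, window=64):
    """Send n L4S and n Classic packets, interleaved every interval_us, through
    a bottleneck that delays each class by a fixed amount (the DualQ effect:
    shallow L4S queue, deep Classic queue), then run the receiver's per-SA
    anti-replay check in true arrival order. Returns accept/drop counts."""
    sender = TunnelSender(sa_for_dscp)
    wire = []
    for i in range(n):
        t = i * interval_us
        for flow, dscp, ecn, delay in (("l4s", DSCP_L4S, ECT1, l4s_delay_us),
                                       ("classic", DSCP_CLASSIC, ECT0, classic_delay_us)):
            esp = sender.encapsulate(Packet(flow, dscp, ecn, t))
            wire.append((t + delay, len(wire), esp))   # (arrival, tiebreak, pkt)
    wire.sort()                                        # arrival order on the far side
    windows = {}
    stats = {"accepted": 0, "dropped": 0, "dropped_l4s": 0, "dropped_classic": 0}
    for _, _, esp in wire:
        w = windows.setdefault(esp.spi, AntiReplayWindow(window))
        if w.check(esp.seq):
            stats["accepted"] += 1
        else:
            stats["dropped"] += 1
            stats["dropped_" + esp.inner.flow] += 1
    return stats


if __name__ == "__main__":
    print("one SA for both classes :", simulate(SINGLE_SA))
    print("one SA per DSCP         :", simulate(TWO_SAS))
```

With the assumed numbers the shared-SA run drops 167 of the 200 Classic packets and none of the L4S packets; only the last Classic packets, sent after the L4S burst has ended, land inside the window again. The two-SA run accepts all 400 because each SA's sequence numbers arrive in order. Real implementations default to window sizes of 32 or 64 and also let you enlarge the window, but that only moves the threshold; the classifier-per-SA split removes the cross-class reordering entirely.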

-----Original Message-----
From: Dave Taht <dave.taht@gmail.com> 
Sent: Tuesday, May 11, 2021 11:48 AM
To: Black, David
Cc: tsvwg@ietf.org
Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation


Dear David:

This was an extremely clear discussion of what can go wrong with
reordering in a vpn tunnel.
I, like many other linux devs, have switched to wireguard and not
looked back, as we made site-site vpns like ipsec and that work
beautifully with fq_codel also on that bottleneck link, and userspace
vpns like openvpn have severe bufferbloat problems whether run

I've long meant to get on top of openvpn to have it manage its
internal queues better.

In reading your description I ultimately have 3 points to make.

1) I was reminded of how hard it was to diagnose and fix a similar but
different crypto/reordering interaction problem over wifi we
encountered in early versions of the "ending the anomaly" codebase,
which I'd written up, as amusingly as possible, over here:

http://blog.cerowrt.org/post/crypto_fq_bug/

I am curious what other tools, besides tsde as used there, exist to
detect persistent re-ordering issues, as a plugin to wireshark, or so
on?

2) I don't know a lot about userspace p2p vpns nowadays, but after a
difficult encounter with the universal per-employee vpn tech of one corp
that shall remain nameless, I plan to go take a hard look at

http://www.infradead.org/openconnect/ to see what they do as to
encapsulating dscp and ecn markings. Not having sources to many other
ostensibly secure vpn technologies kind of bothers me... I guess I
should go look hard at ssh also.

3) Exposing different diffserv codepoints in a single flow to a wifi
stack will end up dropping it into different wifi AC classes, which have
dramatically different media access properties.
The maximum number of packets that can fit into each of the 4 classes
is 64k or 42 packets on 802.11n; I think it is 96 or higher (and
4Mbytes) on 802.11ac, and I'm about to go review the now final ax spec
to see if they were paying attention to how vpns might behave over it.