Re: [tsvwg] Traffic protection as a hard requirement for NQB

Bob Briscoe <> Thu, 05 September 2019 21:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3D66C120B5A for <>; Thu, 5 Sep 2019 14:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id r2jvfAP1Nl5G for <>; Thu, 5 Sep 2019 14:46:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 79AAD120B2F for <>; Thu, 5 Sep 2019 14:46:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=8mlE/puMq648u/vE3Zn4KM7+SsmSS8k4IJvY+tubVGM=; b=H8ti8i/lMhxMwzd4XvePwS5qy2 RqInMvhlX68cHZJhb99kNwkfIZK98f5XCrFiT7e+LZbDgpOCQ+5tHsVAaER8In337vvp9KqtPqNVd +uXOJHt3dkW7hYggHzxSJQsYpTAAEb/07scRHVEcv29Y0wN78NeAa3zYmCCr1YM2sjUkLuPOHN3K+ y3B+MmrsFia6sV/JVb7PhMf5pOymZs80pcFaHQLObUCAeurWLKjPVSC4rFGA2O7KVeTfpjQ4njSGm wNPXBq57VUKOSQRdv3wvvs9VcYZ38hmtAeegSC+RRfpAAgihqJClRPGwmwOuD+0CcHp+K0ChoSV6E CcPOd4/w==;
Received: from [] (port=42142 helo=[]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <>) id 1i5zaG-0002mV-B7; Thu, 05 Sep 2019 22:46:28 +0100
To: Sebastian Moeller <>
Cc: "" <>
References: <> <> <>
From: Bob Briscoe <>
Message-ID: <>
Date: Thu, 5 Sep 2019 22:46:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
Archived-At: <>
Subject: Re: [tsvwg] Traffic protection as a hard requirement for NQB
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Sep 2019 21:46:42 -0000

Sebastian, (sorry, I mis-spelled your name previously), inline...

On 03/09/2019 10:14, Sebastian Moeller wrote:
> Dear Bob,
> allow me to chime in.
>> On Sep 2, 2019, at 16:47, Bob Briscoe <> wrote:
>> David,
>> Thanks for your closing remarks on the NQB adoption call.
>> You say your last point is open for discussion, so I will dive straight in to start that discussion.
>> On 30/08/2019 16:40, Black, David wrote:
>>> 	• [snip]
>>> 	• The criticisms on this list of the “queue protection” requirement in the draft are largely accurate.   The draft needs at least an Editor’s Note that this material will be revised, as while the DOCSIS mechanism is an example of how to do queue protection, it is not appropriate to require implementation of that mechanism.   A plausible plan that I have discussed with the authors is to write a set of functional/behavioral requirements for NQB “traffic protection” that can be satisfied by a “queue protection” mechanism such as the DOCSIS mechanism, or by a suitably configured FQ AQM implementation. [snip]
>>> In addition, related to item 2), my expectation (which is open to further discussion) that “traffic protection” will be a “MUST” requirement, perhaps with some well-specified exceptions (including explanations of why the exceptions are ok).   This is because “traffic protection” (e.g., “queue protection” or a suitably configured FQ AQM) appears to be necessary in general to keep queue-building traffic out of the NQB traffic aggregate, as allowing such traffic degrades the properties of the NQB PHB.
>> I think we should be wary of making traffic protection a hard requirement at such an early stage in our knowledge of the NQB behaviour. I believe this is a case where the market, not the IETF, ought to decide whether protection is required.
> 	[SM] The draft says "... it is worthwhile to note that the NQB designation and marking would be intended to convey verifiable traffic behavior, not needs or wants." in the light of this requirement it seems obvious that a hop willing to honor that DSCP should/must actually verify the traffic behavior, no? Requiring behavior to according to a set of requirements but not enforcing these requirements seems very very optimistic.
[BB] Just because the behaviour is verifiable does not mean it always 
has to be verified. For instance, if someone claims a car is 17 years 
old, you might trust it is likely to be truthful because the speaker 
knows you could verify it. But it doesn't mean you have to actually look 
up the engine and chassis serial numbers to check the date of manufacture.

In the case of NQB, there is less need to verify behaviour because 
applications or users have no incentive to mismark - they would be worse 

However, there is still the risk of accidents or malice. Nonetheless, 
the harm from any accidental or malicious NQB mismarking will be 
confined to other applications of the same customer {Note 1}.

Given there's no incentive to mismark, and the effect of accidents or 
malice are contained, an operator might decide that traffic protection 
is unnecessary - more cost than benefit.

The point about verifiability is merely that, if an operator does choose 
to protect flows from each other, an implementation can objectively 
determine which flows are out of compliance, because NQB behaviour is 
verifiable. Objective verifiability is neutral, which is important in 
jurisdictions with net neutrality legislation.

{Note 1}: The draft says NQB is targeted at access links. That implies 
NQB scheduling is between the classes of one customer and that a higher 
level in the network scheduling hierarchy isolates customers from each 

>> The draft claims incentives can be aligned by an implementation being arranged to ensure that NQB traffic benefits from NQB marking and QB traffic benefits from QB marking. Incentives are hard to guess, so that may or may not be true. However, I don't think we (the tsvwg/IETF) can state categorically that it is not true.
> 	[SM] I would have thought it would be on those claiming a laxer enforcement model to proof that that model is sufficient?
[BB] See previous email to you and David Black.
>> The draft makes the point that, even if incentives are aligned, queue-building traffic could be mismarked as NQB, either accidentally or maliciously. That's a sound reason for an implementer to include traffic protection, but I don't think it's a good reason for us (the tsvwg/IETF) to require them to.
>> While there is no operational experience of NQB deployments, I think the market (i.e. most early-adopting operators) will want the warm feeling of some form of traffic protection. But as we get more experience we might find incentives really are aligned. And we might find accidents and malice are not a significant problem.
> 	[SM] @ the chairs, how hard would it be to retroactively change from a SHOULD to  a MUST? If it is easy I agree with Bob that a SHOULD would be nice, but if it is hard I would vote for a MUST as that seems to be the safer option.
>> So I think the current 'SHOULD' is the right call. It could be beefed up with warnings on the risks of not providing protection - not least the risk no early adopter will want to use such an implementation.
>> As an analogy, when TCP congestion control was first developed, it was known that end-systems could run a subverted TCP algorithm or just use unresponsive UDP. At that time, the view could have been taken that per-flow scheduling would have to be a 'MUST' requirement for all Internet bottlenecks.
>> As it has turned out, the Internet does have /per-user/ scheduling at bottlenecks,
> 	[SM] Question is this universally true? I am not 100% sure. My access link is limited by my contracted rate, but due to oversubscription there is no guarantee that on a congested link between my home and my ISP's traffic-shaper/the wider internet I get a share that reflects my "per-user" fraction of the shared capacity.
> 	I fail to see any scheduler beyond my ISPs traffic shaper that has a wholistic-enough view to classify traffic based on "user" (think NATed IPv4 address, but variable length IPv6 prefixes, plus a router's ipv6/64), could you elaborate please?
[BB] In DSL, DOCSIS, mobile or satellite access networks, a scheduler 
both limits a customer to their contracted access rate and shares out 
the capacity during over-subscription periods. How these schedulers 
actually do that is secret sauce in many cases {Note 2}, but they all do 
it somehow.

If another link deeper into the network becomes the bottleneck (e.g. a 
core or peering link), then there is typically no scheduler arbitrating 
between Internet customers {Note 3}. Then it's down to TCP between 
flows, regardless of which customer they are from. However, a core 
bottleneck rarely happens by design - usually it would be due to a screw up.

The main exception is campus networks (e.g. Universities, corporates), 
where the access link with the Internet doesn't usually schedule between 
users. Solutions range from a simple FIFO (i.e. the transport layers 
will be determining shares per flow, not per user) to complex often 
DPI-based prioritization solutions that might recognize users and/or 

{Note 2}: When I worked for BT, we described BT's wholesale solution here:
(it had already been published elsewhere, due to the regulatory need for 
transparency in the UK market).

{Note 3}: But one customer cannot get a huge share of the core capacity 
by opening loads of TCP flows, because each customer is still capped by 
their access scheduler as well.

>> but there has been little need for /per-flow/ scheduling for capacity sharing (yes, FQ exists, but it's not needed for capacity sharing).
>> In the TCP case, it turned out that a delicate balance of incentives proved sufficient to allow most Internet equipment to be simpler and cheaper. There is a poorly understood balance of incentives in the NQB case. So let's not require equipment to be more complex than it might need to be, at least not yet.
> 	[SM] I believe for malicious actors NQB will be a attractive DSCP as it promised to allow doing harm even at low bandwidth (just send a low average rate in lumpy bursts and I would expect an NQB-honoring L4S scheduler to get into trouble*, without requiring a large offensive traffic load, keeping it cheap and hard to detect yet sufficiently disruptive to rob the low latency queue of its intended functionality).
[BB] Yes, if a malicious actor could get control of either end, it would 
be fairly easy for them to cause more queuing. On the other hand it 
would be confined within one customer's service, so not a particularly 
high profile attack for a script kiddie to boast about.

As I said in my other mail to you & David, I'm not saying there's not a 
risk. I'm saying it's not the IETF's place to mandate that implementers 
MUST protect against this risk. It's not a standards matter. 
Implementers will provide protection if operators want it. And if some 
operators don't want it, there will be a market for lower cost solutions 
without protection. Implementers are perfectly able to make these 
decisions themselves. The IETF has no mandate to meddle in this market.

> *) This is a hypothesis I have not confirmed in any way, but it seems to be in line with how I understand dual queue aqm to work (so it might be more of a reflection of my level of understanding and not so much of dual queue aqm). Please correct me if this seems wrong.


>> u
>> Bob
>>> Thanks, --David (TSVWG co-chair, will be shepherd for NQB draft).
>>> ----------------------------------------------------------------
>>> David L. Black, Senior Distinguished Engineer
>>> Dell EMC, 176 South St., Hopkinton, MA  01748
>>> +1 (774) 350-9323 New    Mobile: +1 (978) 394-7754
>>> ----------------------------------------------------------------
>> -- 
>> ________________________________________________________________
>> Bob Briscoe

Bob Briscoe