IETF Logo Mail Archive

Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

"Black, David" <David.Black@dell.com> Tue, 18 May 2021 21:55 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065A73A1116 for <tsvwg@ietfa.amsl.com>; Tue, 18 May 2021 14:55:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOV_qLb0uvo1 for <tsvwg@ietfa.amsl.com>; Tue, 18 May 2021 14:55:02 -0700 (PDT)
Received: from mx0b-00154904.pphosted.com (mx0b-00154904.pphosted.com [148.163.137.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB5553A10C5 for <tsvwg@ietf.org>; Tue, 18 May 2021 14:55:01 -0700 (PDT)
Received: from pps.filterd (m0170394.ppops.net [127.0.0.1]) by mx0b-00154904.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 14ILSkMs028878; Tue, 18 May 2021 17:54:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=PE2Lj5sWC97O+ed3pkNyHSBdE5gRtsQ+uwFdg8W71Mc=; b=q/flHhCN3ETYZjic03XgB9ZqYP3xUQgjCI7+n41SEECyMGgZ51wonKSIn+YoWkURO5QQ e78VG7XSVcteOCu4TlIJ0LanYc8WV1nbC1XBklNXsET7YdD2T00s1IJ+cgZZFGWRlYnv CRgB2WS/4Fq7h/HMpJzBS8NA5Df6xBCGiqpDhowIglYKOnOJi4vwDfCtKyI0wqfJONZ8 e9NAOFiwYkeyNwGhPTPEIaCSMoAiIwOwM/BtAjqalPT1r1pEUluxX4SuB1JwDWLJX+jt nIBO80uvjEnuGrK9RFn/WGH2LyBI1YJjTWLrInDY++tdnak840GWvqJ+9mIxBCdfnhgL hA==
Received: from mx0b-00154901.pphosted.com (mx0b-00154901.pphosted.com [67.231.157.37]) by mx0b-00154904.pphosted.com with ESMTP id 38kpuhfd28-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 18 May 2021 17:54:57 -0400
Received: from pps.filterd (m0134318.ppops.net [127.0.0.1]) by mx0a-00154901.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 14ILPZbX146338; Tue, 18 May 2021 17:54:57 -0400
Received: from nam12-mw2-obe.outbound.protection.outlook.com (mail-mw2nam12lp2046.outbound.protection.outlook.com [104.47.66.46]) by mx0a-00154901.pphosted.com with ESMTP id 38kn283xek-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 18 May 2021 17:54:57 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=c3h1dNsQFB33PcGrCl921pe6MBdiD2/8zyqmVIfcuqdIDLCc26m1OM2rosmzpIXeoWfsmonWFgkAI05vWgikhJynPWI4Q7oEAjWmFxxafED4K2VVKyCi8tGW/Hwhd8ZMNw+fHo1HFhdT+jE0qeXwZEzQeCqqKBCuzKiiPbnMcEVkR/KDzdL57JULwC6fLCB15l7abRaC74TofGomXyXb29SgTdp+VsJKS3z2pL86PYhuKsHuw4/iriPVNztewDHFqk3Az0GMmFKOgVnBPXeWfw9rwWyQ38I5erEX2WituhxJzvQOoFXhkYlh5PCiU+JL+5llcMT3WIRRE7rg4X3uDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PE2Lj5sWC97O+ed3pkNyHSBdE5gRtsQ+uwFdg8W71Mc=; b=PpdRP5BFBJ+JhoibTYNjxR9X1QhEplLUz0DTa3s4pa/5TfjNxe1pX6PZF31PYy73KGM3w31w0RWPi2t3T++tsbq7T3pwOGVux+3x+KeMaZOkHnfLSDttHPre9zOB2C+oSwJYuojGpWpUp2O8UInnYL8SVj1A+JkOrsqme4ReEtsY6KIPcNqs4vARZtMXUoCIiRa8S3qMGhnDJJqeHDoVGTIrZbvZ5pmqU7Q+T3/ef5rh0sCRkJzPnO10ZdVNxgglaKbYRzH44MipF6p37NCH59zn8odz3a6gdChg+tDn8bs1mJf4Hv4gIAn8Ft2ugeBDVqO6fsMYwSkN5g95rm6ZPA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com; dkim=pass header.d=dell.com; arc=none
Received: from MN2PR19MB4045.namprd19.prod.outlook.com (2603:10b6:208:1e4::9) by BLAPR19MB4484.namprd19.prod.outlook.com (2603:10b6:208:29c::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.25; Tue, 18 May 2021 21:54:55 +0000
Received: from MN2PR19MB4045.namprd19.prod.outlook.com ([fe80::8c88:4c4d:ef13:ffe6]) by MN2PR19MB4045.namprd19.prod.outlook.com ([fe80::8c88:4c4d:ef13:ffe6%8]) with mapi id 15.20.4129.033; Tue, 18 May 2021 21:54:55 +0000
From: "Black, David" <David.Black@dell.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] L4S & VPN anti-replay interaction: Explanation
Thread-Index: AddGbSzrba/1b13cRB2WCtt4aI1NaAFdM6WAAALuJCAAAsPKgAALzgBQ
Date: Tue, 18 May 2021 21:54:55 +0000
Message-ID: <MN2PR19MB4045EBAD91FFC8453E65C2C9832C9@MN2PR19MB4045.namprd19.prod.outlook.com>
References: <MN2PR19MB4045206ECB759EEE5FA3C60383539@MN2PR19MB4045.namprd19.prod.outlook.com> <7e30e959539920a2b0f188b051375ad958cd1383.camel@ericsson.com> <MN2PR19MB404558275B8D72BA5D2D67F7832C9@MN2PR19MB4045.namprd19.prod.outlook.com> <87c0c5e2ccf1408ff005f10a57f6a51248ac9ef2.camel@ericsson.com>
In-Reply-To: <87c0c5e2ccf1408ff005f10a57f6a51248ac9ef2.camel@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Enabled=True; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Owner=david.black@emc.com; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SetDate=2021-05-18T21:00:26.3576974Z; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Name=External Public; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Application=Microsoft Azure Information Protection; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_ActionId=bb1018ae-4d80-4a5f-883c-f7f0bfb1efe3; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Extended_MSFT_Method=Manual
authentication-results: ericsson.com; dkim=none (message not signed) header.d=none;ericsson.com; dmarc=none action=none header.from=dell.com;
x-originating-ip: [72.74.71.221]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 96cf4dd2-f55e-434a-fa5c-08d91a479278
x-ms-traffictypediagnostic: BLAPR19MB4484:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BLAPR19MB4484D15525F7B0E8DEE11594832C9@BLAPR19MB4484.namprd19.prod.outlook.com>
x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wLKjkOxgcWPCCfO3sskancx/r4n7RnKA1q2rOHKg4NqNmEUvYqYnifo9BDUK0SNYspMMA4hHmqWlKr/nTGh5FZrO3abFZezt3kdZ/qu97Ox9ZVbSYItm7vQf/rws2M76nkmqRLNhlrdPND9zL/e/SqlX18kzxrhu1QFkdwfP1fpiBawd0eWvzo7v6WbcfM+mDjNyp+xXfU5RWfrqnc8/XIWsZn0rd8CsVefrMOcDhgv18H4hbd1/6pFyd2tY3ZlHkKqXSZ9r9QgGHYWsCR5CmBp5KrwSdhn8LP0j2C6FgC444nKATP8+6wfR2matv6S27DIWSxuzGRy/vjqb4oYt8Z+ryUJu7jxRH8shA3dpiWEsTMUEy3+UlPfPyTyjkRj93eYu/6f3zKxAugIvLJU6vrjAnqu2L7+XwqfuQBGYTPU8Oy4C9puu6YuxsOzOAEPwZL70iS7zJNHqOjscnKsv7eunTsYPMxkNMB5puMGlL32tNiFPcv3oGw4tMdhQbQ/QcKd5Pt9+ozSKDgn2pLeuDJlqvg7yw99A/KgbJUaLqzqhlFSuCLWM0K06JBKmLpKR+q9dSbR1SoVS5X9Tnit4PSfPb55D7nGxu3gvZUW+5Gz7P8Lbje/JdK5yCVp0r2I1xlHXlyvaF4dHEIJcK/z8LVd54Fz/8Tn/zupqaiohwuI8/p+4Zmts7yodu/oAB+GS5mTbQueTbKd1bD/8cuel4Q==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR19MB4045.namprd19.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(39860400002)(136003)(366004)(376002)(346002)(55016002)(9686003)(66476007)(64756008)(122000001)(186003)(52536014)(66556008)(66446008)(86362001)(53546011)(2906002)(7696005)(786003)(316002)(71200400001)(26005)(110136005)(33656002)(8676002)(6506007)(5660300002)(83380400001)(8936002)(478600001)(76116006)(38100700002)(66946007)(4326008)(107886003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: tBI0GQBKiySYzwPK39nwbTIEZgO3cgdjMAy8BXLsXZp1b90/svkk9SJCEcqRq6afqxRffTk6U+WFsdaBUPg+cIj5BDZrDFzzxAT21roh+QnWtFoJDXaBiKCazZZbApnYM2XVogzUqwOo2qHZWvUE10nSSwU+kKtJl7TpDuWMlLKwWyqONOyEDy4Ch3hej54Kv95Ak75ftHN10HQGO/HcxBeIWw/+0IIiYYvh4BAzYvWbB7KVTnzfQhJLv2GLKCjEACivPyAHbsiQiqkZICyXpONzwutWNNBdJHy3D6b23O6RhzZ92Xr3B7MokTNqzzfKXQMp6UVHnwlh3xV95rIyDTZTO6B3RvO/L4z/KAk9vCJZwj1FRVAs4h70Yhjypj8T3rQYtB4kjJ6RonF2fXI8qb3C1vokfXLE/yFvCxn4X5eY/+Vb4lXsTq9GGa4ONTxpf1x1MdS1RPlNGg4/Jewk+bh3Izbj8OMH+c4g5rz9DqlVNcxUSUqFFOBw2ZlHdw6c3FOWc6uQwZZvPQdZHYvjnxMOe+LoxUnETaVZ27ywN7bvxGpFZFnoO6tYTl0iMQaeciTVAIgQvAprl6/LvcFg6IVuapTag0lEn4/5Oh1WA0h1CrL5wzcw3qAYdKDQmo9EsQCuPmpCwJRb1+k+m0UHPO88JYs/2pjw7fhEKf62I0qUyXEQLiJ5LJDMiCVfrXFb70V0CrGSp1kRL0PzFQPw0ZgYuOMaLRr5Kl88T+Y7jxZ6cM6hzAwcxkJcrc8MEZmk4zlYA8IQc4tFTuTbkINGcIG3dhwhu9Q6zcI6WH6jHMzL0jAjV9IfUvAgY9C6kciH3BIxQ9dnuxUupxENUwj5Q+78FtOZsdNFRcriB6s6yS5jltRlrmQsuBUU6RX9HnSFSA8dbHyUxYGIWMi1xWonKfyQpTCi2F9u75yNiuzjs3Ck/wLTw1a1r1uvortLcMtkcR19KZxsixq/xMURegWCqQj2gCcM70W7pcnUOCu9KDXE2uX04zge2pA9DSgXB+RbwSpC9wJf4r7dA6KE3jUt2mudE5uQRPr48qcMy84m7uVK6TPBo1RXWARHfvsI770Kb7kgSALn1qwUdSGspsq0cRE0kKJSzZ2IRDmXtu2TGwsc6JSUrM4VTMFFI0dWlQEhzvxAVmxfnGkU2uPllsimZnZnOrv2Ix5blGgGMSMV+2fqOoMvMVf68pIMP+3RSnH19i4j7T4mMG0fMEP2HdLYl1y5eUl51QdsXgqcW5cyn5JTQc8Lwy2QTMZ1Pn7Hz3ZF47IuhbEkYSaT8dROM+k0r8aT15Dv3e1SUoVHl5CHSPxZcPkWZSwY0BiNR8TW7vn8
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: Dell.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR19MB4045.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 96cf4dd2-f55e-434a-fa5c-08d91a479278
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 May 2021 21:54:55.0813 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OsPe4IMV4RVRCQDngzuPaJwLdz/yZg0ueHIfnvMyBEYKABq1s8hi5IlZ9xy08j/sbYwUAGThUjiTaqyihM5kmA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLAPR19MB4484
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-05-18_10:2021-05-18, 2021-05-18 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 impostorscore=0 mlxscore=0 malwarescore=0 spamscore=0 phishscore=0 lowpriorityscore=0 clxscore=1015 adultscore=0 suspectscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2105180149
X-Proofpoint-ORIG-GUID: 2pOL9j23GGwqLWDcgOU2mW7wLInWf7uW
X-Proofpoint-GUID: 2pOL9j23GGwqLWDcgOU2mW7wLInWf7uW
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 mlxlogscore=999 suspectscore=0 malwarescore=0 spamscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2105180149
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/pizCkaqsrqvvEhiT-9zb9GZHhH8>
Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 21:55:12 -0000

Magnus,

Thanks for the prompt explanation.

> My intention was to state that the same approach of addressing the issue for L4S
> ECN as for DSCP appear to be appropriate. However, to me that appears to mean
> that L4S would document the issue and point to similar approaches of handling or
> mitigation like for DSCP. To my understanding, the better approach of using two
> SAs after L4S aware subflow classifier in tunnel ingress, alternatively to
> downgrade the pipe segment the tunnel represents to not enable L4S treatment and
> recover the L4S on egress from the inner ECN markings. But, it does imply that
> tunnel implementations have some work to do. I recognize that guard DSCP would
> simplify that process to likely just a configuration change for implementation
> already capable of using sets of DSCP to SA mappings.

I generally agree with the above paragraph.  The crucial takeaway from my vantage
point is that IPsec has addressed this problem for Diffserv DSCPs.  FWIW,  the RFC 2983
text that I wrote likely contributed to the RFC 4301 provisions that address this problem,
so this is a familiar area.

I do hope that there will be no further attempts to argue that Diffserv interaction with
IPsec anti-replay is an unaddressed problem.

Thanks, --David

-----Original Message-----
From: Magnus Westerlund <magnus.westerlund@ericsson.com> 
Sent: Tuesday, May 18, 2021 11:16 AM
To: tsvwg@ietf.org; Black, David
Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

On Tue, 2021-05-18 at 14:01 +0000, Black, David wrote:
> I'm sorry Magnus, but I'm going to be blunt.
> 
> For IPsec tunnels, there appears to be both "rough consensus" (RFC 4301) and
> "running code" (e.g., strongSwan VPN) to address this problem for DSCP-caused
> reordering.
> 
> The message below appears to regard both as irrelevant.  I don't understand
> why - would you please explain?

Okay, I must have expressed myself poorly. That you should arrive at the above
interpretation was definitely not my intention. 

My intention was to state that the same approach of addressing the issue for L4S
ECN as for DSCP appear to be appropriate. However, to me that appear to mean
that L4S would document the issue and point to similar approaches of handling or
mitiagation like for DSCP. To my undestanding, the better approach of using two
SAs after L4S aware subflow classifyier in tunnel ingress, alternatively to
downgrade the pipe segment the tunnel represents to not enable L4S treatment and
recover the L4S on egress from the inner ECN markings. But, it does imply that
tunnel implementations have some work to do. I recognize that guard DSCP would
simplify that process to likely just a configuration change for implementation
already capable of using sets of DSCP to SA mappings. 

I think a third way of dealing with this issue is adaptive scaling of the replay
protection window in the egress side of the tunnels. This maybe anyway is needed
based on the increase bandwidth, the changes in what lower layers are and how
they behave and on what level they preserve order. 

I think the core of my thinking is that this type of tunnels that has the
properties that I expressed are going to be impacted by any change in forwarding
behaviors that impacts packet priority or path when being forwarded through the
network. L4S do redefine in some sense what the flow selectors are when
forwarding packets. This, has to no surprise some cross area impact. The WG have
been discussing these impacts and there cost and severity for a while now. I
think describing this one and its handling appear fairly straightforward. So I
suggest that we continue on writing up the issue and its handling. The severity
and impact discussion can go on in parallel. I do want to arrive at the point
where the L4S related specifications are in good enough state that we can
actually see where the IETF wide consensus on this really stands. 

Cheers

Magnus


> 
> Thanks, --David
> 
> -----Original Message-----
> From: Magnus Westerlund <magnus.westerlund@ericsson.com> 
> Sent: Tuesday, May 18, 2021 8:33 AM
> To: tsvwg@ietf.org; Black, David
> Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation
> 
> Hi,
> 
> I think I have read through all the relevant discussion of this issue. I have to
> agree with Bob Briscoe that this is a general issue for tunneling protocols that
> have several properties:
> 
>  - Any form of replay protection with a window shorter than produced reordering 
>    (e.g. IPsec) or have a reordering restoring functionality (e.g. L2TP).
>  - Marks through ECN and/or DSCP.
>  - Aggregate multiple sub-flows
> 
> These tunnels will exhibit issues either resulting in packet loss (replay
> protection) or additional delay (to cancel out the reordering) when the tunnel
> flow are going through some type of queue that will cause reordering, i.e. when
> sufficiently loaded to have any queue buildup to reorder around. 
> 
> Any forwarding impacting technologhy that would cause subflows to be subject to
> improved performance compared to other flows will trip over this issue. That is
> clear based on the significant discussion of this related to diffserv in IPsec
> RFC 4301, and Section 4.1 in RFC 2983 (https://datatracker.ietf.org/doc/html/rfc2983#section-4.1).
> 
> From my perspective we can't halt progress towards improved performance based on
> this general problem. We should mitigate and inform about the issue. However, I
> think part of the burden here long term will need to be put on the tunnels that
> exhibit the above properties. They need to track development in network
> technologies to stay current. It is clear that tunnels that handles this by
> correctly classifying the subflows before aggregation and put them in tunnels
> with same type of forwarding performance will not suffer. The alternative
> solution is to avoid the mark through seperation and loose the potential benefit
> if encountering a queue where differentation could have been done. But that
> requires the pipe style handling on egress to correctly preserve the ECN
> information for L4S, just as it does for DSCP field. And thirdly, if ones replay
> protection is reasonably scaled with experienced jitter and tunnel throughput
> rates this would also not be a significant issue. 
> 
> Thus my opinion is that in the L4S context we need to document this impact. Link
> to solutions or mitigations that can be applied and potential push for updates
> on important affected specifications, like IPsec. 
> 
> Cheers
> 
> Magnus Westerlund
> 
>

v2.23.0 | Report a Bug | By Email