Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

"Black, David" <David.Black@dell.com> Tue, 18 May 2021 14:01 UTC

From: "Black, David" <David.Black@dell.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "tsvwg@ietf.org" <tsvwg@ietf.org>
Thread-Topic: [tsvwg] L4S & VPN anti-replay interaction: Explanation
Thread-Index: AddGbSzrba/1b13cRB2WCtt4aI1NaAFdM6WAAALuJCA=
Date: Tue, 18 May 2021 14:01:26 +0000
Message-ID: <MN2PR19MB404558275B8D72BA5D2D67F7832C9@MN2PR19MB4045.namprd19.prod.outlook.com>
References: <MN2PR19MB4045206ECB759EEE5FA3C60383539@MN2PR19MB4045.namprd19.prod.outlook.com> <7e30e959539920a2b0f188b051375ad958cd1383.camel@ericsson.com>
In-Reply-To: <7e30e959539920a2b0f188b051375ad958cd1383.camel@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/puUZ1VUd9XB4oAnEdbh6IBqyPIg>

I'm sorry Magnus, but I'm going to be blunt.

For IPsec tunnels, there appears to be both "rough consensus" (RFC 4301) and "running code" (e.g., strongSwan VPN) to address this problem for DSCP-caused reordering.

The message below appears to regard both as irrelevant.  I don't understand why - would you please explain?

Thanks, --David

-----Original Message-----
From: Magnus Westerlund <magnus.westerlund@ericsson.com> 
Sent: Tuesday, May 18, 2021 8:33 AM
To: tsvwg@ietf.org; Black, David
Subject: Re: [tsvwg] L4S & VPN anti-replay interaction: Explanation

Hi,

I think I have read through all the relevant discussion of this issue. I have to
agree with Bob Briscoe that this is a general issue for tunneling protocols that
have several properties:

 - Any form of replay protection with a window shorter than the produced reordering
   (e.g. IPsec), or a reordering-restoring functionality (e.g. L2TP).
 - Marks through ECN and/or DSCP.
 - Aggregate multiple sub-flows

These tunnels will exhibit issues either resulting in packet loss (replay
protection) or additional delay (to cancel out the reordering) when the tunnel
flows are going through some type of queue that will cause reordering, i.e. when
sufficiently loaded to have any queue buildup to reorder around.

Any forwarding-impacting technology that would cause subflows to be subject to
improved performance compared to other flows will trip over this issue. That is
clear based on the significant discussion of this related to diffserv in IPsec
RFC 4301, and Section 4.1 in RFC 2983 (
https://datatracker.ietf.org/doc/html/rfc2983#section-4.1).

From my perspective we can't halt progress towards improved performance based on
this general problem. We should mitigate and inform about the issue. However, I
think part of the burden here long term will need to be put on the tunnels that
exhibit the above properties. They need to track development in network
technologies to stay current. It is clear that tunnels that handle this by
correctly classifying the subflows before aggregation and putting them in tunnels
with the same type of forwarding performance will not suffer. The alternative
solution is to avoid the mark-through separation and lose the potential benefit
if encountering a queue where differentiation could have been done. But that
requires the pipe-style handling on egress to correctly preserve the ECN
information for L4S, just as it does for the DSCP field. And thirdly, if one's replay
protection is reasonably scaled with experienced jitter and tunnel throughput
rates, this would also not be a significant issue.

Thus my opinion is that in the L4S context we need to document this impact, link
to solutions or mitigations that can be applied, and potentially push for updates
on important affected specifications, like IPsec.

Cheers

Magnus Westerlund
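The mechanism both messages argue about, as an added example that is not part of this thread and not code from strongSwan or any other VPN implementation: a receiver-side anti-replay window of the sliding-bitmap kind ESP requires (RFC 4303, Section 3.4.3, minimum 32 packets), fed with two sub-flows that share one tunnel SA and get different queueing delay at a bottleneck. The interleaving, the 40 ms vs 1 ms delays, the 0.5 ms packet interval and the `min_window` rule of thumb are constructed assumptions for the demonstration; the three runs in `__main__` correspond to the three mitigations Magnus lists: one SA per class (classify before aggregation), the same SA with a window scaled to the delay difference and rate, and, for contrast, the shared SA with a 64-packet window.

```python
"""Anti-replay window vs. DSCP/ECN-differentiated queueing inside one tunnel SA.

Added example, not code from the tsvwg thread or from any VPN stack. The window
logic follows the sliding bitmap that ESP receivers use (RFC 4303, Section
3.4.3); the traffic pattern, delays and packet interval are assumptions.
"""
import math
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "sa seq cls arrived")


class AntiReplayWindow:
    """Sliding-window anti-replay check: bit i of `bitmap` records whether
    sequence number (top - i) has already been accepted."""

    def __init__(self, size):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq):
        """Return True if `seq` is fresh and inside the window, else False."""
        if seq <= 0:        # ESP sequence numbers start at 1
            return False
        if seq > self.top:  # advances the window; the gap is filled with zeros
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self.mask if shift < self.size else 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:           # arrived too late: fell behind the window
            return False
        if (self.bitmap >> diff) & 1:   # already accepted once: a replay
            return False
        self.bitmap |= 1 << diff
        return True


def simulate(window, classic_delay_ms=40.0, l4s_delay_ms=1.0,
             interval_ms=0.5, n=400, per_class_sa=False):
    """Interleave an L4S and a Classic sub-flow through one tunnel.

    Ingress numbers packets per SA in send order (constructed: one packet every
    `interval_ms`, classes alternating). The bottleneck gives L4S packets a
    short queue and Classic packets a deep one, so egress sees them reordered.
    With `per_class_sa=True` each class is classified into its own SA before
    aggregation, the RFC 4301 approach. Returns the receiver's drop counts.
    """
    counters = Counter()
    pkts = []
    for i in range(n):
        cls = "L4S" if i % 2 == 0 else "Classic"
        sa = cls if per_class_sa else "shared"
        counters[sa] += 1                      # per-SA sequence number
        delay = l4s_delay_ms if cls == "L4S" else classic_delay_ms
        pkts.append(Packet(sa, counters[sa], cls, i * interval_ms + delay))

    windows = {sa: AntiReplayWindow(window) for sa in counters}
    dropped = Counter()
    for p in sorted(pkts, key=lambda p: (p.arrived, p.seq)):   # egress order
        if not windows[p.sa].accept(p.seq):
            dropped[p.cls] += 1
    return {"window": window, "sent": n, "dropped": sum(dropped.values()),
            "dropped_by_class": dict(dropped)}


def min_window(delay_diff_ms, interval_ms):
    """Assumed rule of thumb for 'a window scaled with jitter and throughput':
    the window must exceed the number of packets the SA can emit during the
    delay difference between the fast and the slow class."""
    return int(math.floor(delay_diff_ms / interval_ms)) + 1


if __name__ == "__main__":
    print("shared SA, window 64:      ", simulate(64))
    print("one SA per class, window 64:", simulate(64, per_class_sa=True))
    scaled = min_window(40.0 - 1.0, 0.5)
    print("shared SA, window %d:      " % scaled, simulate(scaled))
```

With the shared SA and a 64-packet window every Classic packet that arrives more than 63 sequence numbers behind the newest L4S packet is discarded by the receiver even though nothing was replayed; the same traffic over one SA per class, or over the shared SA with a window wider than the reordering, loses nothing. Which of the two is cheaper depends on whether the egress can be trusted to pick the window or the ingress to classify, which is exactly the split the thread is arguing over.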