IETF Logo Mail Archive

Re: [tsvwg] Case for ECN-capable TCP control packets: draft-bagnulo-tsvwg-generalized-ecn

Brian Trammell <ietf@trammell.ch> Sat, 16 July 2016 09:14 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCEB312D7F1; Sat, 16 Jul 2016 02:14:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.189
X-Spam-Level:
X-Spam-Status: No, score=-3.189 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iqbLp0qiJXnb; Sat, 16 Jul 2016 02:14:24 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id 62D4812D7E3; Sat, 16 Jul 2016 02:14:24 -0700 (PDT)
Received: from dhcp-9999.meeting.ietf.org (dhcp-9999.meeting.ietf.org [31.133.153.153]) by trammell.ch (Postfix) with ESMTPSA id 92F5D1A1675; Sat, 16 Jul 2016 11:14:22 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_24ED7FF2-D681-4669-9BA1-B97B262BE298"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail
From: Brian Trammell <ietf@trammell.ch>
In-Reply-To: <57892BE9.4020309@bobbriscoe.net>
Date: Sat, 16 Jul 2016 11:14:21 +0200
Message-Id: <6CBDEF21-E2A2-4514-BA81-7EF930ABDAF9@trammell.ch>
References: <CE03DB3D7B45C245BCA0D243277949362F5D88C0@MX307CL04.corp.emc.com> <57892BE9.4020309@bobbriscoe.net>
To: Bob Briscoe <ietf@bobbriscoe.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/qOdGmn7xr9zf_Ddu3lZ2BLyHFRA>
Cc: tcpm IETF list <tcpm@ietf.org>, tsvwg IETF list <tsvwg@ietf.org>, "draft-bagnulo-tsvwg-generalized-ecn@ietf.org" <draft-bagnulo-tsvwg-generalized-ecn@ietf.org>
Subject: Re: [tsvwg] Case for ECN-capable TCP control packets: draft-bagnulo-tsvwg-generalized-ecn
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 09:14:27 -0000

hi Bob, all,

Interesting stuff.

There is one argument against ECN-marked control packets not appearing in 3168: the presence of ECT or CE marked TCP control packets is currently an indication of ECN signaling malfunction in the Internet, either due to buggy implementations or deployed boxes who still believe the ToS byte is the ToS byte.

In our measurement we haven't seen a lot of this (10^-5 - 10^-6 or so), but it seems relatively stable as long as we've been looking at it.

Allowing TCP control packets to use ECN marking will cause confusion between correct signaling and incorrect signaling, which makes this measurement methodology no longer available.

It's a minor problem, admittedly, but it will blind us to the ability to continue monitoring the de-deployemnt of these broken middleboxes and endpoints.

Cheers,

Brian

> On 15 Jul 2016, at 20:31, Bob Briscoe <ietf@bobbriscoe.net> wrote:
> 
> David, [re-sending to include tsvwg & tcpm, which is what I had intended to do first time.]
> 
> Here's a heads-up for tsvwg, plus cross-posting to tcpm as suggested,
> And for a fast read, there's a summary of every argument below.
> Pls bash the arguments.
> 
> Summary:
> The ECN spec [RFC 3168] says various TCP control packets must not be ECN capable.
> This draft lays out each argument given in the RFCs, and articulates a rebuttal against each one:
> draft-bagnulo-tsvwg-generalized-ecn
> Subject to some more experiments, we think this knocks down every reason given, so that all these packets could safely be ECN-capable.
> 
> Pls read the draft for more details (preferably before responding).
> 
> Enumeration of arguments about each type of control packet follows, starting with some arguments common to many:
> ___________________________________________________________________________________________
> 
> Common arguments against ECT
> 	• Unreliable congestion notification delivery
> 	• DoS Attacks
> Common rebuttals (respectively):
> 	• No worse than undetectable loss of Not-ECT control packet, and better performance
> 	• Mandating Not-ECT does not stop attackers using ECT for flooding. Nonetheless, it would allow firewalls to discard control packets not meant to be ECT., however this would negate the benefit of ECT for compliant transports and seems unnecessary for the following reason.
> RFC3168 (Sec.7) and RFC7567 (Sec.4.2.1) say an AQM MUST turn off ECN support if under persistent overload. This makes it hard for flooding packets to gain from ECT, but more experiments needed to see how much might be gained by an attacker flying "just under the radar".
> 
> SYN/ACK
> ECT on SYN/ACK already justified in RFC5562
> 
> SYN
> Arguments against ECT:
> 	• Unknown ECN capability at the responder (may discard ECT SYN or RST connection)
> 	• Loss of congestion notification due to lack of support for feeding back CE on SYN at the responder.
> 	• DoS attacks.
> Rebuttals (respectively):
> 	• No RFC mandates these responder behaviours, but 0.6% - 0.8% of Alexa top 1M Web sites (or their network paths) exhibit this. Could retransmit the SYN without ECT, and cache this knowledge to avoid 1 RTT delay in future
> 	• Support for CE feedback in SYN needed in the TCP wire protocol. Solution proposed in AccECN draft: if SYN/ACK shows lack of support for feeding back CE on SYN (i.e. no support for AccECN) IW MUST be reduced conservatively as if CE on SYN (no need to be as conservative as drop of SYN - cannot be severe congestion as packet got through). Could cache this knowledge.
> 	• See common DoS Attack rebuttal
> 
> Pure ACK
> Arguments against ECT:
> 	• Unreliable congestion notification delivery
> 	• No means to feed back congestion notifications (no ACKs of ACKs)
> Rebuttals (respectively):
> 	• See common unreliability rebuttal
> 	• No worse than drop of Pure ACK, and better performance
> 
> Retransmission
> Arguments against ECT:
> 	• Unreliable congestion notification delivery
> 	• DoS attacks
> 	• Over-reacting to congestion.
> Rebuttals (respectively):
> 	• See common unreliability rebuttal
> 	• See common DoS Attack rebuttal, complemented by recommendation to ignore CE on out of window packets
> 	• Correct to react twice to congestion in different RTTs
> 
> Window Probe
> 
> Arguments against ECT:
> 	• Unreliable congestion notification delivery
> Rebuttal:
> 	• See common unreliability rebuttal
> FIN
> 
> No arguments against using ECT in RFCs.
> To be discussed in next rev of draft.
> 
> RST
> 
> No arguments against using ECT in RFCs
> To be discussed in next rev of draft.
> 
> Cheers
> 
> 
> Bob & Marcelo
> 
> 
> On 11/07/16 21:28, Black, David wrote:
>> Marcelo and Bob,
>> 
>> Interesting draft - I need to read it in more detail ... in my "copious spare time" this week ;-).
>> 
>> While it is of interest to TSVWG, as general ECN work happens here, I suspect
>> that as a proposed modification to TCP it would be in the domain of the TCPM WG,
>> as was the case for RFC 5562.
>> 
>> Thanks, --David
>> ----------------------------------------------------
>> David L. Black, Distinguished Engineer
>> EMC, 176 South St., Hopkinton, MA  01748
>> +1 (508) 293-7953     Cell: +1 (978) 394-7754
>> 
>> david.black@emc.com
>> 
>> ---------------------------------------------------
>> 
>> 
>> --
>> ________________________________________________________________
>> Bob Briscoe
>> http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email