IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

"Black, David" <David.Black@dell.com> Sat, 08 May 2021 02:01 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F4633A1ECE for <tsvwg@ietfa.amsl.com>; Fri, 7 May 2021 19:01:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SWUQ5PtAg0hP for <tsvwg@ietfa.amsl.com>; Fri, 7 May 2021 19:01:22 -0700 (PDT)
Received: from mx0a-00154904.pphosted.com (mx0a-00154904.pphosted.com [148.163.133.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 771A43A1EA8 for <tsvwg@ietf.org>; Fri, 7 May 2021 19:01:22 -0700 (PDT)
Received: from pps.filterd (m0170391.ppops.net [127.0.0.1]) by mx0a-00154904.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1481vFX6027718; Fri, 7 May 2021 22:01:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dell.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=smtpout1; bh=bFl5ewlxaP/ptzSmBK/+C/O+xwE6O2u4pIH8kbNFZBs=; b=q8iCAH7RcaLglhlDRN55dqMWAQkWOy7v96NBARi9RxPhK2uOfr+Qzvs+15h9h3ZekaFV q+57MrW5ZN5FiqGEmJKv3czx72YnM3Cx684zWXA6xSSsqLMpvDCIWwQL03KC/QWczZAD HfhfVF6bZs2wVV2CYGw7m9nLjo9iK/v/6ACuZU6r1NEBICcNI1IkjwpN/u2CUFDb1GVR 1tqmzwE9IiPkPNrvZAjfsURBDirFy3HwswBz4MFy3cFp3ASJ8wQ6/uvW+1roOEx+krwz f+Z1Esxl9i4ix3hncHJDxXfbA1ANKFf9GmEg3rN7zZHTUqmwEa/D0jidRf1XgPKdzu1J bg==
Received: from mx0b-00154901.pphosted.com (mx0b-00154901.pphosted.com [67.231.157.37]) by mx0a-00154904.pphosted.com with ESMTP id 38csq4cf71-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 07 May 2021 22:01:15 -0400
Received: from pps.filterd (m0144103.ppops.net [127.0.0.1]) by mx0b-00154901.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 14820xt0138738; Fri, 7 May 2021 22:01:14 -0400
Received: from nam02-cy1-obe.outbound.protection.outlook.com (mail-cys01nam02lp2059.outbound.protection.outlook.com [104.47.37.59]) by mx0b-00154901.pphosted.com with ESMTP id 38d7f7pytv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 07 May 2021 22:01:14 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PNH3D48mgnVGMJ+JDv9WzrhF7TSsRLzht1DGn3zoQqH0unDWxT0Y8p4uYllDG5HQS3L45bw10hrSrwKJsVLkYj/pfl5dG/GZ6c8JXyP7+kpa9ljRbfpuKndEea+N8/uVjRFtEX+YHFoaHkCn0P/2F86UqNOhgpHma8GXDcGTo01GnbPeXXqDQdSHpBNO4LntZaweYSL05QYF2Ks2q5v/GaRATPvebbXsPCOI/FYg3/0KrQAeZNUys+0pj8JLuRbOJ7gytPtG7hPwJY0DNEsEVPMCnmkiMBQb4Ym2pZ7KFmsmRT9OAgy+6L7wbuzQZ66rmkb0aDoFFzeCjeN+rww7uw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bFl5ewlxaP/ptzSmBK/+C/O+xwE6O2u4pIH8kbNFZBs=; b=A5vgeD/bUsxUFZ9YpGLJsJoNOf8+18WNdXtVHQJGOspJ3NoC7yrZNDJbuKSEkR48Jhk5Hk2IatsHh9XJwKPIYkQ8vV0MgHD5Uv8fpLP30LZVy2tqzLbPtL3MPwvbcDNxu9JFukTFitBu/kT4A9rXen/YvKKSDeZdcQRaPMupvaT9kvVj5Z8sVY9Q8jbIJE64qU5B0rdHM+KPt3CTnwd8ilqN1chu40yvbmelYp/fTRelIA8nrASq5hXXJ4EGWzPFCKFj708srjWtgN9KJi7pdUbIhAZxGQrIc5HxDmNqgm92j2Lx0Y0afqKzp5tiM7YFTFVLlBRGni5rMz80Y7Shxg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dell.com; dmarc=pass action=none header.from=dell.com; dkim=pass header.d=dell.com; arc=none
Received: from MN2PR19MB4045.namprd19.prod.outlook.com (2603:10b6:208:1e4::9) by MN2PR19MB3693.namprd19.prod.outlook.com (2603:10b6:208:18a::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.24; Sat, 8 May 2021 02:01:10 +0000
Received: from MN2PR19MB4045.namprd19.prod.outlook.com ([fe80::8c88:4c4d:ef13:ffe6]) by MN2PR19MB4045.namprd19.prod.outlook.com ([fe80::8c88:4c4d:ef13:ffe6%8]) with mapi id 15.20.4108.030; Sat, 8 May 2021 02:01:10 +0000
From: "Black, David" <David.Black@dell.com>
To: Sebastian Moeller <moeller0@gmx.de>, Greg White <g.white@CableLabs.com>
CC: TSVWG <tsvwg@ietf.org>
Thread-Topic: [tsvwg] L4S dual-queue re-ordering and VPNs
Thread-Index: AQHXQELEO/txP1SwwEWhinU9UI/E/KrVaImAgANscaA=
Date: Sat, 08 May 2021 02:01:10 +0000
Message-ID: <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de>
In-Reply-To: <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Enabled=True; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SiteId=945c199a-83a2-4e80-9f8c-5a91be5752dd; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Owner=david.black@emc.com; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_SetDate=2021-05-08T01:37:49.9856748Z; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Name=External Public; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Application=Microsoft Azure Information Protection; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_ActionId=2e1459a7-7247-46b0-acc4-601ac726414d; MSIP_Label_17cb76b2-10b8-4fe1-93d4-2202842406cd_Extended_MSFT_Method=Manual
authentication-results: gmx.de; dkim=none (message not signed) header.d=none;gmx.de; dmarc=none action=none header.from=dell.com;
x-originating-ip: [72.74.71.221]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: de9bba73-d8e2-414c-e7db-08d911c526b8
x-ms-traffictypediagnostic: MN2PR19MB3693:
x-microsoft-antispam-prvs: <MN2PR19MB36938D4792647EDD97C4C0AE83569@MN2PR19MB3693.namprd19.prod.outlook.com>
x-exotenant: 2khUwGVqB6N9v58KS13ncyUmMJd8q4
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pI7HwWf3ktYVPot7J358h+Ymo1Yf/v4pwueF2EOlavlWKuwbZU8PFLo1SIwkSnJG2xOxdJ4DVVagUKvfvY0/itCD9OERmvnZfljJNPV4ZYPDlNzjz3Tbx6/FDTSbxDipuV0RXTZFsEmTpEgOQqA4NaAKrJhs56MeBkhxagbYRhF8G2o8VO75++BAaaMJk+OEmtGZEUU3UKwoqtWQXAmuuWzU2FFbcTl5+TeTr5LQjYMg1oBrlvXALUbSdUA6XmQTr+thE3Eugxn5/gnwZCC0qUGRf00NcVavd8J+PAEZJdkPK5lwYgMvDFzJolKViCqLWGIxp7RlZUqD6wQG7BKiH7AkNDjq/H7iCf5wSa0SBJxEAiN9uFPmZ7TQn01qNXFkOStw5NzEZpYHdr4Q18q1RHzKzDqhhBYjrHlBqMBypZ8uHjeOwmsx8Z1YI7fhfZ8fMcnYdsiI2azvII99zUwvK4vQD91RXIcOheGUgEypOMdoSSwZGsDR32ZcVNSLhWCHJWlnvEiAwZfWD4hPtIk5j2z7EIh/NHHGzFh7OflB8RS4jrj3g+p0k2FeVjNLzxNacPpFQAta4JugnZiGwHjyvsZBwz4bvjZxQw2eNscimqJdgRoq7w7vhQznNLcV+osvlgKOjd+UlaZdTRD5AhJlZ+KH6+eulDTrtHRt7+aVC9UqD0rQ0Iq6NvUi4IH2W4eb
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR19MB4045.namprd19.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(346002)(39860400002)(396003)(366004)(2906002)(86362001)(9686003)(76116006)(110136005)(966005)(4326008)(66946007)(55016002)(186003)(71200400001)(53546011)(786003)(64756008)(478600001)(122000001)(38100700002)(6506007)(66446008)(33656002)(5660300002)(83380400001)(8676002)(66556008)(66476007)(7696005)(52536014)(316002)(26005)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: fQc4CPQh5xHb8JnwSV0Jq7lJLnyLkCnuuu2VOQYnlYneBo3DewAiMy855L8MW+EHGN6zQI2/T27UofNAelkA7OntKXCGN8z0aa6knJhoXUzPi/6mHIA7a5kI/m843mtaNhFYpxFXLCfh4bs3aiC4JHxn7mGY5nXQ054/SPRQ4fd2qtkrRenCAHW1mpRovWnscvxxTSS8550VSML/M/j7yRTPsa0P5mpUF9PWbcE39sCuT5qqsS6FgfF87XB5dtwpAE9gkBLAyJfY/KBBORjfiBMb/OP3diUxGoSLRZCksxU/tb5KIJa7pGVVqq5E7fxV4oeKQsuzt1E8OR79T9Sic5Cbwz88pj2EE5es4jHOHNXi7rHTTO3avPlhfKuWgpb1EvUyl00Hnn24LGoapUte1xrTXL2yhnZsCMRp6UnV+M4ZSE0LzD9FzUH0knD51UmLRqaVvzZQfU6eKIJX30y+hiPi9P3WIxYVpseHqEgwDKL3v9MvyrUAUsBJgRGFNOYbIswuHxRiYOBq/m9gzkeB/wF8TAzHdS5KBRiWmdaJX25kt3I8/VIlJVVN51mQoCplFLorXHHIsU6UIXmd77PRxlfdrQquU7Y6qKbefjq1C8SfqDc4UM93iULQlCzlDS3GTtqV2Uf3sxorfRMk1p9SqO/SnRUg3MGQWdC6euD4p9oT3EG8vN0Sn733qprOODorWhidI5tFrDHweEMNHwonoVP9ldQwVwOJGc9fR50vl6r3cPxqWOvMmR0+2Q1WZJVV6uiv6CuWV4SqJOCYPPZTNa7hzps4L4SUqRA7C68G0JSmUFlr08nSlJZ1pdccblC35e9EMz7Ps3VdwKTAZSsiBKNJkhFqvCbDqFIrhfuoI//aE6ccstUiP93ln6QLqIOdtlqYA9ywyAMr73/3mCGm0Uh045BnzhnpnwFfB+AIvL59oE4qQIJDhG0dGVk1K0/1+G/RtaE7Ejfq1e8Vh/hh2W0fH9bWTZE2rrEc50N9c6GgcVCtBkzHEBQf4e+jPxdexgUu/BEZ/P0Kayog7oAkWanFLM66UZZhPt1E86cdQbVIXdB6LnZfPsxPv9o4S9Cbh/89pJ+fI1qVAcGDP/D1Xj4OEqnr7DTOdmiH/D54bRV9PdOHyACyqIKwRaRW9ZS3XW/L+MwfjstjG9d9Owi1w9Gur4XQR2GefmrsBUcOPPvk6mOyU49AO70rDtwmDsLnFXFiuNowg5+3PQVIzNAkvsmT+jLfcjGwk7H9HDftpW7wLz+L0LuJ4eYd+adHtSI0Wp5PH0rkNL4kGmx42QpCDPSUBsVLtTccjYHNGnuOdASLzJAH4QXxIRHg/xQRQ0Bc
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: Dell.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR19MB4045.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: de9bba73-d8e2-414c-e7db-08d911c526b8
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2021 02:01:10.3864 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 945c199a-83a2-4e80-9f8c-5a91be5752dd
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: teiKVZsV3lGa+0KgxhuwDZWxfKFFiFiwTEKQ9UXGpxf0bKkDzzY+fJ4L/ueJc5K6x0vYO6Qh4OckvHNjYmcedw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR19MB3693
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-05-07_10:2021-05-06, 2021-05-07 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 clxscore=1015 mlxscore=0 mlxlogscore=999 malwarescore=0 adultscore=0 spamscore=0 suspectscore=0 bulkscore=0 impostorscore=0 phishscore=0 lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2105080011
X-Proofpoint-GUID: BIZpM8HgmDKpLXaAcXkkyzqU-3uzLSdP
X-Proofpoint-ORIG-GUID: BIZpM8HgmDKpLXaAcXkkyzqU-3uzLSdP
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 phishscore=0 mlxscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2104190000 definitions=main-2105080011
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/z8rYMTquTJ6jKnnxsBb_TkQTROc>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 02:01:27 -0000

[posting as an individual, not a WG chair]
Linking together a couple of related points:

> [SM] Current Linux kernels seem to use a window of ~8K packets, while OpenVPN defaults to 64 packets, Linux ipsec seems to default to either 32 or 64. 8K should be reasonably safe, but 64 seems less safe.

Common VPN design practice here appears to be picking a plausible default size (which can be reconfigured and change from release to release) for the accounting window to detect replay, hence this:

> >  But, in any case, it seems to me that protocols that need to be robust to out-of-order delivery would need to consider being robust
> > to re-ordering in time units anyway, and so would naturally need to scale that functionality as packet rates increase.

may not happen in a smooth fashion.  As Sebastian writes:

> [SM] The thing is these methods aim to avoid Mallory fudging with the secure connection between Alice and Bob (not our's), and need to track packet by packet, that is not easily solved efficiently with a simple time-out

That's correct, and use of a simple time-out by itself is prohibited for obvious security reasons.  For more details on a specific example, see Section 3.4.3 of RFC 4303 (ESP), which specifies the ESP anti-replay mechanism (could be used as a reference in writing text on how L4S interacts with anti-replay)  ... and the observant reader will notice that this section is a likely source of the anti-replay 32 and 64 packet values for Linux IPsec: https://datatracker.ietf.org/doc/html/rfc4303#section-3.4.3 .

Thanks, --David

-----Original Message-----
From: tsvwg <tsvwg-bounces@ietf.org> On Behalf Of Sebastian Moeller
Sent: Wednesday, May 5, 2021 5:21 PM
To: Greg White
Cc: TSVWG
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs


[EXTERNAL EMAIL] 

Hi Greg,

thanks for your response, more below prefixed [SM].

> On May 3, 2021, at 19:35, Greg White <g.white@CableLabs.com> wrote:
> 
> I'm not familiar with the replay attack mitigations used by VPNs, so can't comment on whether this would indeed be an issue for some VPN implementations.

[SM] I believe this to be an issue for at least those VPNs that use UDP and defend against replay attacks (including ipsec, wireguard, OpenVPN). All more or less seem to use the same approach with a limited accounting window to allow out-of-order delivery of packets. The head of the window typically seems to be advanced to the packet with the highest "sequence" number, hence all of these are sensitive for the kind of packet re-ordering the L4S ecn id draft argues was benign...


>  A quick search revealed (https://urldefense.com/v3/__https://www.wireguard.com/protocol/__;!!LpKI!0R_YA5wY-HgCAeBd-ajbFbEamek2Wo9ESyoFSJ6whDL8_0kmFhysbbCeOP789qBv$ [wireguard[.]com] ) that Wireguard apparently has a window of about 2000 packets, so perhaps it isn't an immediate issue for that VPN software?

[SM] Current Linux kernels seem to use a window of ~8K packets, while OpnenVPN defaults to 64 packets, Linux ipsec seems to default to either 32 or 64. 8K should be reasonably safe, but 64 seems less safe.

> But, if it is an issue for a particular algorithm, perhaps another solution to address condition b would be to use a different "head of window" for ECT1 packets compared to ECT(0)/NotECT packets?  

[SM] Without arguing whether that might or might not be a good idea, it is not what is done today, so all deployed end-points will treat all packets the same but at least wireguard and linux ipsec will propagate ECN vaule at en- and decapsulation, so are probably affected by the issue.

> In your 100 Gbps case, I guess you are assuming that A) the bottleneck between the two tunnel endpoints is 100 Gbps, B) a single VPN tunnel is consuming the entirety of that 100 Gbps link, and C) that there is a PI2 AQM targeting 20ms of buffering delay in that 100 Gbps link?  If so, I'm not sure that I agree that this is likely in the near term.

[SM] Yes, the back-of-an-envelop worst case estimate is not terribly concerning, I agree, but the point remains that a fixed 20ms delay target will potentially cause the issue with increasing link speeds...


>  But, in any case, it seems to me that protocols that need to be robust to out-of-order delivery would need to consider being robust to re-ordering in time units anyway, and so would naturally need to scale that functionality as packet rates increase.

[SM] The thing is these methods aim to avoid Mallory fudging with the secure connection between Alice and Bob (not our's), and need to track packet by packet, that is not easily solved efficiently with a simple time-out (at least not as far as I can seem but I do not claim expertise in cryptology or security engineering). But I am certain, if you have a decent new algorithm to enhance RFC2401 and/or RFC6479 the crypto community might be delighted to hear them. ;)

> I'm happy to include text in the L4Sops draft on this if the WG agrees it is useful to include it, and someone provides text that would fit the bill.

[SM] I wonder whether a section on L4S-OPs a la, "make sure to configure a sufficiently large replay window to allow for ~20ms reordering" would be enough, or  wether the whole discussion would not also be needed in https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-14*appendix-B.1__;Iw!!LpKI!0R_YA5wY-HgCAeBd-ajbFbEamek2Wo9ESyoFSJ6whDL8_0kmFhysbbCeOFX4wc3G$ [datatracker[.]ietf[.]org] widening the re-ordering scope from the existing "Risk of reordering Classic CE packets" subpoint 3.?

Regards
	Sebastian


> 
> -Greg
> 
> 
> On 5/3/21, 1:44 AM, "tsvwg on behalf of Sebastian Moeller" <tsvwg-bounces@ietf.org on behalf of moeller0@gmx.de> wrote:
> 
>    Dear All,
> 
>    we had a few discussions in the past about L4S' dual queue design and the consequences of packets of a single flow being accidentally steered into the wrong queue.
>    So far we mostly discussed the consequence of steering all packets marked CE into the LL-queue (and https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-14*appendix-B.1__;Iw!!LpKI!0R_YA5wY-HgCAeBd-ajbFbEamek2Wo9ESyoFSJ6whDL8_0kmFhysbbCeOFX4wc3G$ [datatracker[.]ietf[.]org] Risk of reordering Classic CE packets: only discusses this point); there the argument is, that this condition should be rare and should also be relative benign, as an occasional packet to early should not trigger the 3 DupACK mechanism. While I would liked to see hard data confirming the two hypothesis, let's accept that argument for the time being.
> 
>    BUT, there is a traffic class that is actually sensitive to packets arriving out-of-order and too early: VPNs. Most VPNs try to secure against replay attacks by maintaining a replay window and only accept packets that fall within that window. Now, as far as I can see, most replay window algorithms use a bounded window and use the highest received sequence number to set the "head" of the window and hence will trigger replay attack mitigation, if the too-early-packets move the replay window forward such that "in-order-packets" from the shorter queue fall behind the replay window.
> 
>    Wireguard is an example of a modern VPN affected by this issue, since it supports ECN and propagates ECN bits between inner and outer headers on en- and decapsulation. 
> 
>    I can see two conditions that trigger this:
>    a) the arguably relatively rare case of an already CE-marked packet hitting an L4S AQM (but we have no real number on the likelihood of that happening)
>    b) the arguably more and more common situation (if L4S actually succeeds in the field) of an ECT(1) sub-flow zipping past ECT(0)/NotECT sub-flows (all within the same tunnel outer flow)
> 
>    I note that neither single-queue rfc3168 or FQ AQMs (rfc3168 or not) are affected by that issue since they do not cause similar re-ordering.
> 
> 
>    QUESTIONS @ALL:
> 
>    1)  Are we all happy with that and do we consider this to be acceptable collateral damage?
> 
>    2) If yes, should the L4S OPs draft contain text to recommend end-points how to cope with that new situation? 
>    	If yes, how? Available options are IMHO to eschew the use of ECN on tunnels, or to recommend increased replay window sizes, but with a Gigabit link and L4S classic target of around 20ms, we would need to recommend a repay window of:
>> = ((1000^3 [b/s]) / (1538 [B/packet] * 8 [b/B])) * (20[ms]/1000[ms]) = 1625.48764629 [packets]
>    or with a power of two algorithm 2048, which is quite a bit larger than the old default of 64...
>    	But what if the L4s AQM is located on a back-bone link with considerably higher bandwidth, like 10 Gbps or even 100 Gbps? IMHO a replay window of 1625 * 100 = 162500 seems a bit excessive
> 
> 
>    Also the following text in https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-14*appendix-A.1.7__;Iw!!LpKI!0R_YA5wY-HgCAeBd-ajbFbEamek2Wo9ESyoFSJ6whDL8_0kmFhysbbCeOJfaO_VT$ [datatracker[.]ietf[.]org]
> 
>    "  Should work in tunnels:  Unlike Diffserv, ECN is defined to always
>          work across tunnels.  This scheme works within a tunnel that
>          propagates the ECN field in any of the variant ways it has been
>          defined, from the year 2001 [RFC3168] onwards.  However, it is
>          likely that some tunnels still do not implement ECN propagation at
>          all."
> 
>    Seems like it could need additions to reflect the just described new issue.
> 
> 
> 
>    Best Regards
>    	Sebastian
> 
>

v2.23.0 | Report a Bug | By Email