IETF Logo Mail Archive

Re: [tsvwg] New rev of draft-ietf-tsvwg-ecn-l4s-id-17

Sebastian Moeller <moeller0@gmx.de> Mon, 24 May 2021 10:55 UTC

Return-Path: <moeller0@gmx.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA0693A23B5 for <tsvwg@ietfa.amsl.com>; Mon, 24 May 2021 03:55:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Level:
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p_TTKTzDQD0x for <tsvwg@ietfa.amsl.com>; Mon, 24 May 2021 03:55:11 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C88AD3A23BB for <tsvwg@ietf.org>; Mon, 24 May 2021 03:55:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1621853664; bh=80nMoji6HrJjzIBl2z8vpnkXSM/yijAqMkxoSdCWsME=; h=X-UI-Sender-Class:Subject:From:In-Reply-To:Date:Cc:References:To; b=To7IQQHKnqh8oTnXtKJvWvrizQO/0k/A4/gIxqk4lZTID9aVU385VMyCaQgKqg64N 2hwwuKYabxLnsaZ+5rxLLVaLM+7grDczpwbDHHqLJ+AeXmBmthFV7Ow73IU9D6BQHq Lb/RfRPEPIt5Q2tAxvLDHyDaelNOg7+G2rp0eQCw=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.42.229] ([77.10.12.240]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1MMXQF-1m34S70otj-00JbOv; Mon, 24 May 2021 12:54:24 +0200
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Sebastian Moeller <moeller0@gmx.de>
In-Reply-To: <c80a96a6-d6d4-3773-9048-805a76c6f926@bobbriscoe.net>
Date: Mon, 24 May 2021 12:54:22 +0200
Cc: tsvwg@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <443768FD-CAB3-4670-9F1A-9F311D915401@gmx.de>
References: <162158815765.22731.15608328324211025925@ietfa.amsl.com> <f8ed1105-d1db-55ce-eb1f-00de8a83b0e8@bobbriscoe.net> <3F147A3D-BD68-4F0A-89FF-9A92284FF0A5@gmx.de> <c80a96a6-d6d4-3773-9048-805a76c6f926@bobbriscoe.net>
To: Bob Briscoe <ietf@bobbriscoe.net>
X-Mailer: Apple Mail (2.3445.104.20)
X-Provags-ID: V03:K1:87kgKb0W30gDz4MkNLhdom0Z1iNiPRoKx+aCgVDsD/eCLS0OXqT DuW87plbXaVZ1CGdayK6B37OU16beOtSfIi33nAtyMpS+VRh+ApqykSpkTdZ+QyKpQ8P/Cq +6hQ6Y9IBfbO/aedYBOazpNXLkrgdQaVjjpgQuy5U2mQZ94mqjZ6lWHZR0Ns206jEx5WiJl MY2mMsrujBMMU8K5EiX+g==
X-UI-Out-Filterresults: notjunk:1;V03:K0:X3oSvfikxw4=:Fm6Us3emHhA5olmLRZ6XXj M8Z91wrw7AO5/iIo6N9XoyP5p6jNc+9W4IQpxWjW9p7PfRvpXvhbGm6unRU1mcDfidwlg+aJU iVh5si0IzFdRgKsNEm2U5yS7b/El0+VYd3ZRxfwoKyJjeHG1Xs2kj+o+Glz+pMi7GnkEnECSx 7Bzgm+4Ozq/JAEyz+GRXbIGxUhwna9DecZalGkU8igR6k+vXDIE8twhqFg2Rh9+X1ABeDzoyt RKwHRdPwEGZ6jSVuwToKTDDq5oU3P3/ToMQIZ1j/cngeaampUz5qlXJ5+PVvzQrTBpMsIrB+2 HIHZF3Ik2hSq1t8rk4vwJ6cJk91XFwOlMymTILvTsLeOefb4gTz8a0l97QNfMWartJgGShYhh p8apPy59o3vcKUelw7qHHq2VYG4atOH8X6SvYV3HmvQr1ydNNwY0A/Xkr/SEH9HR7h8Xa+pZp 40dC2HBT9EaIrcPiDn0cMJiutCPjkh+4lMlwI2D/iLZbme1WAZFO6ZKWpWFGzw16Al/s/cDeG uibwZOZVYpM2ep+2aqyUr+JFH0xGE2GXdY7W72br7lpDVQgYda0E3zr2swzb6WI2wWK+4VEed w8AhStVjoyHY3/wlbpKeqBETFNaE6v9K+3KB6F0waw8cTH5kWK63mOdv9CxnrWdEQg2WQRoVO 4xETXduha7SsmqlSvxpUJ2U+jXOndT3NeuRtcGgiSDZx33e7Uqw1QA95PZCn3TspaB7gtTi0L TZ65iSlTv758N+xlbRcniYJOi4f/B8RWPHVe6FbaK2tcSkhYBfsy9CkbJuaSiM/NtRr0v0B57 yR0sPfu6DMyNUGzH7dYtyGa7c++yZYmWFq7xeNZvDaZAkATZb6FpWjLnSy+rJ2lsr0BUFagEh 8YOX8kXYeZ5eyiKrwd1XXkRwOl/I5aFcrMcsZClAQLwbozbv6lhbIKvBccmrz2HOqVACZRYYS MUfSoQcKZKrb2HIKBagWNwPyESaDNBP4gOB3EGkIWka+tsletRYv32vaOwBdbotWz7ldgK64U zvMkTKw2SYxPAd4OAduUQtZMZ7hDPRzfNoT4uV8WIunFIBb4rXt6RC0OuxMSn72+MaWzoZAkv qVj9D61wt1IcZuldN/2RnrsOkbKmAAECbT3OoVjzcs/DroS7DIxfVnZgyQq6akxl0diGjX2pZ AGRkuIId3egx7/4dnsTtoYb6oidlU1aoRvbpzouGYbjBlKoVD1V9MA6OMjxDxCTEBfefQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/zFu67M15-mZrqEnKjNTiv6Ml-vo>
Subject: Re: [tsvwg] New rev of draft-ietf-tsvwg-ecn-l4s-id-17
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 May 2021 10:55:16 -0000

HI Bob,


> On May 23, 2021, at 22:54, Bob Briscoe <ietf@bobbriscoe.net> wrote:
> 
> Sebastian, inline [BB]
> 
> On 21/05/2021 22:26, Sebastian Moeller wrote:
>> Bob, chairs,
>> 
>> section 6.2 with its, "use two SAs, one for ECT(1) and one for the rest" seems a bit limited since it ignores that VPNs might propagate both DSCPs and ECN bits between the layers, so IMHO a better approach might be to recommend to treat DSCP+ECN bits as one aggregate byte (let's cal it TOS ;) ) as the extra ECT(1)-SA seems to be required for all SAs that already exist to deal with multiple supported DSCPs. So in a sense the recommendation would be to double the number of SAs.
>> 
> 
> [BB] Yes, we ought to reword it to say that the VPN ingress should /at least/ use two SAs indexed on the LSB of the ECN field, and, if it is also classifying on DSCPs, it could also consider classifying any low latency DSCP(s) with the L4S packets.

	[SM] That sounds quite risky, the whole "trick" behind the multiple SAs is to have independent replay-window for each fate-shared group, and a mapping multiple DSCPs and ECT(1)/CE into the same SA requires that no differential re-ordering can happen between these sets. I would probably rather advise to instantiate one SA per each TOS byte code point... sure that is 256 SAs, but it will also squash the issue comprehensively (modulo the fact that a flow's CE packets can be reordered in regards to their non-CE packets, but that is already like that for non replay-protected traffic).

> To avoid the anti-replay problem, there would only need to be one SA configured per each degree of queuing delay, not one for every ECN x DSCP combination. 

	[SM] True, but the number of queueing delay sets is a network function, that for a longer path the endpoints can't reasonably know or discover, so I do not think that this observation is actionable.

> 
> We'll have to see how common multiple combinations are in practice. As ecn-l4s-id says, L4S with just best efforts...
>    "is expected to be the most common and useful
>    arrangement.  But, more generally, an operator might choose to
>    control bandwidth allocation through a hierarchy of Diffserv PHBs"
> 
> 
> So the ECN field could be the only field that gives a delay delta.

	[SM] Yes, but that is not really discoverable short of trying and then see whether replay errors accumulate, which seems less than ideal for a recommendation IMHO.


> However different networks will have their own view on which technology they want to use for low latency. So VPNs will probably need to cater for both DSCPs and the ECN field being used for low delay in different networks.

	[SM] We seem to agree.

> 
>> Also:
>> "and the current draft of DTLS 1.3 says "The receiver	
>>  	   SHOULD pick a window large enough to handle any plausible reordering,	
>>  	   which depends on the data rate."  However, in practice, the size of	
>>  	   the VPN's anti-replay window is not always scaled appropriately."
>> 
>> L4S on a 10 ms path under load can introduce re-ordering in the range of 50 ms (roughly twice the difference between the L- and C-queue delay targets), re-ordering tolerance 5 times of the path RTT seems to be a bit on the high side to expect, no?
>> 
> 
> [BB] IMO, the above text that I quoted from the DTLS spec. is reasonable, both practically (see below) and in terms of taking responsibility for the problem. Beyond its window, the anti-replay function presumes a packet is guilty of a replay attack with no evidence, purely because it chooses not to hold that amount of evidence. Therefore it's proper that it holds a sufficient window of evidence for any plausible reordering.

	[SM] Exactly, my argument is that L45S additional re-ordering is not plausible... or reasonable... but I digress

> BTW, the C-queue target has never been 25ms. I noticed JM said that incorrectly as well recently.

	[SM] Fair enough (it seems I ms-attributed the https://github.com/L4STeam/linux/commit/a2ef76f8da1c9d1b13fa941f55607f3e60d4112e prague_rtt_target with the typical_rtt), but that only changes the numbers slightly the issue is still he same...


> * A default C queue delay target of 15ms has always been recommended in aqm-dualq-coupled.

	[SM] Not quite "always", https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-aqm-dualq-coupled-00 stated:
"target = 20ms"
But from https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-aqm-dualq-coupled-01 on it has been and still is set to 15ms...

Which reminds me, I still would like to see the stability analysis and optimization work that lead to that number.


> Under a heavy load of short and long flow arrivals in both the L&C queues, that results in PI2 Qdelay of about 25ms at the 99%ile or 30ms at the 99.9%ile. We have been considering whether to change the default target to 10ms for some time, but not done so yet.
> * Low Latency DOCSIS specifies a default C queue delay target of 10ms. 

	[SM] Again, it would be nice to see robust analysis behind this parameter selection. 


> So a replay window allowing for 30ms of packets at the interface rate would probably be sufficient.

	[SM] I would respectfully propose to actually run a few experiments before recommending any specific number here. "Probably sufficient" seems not the best basis for recommendations for setting replay-window sizes. 


> At 1Gb/s (say) using 1500B packets, that's a replay window of 2500 packets.

	[SM] It seems sub-optimal to give a fixed packet number recommendation for replay-windows, a formula allowing each user to set the replay-window based on e.g. the known speed of the ingress interface seems more useful (assuming that the interface speed will give an upper bound for achievable rates) as well as expected packet sizes.
I can guarantee that there is not going to be a one-number-fits-all situations solution to sizing replay-windows...


> 
> Quoting Pete Heist's info here https://github.com/heistp/l4s-tests/#dropped-packets-for-tunnels-with-replay-protection-enabled :
> "Modern Linux kernels have a default maximum replay window size of 4096 (XFRMA_REPLAY_ESN_MAX in xfrm.h). Wireguard uses a hardcoded value of 8192 with no option for runtime configuration, increased from 2048 in May 2020 by this commit."

	[SM] I happen to know this, but ipsec's default is still either 32 or 64... I also understand that that was a "solution" that was tested against the worst case re-ordering for a given rate and packetsize assumption, and in 10 years when everybody as 100 Gbps links at home (wishful thinking) that number will need re-visiting.

Regards
	Sebastian


> Regards
> 
> 
> 
> Bob
> 
>> 
>> 
>> Regards
>> 	Sebastian
>> 
>> 
>> 
>>> On May 21, 2021, at 11:21, Bob Briscoe <ietf@bobbriscoe.net>
>>>  wrote:
>>> 
>>> Chairs, list,
>>> 
>>> We've posted a new rev of draft-ietf-tsvwg-ecn-l4s-id-17 attempting to address all the discussion since the last posting just before the interim. In particular:
>>> * review comments on a careful read from Gorry and the chairs
>>> * the VPN anti-replay problem
>>> * added an out-of-band test for an RFC3168 ECN AQM in a shared queue.
>>> 
>>> There are a couple of outstanding discussions, which I'm sure will continue on the list, e.g. the role of RFC4774 and whether to remove any of Appx C. But it was considered better to get the queued up changes out, to re-base the discussions.
>>> 
>>> This is quite an extensive set of changes, so pls check and pass any comments to the list.
>>> 
>>> Thanks for everyone who is contributing, and particularly to the chairs for continuing to referee this all. We've added appropriate thanks in the Acks section.
>>> 
>>> 
>>> Bob
>>> 
>>> 
>>> On 21/05/2021 10:09, 
>>> internet-drafts@ietf.org
>>>  wrote:
>>> 
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> This draft is a work item of the Transport Area Working Group WG of the IETF.
>>>> 
>>>>         Title           : Explicit Congestion Notification (ECN) Protocol for Very Low Queuing Delay (L4S)
>>>>         Authors         : Koen De Schepper
>>>>                           Bob Briscoe
>>>> 	Filename        : draft-ietf-tsvwg-ecn-l4s-id-17.txt
>>>> 	Pages           : 57
>>>> 	Date            : 2021-05-21
>>>> 
>>>> Abstract:
>>>>    This specification defines the protocol to be used for a new network
>>>>    service called low latency, low loss and scalable throughput (L4S).
>>>>    L4S uses an Explicit Congestion Notification (ECN) scheme at the IP
>>>>    layer that is similar to the original (or 'Classic') ECN approach,
>>>>    except as specified within.  L4S uses 'scalable' congestion control,
>>>>    which induces much more frequent control signals from the network and
>>>>    it responds to them with much more fine-grained adjustments, so that
>>>>    very low (typically sub-millisecond on average) and consistently low
>>>>    queuing delay becomes possible for L4S traffic without compromising
>>>>    link utilization.  Thus even capacity-seeking (TCP-like) traffic can
>>>>    have high bandwidth and very low delay at the same time, even during
>>>>    periods of high traffic load.
>>>> 
>>>>    The L4S identifier defined in this document distinguishes L4S from
>>>>    'Classic' (e.g. TCP-Reno-friendly) traffic.  It gives an incremental
>>>>    migration path so that suitably modified network bottlenecks can
>>>>    distinguish and isolate existing traffic that still follows the
>>>>    Classic behaviour, to prevent it degrading the low queuing delay and
>>>>    low loss of L4S traffic.  This specification defines the rules that
>>>>    L4S transports and network elements need to follow with the intention
>>>>    that L4S flows neither harm each other's performance nor that of
>>>>    Classic traffic.  Examples of new active queue management (AQM)
>>>>    marking algorithms and examples of new transports (whether TCP-like
>>>>    or real-time) are specified separately.
>>>> 
>>>> 
>>>> The IETF datatracker status page for this draft is:
>>>> 
>>>> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-ecn-l4s-id/
>>>> 
>>>> 
>>>> There is also an htmlized version available at:
>>>> 
>>>> https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-17
>>>> 
>>>> 
>>>> A diff from the previous version is available at:
>>>> 
>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-tsvwg-ecn-l4s-id-17
>>>> 
>>>> 
>>>> 
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> 
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>> 
>>>> 
>>>> 
>>>> 
>>> -- 
>>> ________________________________________________________________
>>> Bob Briscoe                               
>>> http://bobbriscoe.net/
>>> 
>>> 
>>> 
> 
> -- 
> ________________________________________________________________
> Bob Briscoe                               
> http://bobbriscoe.net/

v2.39.1 | Report a Bug | By Email | System Status