Re: [tsvwg] L4S and the RACK requirement
Neal Cardwell <ncardwell@google.com> Thu, 21 July 2022 15:31 UTC
Return-Path: <ncardwell@google.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69F02C13C504 for <tsvwg@ietfa.amsl.com>; Thu, 21 Jul 2022 08:31:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -20.921
X-Spam-Level:
X-Spam-Status: No, score=-20.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_DOTEDU=1.685, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eggaVJicstIN for <tsvwg@ietfa.amsl.com>; Thu, 21 Jul 2022 08:31:37 -0700 (PDT)
Received: from mail-qv1-xf2f.google.com (mail-qv1-xf2f.google.com [IPv6:2607:f8b0:4864:20::f2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BCCBC13D086 for <tsvwg@ietf.org>; Thu, 21 Jul 2022 08:31:37 -0700 (PDT)
Received: by mail-qv1-xf2f.google.com with SMTP id h18so1415729qvr.12 for <tsvwg@ietf.org>; Thu, 21 Jul 2022 08:31:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F4g6FV9wYsSc/Neoa7rEUIzSVUAUgkYubbq/LbDPdJA=; b=Sq1U2DVLkKVwgP5peLtMDXt9m24zjwryTd041Z3kO0Zp0WqsWeer1uOC7/UhfkatIr zL/kl2cSdTGxTLYH1eWSllOr+zfD4xFdyAlC4TS1WoCLULbSGGvFMZq5fwfnJUtk7/XP sb7qN2bU71Xpu7seJE+H+CpxNtlcQmXFw/20guwu9tHI6Bk8ZEu1uGxp8EPkOnuMLlFv wzIQUn6C4ztuehCVf+xvuAPmA3mk3Iw6BAveJBV97SC/GkZpt4NekeQeWs53y6/p8csq efAFIiRwh0YGARelyFlSdZR8HfhwLYshS5UHziM9cx6fHAAN8AfiekfKVt56hmCfLmm0 Sf3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F4g6FV9wYsSc/Neoa7rEUIzSVUAUgkYubbq/LbDPdJA=; b=chy+GnPzmIBwKuTTukhuTL59OCcOsAjsNzlwq+6u3ZPiV8XGqa72McGh2pv3jMg2FG cwmgKZ64+XH8CV9UDR818I1zVzZbmWeBlpYtzzAea+3EIPPLpiFtF16WiME/vEtOBo3e 0ZH8ezlQem3zUICpucVhPa/nKoqwD7UR/b/wqsDtVOMsnJfjoHBU0ioRASnpONLPiran 8UQtfTjYdJJAXAiIctcv51lvhqPCyxH+LtTLGtY1TsKgbFvmpQssGIcfjvYjNHgfWFJ2 oMRQcDgepT39RTuQifOchpkE3p31Z/D1zPrLy0JUc7F/nvwWVGOQ3PIpyXHCYjIlQp0d WwJw==
X-Gm-Message-State: AJIora+GUdMCT+ZOvBhgPWmatL0j8wk9CIhBFZhwRifRKuE+S4PNPl/3 ylUgAOjkg+S33YC7ojpeGEyhF2PYgB84oikiZAJ5ZA==
X-Google-Smtp-Source: AGRyM1tl9MfB8P7nZL7hhPOcSiiAMWzB2WW1tPXbTaqkUSoRgLDN+mmeovAW0OCDP94zZV39JEYsHS/lPeGO2XPUlu0=
X-Received: by 2002:ad4:5b8b:0:b0:473:5895:d6fe with SMTP id 11-20020ad45b8b000000b004735895d6femr34182579qvp.39.1658417495696; Thu, 21 Jul 2022 08:31:35 -0700 (PDT)
MIME-Version: 1.0
References: <fb6d2979-a6a4-b122-a90e-4a0732ee89fa@mti-systems.com> <1316285020.1534460.1550493368197@mail.yahoo.com> <a535883e-6812-1ca5-9ce2-c005d534a0ba@mti-systems.com> <5c1a723a-c9d8-4ac5-0c13-a8d2df62a52f@bobbriscoe.net>
In-Reply-To: <5c1a723a-c9d8-4ac5-0c13-a8d2df62a52f@bobbriscoe.net>
From: Neal Cardwell <ncardwell@google.com>
Date: Thu, 21 Jul 2022 11:31:19 -0400
Message-ID: <CADVnQymibtj2xV3x1jEJ6p4t7a5hE0+PmPaYgZaZfyoUPpe7Fw@mail.gmail.com>
To: Bob Briscoe <ietf@bobbriscoe.net>
Cc: Wesley Eddy <wes@mti-systems.com>, lloyd.wood@yahoo.co.uk, Tsvwg IETF List <tsvwg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b8da6b05e45269fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/zpDvWVUxW_XapDmjsxwwgs09izY>
Subject: Re: [tsvwg] L4S and the RACK requirement
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 15:31:41 -0000
Thanks, Bob. FWIW, as a co-author on the [Savage-TCP <https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-26#ref-Savage-TCP>] paper and the RACK-TLP RFC [RFC8985], I agree wholeheartedly with your description of the misbehaving receiver attacks from that paper and their implications with respect to RACK-TLP and L4S. I also agree it is best to just remove these two lines from the draft. best regards, neal On Thu, Jul 21, 2022 at 10:43 AM Bob Briscoe <ietf@bobbriscoe.net> wrote: > Wes, Lloyd, > > I'm dredging up this old 2019 thread, because a Security Directorate > review just asked us to provide more background on these two lines in > ecn-l4s-id that resulted from this thread. Specifically: > > The recommendation to detect loss in time units prevents the ACK- > splitting attacks described in [Savage-TCP <https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-ecn-l4s-id-26#ref-Savage-TCP>]. > > > Lloyd actually originally said "ACK-splitting and packet counting" > attacks. Having looked into all three attacks in [Savage-TCP], I believe > that detecting loss in time units (as opposed to ACK counting) doesn't > prevent or mitigate any of them (details below). Lloyd might have meant > attack #2 in the paper (DupACK spoofing). But that concerns how the CC > guesses whether packets are leaving the network when it doesn't have any > other info (i.e. no SACK). This is an orthogonal question to whether to use > time rather than ACK counting to deem whether there has been a loss. So, > it's not relevant to the point being made about loss-detection, so doesn't > belong in this L4S draft. > > Therefore, we've decided to just remove these two lines from the draft > (which Wes originally argued for on similar, but not quite the same, > grounds). > > > Details of the 3 attacks in Savage-TCP: > #1 ACK division Description: > The receiver exploits a sender's CC that increases cwnd by one segment > per ACK rather than per SMSS bytes. > Effect: > The receiver causes the sender's CC to be more aggressive for its flow. > Mitigated by RACK? > *No* (anyway this attack was since mitigated by the byte counting > (ABC) RFC) > > #2 DupACK spoofing Description: > The receiver exploits the fast recovery algorithm that inflates cwnd > by one segment for every 3 DupACKs received in addition to the first three > that triggered fast-retransmit/fast recovery. > Before an RTO timeout, the attacking receiver can move on to > repeatedly DupACK'ing a later packet. > Effect: > The receiver causes the sender's CC to open cwnd indefinitely by > continually repeating the same DupACK, without needing to acknowledge new > data. > Mitigated by RACK? > *Not specifically.* RACK replaces the trigger for FR/FR (by counting > in time not DupACKs). But RACK-TLP [RFC8985] doesn't say anything about > whether fast recovery still increments cwnd every 3 DupACKs after that. And > it doesn't need to, because this vulnerability in TCP fast recovery was > already highlighted in the latest spec of fast recovery [RFC5681; §3.2; > step 4] with a suggested mitigation. > #3 Optimistic ACKing Description > The receiver sends a stream of ACKs that anticipate future data > Effect: > The receiver causes the sender's CC to open cwnd more aggressively > than the standard expects > Mitigated by RACK-TLP? > *No.* > > > > Bob > > On 23/02/2019 00:03, Wesley Eddy wrote: > > On 2/18/2019 7:36 AM, lloyd.wood@yahoo.co.uk wrote: > > Am I the only person who remembers Savage attacks from ack splitting and > packet counting? > > http://cseweb.ucsd.edu/~savage/papers/CCR99.pdf > > there's the support for the MUST NOT, at least. I's not the lack of scale > that is the major issue there, it's being open to abuse. ack counting > didn't work... > > I think it's only sort-of related, but not really. > > The tricks described there are ways to get a sender to be overly > aggressive if it doesn't implement ABC (or other mitigations) so is growing > a congestion window based on units of packets rather than bytes. The L4S > requirement here is about retransmission / loss detection though (reducing > the window) happening based on units of time vs packets (rather than bytes > vs packets). > > > > > -- > ________________________________________________________________ > Bob Briscoe http://bobbriscoe.net/ > >
- [tsvwg] L4S and the RACK requirement Wesley Eddy
- Re: [tsvwg] L4S and the RACK requirement Yuchung Cheng
- Re: [tsvwg] L4S and the RACK requirement Black, David
- Re: [tsvwg] L4S and the RACK requirement Yuchung Cheng
- Re: [tsvwg] L4S and the RACK requirement Black, David
- Re: [tsvwg] L4S and the RACK requirement Scheffenegger, Richard
- Re: [tsvwg] L4S and the RACK requirement lloyd.wood
- Re: [tsvwg] L4S and the RACK requirement Bob Briscoe
- Re: [tsvwg] L4S and the RACK requirement Bob Briscoe
- Re: [tsvwg] L4S and the RACK requirement Yuchung Cheng
- Re: [tsvwg] L4S and the RACK requirement Wesley Eddy
- Re: [tsvwg] Linux DCTCP response to loss (was: L4… Bob Briscoe
- Re: [tsvwg] L4S and the RACK requirement Bob Briscoe
- Re: [tsvwg] L4S and the RACK requirement Neal Cardwell