From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc7713.txt | 1683 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1683 insertions(+) create mode 100644 doc/rfc/rfc7713.txt (limited to 'doc/rfc/rfc7713.txt') diff --git a/doc/rfc/rfc7713.txt b/doc/rfc/rfc7713.txt new file mode 100644 index 0000000..a1f1ae0 --- /dev/null +++ b/doc/rfc/rfc7713.txt @@ -0,0 +1,1683 @@ + + + + + + +Internet Engineering Task Force (IETF) M. Mathis +Request for Comments: 7713 Google, Inc. +Category: Informational B. Briscoe +ISSN: 2070-1721 BT + December 2015 + + + Congestion Exposure (ConEx) Concepts, Abstract Mechanism, + and Requirements + +Abstract + + This document describes an abstract mechanism by which senders inform + the network about the congestion recently encountered by packets in + the same flow. Today, network elements at any layer may signal + congestion to the receiver by dropping packets or by Explicit + Congestion Notification (ECN) markings, and the receiver passes this + information back to the sender in transport-layer feedback. The + mechanism described here enables the sender to also relay this + congestion information back into the network in-band at the IP layer, + such that the total amount of congestion from all elements on the + path is revealed to all IP elements along the path, where it could, + for example, be used to provide input to traffic management. This + mechanism is called Congestion Exposure, or ConEx. The companion + document, "Congestion Exposure (ConEx) Concepts and Use Cases" + (RFC 6789), provides the entry point to the set of ConEx + documentation. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7713. + + + + + + + + +Mathis & Briscoe Informational [Page 1] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + +Copyright Notice + + Copyright (c) 2015 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 + 3. Requirements for the ConEx Abstract Mechanism . . . . . . . . 7 + 3.1. Requirements for ConEx Signals . . . . . . . . . . . . . 7 + 3.2. Constraints on the Audit Function . . . . . . . . . . . . 8 + 3.3. Requirements for Non-abstract ConEx Specifications . . . 9 + 4. Encoding Congestion Exposure . . . . . . . . . . . . . . . . 12 + 4.1. Naive Encoding . . . . . . . . . . . . . . . . . . . . . 12 + 4.2. Null Encoding . . . . . . . . . . . . . . . . . . . . . . 13 + 4.3. ECN-Based Encoding . . . . . . . . . . . . . . . . . . . 13 + 4.4. Independent Bits . . . . . . . . . . . . . . . . . . . . 14 + 4.5. Codepoint Encoding . . . . . . . . . . . . . . . . . . . 14 + 4.6. Units Implied by an Encoding . . . . . . . . . . . . . . 15 + 5. Congestion Exposure Components . . . . . . . . . . . . . . . 16 + 5.1. Network Devices (Not Modified) . . . . . . . . . . . . . 16 + 5.2. Modified Senders . . . . . . . . . . . . . . . . . . . . 16 + 5.3. Receivers (Optionally Modified) . . . . . . . . . . . . . 17 + 5.4. Policy Devices . . . . . . . . . . . . . . . . . . . . . 17 + 5.4.1. Congestion Monitoring Devices . . . . . . . . . . . . 18 + 5.4.2. Rest-of-Path Congestion Monitoring . . . . . . . . . 18 + 5.4.3. Congestion Policers . . . . . . . . . . . . . . . . . 18 + 5.5. Audit . . . . . . . . . . . . . . . . . . . . . . . . . . 19 + 6. Support for Incremental Deployment . . . . . . . . . . . . . 23 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 25 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 27 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 27 + 8.2. Informative References . . . . . . . . . . . . . . . . . 27 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 + + + + +Mathis & Briscoe Informational [Page 2] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + +1. Introduction + + This document describes an abstract mechanism by which, to a first + approximation, senders inform the network about the congestion + encountered by packets earlier in the same flow. It is not a + complete protocol specification because it is known that designing an + encoding (e.g., packet formats, codepoint allocations, etc.) is + likely to entail compromises that preclude some uses of the protocol. + The goal of this document is to provide a framework for developing + and testing algorithms to evaluate the benefits of the ConEx protocol + and to evaluate the consequences of the compromises in various + different encoding designs. This document lays out requirements for + concrete protocol specifications. + + A companion document [RFC6789] provides the entry point to the set of + ConEx documentation. It outlines concepts that are prerequisites to + understanding why ConEx is useful, and it outlines various ways that + ConEx might be used. + +2. Overview + + As typical end-to-end transport protocols continually seek out more + network capacity, network elements signal whenever congestion + results, and the transports are responsible for controlling this + network congestion [RFC5681]. The more a transport tries to use + capacity that others want to use, the more congestion signals will be + attributable to that transport. Likewise, the more transport + sessions sustained by a user and the longer the user sustains them, + the more congestion signals will be attributable to that user. The + goal of ConEx is to ensure that the resulting congestion signals are + sufficiently visible and robust, because they are an ideal metric for + networks to use as the basis of traffic management or other related + functions. + + Networks indicate congestion by three possible signals: packet loss, + ECN marking, or queueing delay. ECN marking and some packet loss may + be the outcome of Active Queue Management (AQM), which the network + uses to warn senders to reduce their rates. Packet loss is also the + natural consequence of complete exhaustion of a buffer or other + network resource. Some experimental transport protocols and TCP + variants infer impending congestion from increasing queuing delay. + However, delay is too amorphous to use as a congestion metric. In + this and other ConEx documents, the term 'congestion signals' is + generally used solely for ECN markings and packet losses because they + are unambiguous signals of congestion. + + + + + + +Mathis & Briscoe Informational [Page 3] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + In both cases, the congestion signals follow the route indicated in + Figure 1. A congested network device sends a signal in the data + stream on the forward path to the transport receiver, the receiver + passes it back to the sender through transport-level feedback, and + the sender makes some congestion control adjustment. + + This document extends the capabilities of the Internet protocol suite + with the addition of a new Congestion Exposure signal. To a first + approximation, this signal (also shown in Figure 1) relays the + congestion information from the transport sender back through the + internetwork layer where it is visible to any interested + internetwork-layer devices along the forward path. This document + frames the engineering problem of designing the ConEx Signal. The + requirements are described in Section 3 and some example encodings + are presented in Section 4. Section 5 describes all of the protocol + components. + + This new signal is expressly designed to support a variety of new + policy mechanisms that might be used to instrument, monitor, or + manage traffic. The policy devices are not shown in Figure 1 but + might be placed anywhere along the forward data path (see + Section 5.4). + + ,---------. ,---------. + |Transport| |Transport| + | Sender | . |Receiver | + | | /|___________________________________________| | + | ,-<---------------Congestion-Feedback-Signals--<--------. | + | | |/ | | | + | | |\ Transport Layer Feedback Flow | | | + | | | \ ___________________________________________| | | + | | | \| | | | + | | | ' ,-----------. . | | | + | | |_____________| |_______________|\ | | | + | | | IP Layer | | Data Flow \ | | | + | | | |(Congested)| \ | | | + | | | | Network |--Congestion-Signals--->-' | + | | | | Device | \| | + | | | | | /| | + | `----------->--(new)-IP-Layer-ConEx-Signals-------->| | + | | | | / | | + | |_____________| |_______________ / | | + | | | | |/ | | + `---------' `-----------' ' `---------' + + Figure 1: The Flow of Congestion and ConEx Signals + + + + + +Mathis & Briscoe Informational [Page 4] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + Since the policy devices can affect how traffic is treated, it is + assumed that there is an intrinsic motivation for users, + applications, or operating systems to understate the congestion that + they are causing. Therefore, it is important to be able to audit + ConEx Signals and to be able to apply sufficient sanction to + discourage cheating of congestion policies. The general approach to + auditing is to count signals on the forward path to confirm that + there are never fewer ConEx Signals than congestion signals. Many + ConEx design constraints come from the need to assure that the audit + function is sufficiently robust. The audit function is described in + Section 5.5; however, significant portions of this document (and + prior research [Refb-dis]) are motivated by issues relating to the + audit function and making it robust. + + The congestion and ConEx Signals shown in Figure 1 represent a series + of discrete events: ECN marks or lost packets, carried by the forward + data stream and fed back into the internetwork layer. The policy and + audit functions are most likely to act on the accumulated values of + these signals, for which we use the term "volume". For example, + "traffic volume" is the total number of bytes delivered optionally + over a specified time interval and over some aggregate of traffic + (e.g., all traffic from a site), while "loss volume" is the total + amount of bytes discarded from some aggregate over an interval. The + term "congestion-volume" is defined precisely in [RFC6789]. Note + that volume per unit time is average rate. + + A design goal of the ConEx protocol is that the important policy + mechanisms can be implemented per logical link without per-flow state + (see Section 5.4). However, the trade-off is that per-flow state + could be needed to audit ConEx Signals (Section 5.5). This is + justified in that i) auditing at the edges, with a limited number of + flows, enables policy elsewhere, including in the core, without any + per-flow state; ii) auditing can use soft flow state, which does not + require route pinning. + + There is a long standing argument over units of congestion: bytes vs + packets (see [RFC7141] and its references). Section 4.6 explains why + this problem must be addressed carefully. However, this document + does not take a strong position on this issue. Nonetheless, it does + require that the units of congestion must be an explicitly stated + property of any proposed encoding, and the consequences of that + design decision must be evaluated along with other aspects of the + design. + + To be successful, the ConEx protocol needs to have the property that + the relevant stakeholders each have the incentive to unilaterally + start on each stage of partial deployment, which in turn creates + + + + +Mathis & Briscoe Informational [Page 5] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + incentives for further deployment. Furthermore, legacy systems that + will never be upgraded do not become a barrier to deploying ConEx. + Issues relating to partial deployment are described in Section 6. + + Note that ConEx Signals are not intended to be used for fine-grained + congestion control. They are anticipated to be most useful at longer + time scales and/or at coarser granularity than single microflows. + For example, the total congestion caused by a user might serve as an + input to higher-level policy or accountability functions designed to + create incentives for improving user behavior, such as choosing to + send large quantities of data at off-peak times, at lower data rates, + or with less aggressive protocols such as Low Extra Delay Background + Transport (LEDBAT) [RFC6817]; see [RFC6789]. + + Ultimately, ConEx Signals have the potential to provide a mechanism + to regulate global Internet congestion. From the earliest days of + research on congestion control, there has been a concern that there + is no mechanism to prevent transport designers from incrementally + making protocols more aggressive without bound and spiraling to a + "tragedy of the commons" Internet congestion collapse. The "TCP + friendly" paradigm was created in part to forestall this failure. + However, it no longer commands any authority because it has little to + say about the Internet of today, which has moved beyond the scaling + range of standard TCP. As a consequence, many transports and + applications are opening arbitrarily large numbers of connections or + using arbitrary levels of aggressiveness. ConEx represents a + recognition that the IETF cannot regulate this space directly because + it concerns the behaviour of users and applications, not individual + transport protocols. Instead, the IETF can give network operators + the protocol tools to arbitrate the space themselves with better bulk + traffic management. This, in turn, should create incentives for + users and designers of applications and of transport protocols to be + more mindful about contributing to congestion. + +2.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + + ConEx Signals in IP packet headers from the sender to the network: + + Not-ConEx: The transport (or at least this packet) is not using + ConEx. + + ConEx-Capable: The transport is using ConEx. This is the opposite + of Not-ConEx. + + + + +Mathis & Briscoe Informational [Page 6] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + ConEx Signal: A signal in a packet sent by a ConEx-capable + transport. It carries at least one of the following signals: + + Re-Echo-Loss: The transport has experienced a loss. + + Re-Echo-ECN: The transport has detected an ECN Congestion + Experienced (CE) mark. + + Credit: The transport is building up credit to signal advance + notice of the risk of packets contributing to congestion, in + contrast to signalling only after inherently delayed feedback + of actual congestion. + + ConEx-Not-Marked: The transport is ConEx-capable but is not + signaling Re-Echo-Loss, Re-Echo-ECN, or Credit. + + ConEx-Marked: At least one of Re-Echo-Loss, Re-Echo-ECN, or Credit. + + ConEx-Re-Echo: At least one of Re-Echo-Loss or Re-Echo-ECN. + +3. Requirements for the ConEx Abstract Mechanism + + First-time readers may wish to skim this section, since it is more + understandable having read the entire document. + +3.1. Requirements for ConEx Signals + + Ideally, all the following requirements would be met by a Congestion + Exposure Signal: + + a. The ConEx Signal SHOULD be visible to internetwork-layer devices + along the entire path from the transport sender to the transport + receiver. Equivalently, it SHOULD be present in the IPv4 or IPv6 + header and in the outermost IP header if using IP-in-IP + tunneling. It MAY need to be visible if other encapsulating + headers are used to interconnect networks. The ConEx Signal + SHOULD be immutable once set by the transport sender. A + corollary of these requirements is that the chosen ConEx encoding + SHOULD pass silently without modification through preexisting + networking gear. + + b. The ConEx Signal SHOULD be useful under only partial deployment. + A minimal deployment SHOULD only require changes to transport + senders. Furthermore, partial deployment SHOULD create + incentives for additional deployment, both in terms of enabling + ConEx on more devices and adding richer features to existing + devices. Nonetheless, ConEx deployment need never be universal, + + + + +Mathis & Briscoe Informational [Page 7] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + and it is anticipated that some hosts and some transports may + never support the ConEx protocol and some networks may never use + the ConEx Signals. + + c. The ConEx Signal SHOULD be timely. There will be a minimum delay + of one RTT and often longer if the transport protocol sends + infrequent feedback (consider Real-time Transport Control + Protocol (RTCP) [RFC3550] [RFC6679], for example). + + d. The ConEx Signal SHOULD be accurate and auditable. The general + approach for auditing is to observe the volume of congestion + signals and ConEx Signals on the forward data path and verify + that the ConEx Signals do not underrepresent the congestion + signals (see Section 5.5). + + e. The ConEx Signals for packet loss and ECN marking SHOULD have + distinct encodings because they are likely to require different + auditing techniques. + + f. Additionally, there SHOULD be an auditable ConEx Credit signal. + A sender can use Credit to indicate potential future congestion, + for example, as is often seen during startup. ConEx Credit is + intended to overestimate congestion actually experienced across + the network. + + It is already known that implementing ConEx Signals is likely to + entail some compromises, and therefore, all the requirements above + are expressed with the keyword "SHOULD" rather than "MUST". The only + mandatory requirement is that a concrete protocol description MUST + give sound reasoning if it chooses not to meet some requirement. + +3.2. Constraints on the Audit Function + + The role of the audit function and constraints on it are described in + Section 5.5. There is no intention to standardise the audit + function. However, it is necessary to lay down the following + normative constraints on audit behaviour so that transport designers + will know what to design against and implementers of audit devices + will know what pitfalls to avoid: + + Minimal False Hits: Audit SHOULD introduce minimal false hits for + honest flows. + + Minimal False Misses: Audit SHOULD quickly detect and sanction + dishonest flows, ideally on the first dishonest packet. + + + + + + +Mathis & Briscoe Informational [Page 8] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + Transport Oblivious: Audit SHOULD NOT be designed around one + particular rate response, such as any particular TCP congestion + control algorithm or one particular resource-sharing regime such + as TCP friendliness [RFC5348]. An important goal is to give + ingress networks the freedom to unilaterally allow different rate + responses to congestion and different resource sharing regimes + [Evol_cc] without having to coordinate with other networks over + details of individual flow behaviour. + + Sufficient Sanction: Audit SHOULD introduce sufficient sanction + (e.g., loss in goodput) such that senders cannot gain from + understating congestion. + + Proportionate Sanction: To the extent that the audit might be + subject to false hits, the sanction SHOULD be proportionate to the + degree to which congestion is understated. If the audit over- + punishes, attackers will find ways to harness it into amplifying + attacks on others. Ideally the audit should, in the long run, + cause the user to get no better performance than they would get by + being accurate. + + Manage Memory Exhaustion: Audit SHOULD be able to counter state- + exhaustion attacks. For instance, if the audit function uses flow + state, it should not be possible for senders to exhaust its memory + capacity by gratuitously sending numerous packets, each with a + different flow ID. + + Identifier Accountability: Audit SHOULD NOT be vulnerable to + 'identity whitewashing', where a transport can label a flow with a + new ID more cheaply than paying the cost of continuing to use its + current ID [CheapPseud]. + +3.3. Requirements for Non-abstract ConEx Specifications + + An experimental ConEx specification SHOULD describe the following + protocol details: + + Network Layer: + + A. the specific ConEx Signal encodings with packet formats, bit + fields, and/or codepoints; + + B. an inventory of invalid combinations of flags or invalid + codepoints in the encoding, as well as whether security + gateways should normalise, discard, or ignore such invalid + encodings, and what values they should be considered + equivalent to by ConEx-aware elements; + + + + +Mathis & Briscoe Informational [Page 9] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + C. an inventory of any conflated signals or any other effects + that are known to compromise signal integrity; + + D. whether the source is responsible for allowing for the round- + trip delay in ConEx Signals (e.g., using a Credit marking), + and if so, whether Credit is maintained for the duration of a + flow or degrades over time, and what defines the end of the + duration of a flow; + + E. a specification for signal units (bytes vs. packets, etc.), + any approximations allowed, and the algorithms to do any + implied conversions or accounting; + + F. if the units are bytes, a definition of which headers are + included in the size of the packet; + + G. how tunnels should propagate the ConEx encoding; + + H. whether the encoding fields are mutable or not, to ensure that + header authentication, checksum calculation, etc., process + them correctly; a ConEx encoding field SHOULD be immutable + end-to-end, then endpoints can detect if it has been tampered + with in transit; + + I. if a specific encoding allows mutability (e.g., at proxies), + then an inventory of invalid transitions between codepoints; + in all encodings, transitions from any ConEx marking to Not- + ConEx MUST be invalid; + + J. a statement that the ConEx encoding is only applicable to + unicast and anycast and that forwarding elements should + silently ignore any ConEx signalling on multicast packets + (they should be forwarded unchanged); + + K. the definition of any extensibility; + + L. backward and forward compatibility and potential migration + strategies; in all cases, a ConEx encoding MUST be arranged so + that legacy transport senders implicitly send Not-ConEx; + + M. any (optional) modification to data-plane forwarding dependent + on the encoding (e.g., preferential discard, interaction with + Diffserv, ECN, etc.); and + + N. any warning or error messages relevant to the encoding. + + + + + + +Mathis & Briscoe Informational [Page 10] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + Note regarding item J on multicast: A multicast tree may involve + different levels of congestion on each leg. Any traffic + management can only monitor or control multicast congestion at or + near each receiver. It would make no sense for the sender to try + to expose "whole-path congestion" in sent packets because it + cannot hope to describe all the differing congestion levels on + every leg of the tree. + + Transport Layer: + + A. a specification of any required changes to congestion feedback + in particular transport protocols; + + B. a specification (or, minimally, a recommendation) for how a + transport should estimate credits at the beginning of a + connection and while it is in progress; + + C. a specification of whether any other protocol options should + (or must) be enabled along with an implementation of ConEx + (e.g., at least attempting to negotiate ECN and Selective + Acknowledgement (SACK) capability); + + D. a specification of any configuration that a ConEx stack may + require (or, preferably, confirmation that it requires no + configuration); and + + E. a specification of the statistics that a protocol stack should + log for each type of marking on a per-flow or aggregate basis. + + Security: + + A. an example of a strong audit algorithm suitable for detecting + if a single flow is misstating congestion; this algorithm + should present minimal false results but need not have optimal + scaling properties (e.g., may need per-flow state). + + B. an example of an audit algorithm suitable for detecting + misstated congestion in a large aggregate (e.g., no per-flow + state). + + C. a definition of the level of ConEx-Re-Echo and ConEx-Credit + signals that will be sufficient to pass audit (see + Section 5.5). + + The possibility exists that these specifications overconstrain the + ConEx design and can not be fully satisfied. An important part of + the evaluation of any particular design will be a thorough inventory + of all ways in which it might fail to satisfy these specifications. + + + +Mathis & Briscoe Informational [Page 11] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + +4. Encoding Congestion Exposure + + Most protocol specifications start with a description of packet + formats and codepoints with their associated meanings. This document + does not: It is already known that choosing the encoding for ConEx is + likely to entail some engineering compromises that have the potential + to reduce the protocol's usefulness in some settings. For instance, + the experimental ConEx encoding chosen for IPv6 [CONEX-DESTOPT] had + to make compromises on tunnelling. Rather than making these + engineering choices prematurely, this document sidesteps the encoding + problem by making it abstract. It describes several different + representations of ConEx Signals, none of which are specified to the + level of specific bits or codepoints. + + The goal of this approach is to be as complete as possible for + discovering the potential usage and capabilities of the ConEx + protocol, so we have some hope of making optimal design decisions + when choosing the encoding. Even if experiments reveal particular + problems due to the encoding, then this document will still serve as + a reference model. + +4.1. Naive Encoding + + For tutorial purposes, it is helpful to describe a naive encoding of + the ConEx protocol for TCP and similar protocols: set a bit (not + specified here) in the IP header on each retransmission and on each + ECN-signalled window reduction. Network devices along the forward + path can see this bit and act on it. For example, any device along + the path might limit the rate of all traffic if the rate of marked + (congested) packets exceeds a threshold. + + This simple encoding is sufficient to illustrate many of the benefits + envisioned for ConEx. At first glance, it looks like it might + motivate people to deploy and use it. It is a one-line code change + that a small number of OS developers and content providers could + unilaterally deploy across a significant fraction of all Internet + traffic. However, this encoding does not support auditing so it + would also motivate users and/or applications to misrepresent the + congestion that they are causing [RFC3514]. As a consequence, the + naive encoding is not likely to be trusted and thus creates its own + disincentives for deployment. + + Nonetheless, this Naive encoding does present a clear mental model of + how the ConEx protocol might function under various uses. It is + useful for thought experiments where it can be stipulated that all + participants are honest and it does illustrate some of the incentives + that might be introduced by ConEx. + + + + +Mathis & Briscoe Informational [Page 12] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + +4.2. Null Encoding + + In limited contexts, it is possible to implement ConEx-like functions + without any signals at all by measuring rest-of-path congestion + directly from TCP headers. The algorithm is to keep at least one RTT + of past TCP headers and match each new header against the history to + count duplicate data. + + This could implement many ConEx policies, without any explicit + protocol. It is fairly easy to implement, at least at low rate + (e.g., in a software-based edge router). However, it would only be + useful in cases where the network operator can see the TCP headers. + At the time of writing (2014), those cases are the majority of + traffic because UDP, IPsec, and VPN tunnels are used far less than + Secure Socket Layer (SSL) or Transport Layer Security (TLS) over + TCP/IP, which do not hide TCP sequence numbers from network devices. + However, anyone specifically intending to avoid the attention of a + congestion policy device would only have to hide their TCP headers + from the network operator (e.g., by using a VPN tunnel). + +4.3. ECN-Based Encoding + + The re-ECN specification [RE-ECN-TCP] presents an encoding of ConEx + in IPv4 and IPv6 that was tightly integrated with ECN encoding in + order to fit into the IPv4 header. Any individual packet may need to + represent any ECN codepoint and any ConEx Signal value independently. + So, ideally, their encoding should be entirely independent. However, + given the limited number of header bits and/or codepoints, re-ECN + chooses to partially share codepoints and to re-echo both losses and + ECN with just one codepoint. + + The central theme of the re-ECN work is an audit mechanism that + provides sufficient disincentives against misrepresenting congestion + [RE-ECN-MOTIVATION]. It is analyzed extensively in Briscoe's PhD + dissertation [Refb-dis]. For a tutorial background on re-ECN + motivation and techniques, see [Re-fb] and [FairerFaster]. + + Re-ECN is an example of one chosen set of compromises attempting to + meet the requirements of Section 3. The present document takes a + step back, aiming to state the ideal requirements in order to allow + the Internet community to assess whether different compromises might + be better. + + The problem with re-ECN is that it requires that receivers be ECN + enabled in addition to sender changes. Newer encodings + [CONEX-DESTOPT] overcome this problem by being able to represent loss + and ECN-based congestion separately. + + + + +Mathis & Briscoe Informational [Page 13] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + +4.4. Independent Bits + + This encoding involves flag bits, each of which the sender can set + independently to indicate to the network one of the following four + signals: + + ConEx (Not-ConEx): The transport is (or is not) using ConEx with + this packet (network-layer encoding requirement L in Section 3.3 + says the protocol must be arranged so that legacy transport + senders implicitly send Not-ConEx). + + Re-Echo-Loss (Not-Re-Echo-Loss): The transport has (or has not) + experienced a loss. + + Re-Echo-ECN (Not-Re-Echo-ECN): The transport has (or has not) + experienced ECN-signalled congestion. + + Credit (Not-Credit): The transport is (or is not) building up + congestion credit (see Section 5.5 on the audit function). + + A packet with ConEx set, combined with all the three other flags + cleared, implies ConEx-Not-Marked. + + This encoding does not imply any exclusion property among the + signals. Multiple types of congestion (ECN, loss) can be signalled + on the same ACK. So, ideally, a ConEx sender would be able to + reflect these in the next packet. However, there will be many + invalid combinations of flags (e.g., Not-ConEx combined with any of + the ConEx-Marked flags), which a malicious sender could use to + advantage against naive policy devices that only check each flag + separately. + + As long as the packets in a flow have uniform sizes, it does not + matter whether the units of congestion are packets or bytes. + However, if an application sends very irregular packet sizes, it may + be necessary for the sender to mark multiple packets to avoid being + in technical violation of an audit function measuring in bytes (see + Section 4.6). + +4.5. Codepoint Encoding + + This encoding involves signaling one of the following five + codepoints: + + ENUM {Not-ConEx, ConEx-Not-Marked, Re-Echo-Loss, Re-Echo-ECN, Credit} + + + + + + +Mathis & Briscoe Informational [Page 14] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + Each named codepoint has the same meaning as in the encoding using + independent bits in the previous section. The use of any one + codepoint implies the negative of all the others. + + Inherently, the semantics of most of the enumerated codepoints are + mutually exclusive. 'Credit' is the only one that might need to be + used in combination with either Re-Echo-Loss or Re-Echo-ECN, but even + that requirement is questionable. It must not be forgotten that the + enumerated encoding loses the flexibility to signal these two + combinations, whereas the encoding with four independent bits is not + so limited. Alternatively, two extra codepoints could be assigned to + these two combinations of semantics. The comment in the previous + section about units also applies. + +4.6. Units Implied by an Encoding + + The following comments apply generally to all the other encodings. + + Congestion can be due to exhaustion of bit-carrying capacity or + exhaustion of packet-processing power. When a packet is discarded or + marked to indicate congestion, there is no easy way to know whether + the lost or marked packet signifies bit congestion or packet + congestion. The above ConEx encodings that rely on marking packets + suffer from the same ambiguity. + + This problem is most acute when audit needs to check that one count + of markings matches another. For example, if there are ConEx + markings on three large (1500 B) packets, is that sufficient to match + the loss of five small (60 B) packets? If a packet marking is + defined to mean all the bytes in the packet are marked, then we have + 4500 B of ConEx-Marked data against 300 B of lost data, which is + easily sufficient. If instead we are counting packets, then we have + three ConEx packets against five lost packets, which is not + sufficient. This problem will not arise when all the packets in a + flow are the same size, but a choice needs to be made for flows in + which packet sizes vary, such as BGP, SPDY, and some variable-rate + video encoding schemes. + + Whether to use bytes or packets is not obvious. For instance, the + most expensive links in the Internet, in terms of cost per bit, are + all at lower data rates, where transmission times are large and + packet sizes are important. In order for a policy to consider wire + time, it needs to know the number of congested bytes. However, high + speed networking equipment and the transport protocols themselves + sometimes gauge resource consumption and congestion in terms of + packets. + + + + + +Mathis & Briscoe Informational [Page 15] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + [RFC7141] advises that congestion indications should be interpreted + in units of bytes when responding to congestion, at least on today's + Internet. [RFC6789] takes the same view in its definition of + congestion-volume, again, for today's Internet. + + In any TCP implementation, this is simple to achieve for varying size + packets given that TCP SACK tracks losses in bytes. If an encoding + is specified in units of bytes, the encoding should also specify + which headers to include in the size of a packet (see network-layer + requirement F in Section 3.3). + + RFC 7141 constructs an argument for why equipment tends to be built + so that the bottleneck will be the bit-carrying capacity of its + interfaces, not its packet-processing capacity. However, RFC 7141 + acknowledges that the position may change in future and notes that + new techniques will need to be developed to distinguish packet and + bit congestion. + + Given this document describes an abstract ConEx mechanism, it is + intended to be timeless. Therefore, it does not take a strong + position on this issue. However, a ConEx encoding will need to + explicitly specify whether it assumes units of bytes or packets + consistently for both congestion indications and ConEx markings (see + network-layer requirement E in Section 3.3). It may help to refer to + the guidance in [RFC7141]. + +5. Congestion Exposure Components + + The components shown in Figure 1 as well as policy and audit are + described in more detail. + +5.1. Network Devices (Not Modified) + + Congestion signals originate from network devices as they do today. + A congested router, switch, or other network device can discard or + ECN-mark packets when it is congested. + +5.2. Modified Senders + + The sending transport needs to be modified to send Congestion + Exposure signals in response to congestion feedback signals (e.g., + for the case of a TCP transport, see [TCP-MODIFICATION]). We want to + permit ConEx without ECN (e.g., if the receiver does not support + ECN). However, we want to encourage a ConEx sender to at least + attempt to negotiate ECN (a ConEx transport protocol specification + may require this) because it is believed that ConEx without ECN is + harder to audit and thus potentially exposed to cheating. Since + honest users have the potential to benefit from stronger mechanisms + + + +Mathis & Briscoe Informational [Page 16] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + to manage traffic, they have an incentive to deploy ConEx and ECN + together. This incentive is not sufficient to prevent a dishonest + user from constructing (or configuring) a sender that enables ConEx + after choosing not to negotiate ECN, but it should be sufficient to + prevent this from being the sustained default case for any + significant pool of users. + + Permitting ConEx without ECN is necessary to facilitate bootstrapping + other parts of ConEx deployment. + +5.3. Receivers (Optionally Modified) + + Any receiving transport may already feedback sufficiently useful + signals to the sender so that it does not need to be altered. + + The native loss or ECN signaling mechanism required for compliance + with existing congestion control standards (e.g., RTCP, Stream + Control Transmission Protocol (SCTP)) will typically be sufficient + for the Sender to generate ConEx Signals. + + TCP's loss feedback is sufficient for ConEx if SACK is used + [RFC2018]. However, the original specification for ECN in TCP + [RFC3168] signals congestion no more than once per round trip. The + sender may require more precise feedback from the receiver otherwise + it is at risk of appearing to be understating its ConEx Signals. + + Ideally, ConEx should be added to a transport like TCP without + mandatory modifications to the receiver. But in the TCP-ECN case, an + optional modification to the receiver could be recommended for + precision (see [RFC7560], which is based on the approach originally + taken when adding re-ECN to TCP [RE-ECN-TCP]). + +5.4. Policy Devices + + Policy devices are characterised by a need to be configured with a + policy related to the users or neighboring networks being served. In + contrast, auditing devices solely enforce compliance with the ConEx + protocol and do not need to be configured with any client-specific + policy. + + One of the design goals of the ConEx protocol is that none of the + important policy mechanisms requires per-flow state and that policy + mechanisms can even be implemented for heavily aggregated traffic in + the core of the Internet with complexity akin to accumulating marking + volumes per logical link. Of course, policy mechanisms may sometimes + choose to focus down on individual flows, but ConEx aims to make + aggregate policy devices feasible. + + + + +Mathis & Briscoe Informational [Page 17] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + +5.4.1. Congestion Monitoring Devices + + Policy devices can typically be decomposed into two functions: + i) monitoring the ConEx Signal to compare it with a policy; then ii) + acting in some way on the result. Various actions might be invoked + against 'out of contract' traffic, such as policing (see + Section 5.4.3), re-routing, or downgrading the class of service. + + Alternatively, a policy device might not act directly on the traffic, + but instead report to management systems that are designed to control + congestion indirectly. For instance, the reports might trigger + capacity upgrades, penalty clauses in contracts, levy charges based + on congestion, or merely send warnings to clients who are causing + excessive congestion. + + Nonetheless, whatever action is invoked, the congestion monitoring + function will always be a necessary part of any policy device. + +5.4.2. Rest-of-Path Congestion Monitoring + + ConEx Signals indicate the level of congestion along a whole path + from source to destination. In contrast, ECN signals monitored in + the middle of a network indicate the level of congestion experienced + so far on the path (of course, only in ECN-capable traffic). + + If a monitor in the middle of a network (e.g., at a network border) + measures both of these signals, it can subtract the level of ECN + (path so far) from the level of ConEx (whole path) to derive a + measure of the congestion that packets are likely to experience + between the monitoring point and their destination (rest-of-path + congestion). + + It will often be preferable for policy devices to monitor rest-of- + path congestion if they can, because it is a measure of the + downstream congestion that the policy device can directly influence + by controlling the traffic passing through it. + +5.4.3. Congestion Policers + + A congestion policer can be implemented in a very similar way to a + bit-rate policer, but its effect can be focused solely on traffic of + users causing congestion downstream, which ConEx Signals make + visible. Without ConEx Signals, the only way to mitigate congestion + is to blindly limit the traffic bit-rate on the assumption that high + bit-rate is more likely to cause congestion. + + + + + + +Mathis & Briscoe Informational [Page 18] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + A congestion policer monitors all ConEx traffic entering a network or + some identifiable subset. Using ConEx Signals and/or Credit signals + (and preferably subtracting ECN signals to yield rest-of-path + congestion), it measures the amount of congestion that this traffic + is contributing somewhere downstream. If this persistently exceeds a + policy-configured 'congestion-bit-rate', the congestion policer can + limit all the monitored ConEx traffic. + + A congestion policer can be implemented by a simple token bucket + applied to an aggregate. But unlike a bit-rate policer, it removes + tokens only when it forwards packets that are ConEx-Marked, + effectively treating Not-ConEx-Marked packets as invisible. + Consequently, because tokens give the right to send congested bits, + the fill rate of the token bucket will represent the allowed + congestion-bit-rate. This should provide sufficient traffic + management without having to additionally constrain the straight bit- + rate at all. See [ISOLATION-POLICING] for details. + + Note that the policing action could be to introduce a throttle + (discard some traffic) immediately upstream of the congestion + monitor. Alternatively, this throttle could introduce delay using a + queue with its own AQM, which potentially increases the whole path + congestion. In effect, the congestion policer has moved the + congestion earlier in the path and focused it on one user to protect + downstream resources by reducing the congestion in the rest of the + path. + +5.5. Audit + + The most critical aspect of ConEx is the capability to support robust + auditing. It can be assumed that sanctions based on ConEx Signals + will create an intrinsic motivation for users to understate the + congestion that they are causing. So, without strong audit + functions, the ConEx Signal would become understated to the point of + being useless. Therefore, the most important feature of an encoding + design is likely to be the robustness of the auditing it supports. + + The general goal of an auditor is to make sure that any ConEx-enabled + traffic is sent with sufficient ConEx-Re-Echo and ConEx-Credit + signals. A concrete definition of the ConEx protocol MUST define + what sufficient means. + + If a ConEx-enabled transport does not carry sufficient ConEx Signals, + then an auditor is likely to apply some sanction to that traffic. + Although sanctions are beyond the scope of this document, an example + sanction might be to throttle the traffic immediately upstream of the + + + + + +Mathis & Briscoe Informational [Page 19] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + auditor to prevent the user from getting any advantage by + understating congestion. Such a throttle would likely include some + combination of delaying or dropping traffic. + + A ConEx auditor might use one of the following techniques: + + Generic loss auditing: For congestion signalled by loss, totally + accurate auditing is not believed to be possible in the general + case because it involves a network node detecting the absence of + some packets when it cannot always necessarily identify + retransmissions or missing packets. The missing packet might + simply be taking a different route, or the IP payload may be + encrypted. + + It is for this reason that it is desirable to motivate the + deploying of ECN, even though ECN is not strictly required for + ConEx. + + ECN auditing: Directly observe and compare the volume of ECN and + ConEx marks. Since the volume of ECN marks rises monotonically + along a path, ECN auditing is most accurate when located near the + transport receiver. For this reason, ECN should be monitored + downstream of the predominant bottleneck. + + TCP-specific loss auditing: For non-encrypted standard TCP traffic + on a single path, a tactical audit approach could be to measure + losses by detecting retransmissions, which appear as duplicate + sequence numbers upstream of the loss and out of order data + downstream of the loss. Since some reordering is present in the + Internet, such a loss estimator would be most accurate near the + sender. Such an audit device should treat non-ECN-capable packets + with encrypted IP payload as Not-ConEx, even if they claim to be + ConEx-capable, unless the operator is also using one of the other + two techniques below that can audit such packets against losses. + + Predominant bottleneck loss auditing: For networks designed so that + losses predominantly occur under the control of one IP-aware + bottleneck node on the path, the auditor could be located at this + bottleneck. It could simply compare ConEx Signals with actual + local packet discards (and ECN marks). This is a good model for + most consumer access networks where audit accuracy could well be + sufficient even if losses occasionally occur elsewhere in the + network. + + Although the auditor at the predominant bottleneck would not be + able to count losses at other nodes, transports would not know + where losses were occurring either. Therefore, a transport would + + + + +Mathis & Briscoe Informational [Page 20] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + not know which losses it could cheat and which ones it couldn't + without getting caught. + + ECN tunnel loss auditing: A network operator can arrange IP-in-IP + tunnels (or IP-in-MPLS, etc.) so that any losses within the + tunnels are deferred until the tunnel egress. Then, the audit + function can be deployed at the egress and be aware of all losses. + This is possible by enabling ECN marking on switches and routers + within a tunnel, irrespective of whether end systems support ECN, + by exploiting a side effect of the way tunnels handle the ECN + field. After encapsulation at the tunnel ingress, the network + should arrange for any non-ECN packets (with '00' in the ECN field + of the outer) to be set to the ECN-capable transport (ECT(0)) + codepoint. Then, if they experience congestion at one of the ECN- + capable switches or routers within the tunnel, some will be ECN- + marked rather than immediately dropped. However, when the tunnel + decapsulator strips the outer from such an ECN-marked packet, if + it finds the inner header has '00' in the ECN field (meaning that + the endpoints do not support ECN), it will automatically drop the + packet, assuming it complies with [RFC6040]. Thus, an audit + function at the decapsulator can know which packets would have + been dropped within the tunnel (and even which are genuinely ECN- + marked for the end-to-end protocol). Non-ECN end systems outside + the tunnel see no sign of the use of ECN internally. + + In addition, other audit techniques may be identified in the future. + + [Refb-dis] gives a comprehensive inventory of attacks against audit + proposed by various people. It includes pseudocode for both + deterministic and statistical audit functions designed to thwart + these attacks and analyses the effectiveness of an implementation. + Although this work is specific to the re-ECN protocol, most of the + material is useful for designing and assessing audit of other + specific ConEx encodings, against both ECN and loss. + + The auditing function should be able to trigger sufficient sanction + to discourage understating congestion [Salvatori05]. This seems to + require designing the sanction in concert with the policy functions, + even though they might be implemented in different parts of the + network. However, [Refb-dis] proves audit and policy functions can + be independent as long as audit drops sufficient traffic to + 'normalise' actual congestion signals to be no greater than ConEx + Signals. + + Similarly, the job of incentivising the sending of ConEx-enabled + packets is proper solely to policy devices independent of the audit + function. The audit function's job is policy neutral, so it should + be solely confined to checking for correctness within those packets + + + +Mathis & Briscoe Informational [Page 21] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + that have been marked as ConEx-capable. Even if there are Not-ConEx + packets mixed with ConEx packets within a flow, audit will not need + to monitor any Not-ConEx packets. + + Note that in the future it might prove to be desirable to provide + advice on uniformly implementing sanctions, because otherwise + insufficient sanctions could impair the ability to implement policy + elsewhere in the network. + + Some of the audit algorithms require per-flow state. This cost is + expected to be tolerable because these techniques are most apropos + near the edges of the network where traffic is generally much less + aggregated so the state need not overwhelm any one device. The flow + state required for the audit creates itself as it detects new flows. + Therefore, a flow will not fail if it is re-routed away from the + audit box currently holding its flow state, so auditing does not + require route pinning and works fine with multipath flows. + + Holding flow state seems to create a vulnerability to attacks that + exhaust the auditor's memory by opening numerous new short flows. + The audit function can protect itself from this attack by not + allocating new flow state unless a ConEx-Marked packet arrives (e.g., + credit at the start of a flow). Because policy devices rate limit + ConEx-Marked packets, this sets a natural limit to the rate at which + a source can create flow state in audit devices. The auditor would + treat all the remaining flows without any ConEx-Marked packets as a + single misbehaving aggregate. + + Auditing can be distributed and redundant. One flow may be audited + in multiple places, using multiple techniques. Some audit techniques + do not require any per-flow state and can be applied to aggregate + traffic. These might be able to detect the presence of understated + congestion at large scale and support recursively hunting for + individual flows that are understating their congestion. Even at + large scales, flows can be randomly selected for individual auditing. + + Sampling techniques can also be used to bound the total auditing + memory footprint, although the implementer needs to counter the + tactic where a source cheats until caught by sampling, then simply + discards that flow ID and starts cheating with a new one (termed + 'identifier whitewashing when caught'). + + For the concrete ConEx protocol encoding defined in [CONEX-DESTOPT], + ConEx Credit and ConEx-Re-Echo signals are intended to be audited + separately. The Credit signal can be audited directly against actual + congestion (loss and ECN). However, there will be an inherent delay + of at least one round trip between a congestion signal and the + subsequent ConEx-Re-Echo signal it triggers, as shown in Figure 1. + + + +Mathis & Briscoe Informational [Page 22] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + Therefore, ConEx-Re-Echo signals will need to be audited with some + allowance for this delay. Further discussion of design and + implementation choices for functions intended to audit this concrete + ConEx encoding can be found in [CONEX-AUDIT]. + +6. Support for Incremental Deployment + + The ConEx abstract protocol described so far is intended to support + incremental deployment in every possible respect. For convenience, + the following list collects together all the features that support + incremental deployment in the concrete ConEx specifications and + points to further information on each: + + Packets: The wire protocol encoding allows each packet to indicate + whether it is using ConEx or not (see Section 4 on + Encoding Congestion Exposure). + + Senders: ConEx requires a modification to the source in order to + send ConEx packet markings (see Section 5.2). Although ConEx + support can be indicated on a packet-by-packet basis, it is likely + that all the packets in a flow will either consistently support + ConEx or consistently not. It is also likely that, if the + implementation of a transport protocol supports ConEx, all the + packets sent from that host using that protocol will be ConEx- + Capable. + + The implementations of some of the transport protocols on a host + might not support ConEx (e.g., the implementation of DNS over UDP + might not support ConEx, while perhaps RTP over UDP and TCP will). + Any non-upgraded transports and non-upgraded hosts will simply + continue to send regular Not-ConEx packets as always. + + A network operator can create incentives for senders to + voluntarily reveal ConEx information (see the item on incremental + deployment by 'Networks' below). + + Receivers: A ConEx source should be able to work with the regular + receiver for the transport in question without requiring any + ConEx-specific modifications. This is true for modern transport + protocols (RTCP, SCTP, etc.) and it is even true for TCP, as long + as the receiver supports SACK, which is widely deployed anyway. + However, it is not true for ECN feedback in TCP. The need for + more precise ECN feedback in TCP is not exclusive to ConEx; for + instance, Data Centre TCP [DCTCP] uses precise feedback to good + effect. Therefore, if a receiver offers precise feedback, + [RFC7560] it will be best if ConEx uses it (see Section 5.3). + + + + + +Mathis & Briscoe Informational [Page 23] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + Alternatively, without sufficiently precise congestion feedback + from the receiver, the source may have to conservatively send + extra ConEx markings in order to avoid understating congestion. + + Proxies: Although it was stated above that ConEx requires a + modification to the source, ConEx Signals could theoretically be + introduced by a proxy for the source as long as it can intercept + feedback from the receiver. Similarly, more precise feedback + could theoretically be provided by a proxy for the receiver rather + than modifying the receiver itself. + + Forwarding: No modification to forwarding or queuing is needed for + ConEx. + + However, once some ConEx is deployed, it is possible that a queue + implementation could optionally take advantage of the ConEx + information in packets. For instance, it has been suggested + [CONEX-DESTOPT] that a queue would be more robust against flooding + if it preferentially discarded Not-ConEx packets then Not-Marked + ConEx packets. + + A ConEx sender re-echoes congestion whether the queues signaling + congestion are ECN enabled or not. Nonetheless, an operator + relying on ConEx Signals is recommended to enable ECN in queues + wherever possible. This is because auditing works best if most + congestion is indicated by ECN rather than loss (see Section 3). + Also, monitoring rest-of-path congestion is not accurate if there + are congested non-ECN queues upstream of the monitoring point + (Section 5.4.2). + + Networks: If a subset of traffic sources (or proxies) use ConEx + Signals to reveal congestion in the internetwork layer, a network + operator can choose (or not) to use this information for traffic + management. As long as the end-to-end ConEx Signals are present, + each network can unilaterally choose to use them -- independently + of whether other networks do. + + ConEx marked packets may safely traverse a network that ignores + them. ConEx Signals are defined to remain unchanged once set by + the sender, but some encodings may allow changes in transit (e.g., + by proxies). In no circumstances will a network node change + ConEx-Capable packets to Not-ConEx (network-layer encoding + requirement I in Section 3.3). If necessary, endpoints should be + able to detect if a network is removing ConEx Signals (network- + layer encoding requirement H in Section 3.3). + + + + + + +Mathis & Briscoe Informational [Page 24] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + An operator can deploy policy devices (Section 5.4) wherever + traffic enters its network in order to monitor the downstream + congestion that incoming traffic contributes to and control it if + necessary. A network operator can create incentives for the + developers of sending applications and transports to voluntarily + reveal ConEx information. Without ConEx information, a network + operator tends to have to limit the bit-rate or volume from a site + more than is necessary, just in case it might congest others. + With ConEx information, the operator can solely limit congestion- + causing traffic and otherwise allow complete freedom. This + greater freedom acts as an inducement for the source to volunteer + ConEx information. An operator may also monitor whether a source + transport has sent ConEx packets and treat the same transport with + greater suspicion (e.g., a more stringent rate limit) whenever it + selectively sends packets without ConEx support. See [RFC6789] + for further discussion of deployment incentives for networks and + references to scenarios where some networks use ConEx-based policy + devices and others don't. + + An operator can deploy audit devices (Section 5.5) unilaterally + within its own network to verify that traffic sources are not + understating ConEx information. From the viewpoint of one network + operator (say N_a), it only cares that the level of ConEx + signaling is sufficient to cover congestion in its own network. + If traffic continues into a congested downstream network (say + N_b), it is of no concern to the first network (N_a) if the end- + to-end ConEx signaling is insufficient to cover the congestion in + N_b as well. This is N_b's concern, and N_b can both detect such + anomalous traffic and deal with it using ConEx-based audit devices + itself. + +7. Security Considerations + + The only known risk associated with ConEx is that users and + applications are very likely to be motivated to underrepresent the + congestion that they are causing. Significant portions of this + document are about mechanisms to audit the ConEx Signals and create + sufficient sanction to inhibit such underrepresentation. In + particular, see Section 5.5. + + Security attacks and their defences are best discussed against a + concrete protocol specification, not the abstract mechanism of this + document. A concrete ConEx protocol will need to be accompanied by a + document describing how the protocol and its audit mechanisms defend + against likely attacks. [Refb-dis] will be a useful source for such + a document. It gives a comprehensive inventory of attacks against + audit that have been proposed by various parties. It includes + + + + +Mathis & Briscoe Informational [Page 25] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + pseudocode for both deterministic and statistical audit functions + designed to thwart these attacks and analyses the effectiveness of an + implementation. + + However, [Refb-dis] is specific to the re-ECN protocol, which + signalled ECN and loss together, whereas the concrete ConEx protocol + defined in [CONEX-DESTOPT] signals them separately. Therefore, + although likely attacks will be similar, there will be more + combinations of attacks to worry about, and defences and their + analysis are likely to be a little different for ConEx. + + The main known attacks that a security document for a concrete ConEx + protocol will need to address are listed below and [Refb-dis] should + be referred to for how re-ECN was designed to defend against similar + attacks: + + o Attacks on the audit function (see Section 7.5 of [Refb-dis]): + + Flow ID Whitewashing: Designing the audit function so that a + source cannot gain from starting a new flow once audit has + detected cheating in a previous flow. + + Dragging Down an Aggregate: Avoiding audit discarding packets + from all flows within an aggregate, which would allow one flow + to pull down the average so that the audit function would + discard packets from all flows, not just the offending flow. + + Dragging Down a Spoofed Flow ID: An attacker understates ConEx + markings in packets that spoof another flow, which fools the + audit function into dropping the genuine user's packets. + + o Attacks by networks on other networks (see Section 8.2 of + [Refb-dis]): + + Dummy Traffic: Sending dummy traffic across a border with + understated ConEx markings to bring down the average ConEx + markings in the aggregate of border traffic. This attack can + be combined with a TTL that expires before the packets reach an + audit function. + + Signal Poisoning with 'Cancelled' Marking: Sending high volumes + of valid packets that are both ConEx-Marked and ECN-marked, + which seems to represent congestion upstream, but it makes + these packets immune to being further ECN-marked downstream. + + + + + + + +Mathis & Briscoe Informational [Page 26] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + It is planned to document all known attacks and their defences + (including all of the above) in the RFC series against a concrete + ConEx protocol specification. In the interim, [Refb-dis] and its + references should be referred to for details and ways to address + these attacks in the case of re-ECN. + +8. References + +8.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + +8.2. Informative References + + [CheapPseud] + Friedman, E. and P. Resnick, "The Social Cost of Cheap + Pseudonyms", Journal of Economics and Management Strategy, + Volume 10, Issue 2, pp. 173-199, + DOI 10.1111/j.1430-9134.2001.00173.x, Summer 2001. + + [CONEX-AUDIT] + Wagner, D. and M. Kuehlewind, "Auditing of Congestion + Exposure (ConEx) signals", Work in Progress, + draft-wagner-conex-audit-01, February 2014. + + [CONEX-DESTOPT] + Krishnan, S., Kuehlewind, M., and C. Ucendo, "IPv6 + Destination Option for Congestion Exposure (ConEx)", Work + in Progress, draft-ietf-conex-destopt-11, October 2015. + + [DCTCP] Alizadeh, M., Greenberg, A., Maltz, D., Padhye, J., Patel, + P., Prabhakar, B., Sengupta, S., and M. Sridharan, "Data + Center TCP (DCTCP)", ACM SIGCOMM Computer Communication + Review, Volume 40, Issue 4, pages 63-74, + DOI 10.1145/1851182.1851192, October 2010, + . + + [Evol_cc] Gibbens, R. and F. Kelly, "Resource pricing and the + evolution of congestion control", Automatica, Volume 35, + Issue 12, pages 1969-1985, + DOI 10.1016/S0005-1098(99)00135-1, December 1999, + . + + + + + +Mathis & Briscoe Informational [Page 27] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + [FairerFaster] + Briscoe, B., "A Fairer, Faster Internet Protocol", IEEE + Spectrum, pages 38-43, DOI 10.1109/MSPEC.2008.4687368, + December 2008, + . + + [ISOLATION-POLICING] + Briscoe, B., "Network Performance Isolation using + Congestion Policing", Work in Progress, + draft-briscoe-conex-policing-01, February 2014. + + [RE-ECN-MOTIVATION] + Briscoe, B., Jacquet, A., Moncaster, T., and A. Smith, + "Re-ECN: A Framework for adding Congestion Accountability + to TCP/IP", Work in Progress, + draft-briscoe-conex-re-ecn-motiv-03, March 2014. + + [RE-ECN-TCP] + Briscoe, B., Jacquet, A., Moncaster, T., and A. Smith, + "Re-ECN: Adding Accountability for Causing Congestion to + TCP/IP", Work in Progress, + draft-briscoe-conex-re-ecn-tcp-04, July 2014. + + [Re-fb] Briscoe, B., Jacquet, A., Di Cairano-Gilfedder, C., + Salvatori, A., Soppera, A., and M. Koyabe, "Policing + Congestion Response in an Internetwork Using Re-Feedback", + ACM SIGCOMM Computer Communication Review, Volume 35, + Issue 4, pages 277--288, DOI 10.1145/1090191.1080124, + August 2005, + . + + [Refb-dis] Briscoe, B., "Re-feedback: Freedom with Accountability for + Causing Congestion in a Connectionless Internetwork", PhD + Dissertation, University College London, May 2009, + . + + [RFC2018] Mathis, M., Mahdavi, J., Floyd, S., and A. Romanow, "TCP + Selective Acknowledgment Options", RFC 2018, + DOI 10.17487/RFC2018, October 1996, + . + + [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition + of Explicit Congestion Notification (ECN) to IP", + RFC 3168, DOI 10.17487/RFC3168, September 2001, + . + + + + + +Mathis & Briscoe Informational [Page 28] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + [RFC3514] Bellovin, S., "The Security Flag in the IPv4 Header", + RFC 3514, DOI 10.17487/RFC3514, April 2003, + . + + [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. + Jacobson, "RTP: A Transport Protocol for Real-Time + Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, + July 2003, . + + [RFC5348] Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP + Friendly Rate Control (TFRC): Protocol Specification", + RFC 5348, DOI 10.17487/RFC5348, September 2008, + . + + [RFC5681] Allman, M., Paxson, V., and E. Blanton, "TCP Congestion + Control", RFC 5681, DOI 10.17487/RFC5681, September 2009, + . + + [RFC6040] Briscoe, B., "Tunnelling of Explicit Congestion + Notification", RFC 6040, DOI 10.17487/RFC6040, November + 2010, . + + [RFC6679] Westerlund, M., Johansson, I., Perkins, C., O'Hanlon, P., + and K. Carlberg, "Explicit Congestion Notification (ECN) + for RTP over UDP", RFC 6679, DOI 10.17487/RFC6679, August + 2012, . + + [RFC6789] Briscoe, B., Ed., Woundy, R., Ed., and A. Cooper, Ed., + "Congestion Exposure (ConEx) Concepts and Use Cases", + RFC 6789, DOI 10.17487/RFC6789, December 2012, + . + + [RFC6817] Shalunov, S., Hazel, G., Iyengar, J., and M. Kuehlewind, + "Low Extra Delay Background Transport (LEDBAT)", RFC 6817, + DOI 10.17487/RFC6817, December 2012, + . + + [RFC7141] Briscoe, B. and J. Manner, "Byte and Packet Congestion + Notification", BCP 41, RFC 7141, DOI 10.17487/RFC7141, + February 2014, . + + [RFC7560] Kuehlewind, M., Ed., Scheffenegger, R., and B. Briscoe, + "Problem Statement and Requirements for Increased Accuracy + in Explicit Congestion Notification (ECN) Feedback", + RFC 7560, DOI 10.17487/RFC7560, August 2015, + . + + + + + +Mathis & Briscoe Informational [Page 29] + +RFC 7713 ConEx Concepts and Abstract Mechanism December 2015 + + + [Salvatori05] + Salvatori, A., "Closed Loop Traffic Policing", Politecnico + Torino and Institut Eurecom Masters Thesis, September + 2005. + + [TCP-MODIFICATION] + Kuehlewind, M. and R. Scheffenegger, "TCP modifications + for Congestion Exposure", Work in Progress, draft-ietf- + conex-tcp-modifications-10, October 2015. + +Acknowledgments + + This document was improved by review comments from Toby Moncaster, + Nandita Dukkipati, Mirja Kuehlewind, Caitlin Bestler, Marcelo Bagnulo + Braun, John Leslie, Ingemar Johansson, and David Wagner. + + Bob Briscoe's work on this specification received part-funding from + the European Union's Seventh Framework Programme FP7/2007-2013 under + the Trilogy 2 project, grant agreement no. 317756. The views + expressed here are solely those of the authors. + +Authors' Addresses + + Matt Mathis + Google, Inc. + 1600 Amphitheater Parkway + Mountain View, California 93117 + United States + + Email: mattmathis@google.com + + + Bob Briscoe + BT (now at Simula Research Laboratory) + + Email: ietf@bobbriscoe.net + URI: http://bobbriscoe.net/ + + + + + + + + + + + + + + +Mathis & Briscoe Informational [Page 30] + -- cgit v1.2.3