Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Bob Briscoe, BT IETF-72 tsvwg.

Slides:



Advertisements
Similar presentations
1 IETF 74, 30 Jul 2009draft-ietf-tsvwg-rsvp-security-groupkeying-05.txt Applicability of Keying Methods for RSVP security draft-ietf-tsvwg-rsvp-security-groupkeying-05.txt.
Advertisements

Philip Eardley, Bob Briscoe, Dave Songhurst - BT Francois Le Faucheur, Anna Charny, Vassilis Liatsos – Cisco Kwok-Ho Chan, Joe Babiarz, Stephen Dudley.
Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-00 Bob Briscoe IETF-80 Mar 2011.
RSVP/Diffserv Yoram Bernet - Microsoft Raj Yavatkar - Intel.
An open ECN service in the IP layer 19 Mar 2001 Bob Briscoe, BT & UCL Jon Crowcroft, UCL M3I - Market Managed Multi-service Internet IST Project No
Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
An Architecture for Differentiated Services
ConEx Concepts and Abstract Mechanism draft-ietf-conex-abstract-mech-07.txt draft-ietf-conex-abstract-mech-07.txt Matt Mathis, Google Bob Briscoe, BT IETF-87.
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-02 Bob Briscoe, BT John Kaippallimalil,
Byte and Packet Congestion Notification draft-ietf-tsvwg-byte-pkt-congest-02.txt draft-ietf-tsvwg-byte-pkt-congest-02.txt Bob Briscoe, BT IETF-78 tsvwg.
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-ietf-tsvwg-ecn-encap-guidelines-01 Bob Briscoe, BT John Kaippallimalil,
Tunnelling of Explicit Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-08.txt draft-briscoe-tsvwg-ecn-tunnel-08.txt Bob Briscoe, BT IETF-77 tsvwg.
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-01 Bob Briscoe IETF-85 Nov 2012.
Quick-Start for TCP and IP draft-ietf-tsvwg-quickstart-02.txt A.Jain, S. Floyd, M. Allman, and P. Sarolahti TSVWG, March 2006 This and earlier presentations::
Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets A. Kuzmanovic, A. Mondal, S. Floyd, and K.K. Ramakrishnan draft-ietf-tcpm-ecnsyn-03.txt.
PCN WG (Pre-Congestion Notification) – a brief status update Philip Eardley, BT TSVAREA, IETF-73 Minneapolis 18 Nov 08
Congestion marking for low delay (& admission control) Bob Briscoe BT Research Mar 2005.
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-01.txt draft-briscoe-tsvwg-byte-pkt-mark-01.txt Bob Briscoe, BT & UCL IETF-70.
Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-00.txt draft-briscoe-tsvwg-byte-pkt-mark-00.txt Bob Briscoe, BT & UCL IETF-69.
Quick-Start for TCP and IP draft-ietf-tsvwg-quickstart-01.txt A.Jain, S. Floyd, M. Allman, and P. Sarolahti TSVWG, November 2005 This and earlier presentations::
Tunnelling of Explicit Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-03.txt draft-briscoe-tsvwg-ecn-tunnel-03.txt Bob Briscoe, BT IETF-75 saag.
Byte and Packet Congestion Notification draft-ietf-tsvwg-byte-pkt-congest-00.txt draft-ietf-tsvwg-byte-pkt-congest-00.txt Bob Briscoe, BT & UCL IETF-73.
Tunnelling of Explicit Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-02.txt draft-briscoe-tsvwg-ecn-tunnel-02.txt Bob Briscoe, BT IETF-74 tsvwg.
Internet Security and Firewall Design Chapter 32.
Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or.
Network Performance Isolation in Data Centres using Congestion Policing draft-briscoe-conex-data-centre-01.txt draft-briscoe-conex-data-centre-01.txt Bob.
Update on the IETF Diffserv Working Group NANOG 13 Detroit, MI June 8, 1998 Kathleen M. Nichols
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-03 Bob Briscoe, BT John Kaippallimalil,
Support for ECN and PCN in MPLS networks draft-davie-ecn-mpls-00.txt Bruce Davie Cisco Systems Bob Briscoe June Tay BT Research.
1 Header Compression over IPsec (HCoIPsec) Emre Ertekin, Christos Christou, Rohan Jasani {
Byte and Packet Congestion Notification draft-briscoe-tsvwg-byte-pkt-mark-02.txt draft-briscoe-tsvwg-byte-pkt-mark-02.txt Bob Briscoe, BT & UCL IETF-71.
The Benefits to Applications of using Explicit Congestion Notification (ECN) draft-welzl-ecn-benefits-00 89th IETF Meeting London, UK 4 March 2014 Michael.
Uni Innsbruck Informatik th IETF, PMTUD WG: Path MTU Discovery Using Options draft-welzl-pmtud-options-01.txt Michael Welzl
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-04 Bob Briscoe, BT John Kaippallimalil,
TSVWG IETF-89 (London) 5 th & 7 th March 2014 Gorry Fairhurst David Black James Polk WG chairs 1.
Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP (draft-ietf-tsvwg-ecn-encap-guidelines-04) Bob Briscoe (Simula Research.
Congestion Notification Process for Real-Time Traffic draft-babiarz-tsvwg-rtecn-04.txt Jozef Babiarz Kwok Ho Chan
K. Salah1 Security Protocols in the Internet IPSec.
Philip Eardley, Bob Briscoe, Dave Songhurst - BT Francois Le Faucheur, Anna Charny, Vassilis Liatsos – Cisco Kwok-Ho Chan, Joe Babiarz, Stephen Dudley.
Fabric: A Retrospective on Evolving SDN Presented by: Tarek Elgamal.
Network Transport Circuit Breakers draft-ietf-tsvwg-circuit-breaker Most recent version -08 (uploaded for this meeting). Editor: Gorry Fairhurst.
Multi-protocol Label Switching (MPLS) RFC 3031 MPLS provides new capabilities: QoS support Traffic engineering VPN Multiprotocol support.
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
recap draft-ietf-tsvwg-ecn-encap-guidelines-07
Ken Grewal Gabriel Montenegro Manav Bhatia
Support for ECN and PCN in MPLS networks
Bob Briscoe, BT IETF-73 pcn Nov 2008
Bob Briscoe Simula Research Laboratory
Encryption and Network Security
IP-NNI Joint Task Force Status Update
DetNet Data Plane Discussion
draft-khademi-tsvwg-ecn-response-00
Encoding 3 PCN-States in the IP header using a single DSCP draft-ietf-pcn-3-in-1-encoding-06.txt Bob Briscoe, BT Toby Moncaster, independent Michael Menth,
IT443 – Network Security Administration Instructor: Bo Sheng
Carrying IPSEC Authentication and ESP Headers Across SCPS-NP Networks
Bob Briscoe, BT IETF-72 tsvwg Jul 2008
Bob Briscoe Simula Research Laboratory
draft-bagnulo-tcpm-generalized-ecn-00 M. Bagnulo & B. Briscoe IETF97
IP-NNI Joint Task Force Status Update
Quick-Start for TCP and IP
Michael Welzl University of Oslo
ECN Experimentation draft-black-ecn-experimentation
Encoding 3 PCN-States in the IP header using a single DSCP draft-ietf-pcn-3-in-1-encoding-06.txt Bob Briscoe, BT Toby Moncaster, independent Michael Menth,
draft-ietf-dtn-bpsec-06
Encoding 3 PCN-States in the IP header using a single DSCP draft-ietf-pcn-3-in-1-encoding-04.txt Bob Briscoe, BT Toby Moncaster, independent Michael Menth,
DetNet Architecture Updates
Presentation transcript:

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Bob Briscoe, BT IETF-72 tsvwg Jul 2008

2 updated draft Layered Encapsulation of Congestion Notification updated draft: draft-briscoe-tsvwg-ecn-tunnel-01.txtdraft-briscoe-tsvwg-ecn-tunnel-01.txt intended status:standards track immediate intent:move to WG item discuss widening scope exec summary –bring ECN IP in IP tunnel ingress [RFC3168] into line with IPsec [RFC4301] all tunnels can behave the same, revealing full congestion info only wire protocol processing, not marking or response algorithms –thorough analysis of implications: security, control, & management guidance on specifying ECN behaviour for new links, alternate PHBs –ideally fix egress too (currently only 'for discussion')

3 one main update to RFC3168 ECN DS ECNECN encapsulation at tunnel ingressdecapsulation at tunnel egress DS ECNECN ECNECN ECNECN ECNECN ECNECN incoming header (also = outgoing inner) outgoing outer RFC3168 ECN limited functionality RFC3168 ECN full functionality RFC4301 IPsec Not-ECT ECT(0)Not-ECT ECT(0) ECT(1)Not-ECT ECT(1) CENot-ECT ECT(0) CE proposalunchanged compatibility state for legacy 'reset' CE no longer used 'copy' CE becomes normal state for all IP in IP ‘I’ E

4 why update ECN RFC3168 now? sequence of standards actions led to perverse position –despite everyone’s best intentions –2001: RFC3168 tunnel ingress specified cautiously due to security concerns –2005: RFC4301 IPsec decided caution wasn't necessary IETF Security Area decided 2-bit ECN covert channel can be managed vestige of security no longer used by IPsec now limits usefulness of non-IPsec tunnels already PCN "excess rate marking" says "doesn't work with 3168 tunnels" anyway, copying of whole ECN field is simpler

5 activity from initial -00 to -01 draft general agreement on list with 'copy on encap' concern on list (a year ago) over a couple of details –exception for in-path load regulators (resolved by removing it) conceptual model from RFC2983 avoids need for exception Appx D: Non-dependence of tunnelling on in-path load regulation –reconstructing precise cross-tunnel congestion metric (resolved) Appx B: suggested precise cross-tunnel measurement technique since replaced with really simple technique [for -02 after IETF-72] that was 1 year ago agreed to go dormant until PCN wire protocol clearer... 1-before2-inner encap 3-outer

6 current egress behaviour OK(ish) works for current ECN propose only one state at egress same behaviour for both ingress states but any changes to ECT lost effectively wastes ½ bit in IP header PCN tried to use ECT codepoints having to waste DSCPs instead incoming inner incoming outer Not-ECTECT(0)ECT(1)CE Not-ECT drop (!!!) ECT(0) CE ECT(1) CE CE (!!!)CE Outgoing header (RFC3168 full & RFC4301) (bold red = proposed for all IP in IP) E (!!!) = illegal transition, E MAY raise an alarm DS ECNECN encapsulation at tunnel ingressdecapsulation at tunnel egress DS ECNECN ECNECN ECNECN ECNECN ECNECN ‘I’ E

7 ideally fix egress too (only 'for discussion') change egress at same time? backwards compatible just previous tunnels wouldn't propagate changes to ECT this is not currently part of proposal but documented in an appendix incoming inner incoming outer Not-ECTECT(0)ECT(1)CE Not-ECT drop (!!!) ECT(0) ECT(1)CE ECT(1) ECT(0)ECT(1)CE CE (!!!)CE Outgoing header (RFC3168 full & RFC4301) (bold red = proposed for all IP in IP) E (!!!) = illegal transition, E MAY raise an alarm DS ECNECN encapsulation at tunnel ingressdecapsulation at tunnel egress DS ECNECN ECNECN ECNECN ECNECN ECNECN ‘I’ E

8 next steps would like to request as WG item PCN w-g needs to know if proposal is likely to happen also implications for PWE3 (if using ECN) will need IPsec to be happy that they aren't affected also to discuss (here or on list): should we change the egress at the same time?

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Q&A

10 backward & forward compatibility egress pro- posed RFC 4301 RFC 3168 RFC 2481 RFC2401 RFC2003 ingress mode*4301fulllim2481lim?- actioncalc B innercalc Ainner I-D.ecn- tunnel proposed normal'copy'BBBn/a compat'zero'innern/a inner '3g IPsec'RFC 'copy'BBBn/a ECNRFC3168 full'reset CE'Bn/aB limited'zero'innern/a inner ECN exptRFC 'copy'?Bn/aB A limited?'zero'innern/a innern/ainner '2g IPsec' IP in IP RFC2401 RFC2003 -'copy'Bn/a innerA broken: loses CE B:calculation B (preserves CE from outer) A:calculation A (for when ECN field was 2 separate bits) inner:forwards inner header, discarding outer n/a:not allowed by configuration

11 30 tunnel contribution to congestion, p t Q. how to measure p t at egress? A. p t = 12 / 70  17% just monitor the 70 packets without the inner header marked 0%30%100% inner header (already ECN marked before ingress) ptpt ECN marking across tunnel 12 The large square represents 100 packets problem: marks some packets marked already

12 physically protected domain A B ‘I’E M crypto protected tunnel XX conflicting design constraints security vs. management & control information security constraint (lesser known IPsec reqm’t) I can prevent covert channel A  M with encryption E an prevent covert channel M  B with integrity checking tunnel ingress control / management constraints marking algorithm at M may depend on prior markings (since A) –e.g. a number of PCN marking proposals work this way M may need to monitor congestion since A –e.g. if M is monitoring an SLA at a border IPsec crypto cannot cover mutable fields (ECN, DS & TTL) if ‘I’ copies ECN CE, it opens up 2-bit covert channel A  M or R  M A B ‘I’EMR

13 physically protected domain conflicting design constraints security vs. congestion control information security constraint (lesser known IPsec reqm’t) I can prevent covert channel A  M with encryption E an prevent covert channel M  B with integrity checking tunnel egress control constraint explicit congestion notification control channel M  B  A IPsec crypto cannot cover mutable fields (ECN, DS & TTL) if E copies ECN CE, it opens up 2-bit covert channel M  B A B ‘I’E M A B EM crypto protected tunnel XX

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.