Presentation is loading. Please wait.

Presentation is loading. Please wait.

Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Bob Briscoe, BT IETF-72 tsvwg.

Published byViolet Lane Modified over 8 years ago

Similar presentations

Presentation on theme: "Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Bob Briscoe, BT IETF-72 tsvwg."— Presentation transcript:

1 Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Bob Briscoe, BT IETF-72 tsvwg Jul 2008

2 2 updated draft Layered Encapsulation of Congestion Notification updated draft: draft-briscoe-tsvwg-ecn-tunnel-01.txtdraft-briscoe-tsvwg-ecn-tunnel-01.txt intended status:standards track immediate intent:move to WG item discuss widening scope exec summary –bring ECN IP in IP tunnel ingress [RFC3168] into line with IPsec [RFC4301] all tunnels can behave the same, revealing full congestion info only wire protocol processing, not marking or response algorithms –thorough analysis of implications: security, control, & management guidance on specifying ECN behaviour for new links, alternate PHBs –ideally fix egress too (currently only 'for discussion')

3 3 one main update to RFC3168 ECN DS ECNECN encapsulation at tunnel ingressdecapsulation at tunnel egress DS ECNECN ECNECN ECNECN ECNECN ECNECN incoming header (also = outgoing inner) outgoing outer RFC3168 ECN limited functionality RFC3168 ECN full functionality RFC4301 IPsec Not-ECT ECT(0)Not-ECT ECT(0) ECT(1)Not-ECT ECT(1) CENot-ECT ECT(0) CE proposalunchanged compatibility state for legacy 'reset' CE no longer used 'copy' CE becomes normal state for all IP in IP ‘I’ E

4 4 why update ECN RFC3168 now? sequence of standards actions led to perverse position –despite everyone’s best intentions –2001: RFC3168 tunnel ingress specified cautiously due to security concerns –2005: RFC4301 IPsec decided caution wasn't necessary IETF Security Area decided 2-bit ECN covert channel can be managed vestige of security no longer used by IPsec now limits usefulness of non-IPsec tunnels already PCN "excess rate marking" says "doesn't work with 3168 tunnels" anyway, copying of whole ECN field is simpler

5 5 activity from initial -00 to -01 draft general agreement on list with 'copy on encap' concern on list (a year ago) over a couple of details –exception for in-path load regulators (resolved by removing it) conceptual model from RFC2983 avoids need for exception Appx D: Non-dependence of tunnelling on in-path load regulation –reconstructing precise cross-tunnel congestion metric (resolved) Appx B: suggested precise cross-tunnel measurement technique since replaced with really simple technique [for -02 after IETF-72] that was 1 year ago agreed to go dormant until PCN wire protocol clearer... 1-before2-inner encap 3-outer

6 6 current egress behaviour OK(ish) works for current ECN propose only one state at egress same behaviour for both ingress states but any changes to ECT lost effectively wastes ½ bit in IP header PCN tried to use ECT codepoints having to waste DSCPs instead incoming inner incoming outer Not-ECTECT(0)ECT(1)CE Not-ECT drop (!!!) ECT(0) CE ECT(1) CE CE (!!!)CE Outgoing header (RFC3168 full & RFC4301) (bold red = proposed for all IP in IP) E (!!!) = illegal transition, E MAY raise an alarm DS ECNECN encapsulation at tunnel ingressdecapsulation at tunnel egress DS ECNECN ECNECN ECNECN ECNECN ECNECN ‘I’ E

7 7 ideally fix egress too (only 'for discussion') change egress at same time? backwards compatible just previous tunnels wouldn't propagate changes to ECT this is not currently part of proposal but documented in an appendix incoming inner incoming outer Not-ECTECT(0)ECT(1)CE Not-ECT drop (!!!) ECT(0) ECT(1)CE ECT(1) ECT(0)ECT(1)CE CE (!!!)CE Outgoing header (RFC3168 full & RFC4301) (bold red = proposed for all IP in IP) E (!!!) = illegal transition, E MAY raise an alarm DS ECNECN encapsulation at tunnel ingressdecapsulation at tunnel egress DS ECNECN ECNECN ECNECN ECNECN ECNECN ‘I’ E

8 8 next steps would like to request as WG item PCN w-g needs to know if proposal is likely to happen also implications for PWE3 (if using ECN) will need IPsec to be happy that they aren't affected also to discuss (here or on list): should we change the egress at the same time?

9 Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Q&A

10 10 backward & forward compatibility egress pro- posed RFC 4301 RFC 3168 RFC 2481 RFC2401 RFC2003 ingress mode*4301fulllim2481lim?- actioncalc B innercalc Ainner I-D.ecn- tunnel proposed normal'copy'BBBn/a compat'zero'innern/a inner '3g IPsec'RFC4301 4301'copy'BBBn/a ECNRFC3168 full'reset CE'Bn/aB limited'zero'innern/a inner ECN exptRFC2481 2481'copy'?Bn/aB A limited?'zero'innern/a innern/ainner '2g IPsec' IP in IP RFC2401 RFC2003 -'copy'Bn/a innerA broken: loses CE B:calculation B (preserves CE from outer) A:calculation A (for when ECN field was 2 separate bits) inner:forwards inner header, discarding outer n/a:not allowed by configuration

11 11 30 tunnel contribution to congestion, p t Q. how to measure p t at egress? A. p t = 12 / 70  17% just monitor the 70 packets without the inner header marked 0%30%100% inner header (already ECN marked before ingress) ptpt ECN marking across tunnel 12 The large square represents 100 packets problem: marks some packets marked already

12 12 physically protected domain A B ‘I’E M crypto protected tunnel XX conflicting design constraints security vs. management & control information security constraint (lesser known IPsec reqm’t) I can prevent covert channel A  M with encryption E an prevent covert channel M  B with integrity checking tunnel ingress control / management constraints marking algorithm at M may depend on prior markings (since A) –e.g. a number of PCN marking proposals work this way M may need to monitor congestion since A –e.g. if M is monitoring an SLA at a border IPsec crypto cannot cover mutable fields (ECN, DS & TTL) if ‘I’ copies ECN CE, it opens up 2-bit covert channel A  M or R  M A B ‘I’EMR

13 13 physically protected domain conflicting design constraints security vs. congestion control information security constraint (lesser known IPsec reqm’t) I can prevent covert channel A  M with encryption E an prevent covert channel M  B with integrity checking tunnel egress control constraint explicit congestion notification control channel M  B  A IPsec crypto cannot cover mutable fields (ECN, DS & TTL) if E copies ECN CE, it opens up 2-bit covert channel M  B A B ‘I’E M A B EM crypto protected tunnel XX

Download ppt "Layered Encapsulation of Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-01.txt draft-briscoe-tsvwg-ecn-tunnel-01.txt Bob Briscoe, BT IETF-72 tsvwg."

Similar presentations

1 IETF 74, 30 Jul 2009draft-ietf-tsvwg-rsvp-security-groupkeying-05.txt Applicability of Keying Methods for RSVP security draft-ietf-tsvwg-rsvp-security-groupkeying-05.txt.

1 IETF 74, 30 Jul 2009draft-ietf-tsvwg-rsvp-security-groupkeying-05.txt Applicability of Keying Methods for RSVP security draft-ietf-tsvwg-rsvp-security-groupkeying-05.txt.
Philip Eardley, Bob Briscoe, Dave Songhurst - BT Francois Le Faucheur, Anna Charny, Vassilis Liatsos – Cisco Kwok-Ho Chan, Joe Babiarz, Stephen Dudley.

Philip Eardley, Bob Briscoe, Dave Songhurst - BT Francois Le Faucheur, Anna Charny, Vassilis Liatsos – Cisco Kwok-Ho Chan, Joe Babiarz, Stephen Dudley.
Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-00 Bob Briscoe IETF-80 Mar 2011.

Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-00 Bob Briscoe IETF-80 Mar 2011.
RSVP/Diffserv Yoram Bernet - Microsoft Raj Yavatkar - Intel.

RSVP/Diffserv Yoram Bernet - Microsoft Raj Yavatkar - Intel.
An open ECN service in the IP layer 19 Mar 2001 Bob Briscoe, BT & UCL Jon Crowcroft, UCL M3I - Market Managed Multi-service Internet IST Project No 11429.

An open ECN service in the IP layer 19 Mar 2001 Bob Briscoe, BT & UCL Jon Crowcroft, UCL M3I - Market Managed Multi-service Internet IST Project No
Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.

Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.

IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
An Architecture for Differentiated Services

An Architecture for Differentiated Services
ConEx Concepts and Abstract Mechanism draft-ietf-conex-abstract-mech-07.txt draft-ietf-conex-abstract-mech-07.txt Matt Mathis, Google Bob Briscoe, BT IETF-87.

ConEx Concepts and Abstract Mechanism draft-ietf-conex-abstract-mech-07.txt draft-ietf-conex-abstract-mech-07.txt Matt Mathis, Google Bob Briscoe, BT IETF-87.
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-02 Bob Briscoe, BT John Kaippallimalil,

1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-02 Bob Briscoe, BT John Kaippallimalil,
Byte and Packet Congestion Notification draft-ietf-tsvwg-byte-pkt-congest-02.txt draft-ietf-tsvwg-byte-pkt-congest-02.txt Bob Briscoe, BT IETF-78 tsvwg.

Byte and Packet Congestion Notification draft-ietf-tsvwg-byte-pkt-congest-02.txt draft-ietf-tsvwg-byte-pkt-congest-02.txt Bob Briscoe, BT IETF-78 tsvwg.
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-ietf-tsvwg-ecn-encap-guidelines-01 Bob Briscoe, BT John Kaippallimalil,

1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-ietf-tsvwg-ecn-encap-guidelines-01 Bob Briscoe, BT John Kaippallimalil,
Tunnelling of Explicit Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-08.txt draft-briscoe-tsvwg-ecn-tunnel-08.txt Bob Briscoe, BT IETF-77 tsvwg.

Tunnelling of Explicit Congestion Notification draft-briscoe-tsvwg-ecn-tunnel-08.txt draft-briscoe-tsvwg-ecn-tunnel-08.txt Bob Briscoe, BT IETF-77 tsvwg.
1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-01 Bob Briscoe IETF-85 Nov 2012.

1 Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP draft-briscoe-tsvwg-ecn-encap-guidelines-01 Bob Briscoe IETF-85 Nov 2012.
Quick-Start for TCP and IP draft-ietf-tsvwg-quickstart-02.txt A.Jain, S. Floyd, M. Allman, and P. Sarolahti TSVWG, March 2006 This and earlier presentations::

Quick-Start for TCP and IP draft-ietf-tsvwg-quickstart-02.txt A.Jain, S. Floyd, M. Allman, and P. Sarolahti TSVWG, March 2006 This and earlier presentations::
Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets A. Kuzmanovic, A. Mondal, S. Floyd, and K.K. Ramakrishnan draft-ietf-tcpm-ecnsyn-03.txt.

Adding Explicit Congestion Notification (ECN) Capability to TCP's SYN/ACK Packets A. Kuzmanovic, A. Mondal, S. Floyd, and K.K. Ramakrishnan draft-ietf-tcpm-ecnsyn-03.txt.
PCN WG (Pre-Congestion Notification) – a brief status update Philip Eardley, BT TSVAREA, IETF-73 Minneapolis 18 Nov 08

PCN WG (Pre-Congestion Notification) – a brief status update Philip Eardley, BT TSVAREA, IETF-73 Minneapolis 18 Nov 08
Congestion marking for low delay (& admission control) Bob Briscoe BT Research Mar 2005.

Congestion marking for low delay (& admission control) Bob Briscoe BT Research Mar 2005.

Similar presentations

Ads by Google