ConEx Working Group                                          S. Krishnan
Internet-Draft                                                  Ericsson
Intended status: Experimental                              M. Kuehlewind
Expires: May 14, 2015                                         ETH Zurich
                                                                C. Ralli
                                                              Telefonica
                                                       November 10, 2014


                  IPv6 Destination Option for ConEx
                      draft-ietf-conex-destopt-08

Abstract

   ConEx is a mechanism by which senders inform the network about the
   congestion encountered by packets earlier in the same flow.  This
   document specifies an IPv6 destination option that is capable of
   carrying ConEx markings in IPv6 datagrams.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 14, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
   3.  Requirements for the coding of ConEx in IPv6
   4.  ConEx Destination Option (CDO)
   5.  Implementation in the fast path of ConEx-aware routers
   6.  Tunnel Processing
   7.  Compatibility with use of IPsec
   8.  Mitigating flooding attacks by using preferential drop
   9.  Acknowledgements
   10. Security Considerations
   11. IANA Considerations
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   ConEx [I-D.ietf-ConEx-abstract-mech] is a mechanism by which senders
   inform the network about the congestion encountered by packets
   earlier in the same flow.  This document specifies an IPv6
   destination option [RFC2460] that can be used for performing ConEx
   markings in IPv6 datagrams.

   This document specifies the ConEx wire protocol.  The ConEx
   information can be used by any network element on the path to, e.g.,
   do traffic management or egress policing.
   Additionally, this information
   will potentially be used by an audit function that checks the
   integrity of the sender's signaling.  Further, each transport
   protocol that supports ConEx signaling will need to specify
   precisely when the transport sets ConEx markings (e.g. the behavior
   for TCP is specified in [ID.conex-tcp-modifications]).

   This specification is experimental to allow the IETF to assess
   whether the decision to implement the ConEx signal as a destination
   option fulfills the requirements stated in this document, as well as
   to evaluate the proposed encoding of the ConEx signals as described
   in [I-D.ietf-ConEx-abstract-mech].

   The duration of this experiment is expected to be no less than two
   years from publication of this document, as infrastructure needs to
   be set up to determine the outcome of this experiment.  Given that
   ConEx is only chartered for IPv6, it might take longer to find a
   suitable test scenario where only IPv6 traffic is managed using
   ConEx.

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Requirements for the coding of ConEx in IPv6

   A set of requirements for an ideal concrete ConEx wire protocol is
   given in [I-D.ietf-ConEx-abstract-mech].  In the ConEx working group
   it was recognized that it will be difficult to find an encoding in
   IPv6 that satisfies all requirements.  The choice in this document to
   implement the ConEx information in a destination option aims to
   satisfy those requirements that constrain the placement of ConEx
   information:

   R-1: The marking mechanism needs to be visible to all ConEx-capable
   nodes on the path.

   R-2: The mechanism needs to be able to traverse nodes that do not
   understand the markings.
   This is required to ensure that ConEx can
   be incrementally deployed over the Internet.

   R-3: The presence of the marking mechanism should not significantly
   alter the processing of the packet.  This is required to ensure that
   ConEx-marked packets do not face any undue delays or drops due to a
   badly chosen mechanism.

   R-4: The markings should be immutable once set by the sender.  At the
   very least, any tampering should be detectable.

   Based on these requirements, four solutions to implement the ConEx
   information in the IPv6 header have been investigated: hop-by-hop
   options, destination options, using IPv6 header bits (from the flow
   label), and new extension headers.  After evaluating the different
   solutions, the ConEx working group concluded that the use of a
   destination option would best address these requirements.

   Choosing to use a destination option does not necessarily satisfy the
   requirement for on-path visibility, because it can be encapsulated by
   additional IP header(s).  Therefore, ConEx-aware network devices,
   including policy or audit devices, might have to dig into inner IP
   headers to find ConEx information.  This choice was a compromise
   between fast-path performance of ConEx-aware network nodes and
   visibility, as discussed in Section 5.

4.  ConEx Destination Option (CDO)

   The ConEx Destination Option (CDO) is a destination option that can
   be included in IPv6 datagrams that are sent by ConEx-aware senders in
   order to inform ConEx-aware nodes on the path about the congestion
   encountered by packets earlier in the same flow or the expected risk
   of encountering congestion in the future.  The CDO has an alignment
   requirement of (none).
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                   |  Option Type  | Option Length |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |X|L|E|C|       |
   +-+-+-+-+-+-+-+-+

                  Figure 1: ConEx Destination Option Layout

   Option Type

      8-bit identifier of the type of option.  The option identifier
      for the ConEx destination option will be allocated by the IANA.

   Option Length

      8-bit unsigned integer.  The length of the option (excluding
      the Option Type and Option Length fields).  The sender MUST set
      this field to 1, but ConEx-aware nodes MUST accept an option
      length of 1 or more.

   X Bit

      When this bit is set, the transport sender is using ConEx with
      this packet.  If it is not set, the sender is not using ConEx with
      this packet.

   L Bit

      When this bit is set, the transport sender has experienced a loss.

   E Bit

      When this bit is set, the transport sender has experienced
      ECN-signaled congestion.

   C Bit

      When this bit is set, the transport sender is building up
      congestion credit in the audit function.

   Reserved

      These bits are not used in the current specification.  They
      are set to zero by the sender and are ignored by the receiver.

   All packets sent over a ConEx-capable connection MUST carry the CDO.
   The CDO is immutable.  Network devices with ConEx-aware functions
   read the flags, but all network devices MUST forward the CDO
   unaltered.

   The CDO MUST be placed as the first option in the destination options
   header, before the AH and/or ESP (if present).  The IPsec
   Authentication Header (AH) MAY be used to verify that the CDO has not
   been modified.

   If the X bit is zero, the other three bits are undefined and thus
   should be ignored and forwarded unchanged by network nodes.
   The X
   bit set to zero means that the connection is ConEx-capable but this
   packet MUST NOT be counted when determining ConEx information in an
   audit function.  This can be the case if no congestion feedback is
   (currently) available, e.g. in TCP if one endpoint has been receiving
   data but sending nothing but pure ACKs (no user data) for some time.
   This is because pure ACKs do not advance the sequence number, so the
   TCP endpoint receiving them cannot reliably tell whether any have
   been lost due to congestion.  Pure TCP ACKs cannot be ECN-marked
   either [RFC3168].

   If the X bit is set, any of the other three bits (L, E, C) MAY be
   set.  Whenever one of these bits is set, the number of bytes carried
   by this IP packet (including the IP header that directly encapsulates
   the CDO and everything that IP header encapsulates) SHOULD be counted
   to determine congestion or credit information.  In IPv6 the number of
   bytes can easily be calculated by adding 40 (the length of the IPv6
   header in bytes) to the value present in the Payload Length field of
   the IPv6 header.

   A transport sends credits prior to the occurrence of congestion (loss
   or ECN-CE marks), and the amount of credit should cover the
   congestion risk.  Note that the maximum congestion risk is that all
   packets in flight get lost or ECN-marked.

   If the L or E bit is set, a congestion signal in the form of a loss
   or, respectively, an ECN mark was previously experienced by the same
   connection.

   In principle, all three of these bits (L, E, C) MAY be set in the
   same packet.  In this case the packet size MUST be accounted once in
   each of the respective ConEx information counters, i.e. more than
   once in total.

   If a network node extracts the ConEx information from a connection,
   it is expected to hold this information in bytes, e.g.
   comparing the
   total number of bytes sent with the number of bytes sent with ConEx
   congestion marks (L, E) to determine the current whole-path
   congestion level.  For ConEx-aware node processing, the CDO MUST use
   the Payload Length field of the preceding IPv6 header for byte-based
   accounting.  When a ratio is measured and equally sized packets can
   be assumed, counting the number of packets (instead of the number of
   bytes) should deliver the same result.  But a network node must be
   aware that this estimate can be quite wrong if, e.g., differently
   sized packets are sent, and thus it is not reliable.

   A ConEx sender SHOULD set the reserved bits in the CDO to zero.
   Other nodes MUST ignore these bits and ConEx-aware intermediate nodes
   MUST forward them unchanged, whatever their values.  They MAY log the
   presence of a non-zero reserved field.

   It might be possible to implement a proxy for a ConEx sender, as long
   as it is located where receiver feedback is always visible.  A ConEx
   proxy MUST NOT introduce a CDO header into a packet already carrying
   one and it MUST NOT alter the information in any existing CDO header.
   However, it can add a CDO header to any packet without one, taking
   care not to disrupt any integrity or authentication mechanisms.

   The CDO is only applicable to unicast or anycast packets (see
   [I-D.ietf-ConEx-abstract-mech] for the reasoning).  A ConEx sender
   MUST NOT send a packet with the CDO to a multicast address.  ConEx-
   capable network nodes MUST treat a multicast packet with the X flag
   set the same as an equivalent packet without the CDO, but they SHOULD
   forward it unchanged.

   There are no warning or error messages associated with the CDO.

5.  Implementation in the fast path of ConEx-aware routers

   The ConEx information is encoded into a destination option so
   that it does not impact forwarding performance in the non-ConEx-aware
   nodes on the path.
   Since destination options are not usually
   processed by routers, the existence of the CDO does not affect the
   fast-path processing of the datagram on non-ConEx-aware routers,
   i.e. such datagrams are not pushed into the slow path towards the
   control plane for exception processing.

   The ConEx-aware nodes still need to process the CDO without severely
   affecting forwarding.  For this to be possible, the ConEx-aware
   routers need to quickly ascertain the presence of the CDO and process
   the option if it is present.  To perform this efficiently, the CDO
   needs to be placed in a fairly deterministic location.  In order to
   facilitate forwarding on ConEx-aware routers, ConEx-aware senders
   that send IPv6 datagrams with the CDO MUST place the CDO as the first
   destination option in the destination options header.

6.  Tunnel Processing

   As with any destination option, an ingress tunnel endpoint will not
   natively copy the CDO when adding an encapsulating outer IP header.
   In general an ingress tunnel SHOULD NOT copy the CDO to the outer
   header, as this would change the number of bytes that would be
   counted.  However, it MAY copy the CDO to the outer header in order
   to facilitate visibility by subsequent on-path ConEx functions if the
   configuration of the tunnel ingress and the ConEx nodes is
   coordinated.  This trades off the performance of ConEx functions
   against that of tunnel processing.

   An egress tunnel endpoint SHOULD ignore any CDO on decapsulation of
   an outer IP header.  The information in any inner CDO will always be
   considered correct, even if it differs from any outer CDO.
   Therefore, the decapsulator can strip the outer CDO without
   comparison to the inner.  A decapsulator MAY compare the two, and MAY
   log any case where they differ.  However, the packet MUST be
   forwarded irrespective of any such anomaly, given that an outer CDO
   is only a performance optimization.
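   The header walk, placement check and byte accounting described in
   Sections 4 to 7 above, as an added example in Python that is not part
   of the draft or of any ConEx implementation.  It assumes option type
   0x1E (the RFC 4727 experimental destination-option code point, chosen
   only because this draft leaves the type to IANA and 0x1E has act bits
   00 and chg bit 0), builds its own sample packets with placeholder
   addresses and TCP segment contents, and all names (find_cdo, account,
   sample_packet and so on) are the example's own.

```python
"""Added example (not part of the draft): build IPv6 packets carrying the ConEx
Destination Option (CDO), find the CDO through extension headers and
IPv6-in-IPv6 encapsulation, and apply the Section 4 byte accounting."""
import struct
from collections import namedtuple
from ipaddress import IPv6Address

# Assumption: the draft leaves the option type to IANA.  0x1E is the RFC 4727
# experimental code point; its act bits are 00 and chg bit 0, as the draft requires.
CDO_TYPE, IPV6_HDR_LEN = 0x1E, 40
NH_HOPOPTS, NH_TCP, NH_IPV6, NH_ROUTING, NH_FRAG, NH_ESP, NH_AH, NH_DSTOPTS = 0, 6, 41, 43, 44, 50, 51, 60
FLAG_X, FLAG_L, FLAG_E, FLAG_C, RESERVED_MASK = 0x80, 0x40, 0x20, 0x10, 0x0F

# flags: X, L, E, C and reserved bits; depth: IPv6 headers skipped to reach the
# CDO; counted_bytes: 40 + Payload Length of the IPv6 header around the CDO.
CdoResult = namedtuple("CdoResult", "flags depth counted_bytes notes")

def option_is_immutable(opt_type):
    """chg bit (third-highest bit of the type) 0: AH includes the option in its
    ICV rather than zeroing it, which is what lets AH protect the CDO (R-4)."""
    return ((opt_type >> 5) & 1) == 0

def build_dstopts(next_header, flags, cdo_first=True):
    """One 8-octet Destination Options header: CDO (3 octets) plus a PadN(1)."""
    cdo, padn = bytes([CDO_TYPE, 1, flags]), bytes([1, 1, 0])
    return bytes([next_header, 0]) + (cdo + padn if cdo_first else padn + cdo)

def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload

def _scan_options(data, notes):
    """Return the CDO flag byte from a Destination Options area, else None."""
    off, index = 0, 0
    while off < len(data):
        opt_type = data[off]
        if opt_type == 0:                        # Pad1 has no length byte
            off += 1
            continue
        opt_len = data[off + 1]
        if opt_type == CDO_TYPE:
            if index != 0:
                notes.append("CDO is not the first destination option (Section 5)")
            if opt_len < 1:
                return None                      # malformed: no flag byte
            flags = data[off + 2]                # any length >= 1 MUST be accepted
            if flags & RESERVED_MASK:
                notes.append("non-zero reserved bits (forwarded unchanged)")
            return flags
        off, index = off + 2 + opt_len, index + 1
    return None

def find_cdo(pkt, max_depth=4):
    """Walk the header chain, descending into IPv6-in-IPv6, until a CDO is found;
    stop at ESP (nothing behind it is visible) or at the transport header."""
    notes, off, depth = [], 0, 0
    while depth <= max_depth and len(pkt) - off >= IPV6_HDR_LEN:
        first, plen, nh, _, _, dst = struct.unpack_from("!IHBB16s16s", pkt, off)
        if first >> 28 != 6 or dst[0] == 0xFF:   # not IPv6, or multicast: no CDO
            return None
        counted, off = IPV6_HDR_LEN + plen, off + IPV6_HDR_LEN
        while nh in (NH_HOPOPTS, NH_DSTOPTS, NH_ROUTING, NH_FRAG, NH_AH):
            nxt = pkt[off]
            if nh == NH_FRAG:
                ext_len = 8
            elif nh == NH_AH:
                ext_len = (pkt[off + 1] + 2) * 4  # AH length is in 32-bit words
            else:
                ext_len = (pkt[off + 1] + 1) * 8  # options/routing: 8-octet units
            if nh == NH_DSTOPTS:
                flags = _scan_options(pkt[off + 2:off + ext_len], notes)
                if flags is not None:
                    return CdoResult(flags, depth, counted, notes)
            nh, off = nxt, off + ext_len
        if nh != NH_IPV6:
            return None                          # ESP or transport: stop searching
        depth += 1
    return None

def account(packets, counters=None):
    """Section 4 accounting: X=0 packets are not counted at all; a packet with
    several of L, E, C is charged to each of those counters."""
    if counters is None:
        counters = {"total": 0, "L": 0, "E": 0, "C": 0}
    for pkt in packets:
        r = find_cdo(pkt)
        if r is None or not r.flags & FLAG_X:
            continue
        counters["total"] += r.counted_bytes
        for name, bit in (("L", FLAG_L), ("E", FLAG_E), ("C", FLAG_C)):
            if r.flags & bit:
                counters[name] += r.counted_bytes
    return counters

def congestion_level(counters):
    """Whole-path congestion seen here: bytes marked L or E over all ConEx bytes."""
    return (counters["L"] + counters["E"]) / counters["total"] if counters["total"] else 0.0

# Constructed sample traffic; addresses and the TCP segment are placeholders.
SRC, DST, TUN_IN, TUN_OUT = "2001:db8::1", "2001:db8::2", "2001:db8:f::1", "2001:db8:f::2"

def sample_packet(flags, tunnelled=False, cdo_first=True, dst=DST):
    segment = b"\x00" * 20 + b"A" * 100          # placeholder TCP header + 100 bytes
    inner = build_ipv6(SRC, dst, NH_DSTOPTS, build_dstopts(NH_TCP, flags, cdo_first) + segment)
    # A tunnel ingress does not copy the CDO into the outer header (Section 6).
    return build_ipv6(TUN_IN, TUN_OUT, NH_IPV6, inner) if tunnelled else inner
```

   find_cdo returns the flag byte together with the encapsulation depth
   and the 40 + Payload Length figure of the IPv6 header that directly
   carries the option; it stops at ESP because nothing behind it is
   visible, treats a multicast destination as if no CDO were present,
   and records a CDO that is not the first option or that carries
   non-zero reserved bits without rejecting it.  account skips X=0
   packets and charges a packet with several of L, E, C to each counter,
   as Section 4 requires.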
   A network node that assesses ConEx information SHOULD search for
   encapsulated IP headers until a CDO is found.  At any specific
   network location, the maximum necessary depth of search is likely to
   be the same for all packets.

7.  Compatibility with use of IPsec

   If the transport network cannot be trusted, IPsec authentication
   should be used to ensure the integrity of the ConEx information.  If
   an attacker were able to remove the ConEx marks, this could cause an
   audit device to penalize the respective connection, while the sender
   cannot easily detect that ConEx information is missing.

   In IPv6 a Destination Options header can be placed in two possible
   positions in the order of extension headers: either before the
   Routing header or after the Encapsulating Security Payload (ESP)
   header [RFC2460].  As the CDO is placed in the Destination Options
   header before the AH and/or ESP, it is not encrypted in transport
   mode [RFC4301].  Otherwise, if the CDO were placed in the latter
   position and an ESP header were used, the CDO would also be encrypted
   and could not be interpreted by ConEx-aware devices.

   The IPv6 protocol architecture currently does not provide a mechanism
   for new headers to be copied to the outer IP header.  Therefore, if
   IPsec encryption is used in tunnel mode, ConEx information cannot be
   accessed over the extent of the ESP tunnel.

8.  Mitigating flooding attacks by using preferential drop

   This section is aspirational, and not critical to the use of ConEx
   for more general traffic management.  However, once CDO information
   is present, the CDO could optionally also be used in the data
   plane of any IP-aware forwarding node to mitigate flooding attacks.
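   The drop preference this section goes on to define (Table 1: packets
   without a CDO or with X clear are dropped first, then X without L, E
   or C, and X with any of L, E or C last), exercised in an added Python
   example that is not part of the draft.  It works on already-decoded
   CDO flag bytes (None standing for no CDO) and on a constructed
   scenario of one honest source that has seen 100% CE upstream and two
   attacking sources; the names and the simple queue model are the
   example's own.

```python
"""Added example (not part of the draft): the Section 8 drop preference applied
to one queue under overload, using already-decoded CDO flag bytes."""
from collections import namedtuple

FLAG_X, FLAG_L, FLAG_E, FLAG_C = 0x80, 0x40, 0x20, 0x10
Packet = namedtuple("Packet", "src size cdo")   # cdo: CDO flag byte, or None if no CDO

def drop_preference(cdo):
    """Table 1 rank, 1 = drop first.  Compared only among packets of one PHB.
    With X clear the other bits are undefined, so the packet ranks as Not-ConEx."""
    if cdo is None or not cdo & FLAG_X:
        return 1
    if cdo & (FLAG_L | FLAG_E | FLAG_C):
        return 3
    return 2

def drain_overloaded_queue(arrivals, capacity_bytes):
    """Drop from the lowest rank (latest arrival first within a rank) until the
    backlog fits capacity_bytes.  Returns (kept in arrival order, dropped in
    drop order)."""
    kept, dropped = list(arrivals), []
    while sum(p.size for p in kept) > capacity_bytes:
        lowest = min(drop_preference(p.cdo) for p in kept)
        victim = max(i for i, p in enumerate(kept) if drop_preference(p.cdo) == lowest)
        dropped.append(kept.pop(victim))
    return kept, dropped

def bytes_per_source(packets):
    """Forwarded (or dropped) volume per source address."""
    out = {}
    for p in packets:
        out[p.src] = out.get(p.src, 0) + p.size
    return out

def flood_scenario(capacity_bytes=1000, size=100, n=10):
    """Constructed scenario: an honest sender that saw 100% CE upstream marks every
    packet X+E; one attacker understates congestion (X only), another omits the
    CDO.  All three send the same volume into a queue that can forward only
    capacity_bytes of it, with arrivals interleaved."""
    honest = [Packet("honest", size, FLAG_X | FLAG_E) for _ in range(n)]
    liar = [Packet("liar", size, FLAG_X) for _ in range(n)]
    nocdo = [Packet("nocdo", size, None) for _ in range(n)]
    arrivals = [p for trio in zip(honest, liar, nocdo) for p in trio]
    return drain_overloaded_queue(arrivals, capacity_bytes)
```

   With the queue able to forward a third of the offered load, every
   packet without a CDO goes first, then every X-only packet, and the
   honest source's E-marked traffic is forwarded in full; raising the
   capacity to half the load lets some of the understating attacker's
   packets through, but never ahead of the honest source's.  The ingress
   policer that rate-limits honest sources is outside this model.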
   If a router queue experiences very high load so that it has to drop
   arriving packets, it MAY preferentially drop packets within the same
   Diffserv PHB using the preference order given in Table 1 (1 means
   drop first).  Additionally, if a router implements preferential drop
   based on ConEx it SHOULD also support ECN marking.  Preferential
   dropping can be difficult to implement on some hardware, but if
   feasible it would discriminate against attack traffic if done as part
   of the overall policing framework as described in
   [I-D.ietf-ConEx-abstract-mech].  If nowhere else, routers at the
   egress of a network SHOULD implement preferential drop based on ConEx
   markings (stronger than the MAY above).

              +-----------------------+----------------+
              | Packet marking        | Preference     |
              +-----------------------+----------------+
              | Not-ConEx or no CDO   | 1 (drop first) |
              | X (but not L, E or C) | 2              |
              | X and L, E or C       | 3              |
              +-----------------------+----------------+

                 Table 1: Drop preference for ConEx packets

   A flooding attack is inherently about congestion of a resource.  As
   load focuses on a victim, upstream queues grow, requiring honest
   sources to pre-load packets with a higher fraction of ConEx marks.

   If ECN marking is supported by downstream queues, preferential
   dropping provides the most benefits because, if the queue is so
   congested that it drops traffic, it will be CE-marking 100% of any
   forwarded traffic.  Honest sources will therefore be sending 100%
   ConEx E-marked packets (and be subject to rate-limiting at an ingress
   policer).  Senders under malicious control can either do the same as
   honest sources, and be rate-limited at ingress, or they can
   understate congestion and not set the E bit.  If the preferential
   drop ranking is implemented on queues, these queues will preserve E/
   L-marked traffic until last.  So, the traffic from malicious sources
   will all be automatically dropped first.
   Either way, malicious
   sources cannot send more than honest sources.

9.  Acknowledgements

   The authors would like to thank Marcelo Bagnulo, Bob Briscoe, Ingemar
   Johansson, Joel Halpern and John Leslie for the discussions that led
   to this document.

   Special thanks to Bob Briscoe, who contributed text and analysis work
   on preferential dropping.

10.  Security Considerations

   [I-D.ietf-ConEx-abstract-mech] describes the overall audit framework
   for assuring that ConEx markings truly reflect actual path
   congestion.  This section focuses purely on the security of the
   encoding chosen for ConEx markings.

   The chg bit in the CDO option type field is set to zero, meaning that
   the CDO option is immutable.  If IPsec AH is used, a zero chg bit
   causes AH to cover the CDO option so that its end-to-end integrity
   can be verified, as explained in Section 4.

   This document specifies that the Reserved field in the CDO must be
   ignored and forwarded unchanged even if it does not contain all
   zeroes.  The Reserved field is also required to sit outside the
   encrypting security payload (ESP), at least in transport mode (see
   Section 7).  This allows the sender to use the Reserved field as a
   4-bit-per-packet covert channel (4 bits with the Option Length of 1
   required in Section 4; more if a sender uses a longer option, which
   ConEx-aware nodes MUST accept) to send information to an on-path
   node outside the control of IPsec.  However, a covert channel is only
   a concern if it can circumvent IPsec in tunnel mode and, in the
   tunnel mode case, ESP would close the covert channel as outlined in
   Section 7.

11.  IANA Considerations

   This document defines a new IPv6 ConEx destination option for
   carrying ConEx markings.  IANA is requested to assign a new
   destination option type in the Destination Options registry
   maintained at http://www.iana.org/assignments/ipv6-parameters:

      ConEx Destination Option [RFCXXXX]

   The act bits for this option need to be 00.
   The destination IP stack will not usually process the CDO;
   therefore the sender can send a CDO without checking whether the
   receiver will understand it.  The CDO MUST still be forwarded to the
   destination IP stack, because the destination might check the
   integrity of the whole packet, irrespective of whether it understands
   ConEx.

12.  References

12.1.  Normative References

   [I-D.ietf-ConEx-abstract-mech]
              Mathis, M. and B. Briscoe, "Congestion Exposure (ConEx)
              Concepts and Abstract Mechanism", draft-ietf-ConEx-
              abstract-mech (work in progress), July 2011.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC4302]  Kent, S., "IP Authentication Header", RFC 4302, December
              2005.

   [RFC6789]  Briscoe, B., Woundy, R., and A. Cooper, "Congestion
              Exposure (ConEx) Concepts and Use Cases", RFC 6789,
              December 2012.

12.2.  Informative References

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

   [RFC3168]  Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
              of Explicit Congestion Notification (ECN) to IP", RFC
              3168, September 2001.

Authors' Addresses

   Suresh Krishnan
   Ericsson
   8400 Blvd Decarie
   Town of Mount Royal, Quebec
   Canada

   Email: suresh.krishnan@ericsson.com

   Mirja Kuehlewind
   ETH Zurich

   Email: mirja.kuehlewind@tik.ee.ethz.ch

   Carlos Ralli Ucendo
   Telefonica

   Email: ralli@tid.es