ConEx Working Group                                          S. Krishnan
Internet-Draft                                                  Ericsson
Intended status: Experimental                              M. Kuehlewind
Expires: April 21, 2016                                       ETH Zurich
                                                                C. Ralli
                                                              Telefonica
                                                        October 19, 2015

        IPv6 Destination Option for Congestion Exposure (ConEx)
                       draft-ietf-conex-destopt-10

Abstract

Congestion Exposure (ConEx) is a mechanism by which senders inform the network about the congestion encountered by packets earlier in the same flow. This document specifies an IPv6 destination option that is capable of carrying ConEx markings in IPv6 datagrams.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 21, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
   3.  Requirements for the coding of ConEx in IPv6
   4.  ConEx Destination Option (CDO)
   5.  Implementation in the fast path of ConEx-aware routers
   6.  Tunnel Processing
   7.  Compatibility with use of IPsec
   8.  Mitigating flooding attacks by using preferential drop
   9.  Acknowledgements
   10. Security Considerations
   11. IANA Considerations
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Authors' Addresses

1. Introduction

Congestion Exposure (ConEx) [I-D.ietf-conex-abstract-mech] is a mechanism by which senders inform the network about the congestion encountered by packets earlier in the same flow. This document specifies an IPv6 destination option [RFC2460] that can be used for performing ConEx markings in IPv6 datagrams.

This document specifies the ConEx wire protocol in IPv6. The ConEx information can be used by any network element on the path to, e.g., do traffic management or egress policing. Additionally, this information will potentially be used by an audit function that checks the integrity of the sender's signaling. Further, each transport protocol that supports ConEx signaling will need to specify precisely when the transport sets ConEx markings (e.g., the behavior for TCP is specified in [I-D.ietf-conex-tcp-modifications]).

This document specifies ConEx for IPv6 only.
Due to space limitations in the IPv4 header and the risk of options being stripped by middleboxes in IPv4, the primary goal of the working group was to specify ConEx in IPv6 for experimentation.

This specification is experimental to allow the IETF to assess whether the decision to implement the ConEx signal as a destination option fulfills the requirements stated in this document, as well as to evaluate the proposed encoding of the ConEx signals as described in [I-D.ietf-conex-abstract-mech].

The duration of this experiment is expected to be no less than two years from publication of this document, as infrastructure needs to be set up to determine the outcome of this experiment. Experimenting with ConEx requires IPv6 traffic. Even though the amount of IPv6 traffic is growing, the traffic mix carried over IPv6 is still very different from that over IPv4. Therefore, it might take longer to find a suitable test scenario where only IPv6 traffic is managed using ConEx.

2. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3. Requirements for the coding of ConEx in IPv6

A set of requirements for an ideal concrete ConEx wire protocol is given in [I-D.ietf-conex-abstract-mech]. In the ConEx working group it was recognized that it will be difficult to find an encoding in IPv6 that satisfies all requirements. The choice in this document to implement the ConEx information in a destination option aims to satisfy those requirements that constrain the placement of ConEx information:

R-1: The marking mechanism needs to be visible to all ConEx-capable nodes on the path.

R-2: The mechanism needs to be able to traverse nodes that do not understand the markings.
This is required to ensure that ConEx can be incrementally deployed over the Internet.

R-3: The presence of the marking mechanism should not significantly alter the processing of the packet. This is required to ensure that ConEx marked packets do not face any undue delays or drops due to a badly chosen mechanism.

R-4: The markings should be immutable once set by the sender. At the very least, any tampering should be detectable.

Based on these requirements, four solutions to implement the ConEx information in the IPv6 header have been investigated: hop-by-hop options, destination options, using IPv6 header bits (from the flow label), and new extension headers. After evaluating the different solutions, the ConEx working group concluded that the use of a destination option would best address these requirements.

Choosing to use a destination option does not necessarily satisfy the requirement for on-path visibility, because it can be encapsulated by additional IP header(s). Therefore, ConEx-aware network devices, including policy or audit devices, might have to follow the chain of (extension) headers into inner IP headers to find ConEx information. This choice was a compromise between fast-path performance of ConEx-aware network nodes and visibility, as discussed in Section 5.

Please note that the IPv6 specification [RFC2460] does not require or expect intermediate nodes to inspect destination options such as the CDO. This implies that ConEx-aware intermediate nodes following this specification need updated extension header processing code to be able to read the destination options.

4. ConEx Destination Option (CDO)

The ConEx Destination Option (CDO) is a destination option that can be included in IPv6 datagrams that are sent by ConEx-aware senders in order to inform ConEx-aware nodes on the path about the congestion encountered by packets earlier in the same flow or the expected risk of encountering congestion in the future. The CDO has an alignment requirement of (none).

                     0                   1                   2
                     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                    |  Option Type  | Option Length |X|L|E|C|  res  |
                    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                  Figure 1: ConEx Destination Option Layout

Option Type

   8-bit identifier of the type of option. Set to the value 30 (0x1E) allocated for experimental work.

Option Length

   8-bit unsigned integer. The length of the option in octets (excluding the Option Type and Option Length fields). Set to the value 1.

X Bit

   When this bit is set, the transport sender is using ConEx with this packet. If it is not set, the sender is not using ConEx with this packet.

L Bit

   When this bit is set, the transport sender has experienced a loss.

E Bit

   When this bit is set, the transport sender has experienced congestion signaled using Explicit Congestion Notification (ECN) [RFC3168].

C Bit

   When this bit is set, the transport sender is building up congestion credit in the audit function.

Reserved (res)

   These four bits are not used in the current specification. They are set to zero on the sender and are ignored on the receiver.

Option Layout

All packets sent over a ConEx-capable TCP connection or belonging to the same ConEx-capable flow MUST carry the CDO. The chg bit (the third-highest-order bit) in the CDO Option Type field is set to zero, meaning that the CDO option is immutable.
Network devices with ConEx-aware functions read the flags, but all network devices MUST forward the CDO unaltered.

The CDO SHOULD be placed as the first option in the destination options header before the AH and/or ESP (if present). The IPsec Authentication Header (AH) MAY be used to verify that the CDO has not been modified.

If the X bit is zero, all other three bits are undefined and thus MUST be ignored and forwarded unchanged by network nodes. The X bit set to zero means that the connection is ConEx-capable but this packet MUST NOT be counted when determining ConEx information in an audit function. This can be the case if no congestion feedback is (currently) available, e.g., in TCP if one endpoint has been receiving data but sending nothing but pure ACKs (no user data) for some time. This is because pure ACKs do not advance the sequence number, so the TCP endpoint receiving them cannot reliably tell whether any have been lost due to congestion. Pure TCP ACKs cannot be ECN-marked either [RFC3168].

If the X bit is set, any of the other three bits (L, E, C) might be set. Whenever one of these bits is set, the number of bytes carried by this IP packet (including the IP header that directly encapsulates the CDO and everything that IP header encapsulates) SHOULD be counted to determine congestion or credit information. In IPv6 the number of bytes can easily be calculated by adding the number 40 (length of the IPv6 header in bytes) to the value present in the Payload Length field in the IPv6 header.

A transport sends credits prior to the occurrence of congestion (loss or ECN-CE marks) and the amount of credits should cover the congestion risk. This is further specified in [I-D.ietf-conex-abstract-mech] and described in detail for the case of TCP in [I-D.ietf-conex-tcp-modifications].
Note that the maximum congestion risk is that all packets in flight get lost or ECN marked.

If the L or E bit is set, a congestion signal in the form of a loss or, respectively, an ECN mark was previously experienced by the same connection.

In principle all three of these bits (L, E, C) might be set in the same packet. In this case the packet size MUST be counted more than once, once for each respective ConEx information counter.

If a network node extracts the ConEx information from a connection, it is expected to hold this information in bytes, e.g., comparing the total number of bytes sent with the number of bytes sent with ConEx congestion marks (L, E) to determine the current whole-path congestion level. Therefore a ConEx-aware node that processes the CDO MUST use the Payload Length field of the preceding IPv6 header for byte-based counting. When a ratio is measured and equally sized packets can be assumed, counting the number of packets (instead of the number of bytes) should deliver the same result. But an audit function must be aware that this estimation can be quite wrong if, e.g., differently sized packets are sent, and thus it is not reliable.

All remaining bits in the CDO are reserved for future use (which are currently the last four bits of the eight-bit option space). A ConEx sender SHOULD set the reserved bits in the CDO to zero. Other nodes MUST ignore these bits and ConEx-aware intermediate nodes MUST forward them unchanged, whatever their values. They MAY log the presence of a non-zero reserved field.

The CDO is only applicable on unicast or anycast packets (see the note in [I-D.ietf-conex-abstract-mech] regarding item J on multicast at the end of section 3.3 for reasoning). A ConEx sender MUST NOT send a packet with the CDO to a multicast address.
ConEx-capable network nodes MUST treat a multicast packet with the X flag set the same as an equivalent packet without the CDO, and they SHOULD forward it unchanged.

As stated in [I-D.ietf-conex-abstract-mech] (see section 3.3 item N on network layer requirements), protocol specs should describe any warning or error messages relevant to the encoding. There are no warnings or error messages associated with the CDO.

5. Implementation in the fast path of ConEx-aware routers

The ConEx information is encoded into a destination option so that it does not impact forwarding performance in the non-ConEx-aware nodes on the path. Since destination options are not usually processed by routers, the existence of the CDO does not affect the fast path processing of the datagram on non-ConEx-aware routers, i.e., they are not pushed into the slow path towards the control plane for exception processing.

ConEx-aware nodes still need to process the CDO without severely affecting forwarding. For this to be possible, the ConEx-aware routers need to quickly ascertain the presence of the CDO and process the option if it is present. To efficiently perform this, the CDO needs to be placed in a fairly deterministic location. In order to facilitate forwarding on ConEx-aware routers, ConEx-aware senders that send IPv6 datagrams with the CDO SHOULD place the CDO as the first destination option in the destination options header.

6. Tunnel Processing

As with any destination option, an ingress tunnel endpoint will not normally copy the CDO when adding an encapsulating outer IP header. In general an ingress tunnel SHOULD NOT copy the CDO to the outer header as this would change the number of bytes that would be counted.
However, it MAY copy the CDO to the outer header in order to facilitate visibility by subsequent on-path ConEx functions if the configuration of the tunnel ingress and the ConEx nodes is coordinated. This trades off the performance of ConEx functions against that of tunnel processing.

An egress tunnel endpoint SHOULD ignore any CDO in the outer header on decapsulation of an outer IP header. The information in any inner CDO will always be considered correct, even if it differs from any outer CDO. Therefore, the decapsulator can strip the outer CDO without comparison to the inner. A decapsulator MAY compare the two, and MAY log any case where they differ. However, the packet MUST be forwarded irrespective of any such anomaly, given an outer CDO is only a performance optimization.

A network node that assesses ConEx information SHOULD search for encapsulated IP headers until a CDO is found. At any specific network location, the maximum necessary depth of search is likely to be the same for all packets between a given set of tunnel endpoints.

7. Compatibility with use of IPsec

If the transport network cannot be trusted, the IPsec Authentication Header (AH) [RFC4302] should be used to ensure integrity of the ConEx information. If an attacker were able to remove the ConEx marks, this could cause an audit device to penalize the respective connection, while the sender cannot easily detect that ConEx information is missing. Similarly, if confidentiality of the transmitted information is desired, the IPsec Encapsulating Security Payload (ESP) [RFC4303] should be used.

Inside an IPv6 packet, a Destination Options header can be placed in two possible positions, either before the Routing header or after the ESP/AH headers, as described in Section 4.1 of [RFC2460].
When the CDO is placed in the destination options header before the AH and/or ESP, it is not encrypted in transport mode [RFC4301]. Otherwise, if the CDO were placed in the latter position and an ESP header were used with encryption, the CDO could not be viewed and interpreted by ConEx-aware intermediate nodes, effectively rendering it useless.

The IPv6 protocol architecture currently does not provide a mechanism for new headers to be copied to the outer IP header. Therefore, if IPsec encryption is used in tunnel mode, ConEx information cannot be accessed over the extent of the ESP tunnel.

Also, the destination IP stack will not usually process the CDO; therefore the sender can send a CDO without checking if the receiver will understand it. The CDO MUST still be forwarded to the destination IP stack, because the destination might check the integrity of the whole packet, irrespective of whether it understands ConEx.

8. Mitigating flooding attacks by using preferential drop

This section is aspirational, and not critical to the use of ConEx for more general traffic management. However, once CDO information is present, the CDO header could optionally also be used in the data plane of any IP-aware forwarding node to mitigate flooding attacks.

Please note that ConEx is an experimental protocol and that any kind of mechanism that reacts on information provided by the ConEx protocol needs to be evaluated in experimentation as well. This is also true, or especially true, for the preferential drop mechanism described below.

Preferentially dropping packets that are not ConEx-capable or do not carry a ConEx mark can be beneficial to mitigate flooding attacks, as ConEx-marked packets can be assumed to be already restricted by a ConEx ingress policer, as further described in [I-D.ietf-conex-abstract-mech].
Therefore the following ConEx-based preferential dropping scheme is proposed:

If a router queue experiences very high load so that it has to drop arriving packets, it MAY preferentially drop packets within the same DiffServ PHB using the preference order given in Table 1 (1 means drop first). Additionally, if a router implements preferential drop based on ConEx it SHOULD also support ECN-marking. Even though preferential dropping can be difficult to implement on some hardware, if nowhere else, routers at the egress of a network SHOULD implement preferential drop based on ConEx markings (stronger than the MAY above).

   +----------------------+----------------+
   |                      |   Preference   |
   +----------------------+----------------+
   | Not-ConEx or no CDO  | 1 (drop first) |
   | X (but not L,E or C) |       2        |
   | X and L,E or C       |       3        |
   +----------------------+----------------+

        Table 1: Drop preference for ConEx packets

A flooding attack is inherently about congestion of a resource. As load focuses on a victim, upstream queues grow, requiring honest sources to pre-load packets with a higher fraction of ConEx marks.

If ECN marking is supported by downstream queues, preferential dropping provides the most benefits because, if the queue is so congested that it drops traffic, it will be CE-marking 100% of any forwarded traffic. Honest sources will therefore be sending 100% ConEx E-marked packets (and be subject to rate-limiting at an ingress policer).

Senders under malicious control can either do the same as honest sources, and be rate-limited at ingress, or they can understate congestion and not set the E bit.

If the preferential drop ranking is implemented on queues, these queues will preserve E/L-marked traffic until last. So, the traffic from malicious sources will all be automatically dropped first.
Either way, malicious sources cannot send more than honest sources. Therefore ConEx-based preferential dropping as described above discriminates against attack traffic if done as part of the overall policing framework as described in [I-D.ietf-conex-abstract-mech].

9. Acknowledgements

The authors would like to thank Marcelo Bagnulo, Bob Briscoe, Ingemar Johansson, Joel Halpern, John Leslie, Martin Stiemerling, Robert Sparks, Ron Bonica, Brian Haberman, Kathleen Moriarty, Bob Hinden, Ole Troan and Brian Carpenter for the discussions that made this document better.

Special thanks to Bob Briscoe who contributed text and analysis work on preferential dropping.

10. Security Considerations

[I-D.ietf-conex-abstract-mech] describes the overall audit framework for assuring that ConEx markings truly reflect actual path congestion. This section focuses purely on the security of the encoding chosen for ConEx markings.

The CDO Option Type is defined with a chg bit set to zero as described in Section 4. If IPsec AH is used, a zero chg bit causes AH to cover the CDO option so that its end-to-end integrity can be verified, as explained in Section 4.

This document specifies that the Reserved field in the CDO must be ignored and forwarded unchanged even if it does not contain all zeroes. The Reserved field is also required to sit outside the Encapsulating Security Payload (ESP), at least in transport mode (see Section 7). This allows the sender to use the Reserved field as a 4-bit-per-packet covert channel to send information to an on-path node outside the control of IPsec. However, a covert channel is only a concern if it can circumvent IPsec in tunnel mode and, in the tunnel mode case, ESP would close the covert channel as outlined in Section 7.
This document does not define how audit mechanisms work in protocols that use this option and how those protocols can protect themselves from likely attacks. This option MUST only be used alongside protocols that define the audit mechanisms and the means for protecting against likely attacks on such mechanisms.

11. IANA Considerations

The IPv6 ConEx destination option is used for carrying ConEx markings. This document uses the experimental option type 0x1E with the act bits set to 00 and the chg bit set to 0 for realizing this option. No further allocation action is required from IANA at this time.

12. References

12.1. Normative References

[I-D.ietf-conex-abstract-mech]
           Mathis, M. and B. Briscoe, "Congestion Exposure (ConEx) Concepts, Abstract Mechanism and Requirements", draft-ietf-conex-abstract-mech-13 (work in progress), October 2014.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

[RFC3168]  Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, September 2001.

[RFC4301]  Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.

[RFC4302]  Kent, S., "IP Authentication Header", RFC 4302, December 2005.

[RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005.

12.2. Informative References

[I-D.ietf-conex-tcp-modifications]
           Kuehlewind, M. and R. Scheffenegger, "TCP modifications for Congestion Exposure", draft-ietf-conex-tcp-modifications-08 (work in progress), April 2015.
Authors' Addresses

Suresh Krishnan
Ericsson
8400 Blvd Decarie
Town of Mount Royal, Quebec
Canada

Email: suresh.krishnan@ericsson.com

Mirja Kuehlewind
ETH Zurich

Email: mirja.kuehlewind@tik.ee.ethz.ch

Carlos Ralli Ucendo
Telefonica

Email: ralli@tid.es
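As an added worked example (not code from this draft or from any ConEx implementation), the following Python encodes the CDO of Section 4, locates it by walking the extension-header chain and descending into IPv6-in-IPv6 encapsulation as Section 6 requires (stopping at ESP, per Section 7), applies the Section 4 byte-counting rules, and ranks packets by the Table 1 drop preference of Section 8. The packet contents, the all-zero addresses and every function name are constructed for this illustration.

```python
import struct

CDO_TYPE = 0x1E        # experimental Option Type used by the CDO (Section 4)
NH_DEST_OPTS = 60      # IPv6 Destination Options header
NH_IPV6 = 41           # IPv6-in-IPv6 encapsulation (tunnel case of Section 6)
NH_ESP = 50            # ESP: anything behind it is opaque to on-path nodes
X, L, E, C = 0x80, 0x40, 0x20, 0x10   # flag bits of the CDO flag octet

def cdo_bytes(x, l=False, e=False, c=False):
    """Encode the 3-octet CDO: Option Type, Option Length = 1, flags (res = 0)."""
    flags = (X if x else 0) | (L if l else 0) | (E if e else 0) | (C if c else 0)
    return bytes([CDO_TYPE, 1, flags])

def ipv6_packet(payload, next_header, cdo=None):
    """Constructed IPv6 packet (all-zero addresses). A CDO, if given, becomes the
    first option of a Destination Options header padded with PadN(1) to 8 octets."""
    ext = b""
    if cdo is not None:
        ext = bytes([next_header, 0]) + cdo + bytes([1, 1, 0])  # Hdr Ext Len = 0
        next_header = NH_DEST_OPTS
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), next_header, 64)
    return fixed + bytes(32) + ext + payload

def find_cdo(pkt, depth=0, max_depth=2):
    """Return (flag_octet, counted_bytes) for the first CDO, or None. Walks the
    extension chain, descends into IPv6-in-IPv6 up to max_depth (Section 6), stops
    at ESP or a transport header (Section 7). counted_bytes = 40 + Payload Length
    of the IPv6 header that directly encapsulates the CDO (Section 4)."""
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    nh, off = pkt[6], 40
    while off < len(pkt):
        if nh == NH_DEST_OPTS:
            hlen = (pkt[off + 1] + 1) * 8
            pos, end = off + 2, off + hlen
            while pos < end:
                if pkt[pos] == 0:                    # Pad1 has no length octet
                    pos += 1
                    continue
                otype, olen = pkt[pos], pkt[pos + 1]
                if otype == CDO_TYPE and olen == 1:
                    return pkt[pos + 2], 40 + payload_len
                pos += 2 + olen
            nh, off = pkt[off], off + hlen
        elif nh == NH_IPV6 and depth < max_depth:
            return find_cdo(pkt[off:], depth + 1, max_depth)
        else:
            return None                              # ESP, transport, or too deep
    return None

def audit_count(counts, found):
    """Section 4 byte counting: no CDO or X clear -> not counted; a packet with
    several of L, E, C set is counted once per counter (keys total, L, E, C)."""
    if found is None or not found[0] & X:
        return counts
    flags, nbytes = found
    counts["total"] += nbytes
    for name, bit in (("L", L), ("E", E), ("C", C)):
        if flags & bit:
            counts[name] += nbytes
    return counts

def drop_preference(found):
    """Table 1 rank: 1 = drop first (no CDO or X clear), 2 = X only, 3 = X+L/E/C."""
    if found is None or not found[0] & X:
        return 1
    return 3 if found[0] & (L | E | C) else 2

if __name__ == "__main__":
    data = b"eight ok"                                # constructed 8-byte payload
    marked = ipv6_packet(data, 6, cdo_bytes(x=True, e=True))
    plain = ipv6_packet(data, 6)
    tunneled = ipv6_packet(ipv6_packet(data, 6, cdo_bytes(x=True, l=True)), NH_IPV6)
    counts = {"total": 0, "L": 0, "E": 0, "C": 0}
    for pkt in (marked, plain, tunneled):
        found = find_cdo(pkt)
        audit_count(counts, found)
        print(found, "drop preference:", drop_preference(found))
    print(counts)
```

Running the script prints the flag octet, the counted byte total and the drop rank for a marked, an unmarked and a tunneled packet, then the per-counter byte totals an audit function would hold.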