idnits 2.17.1 draft-ietf-mboned-cbacc-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 504 has weird spacing: '...-second uin...' -- The document date (October 30, 2020) is 1272 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-03) exists of draft-ietf-mboned-ambi-00 == Outdated reference: A later version (-04) exists of draft-ietf-mboned-dorms-00 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Mboned J. Holland 3 Internet-Draft Akamai Technologies, Inc. 4 Intended status: Standards Track October 30, 2020 5 Expires: May 3, 2021 7 Circuit Breaker Assisted Congestion Control 8 draft-ietf-mboned-cbacc-01 10 Abstract 12 This document specifies Circuit Breaker Assisted Congestion Control 13 (CBACC). CBACC enables fast-trip Circuit Breakers by publishing rate 14 metadata about multicast channels from senders to intermediate 15 network nodes or receivers. The circuit breaker behavior is defined 16 as a supplement to receiver driven congestion control systems, to 17 preserve network health if misbehaving or malicious receiver 18 applications subscribe to a volume of traffic that exceeds capacity 19 policies or capability for a network or receiving device. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on May 3, 2021. 38 Copyright Notice 40 Copyright (c) 2020 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 1.1. Background and Terminology . . . . . . . . . . . . . . . 4 57 1.2. Venues for Contribution and Discussion . . . . . . . . . 4 58 1.3. Non-obvious doc choices . . . . . . . . . . . . . . . . . 4 59 2. Circuit Breaker Behavior . . . . . . . . . . . . . . . . . . 5 60 2.1. Functional Components . . . . . . . . . . . . . . . . . . 5 61 2.1.1. Bitrate Advertisement . . . . . . . . . . . . . . . . 5 62 2.1.2. Circuit Breaker Node . . . . . . . . . . . . . . . . 5 63 2.1.3. Communication Method . . . . . . . . . . . . . . . . 6 64 2.1.4. Measurement Function . . . . . . . . . . . . . . . . 6 65 2.1.5. Trigger Function . . . . . . . . . . . . . . . . . . 7 66 2.1.6. Reaction . . . . . . . . . . . . . . . . . . . . . . 8 67 2.1.7. Feedback Control Mechanism . . . . . . . . . . . . . 9 68 2.2. States . . . . . . . . . . . . . . . . . . . . . . . . . 9 69 2.2.1. Interface State . . . . . . . . . . . . . . . . . . . 10 70 2.2.2. Flow State . . . . . . . . . . . . . . . . . . . . . 10 71 2.3. Implementation Design Considerations . . . . . . . . . . 11 72 2.3.1. Oversubscription Thresholds . . . . . . . . . . . . . 11 73 2.3.2. Fairness Functions . . . . . . . . . . . . . . . . . 11 74 3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 11 75 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 11 76 3.2. Module . . . . . . . . . . . . . . . . . . . . . . . . . 11 77 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 78 4.1. YANG Module Names Registry . . . . . . . . . . . . . . . 13 79 4.2. The XML Registry . . . . . . . . . . . . . . . . . . . . 14 80 5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 81 5.1. Metadata Security . . . . . . . . . . . . . . . . . . . . 14 82 5.2. Denial of Service . . . . . . . . . . . . . . . . . . . . 14 83 5.2.1. State Overload . . . . . . . . . . . . . . . . . . . 14 84 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 85 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 86 7.1. Normative References . . . . . . . . . . . . . . . . . . 15 87 7.2. Informative References . . . . . . . . . . . . . . . . . 15 88 Appendix A. Overjoining . . . . . . . . . . . . . . . . . . . . 17 89 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18 91 1. Introduction 93 This document defines Circuit Breaker Assisted Congestion Control 94 (CBACC). CBACC defines a Network Transport Circuit Breaker (CB), as 95 described by [RFC8084]. 97 The CB behavior defined in this document uses bit-rate metadata about 98 multicast data streams coupled with policy, capacity, and load 99 information at a network location to prune multicast channels so that 100 the network's aggregate capacity at that location is not exceeded by 101 the subscribed channels. 103 To communicate the required metadata, this document defines a YANG 104 [RFC7950] module that augments the DORMS 105 [I-D.draft-ietf-mboned-dorms-00] YANG module. DORMS provides a 106 mechanism for senders to publish metadata about the multicast streams 107 they're sending through a RESTCONF service, so that receivers or 108 forwarding nodes can discover and consume the metadata with a set of 109 standard methods. The CBACC metadata MAY be communicated to 110 receivers or forwarding nodes by some other method, but the 111 definition of any alternative methods is out of scope for this 112 document. 114 The CB behavior defined in this document matches the description 115 provided in Section 3.2.3 of [RFC8084] of a unidirectional CB over a 116 controlled path. The control messages from that description are 117 composed of the messages containing the metadata required for 118 operation of the CB. 120 CBACC is designed to supplement protocols that use multicast IP and 121 rely on well-behaved receivers to achieve congestion control. 122 Examples of congestion control systems fitting this description 123 include [PLM], [RLM], [RLC], [FLID-DL], [SMCC], and WEBRC [RFC3738]. 125 CBACC addresses a problem with "overjoining" by untrusted receivers. 127 In an overjoining condition, receivers (either malicious, 128 misconfigured, or with implementation errors) subscribe to multicast 129 channels but do not respond appropriately to congestion. When 130 sufficient multicast traffic is available for subscription by such 131 receivers, this can overload any network. 133 The overjoining problem is relevant to misbehaving receivers for both 134 receiver-driven and feedback-driven congestion control strategies, as 135 described in Section 4.1 of [RFC8085]. 137 Overjoining attacks and the challenges they present are discussed in 138 more detail in Appendix A. 140 CBACC offers a solution for the recommendation in Section 4 of 141 [RFC8085] that circuit breaker solutions be used even where 142 congestion control is optional. 144 1.1. Background and Terminology 146 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 147 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 148 "OPTIONAL" in this document are to be interpreted as described in BCP 149 14 [RFC2119] [RFC8174] when, and only when, they appear in all 150 capitals, as shown here. 152 1.2. Venues for Contribution and Discussion 154 This document is in the Github repository at: 156 https://github.com/GrumpyOldTroll/ietf-dorms-cluster 158 Readers are welcome to open issues and send pull requests for this 159 document. 161 Please note that contributions may be merged and substantially 162 edited, and as a reminder, please carefully consider the Note Well 163 before contributing: https://datatracker.ietf.org/submit/note-well/ 165 Substantial discussion of this document should take place on the 166 MBONED working group mailing list (mboned@ietf.org). 168 o Join: https://www.ietf.org/mailman/listinfo/mboned 170 o Search: https://mailarchive.ietf.org/arch/browse/mboned/ 172 1.3. Non-obvious doc choices 174 o Since nothing is necessarily being actively measured by a network 175 component at the ingress, referring to the bitrate advertisement 176 as an "ingress meter" for this context was considered confusing by 177 reviewers, so the section was renamed with just a note pointing to 178 the link. Likewise the egress meter and "CB node". 180 o TBD: might need more and better examples explaining the point in 181 Section 2.1.5.1? Some reason to believe it's not sufficiently 182 clear... 184 o Another TBD: consider Dino's suggestion from 2020-04-09 to include 185 an operational considerations section that addresses some possible 186 optimizations for CB placement and configuration. 188 2. Circuit Breaker Behavior 190 2.1. Functional Components 192 This section maps the functional components described in Section 3.1 193 of [RFC8084] to the operational components of the CBACC CB defined by 194 this document. 196 2.1.1. Bitrate Advertisement 198 The metadata provides an advertised maximum data bit-rate, namely the 199 "max-bits-per-second" field in the YANG model in Section 3. This is 200 a self-report by the sender about the maximum amount of traffic a 201 sender will send within the interval given by the "data-rate-window" 202 field, which is the measurement interval. 204 The sender MUST NOT send more data for a data stream than the amount 205 of data declared according to its advertised data rate within any 206 measurement window, and it's RECOMMENDED for the sender to provide 207 some margin to account for forwarding bursts. If a CB node observes 208 a higher data rate within any measurement window, it MAY circuit- 209 break that flow immediately. 211 In the terminology of [RFC8084], this qualifies as an ingress meter. 213 2.1.2. Circuit Breaker Node 215 A circuit breaker node (CB node) is a location in a network where the 216 costraints of the network and the observations about active traffic 217 are compared to the bitrate advertisement in order to make the 218 decision loop about when and whether to perform the circuit breaking 219 behavior. In the terminology of [RFC8084], the CB node qualifies as 220 an egress meter. 222 The CB node has access to several pieces of information that can be 223 used as relevant egress metrics that may include: 225 1. Physical capacity limits on each interface. 227 2. Configured capacity limits for multicast traffic for each 228 interface. 230 3. The observed received data rates of subscribed multicast channels 231 with CBACC metadata. 233 4. The observed received data rates of subscribed multicast channels 234 without CBACC metadata. 236 5. The observed received data rates of competing non-multicast 237 traffic. 239 6. The loss rate for subscribed multicast channels, when available. 240 The loss rate is only sometimes observable at a CB node; for 241 example, when using AMBI [I-D.draft-ietf-mboned-ambi-00], or when 242 the data stream carries a protocol that is known to the CB node 243 by some out of band means, and whose traffic can be monitored for 244 loss. When available, the loss rates may be used. 246 Note that any on-path router can behave as a CB node, even though 247 there may be other CB nodes downstream or upstream covering the same 248 data streams. When viewing CB nodes as egress meters in the context 249 of [RFC8084], it's important to recall there's not a single egress 250 meter in the network, but rather an egress meter per CB node, 251 representing potentially multiple overlaid circuit breakers that may 252 redundantly cover parts of the same path, with potentially different 253 constraints based on the network location where the egress meter 254 operates. All of the CB nodes anywhere on a path constitute separate 255 circuit breakers that may trip independently of other circuit 256 breakers. 258 Also note that other kinds of components besides on-path routers 259 forwarding the traffic can act as CB nodes, for example the operating 260 system or browser on a device receiving the traffic, or the receiving 261 application itself. 263 2.1.3. Communication Method 265 CBACC generally operates at a CB node, where metrics such as those 266 described in Section 2.1.2 are available through system calls, or by 267 communication with various locally deployable system monitoring 268 applications. However, the CBACC processing can equivalently occur 269 on a separate device that can monitor statistics gathered at a CB 270 node, as long as the necessary control functions to trigger the CB 271 can be invoked. 273 The communication path defined in this document for the CB node to 274 obtain the bitrate advertisement in Section 2.1.1 is the use of DORMS 275 [I-D.draft-ietf-mboned-dorms-00]. Other methods MAY be used as well 276 or instead, but are out of scope for this document. 278 2.1.4. Measurement Function 280 The measurement function maintains a few values for each interface, 281 computed from the metrics described in Section 2.1.2 and 282 Section 2.1.1: 284 1. The aggregate advertised maximum bit-rate capacity consumed by 285 CBACC data streams. This is the sum of the max-bit-rate values 286 in the CBACC metadata for all data streams subscribed through an 287 interface 289 2. An oversubscription threshold for each interface. The 290 oversubscription threshold will be determined differently for CB 291 nodes in different contexts. In some network devices, it might 292 be as simple as an administratively configured absolute value or 293 proportion of an interface's capacity. For other situations, 294 like a CB node operating in a context with loss visibility, it 295 could be a dynamically changing value that grows when data 296 streams are successfully subscribed and receiving data without 297 loss, and shrinks as loss is observed across subscribed data 298 streams. The oversubscription threshold calculation could also 299 incorporate other information like out-of-band path capacity 300 measurements with [PathChirp], if available. 302 This document covers some non-normative examples of valid 303 oversubscription threshold functions in Section 2.3.1. In 304 general, the oversubscription threshold is the primary parameter 305 that different CBs in different contexts can tune to provide the 306 safety guarantees necessary for their context. 308 2.1.5. Trigger Function 310 The trigger function fires when the aggregate advertised maximum bit- 311 rate exceeds the oversubscription threshold for any interface. 313 When oversubscribed, the trigger function changes the states of 314 subscribed channels to "blocked" until the aggregate subscribed bit- 315 rate is below the oversubscription threshold again. 317 2.1.5.1. Fairness and Inter-flow Ordering 319 The trigger function orders the monitored flows according to a 320 fairness function and a within-sender priority ordering (chosen by 321 the sender as part of the CBACC metadata). When flows are blocked, 322 they're blocked in order until the aggregate bitrate of the permitted 323 flows do not exceed the oversubscription thresholds monitored by the 324 CB node. 326 Flows from a single sender MUST be ordered according to their 327 priority field from the CBACC metadata when compared with each other. 328 This takes precedence over the fairness function ordering, since 329 certain flows from the same sender may need strict priority over 330 others. 332 For example, consider a sender using File Delivery over 333 Unidirectional Transport (FLUTE, defined in [RFC6726]) that sends 334 File Delivery Table Instances (see section 3.2 of [RFC6726]) in one 335 (S,G) and data for the various referenced files in other (S,G)s. In 336 this case the data for the files will not be consumable without the 337 (S,G) containing the FDT. Other transport protocols may similarly 338 send control information (often with a lower bitrate) on one channel, 339 and data information on another. In these cases, the sender may need 340 to ensure that data channels are only available when the control 341 channels are also available. 343 When comparing flows between senders, (S,G)s from the same sender 344 with different priorities should be treated as aggregated (S,G)s with 345 regard to their declared bitrate consumption, to ensure that if any 346 flows from the same sender need to be pruned by the circuit-breaker, 347 the least preferred priority flows from that sender are pruned first. 349 Between-sender flows and flows from the same sender with the same 350 priority are ordered according to the fairness function. The 351 fairness function can be different for CBs in different contexts. 353 A CBACC CB implementation SHOULD provide mechanisms for 354 administrative controls to configure explicit biases, as this may be 355 necessary to support Service Level Agreements for specific events or 356 providers, or to block or de-prioritize channels with historically 357 known misbehavior. 359 Subject to the above constraints, where possible the default fairness 360 behavior SHOULD favor streams with many receivers over streams with 361 few receivers, and streams with a low bit-rate over streams with a 362 high bit-rate. See Section 2.3.2 for further considerations and 363 examples. 365 2.1.6. Reaction 367 When the trigger function fires and a subscribed channel becomes 368 blocked, the reaction depends on whether it's an upstream interface 369 or a downstream interface. 371 If a channel is blocked on one or more downstream interfaces, it may 372 still be unblocked on other downstream interfaces. When this is the 373 case, traffic is simply not forwarded along blocked interfaces, even 374 though clients might still be joined downstream of those interfaces. 376 When a channel is blocked on all downstream interfaces or when the 377 upstream interface is oversubscribed, the channel is pruned so that 378 data no longer arrives from the network on the upstream interface. 379 The prune would be performed with a PIM prune (Section 3.5 of 381 [RFC7761]), or a "leave" operation to be communicated via IGMP, MLD, 382 or another multicast group signaling mechanism, according to the 383 expected signaling within the network. 385 Once initially pruned, a flow SHOULD remain pruned for a minimum 386 amount of time. The minimum hold-down duration SHOULD be no less 387 than 2.5 minutes by default, even if available bitrate space clears 388 up, to ensure downstream subscriptions will notice and respond. The 389 hold-down duration SHOULD be extended from the minimum by a randomly 390 chosen number of seconds uniformly distributed over a configurable 391 desynchronization period, to avoid synchronized recovery of different 392 circuit breakers along the path. The default length of the 393 desynchronization period should be at least 30 seconds. 395 2.5 minutes is chosen to exceed the default maximum lifetime of 2 396 minutes that can occur if an IGMP responder suddenly stops operation, 397 and ceases responding to IGMP queries with membership reports, and 30 398 seconds is chosen to allow for some flexibility in lost packets. The 399 values MAY be administratively tuned as needed by network operators 400 to meet performance goals specific to their networks or to the 401 traffic they're forwarding. 403 When enough capacity is available for a circuit-broken stream to be 404 unblocked and the circuit-breaker hold-down time is expired, flows 405 SHOULD be unblocked according to the priority order until no more 406 flows can be unblocked without exceeding the circuit breaker limits. 408 2.1.7. Feedback Control Mechanism 410 The bitrate advertisement metadata from Section 2.1.1 should be 411 refreshed as needed to maintain up to date values. When using DORMS 412 and RESTCONF, the Subscription to YANG Notifications for Datastore 413 Updates [RFC8641] is the preferred method to receive changes if 414 available. 416 If datastore subscriptions are not supported by the client or server, 417 the HTTP Cache Control headers provide valid refresh time properties 418 from the server, and SHOULD be used if present. If No-Cache is used, 419 the default refresh timing SHOULD be 30 seconds. A uniformly 420 distributed random value between 0 and 10 seconds SHOULD be added to 421 the Cache Control or the default refresh timing to avoid 422 synchronization across multiple clients. 424 2.2. States 425 2.2.1. Interface State 427 A CB holds the following state for each interface, for both the 428 inbound and outbound directions on that interface: 430 o aggregate bandwidth: The sum of the bandwidths of all non-circuit- 431 broken CBACC flows that transit this interface in this direction. 433 o bandwidth limit: The maximum aggregate CBACC advertised bandwidth 434 allowed, not including circuit-broken flows. 436 When reducing the bandwidth limit due to congestion, the circuit 437 breaker SHOULD NOT reduce the limit by more than half its value in 438 10 seconds, and SHOULD use a smoothing function to reduce the 439 limit gradually over time. 441 It is RECOMMENDED that no more than half the capacity for a link 442 be allocated to CBACC flows if the link might be shared with 443 unicast traffic that is responsive to congestion. 445 2.2.2. Flow State 447 Data streams with CBACC metadata have a state for the upstream 448 interface through which the stream is joined: 450 o 'subscribed' 451 Indicates that the circuit breaker is subscribed upstream to the 452 flow and forwarding packets through zero or more egress 453 interfaces. 455 o 'pruned' 456 Indicates that the flow has been circuit-broken. A request to 457 unsubscribe from the flow has been sent upstream, e.g. a PIM prune 458 (Section 3.5 of [RFC7761]) or a "leave" operation communicated via 459 IGMP, MLD, or another group membership management mechanism. 461 Data streams also have a per-interface state for downstream 462 interfaces with subscribers, where the data is being forwarded. It's 463 one of: 465 o 'forwarding' 466 Indicates that the flow is a non-circuit-broken flow in steady 467 state, forwarding packets downstream. 469 o 'blocked' 470 Indicates that data packets for this flow are NOT forwarded 471 downstream via this interface. 473 2.3. Implementation Design Considerations 475 2.3.1. Oversubscription Thresholds 477 TBD. 479 2.3.2. Fairness Functions 481 As an example fairness function that makes good sense for a general 482 case of unknown traffic: 484 Consider a network where the receiver count for multicast channels is 485 known, for example via the experimental PIM extension for population 486 count defined in [RFC6807]. 488 A good fairness metric for a flow is max-bandwidth divided by 489 receiver-count, with lower values of the fairness metric favored over 490 higher values. 492 An overview of some other approaches to appropriate fairness metrics 493 is given in Section 2.3 of [RFC5166]. 495 3. YANG Module 497 3.1. Tree Diagram 499 The tree diagram below follows the notation defined in [RFC8340]. 501 module: ietf-cbacc 502 augment /dorms:metadata/dorms:sender/dorms:group/dorms:udp-stream: 503 +--rw cbacc! 504 +--rw max-bits-per-second uint32 505 +--rw max-mss? uint16 506 +--rw data-rate-window? uint32 507 +--rw priority? uint16 509 3.2. Module 511 file ietf-cbacc@2020-10-31.yang 512 module ietf-cbacc { 513 yang-version 1.1; 515 namespace "urn:ietf:params:xml:ns:yang:ietf-cbacc"; 516 prefix "ambi"; 518 import ietf-dorms { 519 prefix "dorms"; 520 reference "I-D.jholland-mboned-dorms"; 521 } 523 organization "IETF"; 525 contact 526 "Author: Jake Holland 527 528 "; 530 description 531 "Copyright (c) 2019 IETF Trust and the persons identified as 532 authors of the code. All rights reserved. 534 Redistribution and use in source and binary forms, with or 535 without modification, is permitted pursuant to, and subject to 536 the license terms contained in, the Simplified BSD License set 537 forth in Section 4.c of the IETF Trust's Legal Provisions 538 Relating to IETF Documents 539 (https://trustee.ietf.org/license-info). 541 This version of this YANG module is part of 542 draft-jholland-mboned-cbacc. See the internet draft for full 543 legal notices. 545 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL 546 NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 547 'MAY', and 'OPTIONAL' in this document are to be interpreted as 548 described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, 549 they appear in all capitals, as shown here. 551 This module contains the definition for bandwidth consumption 552 metadata for SSM channels, as an extension to DORMS 553 (draft-jholland-mboned-dorms)."; 555 revision 2019-09-26 { 556 description "Initial revision as an extension."; 557 reference 558 ""; 559 } 561 augment 562 "/dorms:metadata/dorms:sender/dorms:group/dorms:udp-stream" { 563 description "Definition of the manifest stream providing 564 integrity info for the data stream"; 566 container cbacc { 567 presence "cbacc-enabled flow"; 568 description 569 "Information to enable fast-trip circuit breakers"; 570 leaf max-bits-per-second { 571 type uint32; 572 mandatory true; 573 description "Maximum bitrate for this stream, in Kilobits 574 of IP packet data (including headers) of native 575 multicast traffic per second"; 576 } 577 leaf max-mss { 578 type uint16; 579 default 1400; 580 description "Maximum payload size, in bytes"; 581 } 582 leaf data-rate-window { 583 type uint32; 584 default 2000; 585 description 586 "Time window over which data rate is guaranteed, 587 in milliseconds."; 588 /* TBD: range limits? */ 589 } 590 leaf priority { 591 type uint16; 592 default 256; 593 description 594 "The relative preference level for keeping this flow 595 compared to other flows from this sender (higher 596 value is more preferred to keep)"; 597 } 598 } 599 } 600 } 602 604 4. IANA Considerations 606 4.1. YANG Module Names Registry 608 This document adds one YANG module to the "YANG Module Names" 609 registry maintained at . The following registrations are made, per the format in 611 Section 14 of [RFC6020]: 613 name: ietf-cbacc 614 namespace: urn:ietf:params:xml:ns:yang:ietf-cbacc 615 prefix: cbacc 616 reference: I-D.draft-ietf-mboned-cbacc 618 4.2. The XML Registry 620 This document adds the following registration to the "ns" subregistry 621 of the "IETF XML Registry" defined in [RFC3688], referencing this 622 document. 624 URI: urn:ietf:params:xml:ns:yang:ietf-cbacc 625 Registrant Contact: The IESG. 626 XML: N/A, the requested URI is an XML namespace. 628 5. Security Considerations 630 5.1. Metadata Security 632 Be sure to authenticate the metadata. See DORMS security 633 considerations, and don't accept unauthenticated metadata if using an 634 alternative means. 636 5.2. Denial of Service 638 5.2.1. State Overload 640 Since CBACC flows require state, it may be possible for a set of 641 receivers and/or senders, possibly acting in concert, to generate 642 many flows in an attempt to overflow the circuit breakers' state 643 tables. 645 It is permissible for a network node to behave as a CBACC circuit 646 breaker for some CBACC flows while treating other CBACC flows as non- 647 CBACC, as part of a load balancing strategy for the network as a 648 whole, or simply as defense against this concern when the number of 649 monitored flows exceeds some threshold. 651 The same techniques described in Section 3.1 of [RFC4609] can be used 652 to help mitigate this attack, for much the same reasons. It is 653 RECOMMENDED that network operators implement measures to mitigate 654 such attacks. 656 6. Acknowledgements 658 Many thanks to Devin Anderson, Ben Kaduk, Cheng Jin, Scott Brown, 659 Miroslav Ponec, Bob Briscoe, Lenny Giuliani, Christian Worm 660 Mortensen, and Dino Farinacci for their thoughtful comments and 661 contributions. 663 7. References 665 7.1. Normative References 667 [I-D.draft-ietf-mboned-ambi-00] 668 Holland, J. and K. Rose, "Asymmetric Manifest Based 669 Integrity", draft-ietf-mboned-ambi-00 (work in progress), 670 March 2020. 672 [I-D.draft-ietf-mboned-dorms-00] 673 Holland, J., "Discovery Of Restconf Metadata for Source- 674 specific multicast", draft-ietf-mboned-dorms-00 (work in 675 progress), March 2020. 677 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 678 Requirement Levels", BCP 14, RFC 2119, 679 DOI 10.17487/RFC2119, March 1997, 680 . 682 [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", 683 RFC 7950, DOI 10.17487/RFC7950, August 2016, 684 . 686 [RFC8084] Fairhurst, G., "Network Transport Circuit Breakers", 687 BCP 208, RFC 8084, DOI 10.17487/RFC8084, March 2017, 688 . 690 [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 691 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 692 March 2017, . 694 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 695 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 696 May 2017, . 698 [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", 699 BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, 700 . 702 7.2. Informative References 704 [FLID-DL] Byers, J., Horn, G., Luby, M., Mitzenmacher, M., Shaver, 705 W., and IEEE, "FLID-DL: congestion control for layered 706 multicast", DOI 10.1109/JSAC.2002.803998, n.d., 707 . 709 [PathChirp] 710 Ribeiro, V., Riedi, R., Baraniuk, R., Navratil, J., 711 Cottrell, L., Department of Electrical and Computer 712 Engineering Rice University, and SLAC/SCS-Network 713 Monitoring, Stanford University, "pathChirp: Efficient 714 Available Bandwidth Estimation for Network Paths", 2003. 716 [PLM] Biersack, Institut EURECOM, A., "PLM: Fast Convergence for 717 Cumulative Layered Multicast Transmission Schemes", 1999. 719 [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, 720 DOI 10.17487/RFC3688, January 2004, 721 . 723 [RFC3738] Luby, M. and V. Goyal, "Wave and Equation Based Rate 724 Control (WEBRC) Building Block", RFC 3738, 725 DOI 10.17487/RFC3738, April 2004, 726 . 728 [RFC4609] Savola, P., Lehtonen, R., and D. Meyer, "Protocol 729 Independent Multicast - Sparse Mode (PIM-SM) Multicast 730 Routing Security Issues and Enhancements", RFC 4609, 731 DOI 10.17487/RFC4609, October 2006, 732 . 734 [RFC5166] Floyd, S., Ed., "Metrics for the Evaluation of Congestion 735 Control Mechanisms", RFC 5166, DOI 10.17487/RFC5166, March 736 2008, . 738 [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for 739 the Network Configuration Protocol (NETCONF)", RFC 6020, 740 DOI 10.17487/RFC6020, October 2010, 741 . 743 [RFC6726] Paila, T., Walsh, R., Luby, M., Roca, V., and R. Lehtonen, 744 "FLUTE - File Delivery over Unidirectional Transport", 745 RFC 6726, DOI 10.17487/RFC6726, November 2012, 746 . 748 [RFC6807] Farinacci, D., Shepherd, G., Venaas, S., and Y. Cai, 749 "Population Count Extensions to Protocol Independent 750 Multicast (PIM)", RFC 6807, DOI 10.17487/RFC6807, December 751 2012, . 753 [RFC7761] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I., 754 Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent 755 Multicast - Sparse Mode (PIM-SM): Protocol Specification 756 (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761, March 757 2016, . 759 [RFC8641] Clemm, A. and E. Voit, "Subscription to YANG Notifications 760 for Datastore Updates", RFC 8641, DOI 10.17487/RFC8641, 761 September 2019, . 763 [RLC] Rizzo, L., Vicisano, L., and J. Crowcroft, "The RLC 764 multicast congestion control algorithm", 1999. 766 [RLM] McCanne, S., Jacobson, V., Vetterli, M., University of 767 California, Berkeley, and Lawrence Berkeley National 768 Laboratory, "Receiver-driven Layered Multicast", 1995. 770 [SMCC] Kwon, G., Byers, J., and Computer Science Department, 771 Boston University, "Smooth Multirate Multicast Congestion 772 Control", 2002. 774 Appendix A. Overjoining 776 [RFC8085] describes several remedies for unicast congestion control 777 under UDP, even though UDP does not itself provide congestion 778 control. In general, any network node under congestion could in 779 theory collect evidence that a unicast flow's sending rate is not 780 responding to congestion, and would then be justified in circuit- 781 breaking it. 783 With multicast IP, the situation is different, especially in the 784 presence of malicious receivers. A well-behaved sender using a 785 receiver-controlled congestion scheme such as WEBRC does not reduce 786 its send rate in response to congestion, instead relying on receivers 787 to leave the appropriate multicast groups. 789 This leads to a situation where, when a network accepts inter-domain 790 multicast traffic, as long as there are senders somewhere in the 791 world with aggregate bandwidth that exceeds a network's capacity, 792 receivers in that network can join the flows and overflow the network 793 capacity. A receiver controlled by an attacker could do this at the 794 IGMP/MLD level without running the application layer protocol that 795 participates in the receiver-controlled congestion control. 797 A network might be able to detect and defend against the most naive 798 version of such an attack by blocking end users that try to join too 799 many flows at once. However, an attacker can achieve the same effect 800 by joining a few high-bandwidth flows, if those exist anywhere, and 801 an attacker that controls a few machines in a network can coordinate 802 the receivers so they join disjoint sets of non-responsive sending 803 flows. 805 This scenario will produce congestion in a middle node in the network 806 that can't be easily detected at the edge where the IGMP/MLD join is 807 accepted. Thus, an attacker with a small set of machines in a target 808 network can always trip a circuit breaker if present, or can induce 809 excessive congestion among the bandwidth allocated to multicast. 810 This problem gets worse as more multicast flows become available. 812 Although the same can apply to non-responsive unicast traffic, 813 network operators can assume that non-responsive sending flows are in 814 violation of congestion control best practices, and can therefore cut 815 off flows associated with the misbehaving senders. By contrast, non- 816 responsive multicast senders are likely to be well-behaved 817 participants in receiver-controlled congestion control schemes. 819 However, receiver controlled congestion control schemes also show the 820 most promise for efficient massive scale content distribution via 821 multicast, provided network health can be ensured. Therefore, 822 mechanisms to mitigate overjoining attacks while still permitting 823 receiver-controlled congestion control are necessary. 825 Author's Address 827 Jake Holland 828 Akamai Technologies, Inc. 829 150 Broadway 830 Cambridge, MA 02144 831 United States of America 833 Email: jakeholland.net@gmail.com