ConEx Working Group S. Krishnan Internet-Draft Ericsson Intended status: Experimental M. Kuehlewind Expires: April 21, 2016 ETH Zurich C. Ralli Telefonica October 19, 2015 IPv6 Destination Option for Congestion Exposure (ConEx) draft-ietf-conex-destopt-11 Abstract Congestion Exposure (ConEx) is a mechanism by which senders inform the network about the congestion encountered by packets earlier in the same flow. This document specifies an IPv6 destination option that is capable of carrying ConEx markings in IPv6 datagrams. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 21, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of Krishnan, et al. Expires April 21, 2016 [Page 1] Internet-Draft ConEx Destination Option October 2015 the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions used in this document . . . . . . . . . . . . . . 3 3. Requirements for the coding of ConEx in IPv6 . . . . . . . . 3 4. ConEx Destination Option (CDO) . . . . . . . . . . . . . . . 4 5. Implementation in the fast path of ConEx-aware routers . . . 7 6. Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7. Tunnel Processing . . . . . . . . . . . . . . . . . . . . . . 8 8. Compatibility with use of IPsec . . . . . . . . . . . . . . . 9 9. Mitigating flooding attacks by using preferential drop . . . 10 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 11. Security Considerations . . . . . . . . . . . . . . . . . . . 11 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 13.1. Normative References . . . . . . . . . . . . . . . . . . 12 13.2. Informative References . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction Congestion Exposure (ConEx) [I-D.ietf-conex-abstract-mech] is a mechanism by which senders inform the network about the congestion encountered by packets earlier in the same flow. This document specifies an IPv6 destination option [RFC2460] that can be used for performing ConEx markings in IPv6 datagrams. This document specifies the ConEx wire protocol in IPv6. The ConEx information can be used by any network element on the path to e.g. do traffic management or egress policing. Additionally this information will potentially be used by an audit function that checks the integrity of the sender's signaling. Further each transport protocol, that supports ConEx signaling, will need to specify precisely when the transport sets ConEx markings (e.g. the behavior for TCP is specified in [I-D.ietf-conex-tcp-modifications]). This document specifies ConEx for IPv6 only. Due to space limitations in the IPv4 header and the risk of options that might be stripped by middlebox in IPv4 the primary goal of the working goal was to specify ConEx in IPv6 for experimentation. Krishnan, et al. Expires April 21, 2016 [Page 2] Internet-Draft ConEx Destination Option October 2015 This specification is experimental to allow the IETF to assess whether the decision to implement the ConEx signal as a destination option fulfills the requirements stated in this document, as well as to evaluate the proposed encoding of the ConEx signals as described in [I-D.ietf-conex-abstract-mech]. The duration of this experiment is expected to be no less than two years from publication of this document as infrastructure is needed to be set up to determine the outcome of this experiment. Experimenting with Conex requires IPv6 traffic. Even though the amount of IPv6 traffic is growing, the traffic mix carried over IPv6 is still very different as over IPv4. Therefore, it might taker longer to find a suitable test scenario where only IPv6 traffic is managed using ConEx. 2. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL","SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Requirements for the coding of ConEx in IPv6 A set of requirement for an ideal concrete ConEx wire protocol is given in [I-D.ietf-conex-abstract-mech]. In the ConEx working group is was recognized that it will be difficult to find an encoding in IPv6 that satisfies all requirements. The choice in this document to implement the ConEx information in a destination option aims to satisfy those requirements that constrain the placement of ConEx information: R-1: The marking mechanism needs to be visible to all ConEx-capable nodes on the path. R-2: The mechanism needs to be able to traverse nodes that do not understand the markings. This is required to ensure that ConEx can be incrementally deployed over the Internet. R-3: The presence of the marking mechanism should not significantly alter the processing of the packet. This is required to ensure that ConEx marked packets do not face any undue delays or drops due to a badly chosen mechanism. R-4: The markings should be immutable once set by the sender. At the very least, any tampering should be detectable. Based on these requirements four solutions to implement the ConEx information in the IPv6 header have been investigated: hop-by-hop Krishnan, et al. Expires April 21, 2016 [Page 3] Internet-Draft ConEx Destination Option October 2015 options, destination options, using IPv6 header bits (from the flow label), and new extension headers. After evaluating the different solutions, the ConEx working group concluded that the use of a destination option would best address these requirements. Choosing to use a destination option does not necessarily satisfy the requirement for on-path visibility, because it can be encapsulated by additional IP header(s). Therefore, ConEx-aware network devices, including policy or audit devices, might have to follow the chaining (extension-)headers into inner IP headers to find ConEx information. This choice was a compromise between fast-path performance of Conex- aware network nodes and visibility, as discussed in Section Section 5. Please note that the IPv6 specification [RFC2460] does not require or expect intermediate nodes to inspect destination options such as the CDO. This implies that ConEx-aware intermediate nodes following this specification need updated extension header processing code to be able read the destination options. 4. ConEx Destination Option (CDO) The ConEx Destination Option (CDO) is a destination option that can be included in IPv6 datagrams that are sent by ConEx-aware senders in order to inform ConEx-aware nodes on the path about the congestion encountered by packets earlier in the same flow or the expected risk of encountering congestion in the future. The CDO has an alignment requirement of (none). 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Option Type | Option Length |X|L|E|C| res | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: ConEx Destination Option Layout Option Type 8-bit identifier of the type of option. Set to the value 30 (0x1E) allocated for experimental work. Option Length 8-bit unsigned integer. The length of the option in octets (excluding the Option Type and Option Length fields). Set to the value 1. Krishnan, et al. Expires April 21, 2016 [Page 4] Internet-Draft ConEx Destination Option October 2015 X Bit When this bit is set, the transport sender is using ConEx with this packet. If it is not set, the sender is not using ConEx with this packet. L Bit When this bit is set, the transport sender has experienced a loss. E Bit When this bit is set, the transport sender has experienced congestion signaled using Explicite Congestion Notification (ECN) [RFC3168]. C Bit When this bit is set, the transport sender is building up congestion credit in the audit function. Reserved (res) These four bits are not used in the current specification. They are set to zero on the sender and are ignored on the receiver. Option Layout All packets sent over a ConEx-capable TCP connection or belonging to the same ConEx-capable flow MUST carry the CDO. The chg bit (the third-highest-order bit) in the CDO Option Type field is set to zero, meaning that the CDO option is immutable. Network devices with ConEx-aware functions read the flags, but all network devices MUST forward the CDO unaltered. The CDO SHOULD be placed as the first option in the destination option header before the AH and/or ESP (if present). IPsec Authentication Header (AH) MAY be used to verify that the CDO has not been modified. If the X bit is zero all other three bits are undefined and thus MUST be ignored and forwarded unchanged by network nodes. The X bit set to zero means that the connection is ConEx-capable but this packet MUST NOT be counted when determining ConEx information in an audit function. This can be the case if no congestion feedback is (currently) available e.g. in TCP if one endpoint has been receiving Krishnan, et al. Expires April 21, 2016 [Page 5] Internet-Draft ConEx Destination Option October 2015 data but sending nothing but pure ACKs (no user data) for some time. This is because pure ACKs do not advance the sequence number, so the TCP endpoint receiving them cannot reliably tell whether any have been lost due to congestion. Pure TCP ACKs cannot be ECN-marked either [RFC3168]. If the X bit is set, any of the other three bits (L, E, C) might be set. Whenever one of these bits is set, the number of bytes carried by this IP packet (including the IP header that directly encapsulates the CDO and everything that IP header encapsulates) SHOULD be counted to determine congestion or credit information. In IPv6 the number of bytes can easily be calculated by adding the number 40 (length of the IPv6 header in bytes) to the value present in the Payload Length field in the IPv6 header. A transport sends credits prior to the occurrence of congestion (loss or ECN-CE marks) and the amount of credits should cover the congestion risk. This is further specified in [I-D.ietf-conex-abstract-mech] and described in detail for the case of TCP in [I-D.ietf-conex-tcp-modifications]. Note, the maximum congestion risk is that all packets in flight get lost or ECN marked. If the L or E bit is set, a congestion signal in the form of a loss or, respectively, an ECN mark was previously experienced by the same connection. In principle all of these three bits (L, E, C) might be set in the same packet. In this case the packet size MUST be counted more than once for each respective ConEx information counter. If a network node extracts the ConEx information from a connection, it is expected to hold this information in bytes, e.g. comparing the total number of bytes sent with the number of bytes sent with ConEx congestion marks (L, E) to determine the current whole path congestion level. Therefore a ConEx-aware nodes, that processes the CDO, MUST use the Payload length field of the preceding IPv6 header for byte-based counting. When a ratio is measured and equally sized packets can be assumed, counting the number of packets (instead of the number of bytes) should deliver the same result. But an audit function must be aware that this estimation can be quite wrong, if e.g. different sized packed are sent and thus it is not reliable. All remaining bits in the CDO are reserved for future use (which are currently the last four bits of the eight bit option space). A ConEx sender SHOULD set the reserved bits in the CDO to zero. Other nodes MUST ignore these bits and ConEx-aware intermediate nodes MUST forward them unchanged, whatever their values. They MAY log the presence of a non-zero reserved field. Krishnan, et al. Expires April 21, 2016 [Page 6] Internet-Draft ConEx Destination Option October 2015 The CDO is only applicable on unicast or anycast packets (see [I-D.ietf-conex-abstract-mech] note regarding item J on multicast at the end of section 3.3 for reasoning). A ConEx sender MUST NOT send a packet with the CDO to a multicast address. ConEx-capable network nodes MUST treat a multicast packet with the X flag set the same as an equivalent packet without the CDO, and they SHOULD forward it unchanged. As stated in [I-D.ietf-conex-abstract-mech] (see section 3.3 item N on network layer requirements) protocol specs should describe any warning or error messages relevant to the encoding. There are no warnings or error messages associated with the CDO. 5. Implementation in the fast path of ConEx-aware routers The ConEx information is being encoded into a destination option so that it does not impact forwarding performance in the non-ConEx-aware nodes on the path. Since destination options are not usually processed by routers, the existence of the CDO does not affect the fast path processing of the datagram on non-ConEx-aware routers, i.e. they are not pushed into the slow path towards the control plane for exception processing. ConEx-aware nodes still need to process the CDO without severely affecting forwarding. For this to be possible, the ConEx-aware routers need to quickly ascertain the presence of the CDO and process the option if it is present. To efficiently perform this, the CDO needs to be placed in a fairly deterministic location. In order to facilitate forwarding on ConEx-aware routers, ConEx-aware senders that send IPv6 datagrams with the CDO SHOULD place the CDO as the first destination option in the destination options header. 6. Auditing An audit element shall be a shadow device in the network, i.e. its presence should not be detectable for well-behaving senders. The objective of an audit is to verify that senders correctly signals ConEx information and to penalize cheaters. For this, the audit element has to maintain state for any active ConEx-enabled flow. Flows must be audited independently, as there are no dependencies. There are two aspects the audit element has to check for each flow: o if the congestion reported using the ConEx mechanism (L- or E-marked bytes) matches the congestion actually observed by the receivers (loss or ECN-CE-marks) and Krishnan, et al. Expires April 21, 2016 [Page 7] Internet-Draft ConEx Destination Option October 2015 o if sufficient credit marks have been sent to signal the congestion risk in advance (number of C-marked bytes is larger than lost or ECN-EC-marked bytes). By the Re-Echo-Loss signal a sender exposes to the network that this transport has experienced loss very recently. By the Re-Echo-ECN signal a sender exposes to the network that this transport has experienced an ECN-CE mark very recently. For the audit this means, that if it detects a loss or an ECN-CE mark for a ConEx-enabled flow, for a compliant sender the corresponding Re-Echo-Loss or Re-Echo-ECN signals must be observed in the near future (e.g. within a 1-2 RTT after the congestion has been observed). The Credit signal represents potential for congestion. A ConEx- enabled sender SHOULD signal sufficient credit in advance to any congestion event. If a congestion event occurs, a corresponding amount of credit is consumed. If the sender intends to take the same risk again, it just must replace this consumed credit as non-consumed credit does not expire. The audit penalizes a flow if it fails either of these two criteria. In order to not incentivize senders to simply start new flows when detecting being penalized by an audit element, the penalty of a misbehaving flow SHOULD be proportional to the misbehavior. This document does not mandate a particular audit design. Implementation considerations are further discussed in [I-D.wagner-conex-audit]. The CDO MUST only be used alongside protocols that provide a way to audit loss in the network. Any protocol specification that uses the CDO MUST define how an audit device can detect loss on the forward path (e.g. sequence number monitoring) and the means for protecting against likely attacks on such mechanisms. 7. Tunnel Processing As with any destination option, an ingress tunnel endpoint will not normally copy the CDO when adding an encapsulating outer IP header. In general an ingress tunnel SHOULD NOT copy the CDO to the outer header as this would changed the number of bytes that would be counted. However, it MAY copy the CDO to the outer header in order to facilitate visibility by subsequent on-path ConEx functions if the configuration of the tunnel ingress and the ConEx nodes is co- ordinated. This trades off the performance of ConEx functions against that of tunnel processing. An egress tunnel endpoint SHOULD ignore any CDO in the outer header on decapsulation of an outer IP header. The information in any inner CDO will always be considered correct, even if it differs from any Krishnan, et al. Expires April 21, 2016 [Page 8] Internet-Draft ConEx Destination Option October 2015 outer CDO. Therefore, the decapsulator can strip the outer CDO without comparison to the inner. A decapsulator MAY compare the two, and MAY log any case where they differ. However, the packet MUST be forwarded irrespective of any such anomaly, given an outer CDO is only a performance optimization. A network node that assesses ConEx information SHOULD search for encapsulated IP headers until a CDO is found. At any specific network location, the maximum necessary depth of search is likely to be the same for all packets between a given set of tunnel endpoints. 8. Compatibility with use of IPsec If the endpoints are using the IPsec Authentication Header (AH) [RFC4302] to detect alteration of IP headers along the path, AH will also ensure the e2e integrity of the CDO header. A network-based attacker could alter ConEx information to fool an audit function in a downstream network into discarding packets. However, other existing attacks from one network on another such a TTL expiry attacks are more damaging (because ConEx audit discards silently) and less traceable (because TTL is meant to change, whereas CDO is not). Inside an IPv6 packet, a Destination Option header can be placed in two possible positions, either before the Routing header or after the ESP/AH headers as described in Section 4.1 of [RFC2460]. When the CDO is placed in the destination option header before the AH and/or ESP, it is not encrypted in transport mode [RFC4301]. Otherwise, if the CDO were placed in the latter position and an ESP header was used with encryption, the CDO cannot be viewed and interpreted by ConEx- aware intermediate nodes effectively rendering it useless. The IPv6 protocol architecture currently does not provide a mechanism for new headers to be copied to the outer IP header. Therefore if IPsec encryption is used in tunnel mode, ConEx information cannot be accessed over the extent of the ESP tunnel. Also, the destination IP stack will not usually process the CDO, therefore the sender can send a CDO without checking if the receiver will understand it. The CDO MUST still be forwarded to the destination IP stack, because the destination might check the integrity of the whole packet, irrespective of whether it understands ConEx. Krishnan, et al. Expires April 21, 2016 [Page 9] Internet-Draft ConEx Destination Option October 2015 9. Mitigating flooding attacks by using preferential drop This section is aspirational, and not critical to the use of ConEx for more general traffic management. However, once CDO information is present, the CDO header could optionally also be used in the data plane of any IP-aware forwarding node to mitigate flooding attacks. Please note that ConEx is an experimental protocol and that any kind of mechanisms that reacts on information provided by the ConEx protocol needs to be evaluated in experimentation as well. This is also true, or especially true, for the preferential drop mechanism described below. Dropping packets preferentially that are not ConEx-capable or do not carry a ConEx mark can be beneficial to migrate flooding attacks as ConEx-marked packets can be assumed to be already restricted by an ConEx ingress policer as further described in [I-D.ietf-conex-abstract-mech]. Therefore the following ConEx-based perferential dropping scheme is proposed: If a router queue experiences very high load so that it has to drop arriving packets, it MAY preferentially drop packets within the same DiffServ PHB using the preference order given in Table 1 (1 means drop first). Additionally, if a router implements preferential drop based on ConEx it SHOULD also support ECN-marking. Even though preferential dropping can be difficult to implement on some hardware, if nowhere else, routers at the egress of a network SHOULD implement preferential drop based on ConEx markings (stronger than the MAY above). +----------------------+----------------+ | | Preference | +----------------------+----------------+ | Not-ConEx or no CDO | 1 (drop first) | | X (but not L,E or C) | 2 | | X and L,E or C | 3 | +----------------------+----------------+ Table 1: Drop preference for ConEx packets A flooding attack is inherently about congestion of a resource. As load focuses on a victim, upstream queues grow, requiring honest sources to pre-load packets with a higher fraction of ConEx-marks. If ECN marking is supported by downstream queues, preferential dropping provides the most benefits because, if the queue is so congested that it drops traffic, it will be CE-marking 100% of any forwarded traffic. Honest sources will therefore be sending 100% Krishnan, et al. Expires April 21, 2016 [Page 10] Internet-Draft ConEx Destination Option October 2015 ConEx E-marked packets (and subject to rate-limiting at an ingress policer). Senders under malicious control can either do the same as honest sources, and be rate-limited at ingress, or they can understate congestion and not set the E bit. If the preferential drop ranking is implemented on queues, these queues will preserve E/L-marked traffic until last. So, the traffic from malicious sources will all be automatically dropped first. Either way, malicious sources cannot send more than honest sources. Therefore ConEx-based perferential drooping as describe above discriminates against attack traffic if done as part of the overall policing framework as described in [I-D.ietf-conex-abstract-mech]. 10. Acknowledgements The authors would like to thank Marcelo Bagnulo, Bob Briscoe, Ingemar Johansson, Joel Halpern, John Leslie, Martin Stiemerling, Robert Sparks, Ron Bonica, Brian Haberman, Kathleen Moriarty, Bob Hinden, Ole Troan and Brian Carpenter for the discussions that made this document better. Special thanks to Bob Briscoe who contributed text and analysis work on preferential dropping and to David Wagner for providing the text on which the audting section is based. 11. Security Considerations [I-D.ietf-conex-abstract-mech] describes the overall audit framework for assuring that ConEx markings truly reflect actual path congestion. This section focuses purely on the security of the encoding chosen for ConEx markings. The CDO Option Type is defined with a chg bit set to zero as described in Section 4. If IPsec AH is used, a zero chg bit causes AH to cover the CDO option so that its end-to-end integrity can be verified, as explained in Section 4. Krishnan, et al. Expires April 21, 2016 [Page 11] Internet-Draft ConEx Destination Option October 2015 This document specifies that the Reserved field in the CDO must be ignored and forwarded unchanged even if it does not contain all zeroes. The Reserved field is also required to sit outside the Encapsulating Security Payload (ESP), at least in transport mode (see Section 7). This allows the sender to use the Reserved field as a 4 -bit-per-packet covert channel to send information to an on-path node outside the control of IPsec. However, a covert channel is only a concern if it can circumvent IPsec in tunnel mode and, in the tunnel mode case, ESP would close the covert channel as outlined in Section 7. 12. IANA Considerations The IPv6 ConEx destination option is used for carrying ConEx markings. This document uses the experimental option type 0x1E with the act bits set to 00 and the chg bit set to 0 for realizing this option. No further allocation action is required from IANA at this time. 13. References 13.1. Normative References [I-D.ietf-conex-abstract-mech] Mathis, M. and B. Briscoe, "Congestion Exposure (ConEx) Concepts, Abstract Mechanism and Requirements", draft- ietf-conex-abstract-mech-13 (work in progress), October 2014. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC3168] Ramakrishnan, K., Floyd, S., and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP", RFC 3168, September 2001. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, December 2005. [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303, DOI 10.17487/RFC4303, December 2005, . Krishnan, et al. Expires April 21, 2016 [Page 12] Internet-Draft ConEx Destination Option October 2015 13.2. Informative References [I-D.ietf-conex-tcp-modifications] Kuehlewind, M. and R. Scheffenegger, "TCP modifications for Congestion Exposure", draft-ietf-conex-tcp- modifications-08 (work in progress), April 2015. [I-D.wagner-conex-audit] Wagner, D. and M. Kuehlewind, "Auditing of Congestion Exposure (ConEx) signals", draft-wagner-conex-audit-01 (work in progress), February 2014. Authors' Addresses Suresh Krishnan Ericsson 8400 Blvd Decarie Town of Mount Royal, Quebec Canada Email: suresh.krishnan@ericsson.com Mirja Kuehlewind ETH Zurich Email: mirja.kuehlewind@tik.ee.ethz.ch Carlos Ralli Ucendo Telefonica Email: ralli@tid.es Krishnan, et al. Expires April 21, 2016 [Page 13]