<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
    <!ENTITY rfc2119 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml'>
    <!ENTITY rfc2401 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2401.xml'>
    <!ENTITY rfc2460 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2460.xml'>
    <!ENTITY rfc3168 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3168.xml'>
    <!ENTITY rfc4301 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4301.xml'>
    <!ENTITY rfc4302 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4302.xml'>
    <!ENTITY rfc6789 PUBLIC '' 
      'http://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6789.xml'>
    <!ENTITY I-D.ietf-conex-abstract-mech SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-conex-abstract-mech.xml">
    <!ENTITY I-D.ietf-conex-tcp-modifications SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-conex-tcp-modifications.xml">
]>

<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>

<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc compact="yes"?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no"?>
<?rfc strict="yes"?>

<rfc category="exp" ipr="trust200902" docName="draft-ietf-conex-destopt-09">
<front>
<title abbrev="ConEx Destination Option">IPv6 Destination Option for Congestion Exposure (ConEx)</title>
<author initials="S.K." surname="Krishnan" fullname="Suresh Krishnan"><organization>Ericsson</organization><address>
<postal>
<street>8400 Blvd Decarie</street><city>Town of Mount Royal</city><region>Quebec</region><country>Canada</country></postal>
<email>suresh.krishnan@ericsson.com</email></address>
</author>
<author initials="M.K." surname="Kuehlewind" fullname="Mirja Kuehlewind"><organization>ETH Zurich</organization><address>
<email>
mirja.kuehlewind@tik.ee.ethz.ch</email></address>
</author>

<author initials="C.R.U." surname="Ralli" fullname="Carlos Ralli Ucendo"><organization>Telefonica</organization><address>
<email>ralli@tid.es</email></address>
</author>

<date/><area>Transport</area><workgroup>ConEx Working Group</workgroup>
 <abstract><t>Congestion Exposure (ConEx) is a mechanism by which senders inform the network about the congestion encountered by packets earlier in the same flow. This document specifies an IPv6 destination option that is capable of carrying ConEx markings in IPv6 datagrams.</t>
 </abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">

<t>Congestion Exposure (ConEx) <xref target="I-D.ietf-conex-abstract-mech"/> is a mechanism by which senders inform the network about the congestion encountered by packets earlier in the same flow. This document specifies an IPv6 destination option <xref target="RFC2460"/> that can be used for performing ConEx markings in IPv6 datagrams.</t>

<t>This document specifies the ConEx wire protocol in IPv6. The ConEx information can be used by any network element on the path, e.g. for traffic management or egress policing. Additionally, this information will potentially be used by an audit function that checks the integrity of the sender's signaling. Further, each transport protocol that supports ConEx signaling will need to specify precisely when the transport sets ConEx
markings (e.g. the behavior for TCP is specified in <xref target="I-D.ietf-conex-tcp-modifications"/>).</t>

<t>This document specifies ConEx for IPv6 only. Due to space limitations and the risk of options being stripped by middleboxes in IPv4, the primary goal of the working group was to specify ConEx in IPv6 for experimentation.</t>

<t>This specification is experimental to allow the IETF to assess whether the decision to implement the ConEx signal as a destination option fulfills the requirements stated in this document, as well as to evaluate the proposed encoding of the ConEx signals as described in <xref target="I-D.ietf-conex-abstract-mech"/>.</t>

<t>The duration of this experiment is expected to be no less than two years from publication 
of this document, as infrastructure needs to be set up to determine the outcome 
of this experiment. 
Experimenting with ConEx requires IPv6 traffic. Even though the amount of IPv6 traffic is
growing, the traffic mix carried over IPv6 is still very different from that over IPv4. 
Therefore, it might take longer to find a suitable test scenario where
only IPv6 traffic is managed using ConEx.
</t>
</section>

<section title="Conventions used in this document">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL","SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target='RFC2119' />.</t>
</section>

<!--<section anchor="background" title="Background">
<t>The ConEx working group came up with a list of requirements that had to be met by any ConEx coding. It then considered several alternative mechanisms in Ipv6 and evaluated their suitability for ConEx marking. There were no mechanisms found that were completely suitable, but the only mechanism that came close to meeting the requirements was IPv6 destination options. The analysis of the different alternatives can be found in [draft-krishnan-conex-ipv6].
</t>
</section>-->


<section title="Requirements for the coding of ConEx in IPv6">

<t>A set of requirements for an ideal concrete ConEx wire protocol is given in <xref target="I-D.ietf-conex-abstract-mech"/>. In the ConEx working group it was recognized that it will be difficult to find an encoding in IPv6 that satisfies all requirements.
<!-- It then considered several alternative mechanisms in Ipv6 and evaluated their suitability for ConEx signaling.</t><t>-->
The choice in this document to implement the ConEx information in a destination option aims to satisfy those requirements that constrain the placement of ConEx information:</t>

	<t>R-1: The marking mechanism needs to be visible to all ConEx-capable
	nodes on the path.</t>
	<t>R-2: The mechanism needs to be able to traverse nodes that do not
	understand the markings. This is required to ensure that ConEx can
	be incrementally deployed over the Internet.</t>
	<t>R-3: The presence of the marking mechanism should not significantly
	alter the processing of the packet. This is required to ensure that
	ConEx marked packets do not face any undue delays or drops due to a
	badly chosen mechanism.</t>
	<t>R-4: The markings should be immutable once set by the sender. At the
	very least, any tampering should be detectable.</t>

<t> Based on these requirements four solutions to implement the ConEx 
	information in the IPv6 header have been investigated: hop-by-hop options, 
	destination options, using IPv6 header bits (from the flow label), and new 
	extension headers. After evaluating the different solutions, the ConEx working group concluded 
	that the use of a destination option would best address these requirements.</t>

<t>Choosing to use a destination option does not necessarily satisfy the requirement for on-path visibility,
     because it can be encapsulated by additional IP header(s). Therefore, ConEx-aware network devices,
     including policy or audit devices, might have to follow the chain of (extension) headers into inner IP
     headers to find ConEx information.
     This choice was a compromise between fast-path performance of ConEx-aware network nodes and visibility, as discussed in Section 
     <xref target="fastpath"/>.</t>
</section>

<section title="ConEx Destination Option (CDO)">
	<t>The ConEx Destination Option (CDO) is a destination option that can be 
	included in IPv6 datagrams that are sent by ConEx-aware senders in order to 
	inform ConEx-aware nodes on the path about the congestion encountered by 
	packets earlier in the same flow or the expected risk of encountering congestion
	in the future. The CDO has an alignment requirement of (none). 
</t>
<figure title="ConEx Destination Option Layout" anchor="cdo_layout">
<artwork>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
                                +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                |  Option Type  | Option Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X|L|E|C|  res  |
+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<figure title="foo">
<artwork>
  Option Type

     8-bit identifier of the type of option. The option identifier
     for the ConEx destination option will be allocated by the IANA.

  Option Length

     8-bit unsigned integer.  The length of the option (excluding 
     the Option Type and Option Length fields). The sender MUST set
     this field to 1 but ConEx-aware nodes MUST accept an option
     length of 1 or more.

  X Bit

     When this bit is set, the transport sender is using ConEx with 
     this packet. If it is not set, the sender is not using ConEx with 
     this packet.

  L Bit

     When this bit is set, the transport sender has experienced a loss. 

  E Bit

     When this bit is set, the transport sender has experienced congestion signaled
     using Explicit Congestion Notification (ECN) [RFC3168].

  C Bit

     When this bit is set, the transport sender is building up 
     congestion credit in the audit function.

  Reserved (res)

     These four bits are not used in the current specification. They
     are set to zero on the sender and are ignored on the receiver.
</artwork>
</figure>
<t> All packets sent over a ConEx-capable TCP connection or belonging to the same ConEx-capable flow
	MUST carry the CDO. 
	The CDO is immutable. Network devices with ConEx-aware functions read the flags, but all 
	network devices MUST forward the CDO unaltered.
</t>
<t>CDO MUST be placed as the first option in the destination option header 
	before the AH and/or ESP (if present). IPsec Authentication Header (AH) MAY 
	be used to verify that the CDO has not been modified.
</t>
<t> If the X bit is zero, the other three bits are undefined and thus MUST be ignored 
	and forwarded unchanged by network nodes.
	The X bit set to zero means that the connection is ConEx-capable but this
	packet MUST NOT be counted when determining ConEx information in an audit function.
	This can be the case if no congestion feedback is (currently) available e.g. in TCP 
	if one endpoint has been receiving data but sending nothing but pure ACKs 
	(no user data) for some time. This is because pure ACKs do not advance 
	the sequence number, so the TCP endpoint receiving them cannot reliably tell 
	whether any have been lost due to congestion. 
	Pure TCP ACKs cannot be ECN-marked either <xref target="RFC3168"/>.
	<!-- This can be the case if no feedback on the congestion status is (currently) available 
	e.g. for control packets (not carrying any user data). As an example a TCP receiver 
	that only sends pure ACKs will usually send them as not-ConEx-capable as ACK usually 
	are not ECN-capable and TCP does not have a mechanism to announce ACK lost.
	Thus congestion information about ACKs are not available.
	An audit function should be aware of this possibility and SHOULD ensure that not a large amount of data is sent as not-ConEx capable with a ConEx capable connection.-->
</t>

<t> If the X bit is set, any of the other three bits (L, E, C) might be set.
	Whenever one of these bits is set, the 
	number of bytes carried by this IP packet (including the IP header that directly encapsulates 
	the CDO and everything that IP header encapsulates) SHOULD be counted to determine
	congestion or credit information. In IPv6 the number of bytes can easily
	be calculated by adding the number 40 (length of the IPv6 header in bytes) to the value 
	present in the Payload Length field in the IPv6 header. 
</t>
<t> <!--The total number of credits sent (in one connection) should always be larger than the sum of 
	losses and ECN marks that can be seen by an audit.-->
	A transport sends credits prior to the occurrence of congestion (loss
	or ECN-CE marks) and the amount of credits should cover the congestion risk. 
	This is further specified in <xref target="I-D.ietf-conex-abstract-mech"/> and described in detail
	for the case of TCP in <xref target="I-D.ietf-conex-tcp-modifications"/>.
	Note, the maximum congestion risk is that all packets in flight get lost or ECN marked.	
</t>
<t>If the L or E bit is set, a congestion signal in the form of a loss or, respectively, an ECN mark was previously experienced by the same connection. 
</t>
<t> In principle all of these three bits (L, E, C) 
	might be set in the same packet. In this case the packet size MUST be counted more than once
	for each respective ConEx information counter. 
	<!--In practice loss and ECN
	marks cannot occur at the same time, so there should usually be a way to signal the respective ConEx
	information in different packets.--> 
	<!--In many cases if congestion occurs the sender will not sent additional credit, but if e.g. a sender assumes losses because of an audit function or needs to maintain a certain	sending	rate to make an application layer service work, the occurrence of credit bits (c) in parallel to congestion exposure bit (L, E) is reasonable.-->
	<!--As new credits need to be send after the occurrence of congestion, a sender will usually set the C bit in parallel to the L or E bit.--> 
	<!--The C bit should be set to build up new credits
	if the sending rate is larger than at any previous time of the connection or the sender
	assumes a loss of audit state.-->
</t>
<t> If a network node extracts the ConEx information from a connection, it is expected to 
	hold this information in bytes, e.g. comparing the total number of bytes
	sent with the number of bytes sent with	ConEx congestion marks (L, E) to determine the
	current whole path congestion level. 
	Therefore a ConEx-aware node that processes the CDO MUST use the Payload Length field of the
	preceding IPv6 header for byte-based counting.
	When a ratio is measured and equally sized packets can be assumed, counting the number of packets
	(instead of the number of bytes) should deliver the same result. 
	But a network node must be aware that this estimation can be
	quite wrong if, e.g., differently sized packets are sent, and thus it is not reliable.
</t>
<t>All remaining bits in the CDO are reserved for future use (which are currently the last four bits of
    the eight bit option space). A ConEx sender SHOULD set the reserved bits in the CDO to zero.
	Other nodes MUST ignore these bits and ConEx-aware intermediate nodes
	MUST forward them unchanged, whatever their values. They MAY log the
	presence of a non-zero reserved field.	
</t>

<t>It might be possible to implement a proxy for a ConEx sender, as long as
	it is located where receiver feedback is always visible. A ConEx proxy
	MUST NOT introduce a CDO header into a packet already carrying one and it
	MUST NOT alter the information in any existing CDO header. However, it
	can add a CDO header to any packets without one, taking care not to
	disrupt any integrity or authentication mechanisms as well as to not exceed the MTU.
</t>

<t>The CDO is only applicable on unicast or anycast packets 
(see <xref target="I-D.ietf-conex-abstract-mech"/> note regarding item J on multicast at the end of section 3.3 for reasoning). 
<!--A ConEx sender MUST NOT send a packet with X = 1 (ConEx-capable) 
to a multicast address, and it SHOULD NOT even include the CDO in such a packet.-->
A ConEx sender MUST NOT send a packet with the CDO to a multicast address.
ConEx-capable network nodes MUST treat a multicast packet with the X flag set 
the same as an equivalent packet without the CDO, and they SHOULD forward it unchanged.
</t>

<t>As stated in <xref target="I-D.ietf-conex-abstract-mech"/> (see section 3.3 item N on network layer requirements) protocol specs should describe any warning or error messages relevant to the encoding. 
There are no warnings or error messages associated with the CDO. 
</t>
</section>



<section title="Implementation in the fast path of ConEx-aware routers" anchor="fastpath">
<t>The ConEx information is being encoded into a destination option so
	that it does not impact forwarding performance in the non-ConEx-aware
	nodes on the path.  Since destination options are not usually
	processed by routers, the existence of the CDO does not affect the
	fast path processing of the datagram on non-ConEx-aware routers, i.e.
	they are not pushed into the slow path towards the control plane for
	exception processing.</t>
	
<t>ConEx-aware nodes still need to process the CDO without severely
	affecting forwarding.  For this to be possible, the ConEx-aware
	routers need to quickly ascertain the presence of the CDO and process
	the option if it is present. To efficiently perform this, the CDO
	needs to be placed in a fairly deterministic location.  In order to
	facilitate forwarding on ConEx-aware routers, ConEx-aware senders that
	send IPv6 datagrams with the CDO MUST place the CDO as the first
	destination option in the destination options header.</t>
</section>

<section title="Tunnel Processing">
<t>As with any destination option, an ingress tunnel endpoint will not natively copy the CDO 
	when adding an encapsulating outer IP header. In general an ingress tunnel SHOULD NOT 
	copy the CDO to the outer header as this would change the number of bytes that would 
	be counted. However, it MAY copy the CDO to the outer header
	in order to facilitate visibility by subsequent on-path ConEx functions if 
	the configuration of the tunnel ingress and the ConEx nodes is co-ordinated.
	<!-- the tunnel ingrees is aware of these nodes and these nodes are aware of the tunneling.-->
	This trades off the performance of ConEx functions against that of tunnel processing. 
</t>
<t>An egress tunnel endpoint SHOULD ignore any CDO on decapsulation of an 
	outer IP header. The information in any inner CDO will always be
	considered correct, even if it differs from any outer CDO. Therefore, 
	the decapsulator can strip the outer CDO without comparison to the inner. 
	A decapsulator MAY compare the two, and MAY log any case where they differ.
	However, the packet MUST be forwarded irrespective of any such anomaly,
	given an outer CDO is only a performance optimization. 
</t>

<t>A network node that assesses ConEx information SHOULD search for 
	encapsulated IP headers until a CDO is found. At any specific network 
	location, the maximum necessary depth of search is likely to be the same 
	for all packets.</t>
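<t>The following Python sketch is an added example, not part of the draft or of any ConEx implementation. It combines the CDO layout and byte-counting rules of the ConEx Destination Option section with the inner-header search described in this section: it inspects only the first option slot, skips a CDO on a multicast packet, counts 40 plus the Payload Length of the header that directly carries the CDO, and descends into encapsulated IPv6 headers up to a configured depth. Assumptions: the option type is a placeholder because the draft leaves it as TBA1, and the names find_cdo, FlowCounters, ipv6, dstopts and demo, as well as the sample packets, are constructed for illustration.</t>
<figure>
<artwork><![CDATA[
```python
import struct
from dataclasses import dataclass

# Placeholder: the draft leaves the option type as TBA1. Any value with
# act bits 00 and chg bit 0 satisfies the constraints stated in the draft.
CDO_TYPE_PLACEHOLDER = 0x1E
NH_HOPOPTS, NH_IPV6, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS = 0, 41, 43, 44, 51, 60
IPV6_HDR_LEN = 40

@dataclass
class Cdo:
    x: bool
    l: bool
    e: bool
    c: bool
    reserved: int      # ignored by the node; a non-zero value MAY be logged
    packet_bytes: int  # 40 + Payload Length of the header carrying the CDO
    depth: int         # 0 = outermost IP header, 1 = first inner header, ...

def find_cdo(pkt, cdo_type=CDO_TYPE_PLACEHOLDER, max_depth=2):
    """Return the first CDO found, descending into at most max_depth inner IPv6 headers."""
    off, depth = 0, 0
    while depth <= max_depth:
        if len(pkt) < off + IPV6_HDR_LEN or pkt[off] >> 4 != 6:
            return None
        payload_len, nh = struct.unpack_from("!HB", pkt, off + 4)
        multicast = pkt[off + 24] == 0xFF
        pos = off + IPV6_HDR_LEN
        while nh != NH_IPV6:
            if nh == NH_FRAGMENT:
                ext_len = 8
            elif nh in (NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS, NH_AH) and len(pkt) >= pos + 2:
                ext_len = (pkt[pos + 1] + 2) * 4 if nh == NH_AH else (pkt[pos + 1] + 1) * 8
            else:  # ESP, an upper-layer protocol, or a truncated header
                return None
            if len(pkt) < pos + ext_len:
                return None
            # The CDO MUST be the first option, so only that slot is inspected.
            # A CDO on a multicast packet is treated as if it were absent.
            if (nh == NH_DSTOPTS and not multicast and pkt[pos + 2] == cdo_type
                    and 1 <= pkt[pos + 3] <= ext_len - 4):
                f = pkt[pos + 4]
                return Cdo(bool(f & 0x80), bool(f & 0x40), bool(f & 0x20),
                           bool(f & 0x10), f & 0x0F, IPV6_HDR_LEN + payload_len, depth)
            nh, pos = pkt[pos], pos + ext_len
        off, depth = pos, depth + 1  # tunnel: continue at the encapsulated header
    return None

@dataclass
class FlowCounters:
    conex_bytes: int = 0   # bytes in packets with X set
    loss_bytes: int = 0
    ecn_bytes: int = 0
    credit_bytes: int = 0

    def account(self, cdo):
        if cdo is None or not cdo.x:  # X = 0: L, E, C are undefined, packet not counted
            return
        self.conex_bytes += cdo.packet_bytes
        # A packet carrying several marks is counted once in each matching counter.
        self.loss_bytes += cdo.packet_bytes if cdo.l else 0
        self.ecn_bytes += cdo.packet_bytes if cdo.e else 0
        self.credit_bytes += cdo.packet_bytes if cdo.c else 0

def ipv6(next_header, payload, dst=bytes(15) + b"\x01"):
    """Constructed sample IPv6 header (source ::, hop limit 64) followed by payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(16) + dst + payload

def dstopts(next_header, flags, cdo_type=CDO_TYPE_PLACEHOLDER):
    """Constructed 8-byte Destination Options header: CDO first, then PadN."""
    return bytes([next_header, 0, cdo_type, 1, flags, 1, 1, 0])

def demo():
    """Account one constructed tunneled packet whose inner header carries X, L and E."""
    inner = ipv6(NH_DSTOPTS, dstopts(59, 0xE0) + bytes(20))
    counters = FlowCounters()
    counters.account(find_cdo(ipv6(NH_IPV6, inner)))
    return counters
```
]]></artwork>
</figure>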

</section>

<section title="Compatibility with use of IPsec">

<t>If the transport network cannot be trusted, IPsec Authentication should be used to 
	ensure integrity of the ConEx information. If an attacker were able to 
	remove the ConEx marks, this could cause an audit device to penalize 
	the respective connection, while the sender cannot easily
	detect that ConEx information is missing. 
</t>
<t>In IPv6 a Destination Option header can be placed in two possible positions 
	in the order of possible headers, either before the Routing header or 
	after the Encapsulating Security Payload (ESP) header <xref target="RFC2460"/>. 
	As the CDO is placed in the destination option header before the AH and/or ESP,
	it is not encrypted in transport mode <xref target="RFC4301"/>. Otherwise, if the CDO were placed in the latter position 
	and an ESP header were used, the CDO would also be encrypted and could not be interpreted 
	by ConEx-aware devices.
</t> 
<t>The IPv6 protocol architecture currently does not provide a mechanism 
	for new headers to be copied to the outer IP header. Therefore if IPsec encryption 
	is used in tunnel mode, ConEx information cannot be accessed over the extent of the ESP tunnel.
</t>
<!--<t> If the packet is encrypted using IPSec tunnel mode, the CDO MUST 
	be placed in the destination option before the Routing header such that it does not get 
	encrypted and can be read by ConEx-aware nodes. Note as the Authentication Header (AH)
	also only protects fields after the AH header, the CDO is not authenticated in this case.
</t>
<t>In IPSec transport mode both destination option headers can be used, as the CDO is in both cases
	visible to the network. 
	If the transport network cannot be trusted, the Destination Option header after the ESP header
	SHOULD be used to ensure integrity of the ConEx information. 
	If an attacker would be able to remove the ConEx marks, this could
	cause an audit device to penalize the respective connection, while the sender cannot easily
	detect that ConEx information is missing. 
</t>-->
</section>

<section title="Mitigating flooding attacks by using preferential drop ">
<t>This section is aspirational, and not critical to the use of ConEx for
	more general traffic management. However, once CDO information is
	present, the CDO header could optionally also be used in the data plane
	of any IP-aware forwarding node to mitigate flooding attacks. 
</t>

<t>Please note that ConEx is an experimental protocol and that any kind of mechanism that
reacts to information provided by the ConEx protocol needs to be evaluated in experimentation as well.
This is also true, or especially true, for the preferential drop mechanism described below.</t>
	
<t>Preferentially dropping packets that are not ConEx-capable or do not carry a ConEx mark
    can be beneficial to mitigate flooding attacks, as ConEx-marked packets can be assumed to be
    already restricted by a ConEx ingress policer as further described in
    <xref target="I-D.ietf-conex-abstract-mech"/>. Therefore the following ConEx-based preferential dropping scheme is proposed:</t>

<t>If a router queue experiences very high load so that it has
	to drop arriving packets, it MAY preferentially drop packets within the same
	DiffServ PHB using the preference order given in <xref target="Tab1"/> (1 means drop first).
	Additionally, if a router implements preferential drop based on ConEx it SHOULD also support ECN-marking.
	Even though preferential dropping can be difficult to implement on some hardware,
	<!--but if feasible it would discriminate against attack traffic
	if done as part of the overall policing framework as described in 
	<xref target="I-D.ietf-ConEx-abstract-mech"/>.-->
    if nowhere else, routers at the egress of
	a network SHOULD implement preferential drop based on ConEx markings (stronger than the MAY above).
</t>
	
<texttable anchor="Tab1" align="center" title="Drop preference for ConEx packets">
	<ttcol align="left"></ttcol> <ttcol align="center">Preference</ttcol>
	<c>Not-ConEx or no CDO</c> <c>1 (drop first)</c>
	<c>X (but not L,E or C)</c> <c>2</c>
	<c>X and L,E or C</c> <c>3</c>
</texttable>	
	
<t> A flooding attack is inherently about congestion of a resource.
	<!--Because ConEx policing ensures the sources causing network congestion
        experience the cost of their own actions, it acts as a first line of
        defence against DDoS.-->
	As load focuses on a victim, upstream queues
	grow, requiring honest sources to pre-load packets with a higher
	fraction of ConEx-marks.  
</t>
<t>If ECN marking is supported by downstream queues, preferential dropping
	provides the most benefits because, if the queue is so congested 
	that it drops traffic, it will be CE-marking 100% of any forwarded traffic.  
	Honest sources will therefore be sending 100% ConEx E-marked packets 
	(and subject to rate-limiting at an ingress policer).</t>

<t>Senders under malicious control can either do the same as honest
	sources, and be rate-limited at ingress, or they can understate
	congestion and not set the E bit.</t>
    
<t>If the preferential drop ranking is implemented on
	queues, these queues will preserve E/L-marked
	traffic until last.  So, the traffic from malicious sources
	will all be automatically dropped first.  Either way, malicious
	sources cannot send more than honest sources.
    Therefore ConEx-based preferential dropping as described above
    discriminates against attack traffic
    if done as part of the overall policing framework as described in
    <xref target="I-D.ietf-conex-abstract-mech"/>.
</t>
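<t>The following Python sketch is an added example, not part of the draft. It models a bounded queue that applies the drop preference table above within one DiffServ PHB and replays a constructed flood of unmarked packets against marked ones. Assumptions: evicting an already queued packet of lower rank in favour of the arriving one, and falling back to tail drop on ties, are choices of this sketch; the draft only gives the preference order. All names and sample packets are constructed.</t>
<figure>
<artwork><![CDATA[
```python
from dataclasses import dataclass
from typing import List, Optional

X, L, E, C = 0x80, 0x40, 0x20, 0x10   # CDO flag bits, most significant bit first

@dataclass
class Packet:
    name: str
    phb: str                 # DiffServ per-hop behaviour the packet is queued under
    flags: Optional[int]     # CDO flags byte, or None when the packet carries no CDO

def drop_preference(pkt):
    """Rank from the draft's table: 1 is dropped first, 3 is preserved longest."""
    if pkt.flags is None or not pkt.flags & X:
        return 1             # Not-ConEx or no CDO (L, E, C are undefined when X = 0)
    return 3 if pkt.flags & (L | E | C) else 2

class PreferentialDropQueue:
    def __init__(self, capacity):
        self.capacity = capacity
        self.packets: List[Packet] = []

    def enqueue(self, pkt):
        """Queue pkt; when full, drop one packet and return it (None if nothing dropped)."""
        if len(self.packets) < self.capacity:
            self.packets.append(pkt)
            return None
        # Only packets in the same PHB compete. The arriving packet is listed
        # first, so a tie in rank falls back to plain tail drop.
        candidates = [pkt] + [p for p in self.packets if p.phb == pkt.phb]
        victim = min(candidates, key=drop_preference)
        if victim is not pkt:
            self.packets = [p for p in self.packets if p is not victim]
            self.packets.append(pkt)
        return victim

def simulate_flood():
    """Constructed arrivals: unmarked flood packets interleaved with marked ones."""
    arrivals = [Packet("a1", "BE", None), Packet("a2", "BE", None),
                Packet("h1", "BE", X), Packet("h2", "BE", X | E),
                Packet("a3", "BE", E), Packet("h3", "BE", X | L),
                Packet("h4", "BE", X | E), Packet("v1", "EF", X | C)]
    queue = PreferentialDropQueue(capacity=3)
    dropped = [d.name for d in map(queue.enqueue, arrivals) if d is not None]
    return dropped, [p.name for p in queue.packets]
```
]]></artwork>
</figure>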
</section>

<section title="Acknowledgements">
<t>The authors would like to thank Marcelo Bagnulo, Bob Briscoe, Ingemar Johansson, Joel Halpern 
	and John Leslie for the discussions that led to this document.
</t>
<t>Special thanks to Bob Briscoe who contributed text and analysis work on preferential dropping.
</t>
</section>

<section anchor="security" title="Security Considerations">
<t><xref target="I-D.ietf-conex-abstract-mech"/> describes the overall audit framework for assuring 
that ConEx markings truly reflect actual path congestion. This 
section focuses purely on the security of the encoding chosen for 
ConEx markings.</t>

<t>The chg bit in the CDO option type field is set to zero, meaning that 
the CDO option is immutable. If IPsec AH is used, a zero chg bit 
causes AH to cover the CDO option so that its end-to-end integrity 
can be verified, as explained in Section 4.</t>

<t>This document specifies that the Reserved field in the CDO must be 
ignored and forwarded unchanged even if it does not contain all 
zeroes. The Reserved field is also required to sit outside the 
Encapsulating Security Payload (ESP), at least in transport mode (see
Section 7). This allows the sender to use the Reserved field 
as a 4-bit-per-packet covert channel to send information to an
on-path node outside the control of IPsec. However, a covert channel 
is only a concern if it can circumvent IPsec in tunnel mode and, in 
the tunnel mode case, ESP would close the covert channel as outlined 
in Section 7. </t>
</section>

<section title="IANA Considerations">
<t>
   This document defines a new IPv6 ConEx destination option for carrying ConEx
   markings.  IANA is requested to assign a new destination option
   type in the Destination Options registry maintained at

   http://www.iana.org/assignments/ipv6-parameters

   &lt;TBA1&gt; ConEx Destination Option [RFCXXXX]

   The act bits for this option need to be 00. The chg bit needs to be 0.

   The destination IP stack will not usually process the CDO,
   therefore the sender can send a CDO without checking if the
   receiver will understand it. The CDO MUST still be forwarded to the
   destination IP stack, because the destination might check the
   integrity of the whole packet, irrespective of whether it
   understands ConEx.
   
   Please also update the description of the Option Type in section 4 after assignment!

</t>
</section>

</middle>

<back>
<references title="Normative References">

	&rfc2119;
    &rfc2460;
    &rfc3168;
    &rfc4301;
    &rfc4302;

	&I-D.ietf-conex-abstract-mech;

</references>
<references title="Informative References">

    &rfc6789;

	&I-D.ietf-conex-tcp-modifications;

</references>
</back>
</rfc>
