Академический Документы
Профессиональный Документы
Культура Документы
Robust ECN
Robust Explicit Congestion Notification, referred to as Robust ECN, is an Experimental Protocol for the Internet community. Robust ECN is defined in Request for Comments 3540 issued in June 2003. RFC 3540 is an optional addition to RFC 3168 (Explicit Congestion Notification, or ECN). The goal of ECN is to enhance the speed performance of TCP connections and reduce the severity y of Internet congestion. g The goal of the Robust ECN extension is to improve TCP robustness against malicious concealment of packet losses. To explain how Robust ECN works, a high-level understanding of ECN is needed.
Client
Server
ECN-Capable Routers
0 THmin THmax C
Donotdiscard
Discardwithincreasing probability
Discard
ECN-capable routers employ an active queue management (AQM) protocol that discards packets proactively upon detecting an incipient congestion. The most popular type of AQM routers is RED (Random Early Detection) routers, for example, Cisco WRED routers. The router drops packet probabilistically when the average size of the queue of packets is between two thresholds thresholds, THmin i and THmax where Thmax is less than the capacity of the buffer, C. For ECN-capable TCP connections, the router does not drop the packet at the time i of f incipient i i i congestion. i Instead I d , the h router marks k (tags) ( ) the h packet k by b setting a Congestion Experienced (CE) code in two bits in the IP header. When the receiver receives a marked bit, it should notify y the sender by y setting the ECN-Echo bit in the TCP header.
Donotdiscard
Markordiscardwith increasingprobabilityPa
Discard
Pa is called the packet dropping probability or packet marking probability if (avg < THmin) { accept and queue packet } else if (THmin avg THmax) {calculate probability Pa; with probability Pa Mark or discard p packet otherwise with probability 1 Pa queue packet } else if (avg > THmax) { discard packet } q = length of the queue avg = average length l h of f the h queue Computing Pa F = (avg - THmin)/(THmax THmin) Pb = F Pmax 0F1 Pa = Pb / (1 - count Pb) = 1/ ({1/ Pb} - count )
ECN-Capable Routers
Congestion is detected
Sender
ECN Router
Receiver
Congestion is detected
ECN packet
Sender
ECN-Echo is set
ECN Router
CE is set
ECN-Echo is set
Receiver
When the sender receives an ACK with ECN ECN-Echo Echo set, it should react to the congestion in the same way it would have reacted if the packet was lost, i.e., the sender should reduce its transmission rate by reducing its congestion window, cwnd.
The sender sets ECT(1) or ECT(0) in the ECN field of the IP header on outgoing packets to indicate to routers that the TCP connection is ECN-Capable. ECN Capable Basically, Basically the sender is promising the router that the TCP connection will reduce its transmission rate if the router marks the packet instead of dropping it. This is a win-win win win situation because the TCP connection will save the overhead of retransmitting the packet but will also reduce its transmission rate, thereby helping in alleviating the congestion of the router.
Bits 6 and 7 in the IPv4 Differentiated Services Field are designated g as the ECN field. The two bits have been approved for experimental use for ECN.
ECN uses two bits in the TCP header. h d The Th two t bits bit are bits 8 and 9 of the unused Reserved bits in the FLAGS field. field When the receiver receives a packet with CE indication, it notifies the sender of the detected congestion g by y setting g the ECN-Echo (ECE) bit in the returned ACK.
TCP Sender sets both ECE and CWR in SYN packet TCP Receiver sets only y ECE in SYN-ACK p packet A host must not set ECT in SYN or SYN-ACK packets
SomefaultyfirewallseitherdropanECNsetupSYNpacketorrespond withanRSTTCPpacket
ECN-capable routers treat the ECT(0) and ECT(1) codepoints as equivalent. Senders are free to use either the ECT(0) or the ECT(1) codepoint to indicate ECT, on a packet-by-packet basis. For a router, the CE codepoint (binary code 11) of an ECN-Capable packet should only be set if the router would otherwise have dropped the packet as an indication of congestion to the end nodes. When the router's buffer is not yet full and the router is prepared to drop a packet to inform end nodes of incipient congestion, the router should first check to see if the ECT codepoint d i t is i set t (i.e., (i binary bi code d 10 or 01) in i that th t packet's k t' IP header. h d If so, then instead of dropping the packet, the router sets the CE codepoint in the IP header.
Advantages of ECN
ECN p prevents unnecessary yp packet drops p at routers resulting g in less retransmissions and improvement in throughput ECN avoids timeouts by getting faster notification to end hosts Less retransmissions also means less traffic on the network
Robust ECN
The correct operation of ECN requires the cooperation of the receiver to return Congestion Experienced signals to the sender but the ECN protocol lacks a mechanism to enforce sender, this cooperation. This raises the possibility that a malicious or poorly implemented receiver could always clear ECN-Echo and d refuse f to return congestion i signals i l to the h sender. d This hi would give the receiver a performance advantage at the expense p of other TCP connections that behave p properly. p y The ECN-nonce is a simple, efficient mechanism to eliminate the potential abuse of TCP connections. connections
Robust ECN
The ECN-nonce enables the sender to verify the correct behavior of the ECN receiver and that there is no other interference that conceals l marked k d or dropped d d packets k t in i the th routing ti path. th The Th ECN nonce protects against implementation errors and deliberate abuse. The ECN nonce: catches a misbehaving receiver with a high probability, and never implicates an innocent receiver. does not change other aspects of ECN, nor does it reduce the benefits of ECN for behaving receivers. is cheap in both per-packet per packet overhead and processing requirements; it introduces only one new bit in the TCP header which is bit 7 of the unused Reserved bits in the TCP FLAGS field.
Robust ECN
The use of the ECN-nonce has two additional benefits, even when only non-ECN routers are used (i.e., even if all routers drop ECN packets and never mark them). With Robust ECN, ECN packet drops (losses) cannot be concealed from the sender. Robust ECN prevents optimistic TCP acknowledgements , in which hi h TCP segments t are acknowledged k l d d before b f they th have h been b received.
The above benefits also serve to increase the robustness of congestion control from attacks.
Abusing ECN
Receiverhidesdroppedandmarkedpacketsandcontinuouslysends gtheECNEchobit. normalACKswithoutenabling Senderisnotawareofthecongestionandkeepsincreasingits sendingrate.
There is no congestion. I will increase cwnd
ECN packet
Congested
Illustration
The sender uses the two ECN bits in the IP header to attach a nonce with each packet.
Value 00 10 01 11 Name Not-ECT (Not ECN Capable Transport) ECT(0) (ECN Capable Transport (0) ) Nonce = 0 ECT(1) (ECN Capable Transport(1) ) CE (Congestion Experienced) Nonce = 1
The binary variable Nonce Sum is initially to zero in both the sender and receiver. When acknowledging a received packet, the receiver should return to the sender the current value of the Nonce Sum variable via the NS bit in the TCP header. The following slide shows different scenarios.
Packet Number
Nonce
Congestion inpath
ECTbits received
ValueofNS atreceiver
1 2 3 4 5 6
10 01 01 01 10 10
0 1 1 1 0 0
No No No No No Yes
10 01 01 01 10 11
0 1 0 1 1 unknown
For packet 6, the honest TCP receiver gets a marked data packet with CE indication. The value of NS cannot be determined. The receiver sets the ECE fl i flag in th the TCP ACK h header d t to 1 1. ECE =1 1 i implies li th that t th the nonce sum bit (denoted by * in the above table) does not store a valid value.
Packet Number
Nonce
Congestion inpath
ECTbits received
ValueofNS atreceiver
1 2 3 4 5 6
10 01 01 01 10 10
0 1 1 1 0 0
No No No No No Yes
10 01 01 01 10 11
0 1 0 1 1 unknown
For packet 6, the malicious TCP receiver hides the CE indication and does not echo it to the sender. sender The receiver sends normal ACK containing a guess for the value of NS.
20
15
10 Slow start t t 5
Round-trip times
Congestionwind dow
Time(s)
Honest Receiver
Malicious Receiver
The malicious TCP C receiver hides p packet losses. Multiple malicious TCP users could cooperate to congest the server.
cwnd d
2 3 4 5 6 7 8
cwnd d
Conge estionwindow w
Time(s)
Conge estionwindow w
Time(s)
Honest Receiver
Receiver Accelerator
The malicious Th li i accelerator l t causes the th sender d to t double d bl the th congestion ti window i d and d thus double its sending rate much earlier than normal. The sender reaches its maximum sending rate very quickly and stays at this maximum rate.
Additional Remark
The approach of Robust ECN is to use binary nonces to detect if the receiver is cheating and is hiding packet losses by guessing the value of the nonce sum. Any guess is equally likely to be wrong and has a 50-50 chance of being caught by the sender. d Because each h new acknowledgement k l d is i an independent i d d trial, i l a cheating h i receiver is likely to be caught after a small number of lies. The e binary b a y nonce o ce approach app oac is s used in so some e ot other e secu security ty p protocols otoco s such suc as Fiat Shamir protocol used for entity authentication in real-time client server sessions. Each round consists of three message exchanges and uses a binary nonce . A dishonest claimant (attacker) has a probability of 0.5 for authenticating th ti ti successfully f ll in i each h round. d Using U i 20 rounds, d the th chances h of f success is reduced to approximately 1 in one million. 802.11i protocol used for Wireless LAN Security. In the EAP Exchange of g from AS and the response p the 802.11i Authentication Phase, the challenge from STA may be repeated multiple times (often requiring 10 to 20 round trips for TLS tunneling).
EAP = Extensible Authentication Protocol AS = Authentication Server STA = Station TLS = Transport Layer Security Protocol
http://www.icir.org/floyd/ecn.html http://www.icir.org/floyd/ecnProblems.html
Many of the offending machines/products were identified, and an earlier web page was developed containing a list of non-compliant products and the fixes posted by the vendors vendors.
http://gtf.org/garzik/ecn/
However, the above web page was lost in a hard drive storm crash and is no However longer maintained.