IP
... Congestion Experienced (CE) codepoint in the IP
header of packets from ECN-capable transports. We describe when the
...
... standards process. We also describe in this document the issues
involving the use of ECN within IP tunnels, and within IPsec tunnels
...
... deployable. One challenge to the principle of incremental deployment
has been the prior existence of some IP tunnels that were not
compatible with the use of ECN. As ECN becomes deployed, non-compatible
IP tunnels will have to be upgraded to conform to this document.
...
... 2481(-> 3168prop), "A Proposal to add Explicit
Congestion Notification (ECN) to IP", which defined ECN as an
Experimental Protocol ...
... Headers", in defining the ECN field
in the IP header, RFC 2401(-> 4301prop), "Security Architecture for the Internet
Protocol" to change the handling of IPv4 ...
* Many routers process the "regular" headers in IP packets more
efficiently than they process the header information in IP
options. This suggests keeping congestion experienced
information in the regular headers of an IP packet.
* It must be recognized that not all end-systems will cooperate in
...
... codepoint in the packet
header instead of dropping the packet, when such a field is provided
in the IP header and understood by the transport protocol. The use
of the CE ...
... Explicit Congestion Notification in IP ...
... notification can sometimes be through marking
packets rather than dropping them. This uses an ECN field in the IP
header with two bits, making four ECN codepoints ...
... router should first check to
see if the ECT codepoint is set in that packet's IP header. If so,
then instead of dropping the packet, the router MAY instead set the
...
... CE codepoint set in an
IP packet causes the transport layer to respond, in terms of
congestion control ...
... codepoint into the CE codepoint in the IP
header. We recognize that this is not the current practice, nor is
it in current standards. However, encouraging experimentation in this
manner may provide the information needed to enable evolution of
...
... congestion. In other words, if any fragment of an IP packet to be
reassembled has the CE codepoint ...
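The two-bit ECN field, the router's decision to set CE instead of dropping an ECT packet, and the rule that a CE mark on any fragment survives reassembly, as an added Python example (not code from RFC 3168 or any router implementation). It parses the DS-field octet of a constructed 20-byte IPv4 header (IHL 5, no options, made-up addresses and identification), marks an ECT packet CE while recomputing the header checksum that, as the text notes, protects the header, and merges the CE indication across fragments. The checksum-mismatch drop and the error raised for fragments that disagree on ECT are this example's choices; the page only states the CE case.

```python
import struct

# ECN codepoints in the low two bits of the IPv4 TOS / DS-field octet (RFC 3168, Figure 1).
NOT_ECT = 0b00
ECT1 = 0b01
ECT0 = 0b10
CE = 0b11
ECN_NAMES = {NOT_ECT: "not-ECT", ECT1: "ECT(1)", ECT0: "ECT(0)", CE: "CE"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, with the checksum field treated as zero."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), bytes(hdr)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(dscp: int, ecn: int, src: str, dst: str, payload_len: int = 20) -> bytes:
    """Constructed sample header (20 bytes, IHL 5): DS-field octet = DSCP << 2 | ECN.
    Identification, flags, TTL and protocol are fixed made-up values."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x03)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000, 64, 6, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ecn_of(header: bytes) -> int:
    return header[1] & 0x03          # bits 6 and 7 of the old ToS octet


def dscp_of(header: bytes) -> int:
    return header[1] >> 2            # the six Differentiated Services bits


def router_congestion_action(header: bytes):
    """What an ECN-aware router does to a packet it has chosen to signal congestion on.
    Returns (action, header_to_forward); action is 'mark', 'drop' or 'forward'."""
    if ipv4_checksum(header) != int.from_bytes(header[10:12], "big"):
        return "drop", None          # header bit error; the checksum covers the ECN field too
    ecn = ecn_of(header)
    if ecn == NOT_ECT:
        return "drop", None          # transport is not ECN-capable: the only signal is a drop
    if ecn == CE:
        return "forward", header     # already marked upstream; nothing more to signal
    # ECT(0) or ECT(1): set CE, leave the DSCP alone, and recompute the checksum,
    # since rewriting the octet invalidates the stored value.
    hdr = bytearray(header)
    hdr[1] = (hdr[1] & 0xFC) | CE
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return "mark", bytes(hdr)


def reassembled_ecn(fragment_headers) -> int:
    """ECN codepoint of a packet reassembled from fragments: a CE mark on any fragment
    gives a CE packet; otherwise all fragments must agree (example's own strictness)."""
    codepoints = {ecn_of(h) for h in fragment_headers}
    if CE in codepoints:
        return CE
    if len(codepoints) != 1:
        raise ValueError("fragments disagree on ECT: %s" % sorted(ECN_NAMES[c] for c in codepoints))
    return codepoints.pop()


if __name__ == "__main__":
    pkt = build_ipv4_header(0, ECT0, "10.0.0.1", "10.0.0.2")
    action, marked = router_congestion_action(pkt)
    print(action, ECN_NAMES[ecn_of(marked)], hex(int.from_bytes(marked[10:12], "big")))
```

Flipping a single bit in the DS-field octet of a captured header and feeding it to `router_congestion_action` shows the checksum check rejecting it, which is the IPv4 protection against bit errors the text refers to; it is not protection against deliberate modification, which is the tunnel and IPsec discussion later on the page.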
... transport protocol, in addition to the
functionality given by the ECN field in the IP packet header. The
transport protocol ...
... Thus, ECN uses the ECT and CE flags in the IP header (as shown in
Figure 1) for signaling between routers ...
... data
packets with ECT and CE codepoints set in the IP header, then
that host MUST process these packets as specified for an ECN ...
... data packets are transmitted with
an ECT codepoint set in the IP header. When only one ECT codepoint
is needed by a sender ...
... TCP implementations MUST NOT set
either ECT codepoint (ECT(0) or ECT(1)) in the IP header for
retransmitted data packets, and that the TCP ...
... sequence
numbers, with the CE codepoint set in the IP header. On receiving
this spoofed data packet ...
... CE packets).
We argue that the addition of ECN to the IP architecture will not
significantly increase the current vulnerability ...
... ECN field.
We note that in IPv4, the IP header is protected from bit errors by a
header checksum ...
... places, including IPsec and IP in IP [RFC2003]. This section
considers issues related to interactions between ECN and IP tunnels,
and specifies two alternative solutions. This discussion is
...
... discussion of interactions between
Differentiated Services and IP tunnels of various forms [RFC2983],
as Differentiated Services uses the remaining six bits of the IP
header octet that is used by ECN (see Figure 2 in Section 5).
Some IP tunnel modes are based on adding a new "outer" IP header that
encapsulates the original, or "inner" IP header and its associated
packet. In many cases, the new "outer" IP header may be added and
removed at intermediate points along a connection ...
... connection endpoints. ECN interacts with IP tunnels based on the
treatment of the ECN field in the IP header. In simple IP tunnels
the octet containing the ECN field is copied or mapped from the inner
IP header to the outer IP header at IP tunnel ingress, and the outer
header's copy of this field is discarded at IP tunnel egress. If the
outer header were to be simply discarded without taking care to deal
...
... (Congestion Experienced) codepoint within a packet in a simple IP
tunnel, this indication would be discarded at tunnel egress, losing
the indication of congestion ...
...
Thus, the use of ECN over simple IP tunnels would result in routers
attempting to use the outer IP header to signal congestion to
endpoints ...
... ECN in the outer header of
an IP tunnel might raise security concerns because an adversary could
tamper with the ECN ...
... concerns and the resultant risks, our overall approach is to make
support for ECN an option for IP tunnels, so that an IP tunnel can be
specified or configured either to use ECN or not to use ECN ...
... endpoints.
Support for these options requires varying amounts of changes to IP
header processing at tunnel ingress and egress. A small subset of
these changes sufficient to support only the limited-functionality
...
... option would be sufficient to eliminate any incompatibility between
ECN and IP tunnels.
One goal of this document is to give guidance about the tradeoffs
...
... The limited-functionality option for ECN encapsulation in IP tunnels
is for the not-ECT codepoint to be set in the outside (encapsulating)
...
... flow does not have ECN support for that part of
the path that is using IP tunneling, even if the encapsulated packet
...
... flow can take advantage of ECN
in those parts of the path that might use IP tunneling. The
disadvantage of the full-functionality option from a security
perspective is that the IP tunnel cannot protect the flow from
certain modifications to the ECN bits in the IP header within the
tunnel. The potential dangers from modifications to the ECN bits in the
IP header are described in detail in Sections 18 and 19.
(1) An IP tunnel MUST modify the handling of the DS field octet at
IP tunnel endpoints by implementing either the limited-functionality
or the full-functionality option.
(2) Optionally, an IP tunnel MAY enable the endpoints of an IP
tunnel to negotiate the choice between the limited-functionality
and the full-functionality option for ECN in the tunnel ...
...
The minimum required to make ECN usable with IP tunnels is the
limited-functionality option, which prevents ECN from being enabled
...
... option.
All IP tunnels MUST implement the limited-functionality option, and
SHOULD support the full-functionality option.
...
... The presence of a copy of the ECN field in the inner header of an IP
tunnel mode packet provides an opportunity for detection of
unauthorized modifications to the ECN field in the outer header ...
... document:
* If the IP tunnel uses the full-functionality option, then the
not-ECT codepoint should be set in the outer header ...
... a cause of concern.
Consider the case of an IP tunnel where the tunnel ingress point has
not been updated to this document's requirements ...
... tunnel
egress point has been updated to support ECN. In this case, the IP
tunnel is not explicitly configured to support the full-functionality
ECN option. However, the tunnel ...
... header, and should be forwarded otherwise.
An IP tunnel cannot provide protection against erasure of congestion
...
... connection. IPsec tunnel mode is based on adding a new "outer" IP
header that encapsulates the original, or "inner" IP header and its
associated packet. Tunnel mode security headers are inserted between
these two IP headers. In contrast to transport mode, the new "outer"
...
... tunnel egress, ensuring that
security threats based on modifying the IP header do not propagate
beyond that tunnel endpoint. Further discussion ...
... IPsec protocol, as defined in [ESP, AH], does not include the IP
header's ECN field in any of its cryptographic calculations (in the
case of tunnel mode, the outer IP header's ECN field is not
included). Hence modification of the ECN ...
... decapsulation processing allows
or forbids ECN usage in the outer IP header.
* An optional Security Association ...
... decapsulation
processing to allow or forbid ECN usage in the outer IP header
based on the value of the SAD field. When ECN usage is allowed
in the outer IP header, the ECT codepoint is set in the outer
header ...
... support for ECN congestion notifications based on the outer IP header
to be negotiated for IPsec tunnels ...
...
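The limited-functionality and full-functionality tunnel options, the inner/outer comparison at tunnel egress, and the IPsec SAD field that allows or forbids ECN in the outer header, as one added Python example (not code from RFC 3168, any IPsec stack or any tunnel implementation). `SecurityAssociation` is a hypothetical stand-in for the per-SA field, since the page does not name it; `congested_ecn_router` is a constructed model of one marking router on the path inside the tunnel. The drop for a packet arriving with CE in the outer header and not-ECT in the inner header follows the rule the text states for that combination; flagging (rather than dropping) the other inner/outer inconsistencies is this example's own choice, as the page only says such packets "could be a cause of concern".

```python
# ECN codepoints carried in the low two bits of the DS-field octet.
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11
NAMES = {NOT_ECT: "not-ECT", ECT1: "ECT(1)", ECT0: "ECT(0)", CE: "CE"}

LIMITED = "limited-functionality"
FULL = "full-functionality"


class SecurityAssociation:
    """Hypothetical stand-in for the per-SA field in the SAD that allows or forbids ECN
    usage in the outer IP header. The page names no attribute, so this is an assumption."""

    def __init__(self, ecn_in_outer_header: bool):
        self.ecn_in_outer_header = ecn_in_outer_header

    @property
    def mode(self) -> str:
        return FULL if self.ecn_in_outer_header else LIMITED


def encapsulate(inner_ecn: int, mode: str) -> int:
    """Codepoint the tunnel ingress writes into the outer header."""
    if mode == LIMITED:
        return NOT_ECT      # routers in the tunnel see a non-ECN-capable packet: they drop, not mark
    if inner_ecn == CE:
        return ECT0         # full-functionality: a CE inner header goes out as ECT(0) so the path can still mark
    return inner_ecn        # not-ECT, ECT(0) and ECT(1) are copied unchanged


def decapsulate(inner_ecn: int, outer_ecn: int, mode: str):
    """Tunnel egress. Returns (action, inner_ecn_to_forward, alert). alert is None or a string
    naming an inner/outer inconsistency that points at modification of the outer ECN field
    inside the tunnel; what to do about an alert is policy left to the caller."""
    if mode == LIMITED:
        # The outer copy is discarded and the inner field is never altered.
        alert = None
        if outer_ecn != NOT_ECT:
            alert = "limited-functionality ingress never sets %s in the outer header" % NAMES[outer_ecn]
        return "forward", inner_ecn, alert

    if outer_ecn == CE:
        if inner_ecn == NOT_ECT:
            # The flow cannot be signalled by marking; the rule for this combination is to drop.
            return "drop", None, "CE in outer header while inner header is not-ECT"
        # Congestion met inside the tunnel is carried on to the endpoint (a CE inner stays CE).
        # A router's legitimate mark and an attacker writing CE are indistinguishable here,
        # because IPsec does not cover the outer header's ECN field.
        return "forward", CE, None

    expected = encapsulate(inner_ecn, FULL)
    alert = None
    if outer_ecn != expected:
        # Erasure (ECT -> not-ECT) or a switch between ECT codepoints inside the tunnel is
        # visible because the protected inner header still carries what the ingress saw.
        alert = "outer %s but inner %s implies outer %s: ECN field modified in tunnel" % (
            NAMES[outer_ecn], NAMES[inner_ecn], NAMES[expected])
    return "forward", inner_ecn, alert


def congested_ecn_router(outer_ecn: int):
    """Constructed model of one ECN-aware router inside the tunnel that has decided to
    signal congestion on this packet: marks ECT packets, has to drop (None) not-ECT ones."""
    if outer_ecn in (ECT0, ECT1, CE):
        return CE
    return None


def tunnel_round_trip(inner_ecn: int, sa: SecurityAssociation, path=congested_ecn_router):
    """Ingress -> path inside the tunnel -> egress, with the mode taken from the SA."""
    outer_ecn = path(encapsulate(inner_ecn, sa.mode))
    if outer_ecn is None:
        return "drop", None, "dropped by a congested router inside the tunnel"
    return decapsulate(inner_ecn, outer_ecn, sa.mode)


if __name__ == "__main__":
    for sa in (SecurityAssociation(True), SecurityAssociation(False)):
        print(sa.mode, "->", tunnel_round_trip(ECT0, sa))
```

Running the two SAs side by side shows the trade-off the text describes: with ECN allowed in the outer header the ECT(0) packet reaches the egress marked CE and the mark is carried into the inner header; with it forbidden the same router sees not-ECT and has to drop the packet instead.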
A different set of issues is raised, relative to ECN, when IP
packets are encapsulated in tunnels with non-IP ...
... Floyd94] considers the advantages and drawbacks of adding ECN to the
TCP/IP architecture. As shown in the simulation-based comparisons,
one advantage of ECN ...
... transport protocol.
This section discusses issues of backwards compatibility with IP ECN
implementations in routers ...
... Explicit Congestion Notification) is used, it is required
that congestion indications generated within an IP tunnel not be lost
at the tunnel egress. We specified a minor modification to the IP
protocol's handling of the ECN field during encapsulation and de-
...
1) A limited-functionality option that does not use ECN inside the IP
tunnel, by setting the ECN field in the outer header to not-ECT, and
...
... 2481(-> 3168prop), "A Proposal to add Explicit
Congestion Notification (ECN) to IP", which defined ECN as an
Experimental Protocol ...
... discussion of IPsec tunnels to include all IP tunnels. Because older
IP tunnels are not compatible with a flow's use of ECN, the
...
... Internet will create strong pressure for
older IP tunnels to be updated to an ECN-compatible version, using
...
... The discussion of ECN and IP tunnel considerations draws heavily on
related discussions and documents from the Differentiated Services ...
... Working Group. We thank Tabassum Bint Haque from Dhaka, Bangladesh,
for feedback on IP tunnels. We thank Derrell Piper and Kero Tivinen
for proposing modifications to RFC 2407(-> 4306prop) that improve the usability of
...
... this issue. We thank Bob Briscoe and Jon Crowcroft for raising the
issue of fragmentation in IP, on alternate semantics for the fourth
ECN ...
... Kent, S. and R. Atkinson, "IP Authentication Header", RFC 2402(-> 4305(-> 4835prop) | 4302prop), November 1998. ...
... Kent, S. and R. Atkinson, "IP Encapsulating Security Payload", RFC 2406(-> 4305(-> 4835prop) | 4303prop), November 1998. ...
... Piper, D., "The Internet IP Security Domain of Interpretation for ISAKMP", RFC 2407(-> 4306prop), November 1998. ...
... Ramakrishnan K. and S. Floyd, "A Proposal to add Explicit Congestion Notification (ECN) to IP", RFC 2481(-> 3168prop), January 1999. ...
... Performance Evaluation of Explicit Congestion Notification (ECN) in IP Networks", RFC 2884, July 2000. ...
... Possible Changes to the IP Header ...
...
Another issue concerns TCP packets with a spoofed IP source address
carrying invalid ECN information in the transport ...
... sequence numbers, and any attacker with this ability and with the
ability to spoof IP source addresses could damage the TCP connection
without using the ECN ...
... vulnerabilities in this respect.
An acknowledgement packet with a spoofed IP source address of the TCP
data receiver ...
... in vain. However, as described in Section 9.1.2, if an ECT codepoint
is changed in an IP tunnel, this can be detected at the egress point
of the tunnel, as long as the inner header ...
...
If an ECT codepoint is erased within an IP tunnel, then this can be
detected at the egress point of the tunnel, as long as the inner
...
... multicast packet duplication procedure(s) used).
The specification of IP tunnel modifications for ECN in this document
assumes that the only change made to the outer IP header's ECN field
between tunnel endpoints ...
... paragraph, and such procedures SHOULD NOT be deployed unless this
inconsistency between multicast duplication procedures and IP tunnels
with full ECN functionality is resolved. Limited ECN ...
...
Given the need for an ECT indication in the IP header, there still
remains the question of whether the ECT (ECN-Capable Transport ...
... bit. We believe that the use of
the extra bit in the IP header for the ECT-bit is extremely valuable
to overcome these limitations.
...
... RFC791] defined the ToS (Type of Service) octet in the IP
header. In RFC 791std5, bits 6 and 7 of the ToS ...
... The codepoints for the ECN Field of the IP header are specified by
the Standards Action of this RFC, as is required by RFC 2780.
...
