re-feedback Bob Briscoe 1,2 Arnaud Jacquet 1 , Carla Di Cairano- - - PowerPoint PPT Presentation

policing congestion response in an internetwork using

re-feedback

Bob Briscoe1,2

Arnaud Jacquet1, Carla Di Cairano- Gilfedder1, Alessandro Salvatori1,3, Andrea Soppera1 & Martin Koyabe1

1BT Research, 2UCL, 3Eurécom

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

2

intro

the problem: policing congestion response

• host response to congestion: voluntary
• short and long term congestion
• short: policing TCP-friendliness (or any agreed response)
• long: policing file-sharing (selfish), zombie hosts (malicious/careless)
• network policing users’ congestion response: voluntary
• a network doesn’t care if users cause congestion in other networks

access capacity

rate eg. TCP T √ρ rate path congestion, ρ

cumulative flows inverse prop’nal response

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

3

intro

very serious problem

• a few unresponsive (UDP) flows wasn’t a problem
• converged IP network
• initially ~30-50% of bits inelastic (mostly voice), for BT
• internetwork similar
• can’t police required response to path congestion, if you don’t know it
• each element only sees local congestion
• network can’t reliably see e2e feedback (IPsec encryption, lying, route asymmetry)
• can’t hope inelastic apps ask to be unresponsive (Diffserv/signalling)
• because those that don’t ask can free-ride anyway
• due to lack of evidence of their ‘crime’
• capacity investment risk unacceptable if can’t prevent free-riding
• uncontrollable demand dynamics and suppressed incentive to supply
• risk of repeated congestion collapse (alarmist?)

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

4

intro

previous work

• detect high absolute rate [commercial boxes]
• sampled rate response to local congestion [RED + sin bin]
• transport control embedded in network [ATM]
• honest senders police feedback from rcvrs [ECN nonce]

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

5

intro

wouldn’t it be nice if...

• source declared downstream path

characteristics to network

• everyone was truthful:

– endpoints and networks

• deployment could be incremental
• we could solve more general

Internet Architecture problems

– capacity allocn & accountability [NewArch]

• the big idea #1
• then 2 sub-ideas based on...
• network economics & incentives
• rational networks (not users)
• no fiddling with user pricing
• challenge: break and improve
• incremental deployment idea #4
• around unmodified IP routers
• BUT limited header bits slows

attack detection considerably

• generalisations
• QoS
• DoS mitigation
• flow start incentives
• inter-domain traffic engineering
• non-IP internetworks

...we can: our approach

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

6

path characterisation via data headers

state of the art

ECN marking rate

NA NB ND R1 S1

resource index along path 0.7% the idea 255 TTL resource index along path 0.5% 152 105

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

7

the idea before re-feedback after re-feedback

– 242

downstream knowledge upstream

N5 S1 R1 R2 N1 N2

29 24 23 16

S2 N3 N4

1 1 5 2 3 7 2

24 15 22 26 + 255 + 16

N5 S1 R1 R2 N1 N2

255 250 249 254 242 245

252

S2 N3 N4

255

1 1 5 2 3 7 1

242 245 – 245 + 255 + 16

target at destination standardised to 16, say

15 25 16 23 27 26

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

8

downstream path characterisation

ECN rate

NA NB ND R1 S1

0.5% resource index along path re-ECN

• 0.5%

0.7%

• 0.7%

the idea 255 TTL resource index along path 152 105 166 re-TTL 119 16 0.1%

• 0.6%

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

9

incentives

incentives: preamble

• so far, policing relies on self-incrimination?...
• focus initially on congestion
• header processing not just additive/subtractive
• generalises to monotonic functions (eg combinatorial probability of ECN marking)
• downstream unloaded delay (~TTL/2) has identical incentive properties
• to aid understanding
• solely graphical visualisation (see paper for maths)
• imagine that header carries a real number
• normalise: monotonically decreasing to target at zero

downstream path metric ρi resource index along path, i

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

10

incentives

incentive framework: user-network

policer incentivises understatement dropper incentivises overstatement downstream path metric, ρi i Rcv Snd dropper policer

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

11

incentives

naïve dropper

downstream path metric at rcvr, ρn

egress dropper

statement statement

i Rcv dropper

downstream congestion probability distribution

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

12

statement statement

i Rcv dropper

incentives downstream congestion probability distribution

1 systematic cheating, ∆ρnc ∆ ∆ ∆ ∆ρnc

penalising uncertain misbehaviour

idea #2 downstream path metric at rcvr, ρn

stateless dropper

truncated/dropped

adaptive drop probability if signature prevalent in discards spawn focused dropper(s)

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

13

incentives

if everyone honest minimise false positives

downstream path metric at rcvr, ρn ∆ ∆ ∆ ∆ρnc no systematic cheating, ∆ρnc = 0

stateless dropper

adaptive drop probability

downstream congestion probability distribution

statement statement

i Rcv dropper

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

14

typical dropper simulation (note log scale)

1e-05 1e-04 0.001 0.01 0.1 1

• 0.3
• 0.2
• 0.1

0.1 0.2 0.3 honest traffic truncated unaffected penalty prob. 1e-05 1e-04 0.001 0.01 0.1 1

• 0.3
• 0.2
• 0.1

0.1 0.2 0.3 dishonest traffic

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

15

incentives

flow policer

• eg. TCP

idea #3

downstream path metric, ρi Snd policer

flow policer

each packet header carries prediction of its own downstream path congestion, delay, … check/enforce agreed congestion response downstream congestion, ρi rate TCP- friendly

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

16

unloaded delay, ρ1,1 congestion, ρ2,1 packet size, s

incentives

ingress TCP policer: stateful implementation

downstream metrics in packet headers at internetwork ingress

p T s xTCP 2 3 ≈

x = s/∆t

path congestion ≈ downstr congestion

p ≈ ≈ ≈ ≈ ρ2,1

path RTT

≈ upstr RTT + 2 * downstr delay T ≈ ≈ ≈ ≈ T0 + 2 ρ1,1

ρ1,1 ρ2,1 s ρ1,1 ρ2,1 s

∆t

also bounded flow state policer implemented - using sampling

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

17

incentives

incentive compatibility – hosts

• incentivise:
• responsible actions
• honest words

net value to both end-points,

U

• verstatement of

downstream path metric at source

ρ0c

practical ideal

R1 S1

scheduler /policer dropper dropper push-back

ρ0c

dominant strategy

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

18

incentives

incentive framework

downstream path metric, ρi i Rcv Snd congestion pricing dropper routing policer

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

19

incentives for networks to police their users

• ρi is size of each packet factored by its downstream

congestion metric

• metered between domains by single bulk counter
• automagically shares congestion revenue across domains,

and within domains to direct upgrades

• can approximate congestion pricing with SLAs

incentives downstream path metric, ρi resource sequence index, i

NA NB ND R1 S1

ρAB ρBD

~ProfitA ProfitB ProfitD

£ £

flat-priced revenue

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

20

incentives

congestion competition – inter-domain routing

• if congestion → profit for a network, why not fake it?
• upstream networks will route round more highly congested paths
• NA can see relative costs of paths to R1 thru NB & NC
• the issue of monopoly paths
• incentivise new provision
• collusion issues require market regulation

NA NB NC ND R1 S1

? down- stream route cost, Qi resource sequence index, i

faked congestion

?

routing choice

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

21

deployment

re-ECN

(sketch idea #4)

• n every EchoCE from

TCP, set ECT(0)

• at any point on path,

diff between rates of ECT(0) & CE is downstream congestion

• works with unchanged

routers

CE 11 ECT(1) 01 ECT(0) 10 not-ECT 00 standard designation code- point

ECT(1)

…i… n

0% 100%

code-point rate resource index

0% re-ECN, ρi

• 3%
• 2.6%

NA NB ND R1 S1

3% 97% ρi = ECT(0) - CE ECT(0) CE 0.4%CE standard EchoCE in TCP

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

22

deployment

deployment incentives

• re-ECN deployment by incremental sender upgrades
• re-TTL can be hacked for legacy receivers
• deploy policers and droppers permissively config’d
• allows new & legacy behaviours to co-exist
• incrementally increase strictness
• throttles legacy stacks: upgrade incentive knob
• beware: slow to catch cheaters with one bit re-ECN

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

23

generalise

edge QoS = our original motivation

• once timely truthful path visible...
• ingress network can allow spectrum of responses to

incipient congestion (w-weighted policer)

• equivalent* to offering differentiated QoS (*caveat: see paper)
• like [Kelly98] but without the need for congestion pricing of users
• purely by local (sender↔ingress) arrangement
• no authorisation on any other network elements (equal marking)
• would need suitable back-pressure – e.g. higher flat fee
• other networks reimbursed automagically
• by inter-domain congestion pricing (SLA model also possible)

x wxTCP

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

24

generalise

no time for… (see paper)

• long term per-user policing (complements per-flow)
• throttles down sources of persistent long term congestion
• encourages p2p file-sharing apps to avoid peaks & fill troughs
• DDoS mitigation
• extreme downstream congestion

prompts extreme policing at all ingresses

• long term per-user policing throttles out zombies
• flow-start incentives
• deliberate dilemma: downstream metric during flow start?
• creates slow-start incentive

downstream congestion, ρi i

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

25 info & control info & control info & control R1 S1

info info

re-feedback summary

• reinsert feedback to align path characterisations at receiver
• packets arrive at each router predicting downstream path
• arranged for dominant strategy of all parties to be honesty
• incremental deployment + upgrade incentive knob
• hangs new capabilities on ECN deployment, not just performance
• a simple idea for the Internet’s accountability architecture
• democratises path information
• either network or source can control (control requires timely information)
• designed for tussle: preserves e2e principle, but endpoint control optional

summary

latent control latent control latent control R1 S1

info info

no info no info no info

control control

policing congestion response in an internetwork using

re-feedback

Q&A

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

27

intro

path congestion typically at both edges

• congestion risk highest in access nets
• cost economics of fan-out
• but small risk in cores/backbones
• failures, anomalous demand

bandwidth cost, C £/bps aggregate pipe bandwidth, B /bps

C ∝ 1 √B NA NB ND R1 S1

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

28

incentives

last hop dropper: discrimination sensitivity

10 20 30 40 50 60 70 80 90 100 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 d 0.050 d 0.045 d 0.040 d 0.035 d 0.030 d 0.025 d 0.020 d 0.015 d 0.010 d 0.005 d 0.001 d 0.0005 d 0.0001 d 0.00005 0.05 0.1 0.15 0.2 0.25 0.3 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 h 0.050 h 0.045 h 0.040 h 0.035 h 0.030 h 0.025 h 0.020 h 0.015 h 0.010 h 0.005 h 0.001 h 0.0005 h 0.0001 h 0.00005

f r a c t i

• n
• f

d i s h

• n

e s t a r r i v a l s t r u e p

• s

i t i v e s

truncation rate of dishonest traffic

f a l s e p

• s

i t i v e s

truncation rate of honest traffic

c h e a t i n g l e v e l

• f

dishonest sources

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

29

incentives

spawning focused droppers

• use sin-bin technique [Floyd99]
• examine (candidate) discards for any signature
• spawn child dropper to focus on subset that matches signature
• kill child dropper if no longer dropping (after random wait)
• push back
• send hint upstream defining signature(s)
• if (any) upstream node has idle processing resource

test hint by spawning dropper focused on signature as above

• cannot DoS with hints, as optional & testable
• no need for crypto authentication – no additional DoS vulnerability

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

30

generalise

ince

downstream congestion, ρi Snd congestion pricing policer /scheduler

per-user policer

policer /scheduler rate downstream congestion, ρi

long term congestion incentives

cumulative multiple flows

• effectively throttles out zombie hosts
• incentivises owners to fix them
• incentivises file-sharing in congestion trou

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

31

distributed denial of service

• merely enforcing congestion response
• honest sources
• increase initial metric & reduce rate
• malicious sources

– if do increase initial metric

• policer at attacker’s ingress forces rate response
• have to space out packets even at flow start

– if don’t increase initial metric

• negative either at the point of attack or before
• distinguished from honest traffic and discarded
• push back kicks in if persistent

downstream congestion, ρi i

generalise

intro intro intro the idea the idea the idea incentives incentives incentives

deployment deployment deployment

generalise generalise generalise

32

generalise

• initial value of metric(s)

for new flows?

• undefined – deliberately creates dilemma
• if too low, may be dropped at egress
• if too high, may be deprioritised at ingress
• without re-feedback (today)
• if congested: all other flows share cost equally with new flow
• if not congested: new flow rewarded with full rate
• with re-feedback
• risk from lack of path knowledge carried solely by new flow
• creates slow-start incentive
• nce path characterised, can rise directly to appropriate rate
• also creates incentive to share path knowledge
• can insure against the risk (see differentiated service)

slow-enough-start

R1 S1

scheduler/ policer dropper scheduler/ policer dropper push- back