Internet DRAFT - draft-martinsen-tram-dscp-mangle-detection
draft-martinsen-tram-dscp-mangle-detection
TRAM P. Martinsen
Internet-Draft S. Nandakumar
Intended status: Experimental Cisco
Expires: April 24, 2017 October 21, 2016
DSCP mangle detection
draft-martinsen-tram-dscp-mangle-detection-00
Abstract
This document describes a mechanism for an endpoint to detect DSCP
"mangling" by the network path.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 24, 2017.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Martinsen & Nandakumar Expires April 24, 2017 [Page 1]
Internet-Draft DSCP mangle detection October 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Notational Conventions . . . . . . . . . . . . . . . . . . . 2
3. Detecting DSCP mangling . . . . . . . . . . . . . . . . . . . 3
3.1. DSCP VALUE attribute . . . . . . . . . . . . . . . . . . 3
3.2. Usage in Requests . . . . . . . . . . . . . . . . . . . . 3
3.3. Usage in Responses . . . . . . . . . . . . . . . . . . . 3
3.4. Example Operation . . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
In some use-cases is useful to know if the network path changes the
DSCP/TOS values in the IP header.
This document introduces a new STUN attribute that can carry the
original DSCP/TOS values. This enables the remote receiver to
compare the values in the IP header and the STUN attribute to detect
mangling.
The information in the STUN attribute is probably of little interest
for the remote receiver. The main use case is to collect metrics
regarding how often DSCP values are mangled.
ICE could potentially also use this information to prefer paths with
intact DSCP markings.
(Just assigning an attribute from IANA is possible, but we thought it
was better to have a draft describing the attribute so everyone knows
what it is)
2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
This specification uses terminology defined in ICE [RFC5245] And STUN
[RFC5389].
Martinsen & Nandakumar Expires April 24, 2017 [Page 2]
Internet-Draft DSCP mangle detection October 2016
3. Detecting DSCP mangling
Both ICE ICE [RFC5245] connectivity checks and TURN ICE [RFC5766]
allocations can benefit from detecting if the DSCP bits survives the
rough journey across the Internet ocean.
3.1. DSCP VALUE attribute
The IANA assigned STUN type for the new attribute is TBD-CA.
The format of the value in DSCP_VALUE attribute in the request is:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Tx DSCP Value | Rx DSCP Value | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 1: DSCP_VALUE attribute
The fields is described below:
Tx DSCP value: The DSCP/TOS field value if the IP header carrying
the transmitted STUN packet.
Rx DSCP value: The DSCP/DOS field value if the IP header in received
STUN packet on the same 5-tuple.
The padding is necessary to hit the 32-bit boundary needed for STUN
attributes. The padding bits are ignored, but to allow for future
reuse of these bits they MUST be set to 0.
3.2. Usage in Requests
When sending a STUN request in sets the Tx DSCP value field to the
same value as the DSCP/TOS field in the IP header of the packet that
is going to carry the STUN request. The Rx DSCP value MUST be set to
0.
3.3. Usage in Responses
This attribute MUST only be added to the response if it was present
in the request.
The Tx DSCP value field is populated with the value of the DSCP/TOS
field of the IP packet carrying the STUN response. the Rx DSCP value
Martinsen & Nandakumar Expires April 24, 2017 [Page 3]
Internet-Draft DSCP mangle detection October 2016
is populated with the value from the DSCP/TOS field from the packet
carrying the original receiving STUN request.
3.4. Example Operation
When a client receives the response it can compare the values of in
the DSCP_VALUE attribute with values from the IP socket. The results
could be used to detect and collect metrics regarding DSCP
"survivability" on the Internet. It could potentially also influence
ICE path decisions.
4. IANA Considerations
[Paragraphs in braces should be removed by the RFC Editor upon
publication]
[The TRANSACTION_TRANSMIT_COUNTER attribute requires that IANA
allocate a value in the "STUN attributes Registry" from the
comprehension-optional range (0x8000-0xBFFF), to be replaced for TBD-
CA throughout this document]
This document defines the DSCP_VALUE STUN attribute, described in
Section 3. IANA has allocated the comprehension-optional code-point
TBD-CA for this attribute.
5. Security Considerations
Security considerations discussed in [RFC5389] are to be taken into
account. STUN requires the 96 bits transaction ID to be uniformly
and randomly chosen from the interval 0 .. 2**96-1, and be
cryptographically strong. This is good enough security against an
off-path attacker. An on-path attacker can either inject a fake
response or modify the values in DSCP_VALUE attribute to mislead the
client and server. This attack can be mitigated using STUN
authentication. As DSCP_VALUE is expected to be used between peers
using ICE, and ICE uses STUN short-term credential mechanism the risk
of on-path attack influencing the messages is minimal. If DSCP_VALUE
is used with Allocate request then STUN long-term credential
mechanism or STUN Extension for Third-Party Authorization [RFC7635]
or (D)TLS connection can be used between the TURN client and the TURN
server to prevent attackers from trying to impersonate a TURN server
and sending bogus DSCP_VALUE attribute in the Allocate response.
The information sent in any STUN packet if not encrypted can
potentially be observed passively and used for reconnaissance and
later attacks.
Martinsen & Nandakumar Expires April 24, 2017 [Page 4]
Internet-Draft DSCP mangle detection October 2016
6. Acknowledgements
Someone that provided feedback?
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245, DOI
10.17487/RFC5245, April 2010,
<http://www.rfc-editor.org/info/rfc5245>.
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389,
DOI 10.17487/RFC5389, October 2008,
<http://www.rfc-editor.org/info/rfc5389>.
[RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766, DOI
10.17487/RFC5766, April 2010,
<http://www.rfc-editor.org/info/rfc5766>.
7.2. Informative References
[RFC7635] Reddy, T., Patil, P., Ravindranath, R., and J. Uberti,
"Session Traversal Utilities for NAT (STUN) Extension for
Third-Party Authorization", RFC 7635, DOI 10.17487/
RFC7635, August 2015,
<http://www.rfc-editor.org/info/rfc7635>.
Authors' Addresses
Paal-Erik Martinsen
Cisco Systems, Inc.
Philip Pedersens vei 22
Lysaker, Akershus 1325
Norway
Email: palmarti@cisco.com
Martinsen & Nandakumar Expires April 24, 2017 [Page 5]
Internet-Draft DSCP mangle detection October 2016
Suhas Nandakumar
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134
USA
Email: snandaku@cisco.com
Martinsen & Nandakumar Expires April 24, 2017 [Page 6]