RFC 3540 (rfc3540) - Page 2 of 13


Robust Explicit Congestion Notification (ECN) Signaling with Nonces






RFC 3540                  Robust ECN Signaling                 June 2003


   The correct operation of ECN requires the cooperation of the receiver
   to return Congestion Experienced signals to the sender, but the
   protocol lacks a mechanism to enforce this cooperation.  This raises
   the possibility that an unscrupulous or poorly implemented receiver
   could always clear ECN-Echo and simply not return congestion signals
   to the sender.  This would give the receiver a performance advantage
   at the expense of competing connections that behave properly.  More
   generally, any device along the path (NAT box, firewall, QOS
   bandwidth shapers, and so forth) could remove congestion marks with
   impunity.

   The above behaviors may or may not constitute a threat to the
   operation of congestion control in the Internet.  However, given the
   central role of congestion control, it is prudent to design the ECN
   signaling loop to be robust against as many threats as possible.  In
   this way, ECN can provide a clear incentive for improvement over the
   prior state-of-the-art without potential incentives for abuse.  The
   ECN-nonce is a simple, efficient mechanism to eliminate the potential
   abuse of ECN.

   The ECN-nonce enables the sender to verify the correct behavior of
   the ECN receiver and that there is no other interference that
   conceals marked (or dropped) packets in the signaling path.  The ECN-
   nonce protects against both implementation errors and deliberate
   abuse.  The ECN-nonce:

   -  catches a misbehaving receiver with a high probability, and never
      implicates an innocent receiver.

   -  does not change other aspects of ECN, nor does it reduce the
      benefits of ECN for behaving receivers.

   -  is cheap in both per-packet overhead (one TCP header flag) and
      processing requirements.

   -  is simple and, to the best of our knowledge, not prone to other
      attacks.
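
   An added illustration of the first property, not part of the RFC's
   text or of any implementation: a simplified per-packet-ACK model of
   the nonce exchange that the later sections of RFC 3540 specify, in
   which each packet carries a random one-bit nonce, a congestion mark
   erases it, and the receiver echoes a running one-bit sum.  The
   function names, the mark probability and the immediate
   resynchronization after ECN-Echo are assumptions of this sketch.

```python
import random

def run_flow(n_packets, mark_prob, conceal, rng):
    """Simulate one flow; return True if the sender catches the receiver."""
    sender_sum = 0   # sender's one-bit sum of the nonces it has sent
    recv_sum = 0     # receiver's one-bit sum, echoed on every ACK
    offset = 0       # sender's resynchronization offset after ECN-Echo
    for _ in range(n_packets):
        nonce = rng.getrandbits(1)          # carried as ECT(0) or ECT(1)
        sender_sum ^= nonce
        marked = rng.random() < mark_prob   # router sets CE, nonce is erased
        ece = False
        if not marked:
            recv_sum ^= nonce               # nonce arrived intact
        elif conceal:
            recv_sum ^= rng.getrandbits(1)  # hides the mark, must guess the nonce
        else:
            ece = True                      # honest: reports the mark, adds nothing
        if ece:
            # Sender responds to congestion and resynchronizes: the erased
            # nonce is a known, legitimate difference between the two sums.
            offset = sender_sum ^ recv_sum
        elif recv_sum != (sender_sum ^ offset):
            return True                     # wrong sum with no ECN-Echo: caught
    return False

def detection_rate(conceal, trials=500, n_packets=200, mark_prob=0.1):
    """Fraction of simulated flows (constructed inputs) flagged by the sender."""
    caught = sum(
        run_flow(n_packets, mark_prob, conceal, random.Random(seed))
        for seed in range(trials)
    )
    return caught / trials

if __name__ == "__main__":
    print("honest receiver flagged:    ", detection_rate(conceal=False))
    print("concealing receiver flagged:", detection_rate(conceal=True))
```

   Each concealed mark is a fair coin flip for the receiver, so the
   chance of hiding k marks undetected is 2^-k, while an honest receiver
   never produces a mismatched sum.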

   We also note that use of the ECN-nonce has two additional benefits,
   even when only drop-tail routers are used.  First, packet drops
   cannot be concealed from the sender.  Second, it prevents optimistic
   acknowledgements [Savage], in which TCP segments are acknowledged
   before they have been received.  These benefits also serve to
   increase the robustness of congestion control from attacks.  We do
   not elaborate on these benefits in this document.

   The rest of this document describes the ECN-nonce.  We present an
   overview followed by detailed behavior at senders and receivers.



Spring, et. al.               Experimental