draft-ietf-ippm-6man-pdm-option-07.txt   draft-ietf-ippm-6man-pdm-option-08.txt 
INTERNET-DRAFT N. Elkins INTERNET-DRAFT N. Elkins
Inside Products Inside Products
R. Hamilton R. Hamilton
Chemical Abstracts Service Chemical Abstracts Service
M. Ackermann M. Ackermann
Intended Status: Proposed Standard BCBS Michigan Intended Status: Proposed Standard BCBS Michigan
Expires: August 10, 2017 February 6, 2017 Expires: September 1, 2017 February 28, 2017
IPv6 Performance and Diagnostic Metrics (PDM) Destination Option IPv6 Performance and Diagnostic Metrics (PDM) Destination Option
draft-ietf-ippm-6man-pdm-option-07 draft-ietf-ippm-6man-pdm-option-08
Abstract Abstract
To assess performance problems, measurements based on optional To assess performance problems, measurements based on optional
sequence numbers and timing may be embedded in each packet. Such sequence numbers and timing may be embedded in each packet. Such
measurements may be interpreted in real-time or after the fact. An measurements may be interpreted in real-time or after the fact. An
implementation of the existing IPv6 Destination Options extension implementation of the existing IPv6 Destination Options extension
header, the Performance and Diagnostic Metrics (PDM) Destination header, the Performance and Diagnostic Metrics (PDM) Destination
Options extension header as well as the field limits, calculations, Options extension header as well as the field limits, calculations,
and usage of the PDM in measurement are included in this document. and usage of the PDM in measurement are included in this document.
skipping to change at page 3, line 10 skipping to change at page 3, line 10
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 End User Quality of Service (QoS) . . . . . . . . . . . . . 4 1.2 End User Quality of Service (QoS) . . . . . . . . . . . . . 4
1.3 Need for a Packet Sequence Number . . . . . . . . . . . . . 5 1.3 Need for a Packet Sequence Number (PSN) . . . . . . . . . . 5
1.4 Rationale for defined solution . . . . . . . . . . . . . . . 5 1.4 Rationale for defined solution . . . . . . . . . . . . . . . 5
1.5 PDM Works in Collaboration with Other Headers . . . . . . . 6 1.5 PDM Works in Collaboration with Other Headers . . . . . . . 6
1.6 IPv6 Transition Technologies . . . . . . . . . . . . . . . . 6 1.6 IPv6 Transition Technologies . . . . . . . . . . . . . . . . 6
2 Measurement Information Derived from PDM . . . . . . . . . . . . 6 2 Measurement Information Derived from PDM . . . . . . . . . . . . 6
2.1 Round-Trip Delay . . . . . . . . . . . . . . . . . . . . . . 7 2.1 Round-Trip Delay . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Server Delay . . . . . . . . . . . . . . . . . . . . . . . . 7 2.2 Server Delay . . . . . . . . . . . . . . . . . . . . . . . . 7
3 Performance and Diagnostic Metrics Destination Option Layout . . 7 3 Performance and Diagnostic Metrics Destination Option Layout . . 7
3.1 Destination Options Header . . . . . . . . . . . . . . . . . 7 3.1 Destination Options Header . . . . . . . . . . . . . . . . . 7
3.2 Performance and Diagnostic Metrics Destination Option . . . 7 3.2 Performance and Diagnostic Metrics Destination Option . . . 7
3.2.1 PDM Layout . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.1 PDM Layout . . . . . . . . . . . . . . . . . . . . . . . 7
3.2.2 Base Unit for Time Measurement . . . . . . . . . . . . . 10 3.2.2 Base Unit for Time Measurement . . . . . . . . . . . . . 9
3.2.3 Considerations of this time-differential 3.2.3 Considerations of this time-differential
representation . . . . . . . . . . . . . . . . . . . . . 10 representation . . . . . . . . . . . . . . . . . . . . . 10
3.2.3.1 Limitations with this encoding method . . . . . . . 11 3.2.3.1 Limitations with this encoding method . . . . . . . 10
3.2.3.2 Loss of precision induced by timer value 3.2.3.2 Loss of precision induced by timer value
truncation . . . . . . . . . . . . . . . . . . . . . 11 truncation . . . . . . . . . . . . . . . . . . . . . 11
3.3 Header Placement . . . . . . . . . . . . . . . . . . . . . . 12 3.3 Header Placement . . . . . . . . . . . . . . . . . . . . . . 12
3.4 Header Placement Using IPSec ESP Mode . . . . . . . . . . . 13 3.4 Header Placement Using IPSec ESP Mode . . . . . . . . . . . 12
3.4.1 Using ESP Transport Mode . . . . . . . . . . . . . . . . 13 3.4.1 Using ESP Transport Mode . . . . . . . . . . . . . . . . 12
3.4.2 Using ESP Tunnel Mode . . . . . . . . . . . . . . . . . 14 3.4.2 Using ESP Tunnel Mode . . . . . . . . . . . . . . . . . 13
3.5 Implementation Considerations . . . . . . . . . . . . . . . 14 3.5 Implementation Considerations . . . . . . . . . . . . . . . 14
3.6 Dynamic Configuration Options . . . . . . . . . . . . . . . 15 3.6 Dynamic Configuration Options . . . . . . . . . . . . . . . 14
3.6 5-tuple Aging . . . . . . . . . . . . . . . . . . . . . . . 15 3.6 5-tuple Aging . . . . . . . . . . . . . . . . . . . . . . . 14
4 PDM Flow - Simple Client Server . . . . . . . . . . . . . . . . 15 4 Security Considerations . . . . . . . . . . . . . . . . . . . . 14
4.1 Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.1. SYN Flood and Resource Consumption Attacks . . . . . . . . 15
4.2 Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 4.2 Pervasive monitoring . . . . . . . . . . . . . . . . . . . 15
4.3 Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 4.3 PDM as a Covert Channel . . . . . . . . . . . . . . . . . . 16
4.4 Step 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 4.4 Timing Attacks . . . . . . . . . . . . . . . . . . . . . . . 16
4.5 Step 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 5 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 17
5 Other Flows . . . . . . . . . . . . . . . . . . . . . . . . . . 20 6 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
5.1 PDM Flow - One Way Traffic . . . . . . . . . . . . . . . . . 20 6.1 Normative References . . . . . . . . . . . . . . . . . . . . 17
5.2 PDM Flow - Multiple Send Traffic . . . . . . . . . . . . . . 21 6.2 Informative References . . . . . . . . . . . . . . . . . . . 18
5.3 PDM Flow - Multiple Send with Errors . . . . . . . . . . . . 22 Appendix A : Timing Time Differential Calculations . . . . . . . . 18
6 Potential Overhead Considerations . . . . . . . . . . . . . . . 23 Appendix B: Sample Packet Flows . . . . . . . . . . . . . . . . . 19
7 Security Considerations . . . . . . . . . . . . . . . . . . . . 24 B.1 PDM Flow - Simple Client Server . . . . . . . . . . . . . . 19
7.1. SYN Flood and Resource Consumption Attacks . . . . . . . . 24 B.1.1 Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.2 Pervasive monitoring . . . . . . . . . . . . . . . . . . . 25 B.1.2 Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.3 PDM as a Covert Channel . . . . . . . . . . . . . . . . . . 25 B.1.3 Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.4 Timing Attacks . . . . . . . . . . . . . . . . . . . . . . . 26 B.1.4 Step 4 . . . . . . . . . . . . . . . . . . . . . . . . . 22
8 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 26 B.1.5 Step 5 . . . . . . . . . . . . . . . . . . . . . . . . . 23
9 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 B.2 Other Flows . . . . . . . . . . . . . . . . . . . . . . . . 23
9.1 Normative References . . . . . . . . . . . . . . . . . . . . 27 B.2.1 PDM Flow - One Way Traffic . . . . . . . . . . . . . . . 23
9.2 Informative References . . . . . . . . . . . . . . . . . . . 27 B.2.2 PDM Flow - Multiple Send Traffic . . . . . . . . . . . . 24
Appendix A : Timing Considerations . . . . . . . . . . . . . . . . 28 B.2.3 PDM Flow - Multiple Send with Errors . . . . . . . . . . 25
A.1 Time Differential Calculations . . . . . . . . . . . . . . . 28 Appendix C: Potential Overhead Considerations . . . . . . . . . . 27
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 29 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 29 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 28
1 Background 1 Background
To assess performance problems, measurements based on optional To assess performance problems, measurements based on optional
sequence numbers and timing may be embedded in each packet. Such sequence numbers and timing may be embedded in each packet. Such
measurements may be interpreted in real-time or after the fact. measurements may be interpreted in real-time or after the fact.
As defined in RFC2460 [RFC2460], destination options are carried by As defined in RFC2460 [RFC2460], destination options are carried by
the IPv6 Destination Options extension header. Destination options the IPv6 Destination Options extension header. Destination options
include optional information that need be examined only by the IPv6 include optional information that need be examined only by the IPv6
skipping to change at page 5, line 12 skipping to change at page 5, line 12
Low, reliable and acceptable response times are not just "nice to Low, reliable and acceptable response times are not just "nice to
have". On many networks, the impact can be financial hardship or can have". On many networks, the impact can be financial hardship or can
endanger human life. In some cities, the emergency police contact endanger human life. In some cities, the emergency police contact
system operates over IP; law enforcement, at all levels, use IP system operates over IP; law enforcement, at all levels, use IP
networks; transactions on our stock exchanges are settled using IP networks; transactions on our stock exchanges are settled using IP
networks. The critical nature of such activities to our daily lives networks. The critical nature of such activities to our daily lives
and financial well-being demand a simple solution to support response and financial well-being demand a simple solution to support response
time measurements. time measurements.
1.3 Need for a Packet Sequence Number 1.3 Need for a Packet Sequence Number (PSN)
While performing network diagnostics of an end-to-end connection, it While performing network diagnostics of an end-to-end connection, it
often becomes necessary to isolate the factors along the network path often becomes necessary to isolate the factors along the network path
responsible for problems. Diagnostic data may be collected at responsible for problems. Diagnostic data may be collected at
multiple places along the path (if possible), or at the source and multiple places along the path (if possible), or at the source and
destination. Then, in post-collection processing, the diagnostic destination. Then, in post-collection processing, the diagnostic
data corresponding to each packet at different observation points data corresponding to each packet at different observation points
must be matched for proper measurements. A sequence number in each must be matched for proper measurements. A sequence number in each
packet provides sufficient basis for the matching process. If need packet provides sufficient basis for the matching process. If need
be, the timing fields may be used along with the sequence number to be, the timing fields may be used along with the sequence number to
skipping to change at page 5, line 40 skipping to change at page 5, line 40
1.4 Rationale for defined solution 1.4 Rationale for defined solution
The current IPv6 specification does not provide timing nor a similar The current IPv6 specification does not provide timing nor a similar
field in the IPv6 main header or in any extension header. So, we field in the IPv6 main header or in any extension header. So, we
define the IPv6 Performance and Diagnostic Metrics destination option define the IPv6 Performance and Diagnostic Metrics destination option
(PDM). (PDM).
Advantages include: Advantages include:
1. Real measure of actual transactions. 1. Real measure of actual transactions
2. Independence from transport layer protocols. 2. Independence from transport layer protocols
3. Ability to span organizational boundaries with consistent 3. Ability to span organizational boundaries with consistent
instrumentation instrumentation
4. No time synchronization needed between session partners 4. No time synchronization needed between session partners
5. Ability to handle all transport protocols (TCP, UDP, SCTP, etc) 5. Ability to handle all transport protocols (TCP, UDP, SCTP, etc)
in a uniform way in a uniform way
The PDM provides the ability to determine quickly if the (latency) The PDM provides the ability to determine quickly if the (latency)
problem is in the network or in the server (application). More problem is in the network or in the server (application). More
intermediate measurements may be needed if the host or network intermediate measurements may be needed if the host or network
discrimination is not sufficient. At the client, TCP/IP stack time discrimination is not sufficient. At the client, TCP/IP stack time
skipping to change at page 9, line 6 skipping to change at page 9, line 6
8-bit signed integer. This is the scaling value for the Delta Time 8-bit signed integer. This is the scaling value for the Delta Time
Last Sent (DELTATLS) field. The possible values are from 0 to 255. Last Sent (DELTATLS) field. The possible values are from 0 to 255.
Packet Sequence Number This Packet (PSNTP) Packet Sequence Number This Packet (PSNTP)
16-bit unsigned integer. This field will wrap. It is intended for 16-bit unsigned integer. This field will wrap. It is intended for
use while analyzing packet traces. use while analyzing packet traces.
Initialized at a random number and incremented monotonically for each Initialized at a random number and incremented monotonically for each
packet of the session flow of the 5-tuple. The 5-tuple consists of packet of the session flow of the 5-tuple. The random number
the source and destination IP addresses, the source and destination initialization is intended to make it harder to spoof and insert such
ports, and the upper layer protocol (ex. TCP, ICMP, etc). The packets.
random number initialization is intended to make it harder to spoof
and insert such packets.
Operating systems MUST implement a separate packet sequence number Operating systems MUST implement a separate packet sequence number
counter per 5-tuple. Operating systems MUST NOT implement a single counter per 5-tuple.
counter for all connections.
Packet Sequence Number Last Received (PSNLR) Packet Sequence Number Last Received (PSNLR)
16-bit unsigned integer. This is the PSNTP of the packet last 16-bit unsigned integer. This is the PSNTP of the packet last
received on the 5-tuple. received on the 5-tuple.
Delta Time Last Received (DELTATLR) Delta Time Last Received (DELTATLR)
A 16-bit unsigned integer field. The value is set according to the A 16-bit unsigned integer field. The value is set according to the
scale in SCALEDTLR. scale in SCALEDTLR.
skipping to change at page 9, line 38 skipping to change at page 9, line 35
Delta Time Last Sent (DELTATLS) Delta Time Last Sent (DELTATLS)
A 16-bit unsigned integer field. The value is set according to the A 16-bit unsigned integer field. The value is set according to the
scale in SCALEDTLS. scale in SCALEDTLS.
Delta Time Last Sent = (Receive time packet 2 - Send time packet 1) Delta Time Last Sent = (Receive time packet 2 - Send time packet 1)
Option Type Option Type
The two highest-order bits of the Option Type field are encoded to In keeping with RFC2460[RFC2460], the two high order bits of the
indicate specific processing of the option; for the PDM destination Option Type field are encoded to indicate specific processing of the
option, these two bits MUST be set to 00. This indicates the option; for the PDM destination option, these two bits MUST be set to
following processing requirements: 00.
00 - skip over this option and continue processing the header.
RFC2460 [RFC2460] defines other values for the Option Type field.
These MUST NOT be used in the PDM.
In keeping with RFC2460 [RFC2460], the third-highest-order bit of the
Option Type specifies whether or not the Option Data of that option
can change en-route to the packet's final destination.
In the PDM, the value of the third-highest-order bit MUST be 0. The
possible values are as follows:
0 - Option Data does not change en-route
1 - Option Data may change en-route
The three high-order bits described above are to be treated as part The third high order bit of the Option Type specifies whether or not
of the Option Type, not independent of the Option Type. That is, a the Option Data of that option can change en-route to the packet's
particular option is identified by a full 8-bit Option Type, not just final destination.
the low-order 5 bits of an Option Type.
In the PDM, the value of the third high order bit MUST be 0.
3.2.2 Base Unit for Time Measurement 3.2.2 Base Unit for Time Measurement
A time differential is always a whole number in a CPU; it is the unit A time differential is always a whole number in a CPU; it is the unit
specification -- hours, seconds, nanoseconds -- that determine what specification -- hours, seconds, nanoseconds -- that determine what
the numeric value means. For PDM, we establish the base time unit as the numeric value means. For PDM, we establish the base time unit as
1 attosecond (asec). This allows for a common unit and scaling of the 1 attosecond (asec). This allows for a common unit and scaling of the
time differential among all IP stacks and hardware implementations. time differential among all IP stacks and hardware implementations.
Note that we are trying to provide the ability to measure both time Note that we are trying to provide the ability to measure both time
differentials that are extremely small, and time differentials in a differentials that are extremely small, and time differentials in a
skipping to change at page 12, line 40 skipping to change at page 12, line 21
1111 1111 1111 1111 1111 1111 1111 = 2**28-1 asec or 268435455 asec 1111 1111 1111 1111 1111 1111 1111 = 2**28-1 asec or 268435455 asec
Granted, these are small values, but the point is, any value between Granted, these are small values, but the point is, any value between
these two values will have a maximum loss of precision of 4095 asec, these two values will have a maximum loss of precision of 4095 asec,
or about 0.00305% for the first value, as encoded, and at most or about 0.00305% for the first value, as encoded, and at most
0.001526% for the second. These maximum-loss percentages are 0.001526% for the second. These maximum-loss percentages are
consistent for all scaling values. consistent for all scaling values.
3.3 Header Placement 3.3 Header Placement
The PDM destination option follows the order defined in RFC2460 The PDM Destination Option is placed as defined in RFC2460 [RFC2460].
[RFC2460]. There may be a choice of where to place the Destination Options
IPv6 header
Hop-by-Hop Options header
Destination Options header <--------
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header <------------
upper-layer header
Note that there is a choice of where to place the Destination Options
header. If using ESP mode, please see section 3.4 of this document header. If using ESP mode, please see section 3.4 of this document
for placement of the PDM Destination Options header. for placement of the PDM Destination Options header.
For each IPv6 packet header, the PDM MUST NOT appear more than once. For each IPv6 packet header, the PDM MUST NOT appear more than once.
However, an encapsulated packet MAY contain a separate PDM associated However, an encapsulated packet MAY contain a separate PDM associated
with each encapsulated IPv6 header. with each encapsulated IPv6 header.
3.4 Header Placement Using IPSec ESP Mode 3.4 Header Placement Using IPSec ESP Mode
IPSec Encapsulating Security Payload (ESP) is defined in [RFC4303] IPSec Encapsulating Security Payload (ESP) is defined in [RFC4303]
skipping to change at page 15, line 20 skipping to change at page 14, line 31
If implemented, each operating system MUST have a default If implemented, each operating system MUST have a default
configuration parameter, e.g. diag_header_sys_default_value=yes/no. configuration parameter, e.g. diag_header_sys_default_value=yes/no.
The operating system MAY also have a dynamic configuration option to The operating system MAY also have a dynamic configuration option to
change the configuration setting as needed. change the configuration setting as needed.
If the PDM destination options extension header is used, then it MAY If the PDM destination options extension header is used, then it MAY
be turned on for all packets flowing through the host, applied to an be turned on for all packets flowing through the host, applied to an
upper-layer protocol (TCP, UDP, SCTP, etc), a local port, or IP upper-layer protocol (TCP, UDP, SCTP, etc), a local port, or IP
address only. These are at the discretion of the implementation. address only. These are at the discretion of the implementation.
As with all other destination options extension headers, the PDM is
for destination nodes only. As specified above, intermediate devices
MUST neither set nor modify this field.
3.6 5-tuple Aging 3.6 5-tuple Aging
Within the operating system, metrics must be kept on a 5-tuple basis. Within the operating system, metrics must be kept on a 5-tuple basis.
The 5-tuple is:
SADDR : IP address of the sender SPORT : Port for sender DADDR : IP
address of the destination DPORT : Port for destination PROTC :
Protocol for upper layer (ex. TCP, UDP, ICMP)
The question comes of when to stop keeping data or restarting the The question comes of when to stop keeping data or restarting the
numbering for a 5-tuple. For example, in the case of TCP, at some numbering for a 5-tuple. For example, in the case of TCP, at some
point, the connection will terminate. Keeping data in control blocks point, the connection will terminate. Keeping data in control blocks
forever, will have unfortunate consequences for the operating system. forever, will have unfortunate consequences for the operating system.
So, the recommendation is to use a known aging parameter such as Max So, the recommendation is to use a known aging parameter such as Max
Segment Lifetime (MSL) as defined in Transmission Control Protocol Segment Lifetime (MSL) as defined in Transmission Control Protocol
[RFC0793] to reuse or drop the control block. The choice of aging [RFC0793] to reuse or drop the control block. The choice of aging
parameter is left up to the implementation. parameter is left up to the implementation.
4 PDM Flow - Simple Client Server 4 Security Considerations
PDM may introduce some new security weaknesses.
4.1. SYN Flood and Resource Consumption Attacks
PDM needs to calculate the deltas for time and keep track of the
sequence numbers. This means that control blocks must be kept at the
end hosts per 5-tuple. Any time a control block is kept, an
attacker can try to mis-use the control blocks such that there is a
compromise of the end host.
PDM is used only at the end hosts and the control blocks are only
kept at the end host and not at routers or middle boxes. Remember,
PDM is an implementation of the Destination Option extension header.
A "SYN flood" type of attack succeeds because a TCP SYN packet is
small but it causes the end host to start creating a place holder for
the session such that quite a bit of control block and other storage
is used. This is an asynchronous type of attack in that a small
amount of work by the attacker creates a large amount of work by the
resource attacked.
For PDM, the amount of data to be kept is quite small. That is, the
control block is quite lightweight. Concerns about SYN Flood and
other type of resource consumption attacks (memory, processing power,
etc) can be alleviated by having a limit on the number of control
block entries.
We recommend that implementation of PDM SHOULD have a limit on the
number of control block entries.
4.2 Pervasive monitoring
Since PDM passes in the clear, a concern arises as to whether the
data can be used to fingerprint the system or somehow obtain
information about the contents of the payload.
Let us discuss fingerprinting of the end host first. It is possible
that seeing the pattern of deltas or the absolute values could give
some information as to the speed of the end host - that is, if it is
a very fast system or an older, slow device. This may be useful to
the attacker. However, if the attacker has access to PDM, the
attacker also has access to the entire packet and could make such a
deduction based merely on the time frames elapsed between packets
WITHOUT PDM.
As far as deducing the content of the payload, it appears to us that
PDM is quite unhelpful in this regard.
4.3 PDM as a Covert Channel
PDM provides a set of fields in the packet which could be used to
leak data. But, there is no real reason to suspect that PDM would
be chosen rather than another part of the payload or another
Extension Header.
A firewall or another device could sanity check the fields within the
PDM but randomly assigned sequence numbers and delta times might be
expected to vary widely. The biggest problem though is how an
attacker would get access to PDM in the first place to leak data.
The attacker would have to either compromise the end host or have Man
in the Middle (MitM). It is possible that either one could change
the fields. But, then the other end host would get sequence numbers
and deltas that don't make any sense. Presumably, one is using PDM
and doing packet tracing for diagnostic purposes, so the changes
would be obvious. It is conceivable that someone could compromise
an end host and make it start sending packets with PDM without the
knowledge of the host. But, again, the bigger problem is the
compromise of the end host. Once that is done, the attacker
probably has better ways to leak data.
Having said that, an implementation SHOULD stop using PDM if it gets
some number of "nonsensical" sequence numbers.
4.4 Timing Attacks
The fact that PDM can help in the separation of node processing time
from network latency brings value to performance monitoring. Yet, it
is this very characteristic of PDM which may be misused to make
certain new type of timing attacks against protocols and
implementations possible.
Depending on the nature of the cryptographic protocol used, it may be
possible to leak the long term credentials of the device. For
example, if an attacker is able to create an attack which causes the
enterprise to turn on PDM to diagnose the attack, then the attacker
might use PDM during that debugging time to launch a timing attack
against the long term keying material used by the cryptographic
protocol.
An implementation may want to be sure that PDM is enabled only for
certain ip addresses, or only for some ports. Additionally, we
recommend that the implementation SHOULD require an explicit restart
of monitoring after a certain timeperiod (for example for 1 hour), to
make sure that PDM is not accidently left on after debugging has been
done etc.
Even so, if using PDM, we introduce the concept of user "Consent to
be Measured" as a pre-requisite for using PDM. Consent is common in
enterprises and with some subscription services. So, if with PDM, we
recommend that the user SHOULD consent to its use.
5 IANA Considerations
This draft requests an Option Type assignment in the Destination
Options and Hop-by-Hop Options sub-registry of Internet Protocol
Version 6 (IPv6) Parameters [ref to RFCs and URL below].
http://www.iana.org/assignments/ipv6-parameters/ipv6-
parameters.xhtml#ipv6-parameters-2
Hex Value Binary Value Description Reference
act chg rest
-------------------------------------------------------------------
TBD TBD Performance and [This draft]
Diagnostic Metrics
(PDM)
6 References
6.1 Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts --
Communication Layers", RFC 1122, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip
Delay Metric for IPPM", RFC 2681, September 1999.
[RFC2780] Bradner, S. and V. Paxson, "IANA Allocation Guidelines For
Values In the Internet Protocol and Related Headers", BCP 37, RFC
2780, March 2000.
[RFC4303] Kent, S, "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2005.
6.2 Informative References
[TRAM-TCPM] Trammel, B., "Encoding of Time Intervals for the TCP
Timestamp Option-01", Internet Draft, July 2013. [Work in Progress]
Appendix A : Timing Time Differential Calculations
The time counter in a CPU is a binary whole number, representing a
number of milliseconds (msec), microseconds (usec) or even
picoseconds (psec). Representing one of these values as attoseconds
(asec) means multiplying by 10 raised to some exponent. Refer to this
table of equalities:
Base value = # of sec = # of asec 1000s of asec
--------------- ------------- ------------- -------------
1 second 1 sec 10**18 asec 1000**6 asec
1 millisecond 10**-3 sec 10**15 asec 1000**5 asec
1 microsecond 10**-6 sec 10**12 asec 1000**4 asec
1 nanosecond 10**-9 sec 10**9 asec 1000**3 asec
1 picosecond 10**-12 sec 10**6 asec 1000**2 asec
1 femtosecond 10**-15 sec 10**3 asec 1000**1 asec
For example, if you have a time differential expressed in
microseconds, since each microsecond is 10**12 asec, you would
multiply your time value by 10**12 to obtain the number of
attoseconds. If you time differential is expressed in nanoseconds,
you would multiply by 10**9 to get the number of attoseconds.
The result is a binary value that will need to be shortened by a
number of bits so it will fit into the 16-bit PDM DELTA field.
The next step is to divide by 2 until the value is contained in just
16 significant bits. The exponent of the value in the last column of
of the table is useful here; the initial scaling factor is that
exponent multiplied by 10. This is the minimum number of low-order
bits to be shifted-out or discarded. It represents dividing the time
value by 1024 raised to that exponent.
The resulting value may still be too large to fit into 16 bits, but
can be normalized by shifting out more bits (dividing by 2) until the
value fits into the 16-bit DELTA field. The number of extra bits
shifted out is then added to the scaling factor. The scaling factor,
the total number of low-order bits dropped, is the SCALEDTL value.
For example: say an application has these start and finish timer
values (hexadecimal values, in microseconds):
Finish: 27C849234 usec (02:57:58.997556)
-Start: 27C83F696 usec (02:57:58.957718)
========== ========= ===============
Difference 9B9E usec 00.039838 sec or 39838 usec
To convert this differential value to binary attoseconds, multiply
the number of microseconds by 10**12. Divide by 1024**4, or simply
discard 40 bits from the right. The result is 36232, or 8D88 in hex,
with a scaling factor or SCALEDTL value of 40.
For another example, presume the time differential is larger, say
32.311072 seconds, which is 32311072 usec. Each microsecond is 10**12
asec, so multiply by 10**12, giving the hexadecimal value
1C067FCCAE8120000. Using the initial scaling factor of 40, drop the
last 10 characters (40 bits) from that string, giving 1C067FC. This
will not fit into a DELTA field, as it is 25 bits long. Shifting the
value to the right another 9 bits results in a DELTA value of E033,
with a resulting scaling factor of 49.
When the time differential value is a small number, regardless of the
time unit, the exponent trick given above is not useful in
determining the proper scaling value. For example, if the time
differential is 3 seconds and you want to convert that directly, you
would follow this path:
3 seconds = 3*10**18 asec (decimal)
= 29A2241AF62C0000 asec (hexadecimal)
If you just truncate the last 60 bits, you end up with a delta value
of 2 and a scaling factor of 60, when what you really wanted was a
delta value with more significant digits. The most precision with
which you can store this value in 16 bits is A688, with a scaling
factor of 46.
Appendix B: Sample Packet Flows
B.1 PDM Flow - Simple Client Server
Following is a sample simple flow for the PDM with one packet sent Following is a sample simple flow for the PDM with one packet sent
from Host A and one packet received by Host B. The PDM does not from Host A and one packet received by Host B. The PDM does not
require time synchronization between Host A and Host B. The require time synchronization between Host A and Host B. The
calculations to derive meaningful metrics for network diagnostics are calculations to derive meaningful metrics for network diagnostics are
shown below each packet sent or received. shown below each packet sent or received.
Each packet, in addition to the PDM contains information on the B.1.1 Step 1
sender and receiver. As discussed before, a 5-tuple consists of:
SADDR : IP address of the sender
SPORT : Port for sender
DADDR : IP address of the destination
DPORT : Port for destination
PROTC : Protocol for upper layer (ex. TCP, UDP, ICMP)
It should be understood that the packet identification information is
in each packet. We will not repeat that in each of the following
steps.
4.1 Step 1
Packet 1 is sent from Host A to Host B. The time for Host A is set Packet 1 is sent from Host A to Host B. The time for Host A is set
initially to 10:00AM. initially to 10:00AM.
The time and packet sequence number are saved by the sender The time and packet sequence number are saved by the sender
internally. The packet sequence number and delta times are sent in internally. The packet sequence number and delta times are sent in
the packet. the packet.
Packet 1 Packet 1
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
| Host | ----------> | Host | | Host | ----------> | Host |
| A | | B | | A | | B |
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
PDM Contents: PDM Contents:
PSNTP : Packet Sequence Number This Packet: 25 PSNTP : Packet Sequence Number This Packet: 25
PSNLR : Packet Sequence Number Last Received: - PSNLR : Packet Sequence Number Last Received: -
DELTATLR : Delta Time Last Received: - DELTATLR : Delta Time Last Received: -
SCALEDTLR: Scale of Delta Time Last Received: 0 SCALEDTLR: Scale of Delta Time Last Received: 0
DELTATLS : Delta Time Last Sent: - DELTATLS : Delta Time Last Sent: -
SCALEDTLS: Scale of Delta Time Last Sent: 0 SCALEDTLS: Scale of Delta Time Last Sent: 0
Internally, within the sender, Host A, it must keep: Internally, within the sender, Host A, it must keep:
Packet Sequence Number of the last packet sent: 25 Packet Sequence Number of the last packet sent: 25
Time the last packet was sent: 10:00:00 Time the last packet was sent: 10:00:00
Note, the initial PSNTP from Host A starts at a random number. In Note, the initial PSNTP from Host A starts at a random number. In
this case, 25. The time in these examples is shown in seconds for this case, 25. The time in these examples is shown in seconds for
the sake of simplicity. the sake of simplicity.
4.2 Step 2 B.1.2 Step 2
Packet 1 is received at Host B. Its time is set to one hour later Packet 1 is received at Host B. Its time is set to one hour later
than Host A. In this case, 11:00AM than Host A. In this case, 11:00AM
Internally, within the receiver, Host B, it must note: Internally, within the receiver, Host B, it must note:
Packet Sequence Number of the last packet received: 25 Packet Sequence Number of the last packet received: 25
Time the last packet was received : 11:00:03 Time the last packet was received : 11:00:03
Note, this timestamp is in Host B time. It has nothing whatsoever to Note, this timestamp is in Host B time. It has nothing whatsoever to
do with Host A time. The Packet Sequence Number of the last packet do with Host A time. The Packet Sequence Number of the last packet
received will become PSNLR which will be sent out in the packet sent received will become PSNLR which will be sent out in the packet sent
by Host B in the next step. The time last received will be used to by Host B in the next step. The time last received will be used to
calculate the DELTALR value to be sent out in the packet sent by Host calculate the DELTALR value to be sent out in the packet sent by Host
B in the next step. B in the next step.
4.3 Step 3 B.1.3 Step 3
Packet 2 is sent by Host B to Host A. Note, the initial packet Packet 2 is sent by Host B to Host A. Note, the initial packet
sequence number (PSNTP) from Host B starts at a random number. In sequence number (PSNTP) from Host B starts at a random number. In
this case, 12. Before sending the packet, Host B does a calculation this case, 12. Before sending the packet, Host B does a calculation
of deltas. Since Host B knows when it is sending the packet, and it of deltas. Since Host B knows when it is sending the packet, and it
knows when it received the previous packet, it can do the following knows when it received the previous packet, it can do the following
calculation: calculation:
Sending time : packet 2 - receive time : packet 1 Sending time : packet 2 - receive time : packet 1
We will call the result of this calculation: Delta Time Last Received We will call the result of this calculation: Delta Time Last Received
(DELTATLR) (DELTATLR)
That is:
Delta Time Last Received = (Sending time: packet 2 - receive time:
packet 1)
Note, both sending time and receive time are saved internally in Host Note, both sending time and receive time are saved internally in Host
B. They do not travel in the packet. Only the Delta is in the B. They do not travel in the packet. Only the Delta is in the
packet. packet.
Assume that within Host B is the following: Assume that within Host B is the following:
Packet Sequence Number of the last packet received: 25 Packet Sequence Number of the last packet received: 25
Time the last packet was received: 11:00:03 Time the last packet was received: 11:00:03
Packet Sequence Number of this packet: 12 Packet Sequence Number of this packet: 12
Time this packet is being sent: 11:00:07 Time this packet is being sent: 11:00:07
skipping to change at page 18, line 15 skipping to change at page 22, line 5
DELTATLR becomes: DELTATLR becomes:
4 seconds = 11:00:07 - 11:00:03 = 3782DACE9D900000 asec 4 seconds = 11:00:07 - 11:00:03 = 3782DACE9D900000 asec
This is the derived metric: Server Delay. The time and scaling This is the derived metric: Server Delay. The time and scaling
factor must be converted; in this case, the time differential is factor must be converted; in this case, the time differential is
DE0B, and the scaling factor is 2E, or 46 in decimal. Then, these DE0B, and the scaling factor is 2E, or 46 in decimal. Then, these
values, along with the packet sequence numbers will be sent to Host A values, along with the packet sequence numbers will be sent to Host A
as follows: as follows:
Packet 2 Packet 2
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
| Host | <---------- | Host | | Host | <---------- | Host |
| A | | B | | A | | B |
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
PDM Contents: PDM Contents:
PSNTP : Packet Sequence Number This Packet: 12 PSNTP : Packet Sequence Number This Packet: 12
PSNLR : Packet Sequence Number Last Received: 25 PSNLR : Packet Sequence Number Last Received: 25
DELTATLR : Delta Time Last Received: DE0B (4 seconds) DELTATLR : Delta Time Last Received: DE0B (4 seconds)
SCALEDTLR: Scale of Delta Time Last Received: 2E (46 decimal) SCALEDTLR: Scale of Delta Time Last Received: 2E (46 decimal)
DELTATLS : Delta Time Last Sent: - DELTATLS : Delta Time Last Sent: -
SCALEDTLS: Scale of Delta Time Last Sent: 0 SCALEDTLS: Scale of Delta Time Last Sent: 0
The metric left to be calculated is the Round-Trip Delay. This will The metric left to be calculated is the Round-Trip Delay. This will
be calculated by Host A when it receives Packet 2. be calculated by Host A when it receives Packet 2.
4.4 Step 4 B.1.4 Step 4
Packet 2 is received at Host A. Remember, its time is set to one Packet 2 is received at Host A. Remember, its time is set to one
hour earlier than Host B. Internally, it must note: hour earlier than Host B. Internally, it must note:
Packet Sequence Number of the last packet received: 12 Packet Sequence Number of the last packet received: 12
Time the last packet was received : 10:00:12 Time the last packet was received : 10:00:12
Note, this timestamp is in Host A time. It has nothing whatsoever to Note, this timestamp is in Host A time. It has nothing whatsoever to
do with Host B time. do with Host B time.
So, now, Host A can calculate total end-to-end time. That is: So, now, Host A can calculate total end-to-end time. That is:
End-to-End Time = Time Last Received - Time Last Sent End-to-End Time = Time Last Received - Time Last Sent
For example, packet 25 was sent by Host A at 10:00:00. Packet 12 was For example, packet 25 was sent by Host A at 10:00:00. Packet 12 was
received by Host A at 10:00:12 so: received by Host A at 10:00:12 so:
End-to-End time = 10:00:12 - 10:00:00 or 12 (Server and Network RT End-to-End time = 10:00:12 - 10:00:00 or 12 (Server and Network RT
delay combined). This time may also be called total Overall Round- delay combined). This time may also be called total Overall Round-
trip time (which includes Network RTT and Host Response Time). Trip Time (RTT) which includes Network RTT and Host Response Time.
This derived metric we will call Delta Time Last Sent (DELTATLS) This derived metric we will call Delta Time Last Sent (DELTATLS)
We can now also calculate round trip delay. The formula is: We can now also calculate round trip delay. The formula is:
Round trip delay = (Delta Time Last Sent - Delta Time Last Received) Round trip delay = (Delta Time Last Sent - Delta Time Last Received)
Or: Or:
Round trip delay = 12 - 4 or 8 Round trip delay = 12 - 4 or 8
Now, the only problem is that at this point all metrics are in Host A Now, the only problem is that at this point all metrics are in Host A
only and not exposed in a packet. To do that, we need a third packet. only and not exposed in a packet. To do that, we need a third packet.
Note: this simple example assumes one send and one receive. That Note: this simple example assumes one send and one receive. That
is done only for purposes of explaining the function of the PDM. In is done only for purposes of explaining the function of the PDM. In
cases where there are multiple packets returned, one would take the cases where there are multiple packets returned, one would take the
skipping to change at page 19, line 31 skipping to change at page 23, line 18
Now, the only problem is that at this point all metrics are in Host A Now, the only problem is that at this point all metrics are in Host A
only and not exposed in a packet. To do that, we need a third packet. only and not exposed in a packet. To do that, we need a third packet.
Note: this simple example assumes one send and one receive. That Note: this simple example assumes one send and one receive. That
is done only for purposes of explaining the function of the PDM. In is done only for purposes of explaining the function of the PDM. In
cases where there are multiple packets returned, one would take the cases where there are multiple packets returned, one would take the
time in the last packet in the sequence. The calculations of such time in the last packet in the sequence. The calculations of such
timings and intelligent processing is the function of post-processing timings and intelligent processing is the function of post-processing
of the data. of the data.
4.5 Step 5 B.1.5 Step 5
Packet 3 is sent from Host A to Host B. Packet 3 is sent from Host A to Host B.
+----------+ +----------+ +----------+ +----------+
| | | | | | | |
| Host | ----------> | Host | | Host | ----------> | Host |
| A | | B | | A | | B |
| | | | | | | |
+----------+ +----------+ +----------+ +----------+
PDM Contents: PDM Contents:
PSNTP : Packet Sequence Number This Packet: 26 PSNTP : Packet Sequence Number This Packet: 26
PSNLR : Packet Sequence Number Last Received: 12 PSNLR : Packet Sequence Number Last Received: 12
DELTATLR : Delta Time Last Received: 0 DELTATLR : Delta Time Last Received: 0
SCALEDTLS: Scale of Delta Time Last Received 0 SCALEDTLS: Scale of Delta Time Last Received 0
DELTATLS : Delta Time Last Sent: A688 (scaled value) DELTATLS : Delta Time Last Sent: A688 (scaled value)
SCALEDTLR: Scale of Delta Time Last Received: 30 (48 decimal) SCALEDTLR: Scale of Delta Time Last Received: 30 (48 decimal)
To calculate Two-Way Delay, any packet capture device may look at To calculate Two-Way Delay, any packet capture device may look at
these packets and do what is necessary. these packets and do what is necessary.
5 Other Flows B.2 Other Flows
What we have discussed so far is a simple flow with one packet sent What we have discussed so far is a simple flow with one packet sent
and one returned. Let's look at how PDM may be useful in other and one returned. Let's look at how PDM may be useful in other
types of flows. types of flows.
5.1 PDM Flow - One Way Traffic B.2.1 PDM Flow - One Way Traffic
The flow on a particular session may not be a send-receive paradigm. The flow on a particular session may not be a send-receive paradigm.
Let us consider some other situations. In the case of a one-way Let us consider some other situations. In the case of a one-way
flow, one might see the following: flow, one might see the following:
Note: The time is expressed in generic units for simplicity. That Note: The time is expressed in generic units for simplicity. That
is, these values do not represent a number of attoseconds, is, these values do not represent a number of attoseconds,
microseconds or any other real units of time. microseconds or any other real units of time.
Packet Sender PSN PSN Delta Time Delta Time Packet Sender PSN PSN Delta Time Delta Time
This Packet Last Recvd Last Recvd Last Sent This Packet Last Recvd Last Recvd Last Sent
===================================================================== =====================================================================
1 Server 1 0 0 0 1 Server 1 0 0 0
2 Server 2 0 0 5 2 Server 2 0 0 5
3 Server 3 0 0 12 3 Server 3 0 0 12
4 Server 4 0 0 20 4 Server 4 0 0 20
What does this mean and how is it useful? What does this mean and how is it useful?
In a one-way flow, only the Delta Time Last Sent will be seen as In a one-way flow, only the Delta Time Last Sent will be seen as
used. Recall, Delta Time Last Sent is the difference between the used. Recall, Delta Time Last Sent is the difference between the
send of one packet from a device and the next. This is a measure of send of one packet from a device and the next. This is a measure of
throughput for the sender - according to the sender's point of view. throughput for the sender - according to the sender's point of view.
That is, it is a measure of how fast is the application itself (with That is, it is a measure of how fast is the application itself (with
stack time included) able to send packets. stack time included) able to send packets.
How might this be useful? If one is having a performance issue at How might this be useful? If one is having a performance issue at
the client and sees that packet 2, for example, is sent after 5 time the client and sees that packet 2, for example, is sent after 5 time
units from the server but takes 10 times that long to arrive at the units from the server but takes 10 times that long to arrive at the
destination, then one may safely conclude that there are delays in destination, then one may safely conclude that there are delays in
the path other than at the server which may be causing the delivery the path other than at the server which may be causing the delivery
issue of that packet. Such delays may include the network links, issue of that packet. Such delays may include the network links,
middle-boxes, etc. middle-boxes, etc.
Now, true one-way traffic is quite rare. What people often mean by Now, true one-way traffic is quite rare. What people often mean by
"one-way" traffic is an application such as FTP where a group of "one-way" traffic is an application such as FTP where a group of
packets (for example, a TCP window size worth) is sent, then the packets (for example, a TCP window size worth) is sent, then the
sender waits for acknowledgment. This type of flow would actually sender waits for acknowledgment. This type of flow would actually
fall into the "multiple-send" traffic model. fall into the "multiple-send" traffic model.
5.2 PDM Flow - Multiple Send Traffic B.2.2 PDM Flow - Multiple Send Traffic
Assume that two packets are sent for each ACK from the server. For Assume that two packets are sent for each ACK from the server. For
example, a TCP flow will do this, per RFC1122 [RFC1122] Section- example, a TCP flow will do this, per RFC1122 [RFC1122] Section-
4.2.3. 4.2.3.
Packet Sender PSN PSN Delta Time Delta Time Packet Sender PSN PSN Delta Time Delta Time
This Packet Last Recvd Last Recvd Last Sent This Packet Last Recvd Last Recvd Last Sent
===================================================================== =====================================================================
1 Server 1 0 0 0 1 Server 1 0 0 0
2 Server 2 0 0 5 2 Server 2 0 0 5
3 Client 1 2 20 0 3 Client 1 2 20 0
4 Server 3 1 10 15 4 Server 3 1 10 15
How might this be used? How might this be used?
Notice that in packet 3, the client has a value of Delta Time Last Notice that in packet 3, the client has a value of Delta Time Last
received of 20. Recall that Delta Time Last Received is the Send received of 20. Recall that Delta Time Last Received is the Send
time of packet 3 - receive time of packet 2. So, what does one know time of packet 3 - receive time of packet 2. So, what does one know
now? In this case, Delta Time Last Received is the processing time now? In this case, Delta Time Last Received is the processing time
for the Client to send the next packet. for the Client to send the next packet.
How to interpret this depends on what is actually being sent. How to interpret this depends on what is actually being sent.
Remember, PDM is not being used in isolation, but to supplement the Remember, PDM is not being used in isolation, but to supplement the
skipping to change at page 22, line 10 skipping to change at page 25, line 40
Of course, one also needs to look at the PSN Last Received field to Of course, one also needs to look at the PSN Last Received field to
make sure of the interpretation of this data. That is, to make make sure of the interpretation of this data. That is, to make
sure that the Delta Last Received corresponds to the packet of sure that the Delta Last Received corresponds to the packet of
interest. interest.
The benefits of PDM are that we have such information available in a The benefits of PDM are that we have such information available in a
uniform manner for all applications and all protocols without uniform manner for all applications and all protocols without
extensive changes required to applications. extensive changes required to applications.
5.3 PDM Flow - Multiple Send with Errors B.2.3 PDM Flow - Multiple Send with Errors
Let us now look at a case of how PDM may be able to help in a case of Let us now look at a case of how PDM may be able to help in a case of
TCP retransmission and add to the information that is sent in the TCP TCP retransmission and add to the information that is sent in the TCP
header. header.
Assume that three packets are sent with each send from the server. Assume that three packets are sent with each send from the server.
From the server, this is what is seen. From the server, this is what is seen.
Pkt Sender PSN PSN Delta Time Delta Time TCP Data Pkt Sender PSN PSN Delta Time Delta Time TCP Data
skipping to change at page 22, line 36 skipping to change at page 26, line 23
The client, however, does not receive all the packets. From the The client, however, does not receive all the packets. From the
client, this is what is seen for the packets sent from the server. client, this is what is seen for the packets sent from the server.
Pkt Sender PSN PSN Delta Time Delta Time TCP Data Pkt Sender PSN PSN Delta Time Delta Time TCP Data
This Pkt LastRecvd LastRecvd LastSent SEQ Bytes This Pkt LastRecvd LastRecvd LastSent SEQ Bytes
===================================================================== =====================================================================
1 Server 1 0 0 0 123 100 1 Server 1 0 0 0 123 100
2 Server 3 0 0 5 333 100 2 Server 3 0 0 5 333 100
Let's assume that the server now retransmits the packet. Let's assume that the server now retransmits the packet. (Obviously,
(Obviously, a duplicate acknowledgment sequence for fast retransmit a duplicate acknowledgment sequence for fast retransmit or a
or a retransmit timeout would occur. To illustrate the point, these retransmit timeout would occur. To illustrate the point, these
packets are being left out.) packets are being left out.)
So, then if a TCP retransmission is done, then from the client, this So, then if a TCP retransmission is done, then from the client, this
is what is seen for the packets sent from the server. is what is seen for the packets sent from the server.
Pkt Sender PSN PSN Delta Time Delta Time TCP Data Pkt Sender PSN PSN Delta Time Delta Time TCP Data
This Pkt LastRecvd LastRecvd LastSent SEQ Bytes This Pkt LastRecvd LastRecvd LastSent SEQ Bytes
===================================================================== =====================================================================
1 Server 4 0 0 30 223 100 1 Server 4 0 0 30 223 100
skipping to change at page 23, line 18 skipping to change at page 27, line 4
Let's say that packet 4 is lost again. Then, after some amount of Let's say that packet 4 is lost again. Then, after some amount of
time (RTO) then the packet with TCP sequence number of 223 is resent. time (RTO) then the packet with TCP sequence number of 223 is resent.
From the client, this is what is seen for the packets sent from the From the client, this is what is seen for the packets sent from the
server. server.
Pkt Sender PSN PSN Delta Time Delta Time TCP Data Pkt Sender PSN PSN Delta Time Delta Time TCP Data
This Pkt LastRecvd LastRecvd LastSent SEQ Bytes This Pkt LastRecvd LastRecvd LastSent SEQ Bytes
===================================================================== =====================================================================
1 Server 5 0 0 60 223 100 1 Server 5 0 0 60 223 100
If now, this packet arrives at the destination, one has a very good If now, this packet arrives at the destination, one has a very good
idea that packets exist which are being sent from the server as idea that packets exist which are being sent from the server as
retransmissions and not arriving at the client. This is because the retransmissions and not arriving at the client. This is because the
PSN of the resent packet from the server is 5 rather than 4. If we PSN of the resent packet from the server is 5 rather than 4. If we
had used TCP sequence number alone, we would never have seen this had used TCP sequence number alone, we would never have seen this
situation. The TCP sequence number in all situations is 223. situation. The TCP sequence number in all situations is 223.
This situation would be experienced by the user of the application This situation would be experienced by the user of the application
(the human being actually sitting somewhere) as a "hangs" or long (the human being actually sitting somewhere) as a "hangs" or long
delay between packets. On large networks, to diagnose problems such delay between packets. On large networks, to diagnose problems such
as these where packets are lost somewhere on the network, one has to as these where packets are lost somewhere on the network, one has to
take multiple traces to find out exactly where. take multiple traces to find out exactly where.
The first thing is to start with doing a trace at the client and the The first thing is to start with doing a trace at the client and the
server. So, we can see if the server sent a particular packet and server. So, we can see if the server sent a particular packet and
the client received it. If the client did not receive it, then we the client received it. If the client did not receive it, then we
start tracking back to trace points at the router right after the start tracking back to trace points at the router right after the
server and the router right before the client. Did they get these server and the router right before the client. Did they get these
packets which the server has sent? This is a time consuming packets which the server has sent? This is a time consuming
activity. activity.
With PDM, we can speed up the diagnostic time because we may be able With PDM, we can speed up the diagnostic time because we may be able
to use only the trace taken at the client to see what the server is to use only the trace taken at the client to see what the server is
sending. sending.
6 Potential Overhead Considerations Appendix C: Potential Overhead Considerations
Questions have been posed as to the potential overhead of PDM. One might wonder as to the potential overhead of PDM. First, PDM is
First, PDM is entirely optional. That is, a site may choose to entirely optional. That is, a site may choose to implement PDM or
implement PDM or not as they wish. If they are happy with the costs not as they wish. If they are happy with the costs of PDM vs. the
of PDM vs. the benefits, then the choice should be theirs. benefits, then the choice should be theirs.
Below is a table outlining the potential overhead in terms of Below is a table outlining the potential overhead in terms of
additional time to deliver the response to the end user for various additional time to deliver the response to the end user for various
assumed RTTs. assumed RTTs.
Bytes RTT Bytes Bytes New Overhead Bytes RTT Bytes Bytes New Overhead
in Packet Per Milli in PDM RTT in Packet Per Millisec in PDM RTT
===================================================================== =====================================================================
1000 1000 milli 1 16 1016.000 16.000 milli 1000 1000 milli 1 16 1016.000 16.000 milli
1000 100 milli 10 16 101.600 1.600 milli 1000 100 milli 10 16 101.600 1.600 milli
1000 10 milli 100 16 10.160 .160 milli 1000 10 milli 100 16 10.160 .160 milli
1000 1 milli 1000 16 1.016 .016 milli 1000 1 milli 1000 16 1.016 .016 milli
Below are some examples of actual RTTs for packets traversing large Below are some examples of actual RTTs for packets traversing large
enterprise networks. The first example is for packets going to enterprise networks. The first example is for packets going to
multiple business partners. multiple business partners.
Bytes RTT Bytes Bytes New Overhead Bytes RTT Bytes Bytes New Overhead
in Packet Per Milli in PDM RTT in Packet Per Millisec in PDM RTT
===================================================================== =====================================================================
1000 17 milli 58 16 17.360 .360 milli 1000 17 milli 58 16 17.360 .360 milli
The second example is for packets at a large enterprise customer The second example is for packets at a large enterprise customer
within a data center. Notice that the scale is now in microseconds within a data center. Notice that the scale is now in microseconds
rather than milliseconds. rather than milliseconds.
Bytes RTT Bytes Bytes New Overhead Bytes RTT Bytes Bytes New Overhead
in Packet Per Micro in PDM RTT in Packet Per Microsec in PDM RTT
===================================================================== =====================================================================
1000 20 micro 50 16 20.320 .320 micro 1000 20 micro 50 16 20.320 .320 micro
7 Security Considerations
PDM may introduce some new security weaknesses.
7.1. SYN Flood and Resource Consumption Attacks
PDM needs to calculate the deltas for time and keep track of the
sequence numbers. This means that control blocks must be kept at the
end hosts per 5-tuple. Any time a control block is kept, an
attacker can try to mis-use the control blocks such that there is a
compromise of the end host.
PDM is used only at the end hosts and the control blocks are only
kept at the end host and not at routers or middle boxes. Remember,
PDM is an implementation of the Destination Option extension header.
A "SYN flood" type of attack succeeds because a TCP SYN packet is
small but it causes the end host to start creating a place holder for
the session such that quite a bit of control block and other storage
is used. This is an asynchronous type of attack in that a small
amount of work by the attacker creates a large amount of work by the
resource attacked.
For PDM, the amount of data to be kept is quite small. That is, the
control block is quite lightweight. Concerns about SYN Flood and
other type of resource consumption attacks (memory, processing power,
etc) can be alleviated by having a limit on the number of control
block entries.
We recommend that implementation of PDM SHOULD have a limit on the
number of control block entries.
7.2 Pervasive monitoring
Since PDM passes in the clear, a concern arises as to whether the
data can be used to fingerprint the system or somehow obtain
information about the contents of the payload.
Let us discuss fingerprinting of the end host first. It is possible
that seeing the pattern of deltas or the absolute values could give
some information as to the speed of the end host - that is, if it is
a very fast system or an older, slow device. This may be useful to
the attacker. However, if the attacker has access to PDM, the
attacker also has access to the entire packet and could make such a
deduction based merely on the time frames elapsed between packets
WITHOUT PDM.
As far as deducing the content of the payload, it appears to us that
PDM is quite unhelpful in this regard.
7.3 PDM as a Covert Channel
PDM provides a set of fields in the packet which could be used to
leak data. But, there is no real reason to suspect that PDM would
be chosen rather than another part of the payload or another
Extension Header.
A firewall or another device could sanity check the fields within the
PDM but randomly assigned sequence numbers and delta times might be
expected to vary widely. The biggest problem though is how an
attacker would get access to PDM in the first place to leak data.
The attacker would have to either compromise the end host or have Man
in the Middle (MitM). It is possible that either one could change
the fields. But, then the other end host would get sequence numbers
and deltas that don't make any sense. Presumably, one is using PDM
and doing packet tracing for diagnostic purposes, so the changes
would be obvious. It is conceivable that someone could compromise
an end host and make it start sending packets with PDM without the
knowledge of the host. But, again, the bigger problem is the
compromise of the end host. Once that is done, the attacker
probably has better ways to leak data.
Having said that, an implementation SHOULD stop using PDM if it gets
some number of "nonsensical" sequence numbers.
7.4 Timing Attacks
The fact that PDM can help in the separation of node processing time
from network latency brings value to performance monitoring. Yet, it
is this very characteristic of PDM which may be misused to make
certain new type of timing attacks against protocols and
implementations possible.
Depending on the nature of the cryptographic protocol used, it may be
possible to leak the long term credentials of the device. For
example, if an attacker is able to create an attack which causes the
enterprise to turn on PDM to diagnose the attack, then the attacker
might use PDM during that debugging time to launch a timing attack
against the long term keying material used by the cryptographic
protocol.
An implementation may want to be sure that PDM is enabled only for
certain ip addresses, or only for some ports. Additionally, we
recommend that the implementation SHOULD require an explicit restart
of monitoring after a certain timeperiod (for example for 1 hour), to
make sure that PDM is not accidently left on after debugging has been
done etc.
Even so, if using PDM, we introduce the concept of user "Consent to
be Measured" as a pre-requisite for using PDM. Consent is common in
enterprises and with some subscription services. So, if with PDM, we
recommend that the user SHOULD consent to its use.
8 IANA Considerations
This draft requests an Option Type assignment in the Destination
Options and Hop-by-Hop Options sub-registry of Internet Protocol
Version 6 (IPv6) Parameters [ref to RFCs and URL below].
http://www.iana.org/assignments/ipv6-parameters/ipv6-
parameters.xhtml#ipv6-parameters-2
Hex Value Binary Value Description Reference
act chg rest
-------------------------------------------------------------------
TBD TBD Performance and [This draft]
Diagnostic Metrics
(PDM)
9 References
9.1 Normative References
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[RFC1122] Braden, R., "Requirements for Internet Hosts --
Communication Layers", RFC 1122, October 1989.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
(IPv6) Specification", RFC 2460, December 1998.
[RFC2681] Almes, G., Kalidindi, S., and M. Zekauskas, "A Round-trip
Delay Metric for IPPM", RFC 2681, September 1999.
[RFC2780] Bradner, S. and V. Paxson, "IANA Allocation Guidelines For
Values In the Internet Protocol and Related Headers", BCP 37, RFC
2780, March 2000.
[RFC4303] Kent, S, "IP Encapsulating Security Payload (ESP)", RFC
4303, December 2005.
9.2 Informative References
[TRAM-TCPM] Trammel, B., "Encoding of Time Intervals for the TCP
Timestamp Option-01", Internet Draft, July 2013. [Work in Progress]
Appendix A : Timing Considerations
A.1 Time Differential Calculations
The time counter in a CPU is a binary whole number, representing a
number of milliseconds (msec), microseconds (usec) or even
picoseconds (psec). Representing one of these values as attoseconds
(asec) means multiplying by 10 raised to some exponent. Refer to this
table of equalities:
Base value = # of sec = # of asec 1000s of asec
--------------- ------------- ------------- -------------
1 second 1 sec 10**18 asec 1000**6 asec
1 millisecond 10**-3 sec 10**15 asec 1000**5 asec
1 microsecond 10**-6 sec 10**12 asec 1000**4 asec
1 nanosecond 10**-9 sec 10**9 asec 1000**3 asec
1 picosecond 10**-12 sec 10**6 asec 1000**2 asec
1 femtosecond 10**-15 sec 10**3 asec 1000**1 asec
For example, if you have a time differential expressed in
microseconds, since each microsecond is 10**12 asec, you would
multiply your time value by 10**12 to obtain the number of
attoseconds. If you time differential is expressed in nanoseconds,
you would multiply by 10**9 to get the number of attoseconds.
The result is a binary value that will need to be shortened by a
number of bits so it will fit into the 16-bit PDM DELTA field.
The next step is to divide by 2 until the value is contained in just
16 significant bits. The exponent of the value in the last column of
of the table is useful here; the initial scaling factor is that
exponent multiplied by 10. This is the minimum number of low-order
bits to be shifted-out or discarded. It represents dividing the time
value by 1024 raised to that exponent.
The resulting value may still be too large to fit into 16 bits, but
can be normalized by shifting out more bits (dividing by 2) until the
value fits into the 16-bit DELTA field. The number of extra bits
shifted out is then added to the scaling factor. The scaling factor,
the total number of low-order bits dropped, is the SCALEDTL value.
For example: say an application has these start and finish timer
values (hexadecimal values, in microseconds):
Finish: 27C849234 usec (02:57:58.997556)
-Start: 27C83F696 usec (02:57:58.957718)
========== ========= ===============
Difference 9B9E usec 00.039838 sec or 39838 usec
To convert this differential value to binary attoseconds, multiply
the number of microseconds by 10**12. Divide by 1024**4, or simply
discard 40 bits from the right. The result is 36232, or 8D88 in hex,
with a scaling factor or SCALEDTL value of 40.
For another example, presume the time differential is larger, say
32.311072 seconds, which is 32311072 usec. Each microsecond is 10**12
asec, so multiply by 10**12, giving the hexadecimal value
1C067FCCAE8120000. Using the initial scaling factor of 40, drop the
last 10 characters (40 bits) from that string, giving 1C067FC. This
will not fit into a DELTA field, as it is 25 bits long. Shifting the
value to the right another 9 bits results in a DELTA value of E033,
with a resulting scaling factor of 49.
When the time differential value is a small number, regardless of the
time unit, the exponent trick given above is not useful in
determining the proper scaling value. For example, if the time
differential is 3 seconds and you want to convert that directly, you
would follow this path:
3 seconds = 3*10**18 asec (decimal)
= 29A2241AF62C0000 asec (hexadecimal)
If you just truncate the last 60 bits, you end up with a delta value
of 2 and a scaling factor of 60, when what you really wanted was a
delta value with more significant digits. The most precision with
which you can store this value in 16 bits is A688, with a scaling
factor of 46.
Acknowledgments Acknowledgments
The authors would like to thank Keven Haining, Al Morton, Brian The authors would like to thank Keven Haining, Al Morton, Brian
Trammel, David Boyes, Bill Jouris, Richard Scheffenegger, and Rick Trammel, David Boyes, Bill Jouris, Richard Scheffenegger, and Rick
Troth for their comments and assistance. We would also like to thank Troth for their comments and assistance. We would also like to thank
Tero Kivinen for his detailed and perceptive review. Tero Kivinen for his detailed and perceptive review.
Authors' Addresses Authors' Addresses
 End of changes. 53 change blocks. 
404 lines changed or deleted 338 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/