]> ECN and DSCP support for HTTPS's Connect-UDP Ericsson
magnus.westerlund@ericsson.com
WIT MASQUE quic http datagram udp proxy tunnels quic in quic turtles all the way down masque http-ng HTTP's Extended Connect's Connect-UDP protocol enables a client to proxy a UDP flow from the HTTP server towards a specified target IP address and UDP port. QUIC and Real-time transport protocol (RTP) are examples of transport protocols that use UDP and support Explicit Congestion Notification (ECN) and provide the necessary feedback. This document specifies how ECN and DSCP can be supported through an extension to the Connect-UDP protocol for HTTP. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the MASQUE Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction Connect-UDP, as currently defined, limits the Explicit Congestion Notification (ECN) exchange between the HTTP server and the target. There is no support for carrying the ECN bits between the HTTP Connect-UDP client and the HTTP server proxying the UDP flow. Thus, it is not possible to establish the end-to-end ECN information flow necessary to support either classic ECN or L4S . Diffserv enables differential network treatment of packets. Connect-UDP, as currently defined, lacks support for carrying the DSCP field through the tunnel. This document specifies two Connect-UDP extensions that enable end-to-end ECN and DSCP for proxied connections: an ECN-zero-bytes extension, which adds no overhead by encoding the ECN value directly into the Context ID; and an ECN/DSCP extension, which carries both DSCP and ECN in the HTTP Datagram payload. For these two extensions, this document specifies negotiation and defines a new Datagram context that carries the DSCP and ECN bits and the UDP payload, replacing the context defined in . An alternative to this extension is Connect-IP ; however, it carries a full IP header between the HTTP client and server, resulting in significantly more overhead than this extension, which requires zero or one byte to carry both the DSCP and ECN bits. To define a solution that can be combined with other extensions, and thus other contexts, without redefining each combination, the extensions defined in this document indicate not only the ECN and DSCP values but also the next Context ID. The ECN-zero-bytes extension defines three additional Context ID values that are bound to an HTTP Datagram payload identifying the Context ID and indicate whether the packet was marked with ECT(0), ECT(1), or CE, respectively. An endpoint should not enable both extensions defined in this document, as that would lead to confusion if both extensions indicate different ECN values.
Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
ECN-zero-byte Extension For a zero-overhead encoding, the ECN bits can be indicated by using different Context IDs. At the same time, the Context ID indicates which Context ID would otherwise have been used to identify the structure of the rest of the HTTP payload, which we call the payload-identifying context ID, or short payload ID. Often this is the basic UDP-payload context (Context ID 0) as defined by . The core of this solution is to define additional Context IDs (A, B, and C) for a Connect-UDP stream that indicate ECN values other than Not-ECT, i.e., ECT(1), ECT(0), or CE . This idea is shown in . ECN Encoding Table
Context ID Value ECN bit ECN Value Payload ID
0 0b00 Not-ECT 0
A 0b01 ECT(1) 0
B 0b10 ECT(0) 0
C 0b11 CE 0
No new Context ID value is defined to represent Not-ECT, since using a Context ID without this extension would, by default, imply Not-ECT. Additionally, Context IDs are defined to represent the combination of an ECN value other than Not-ECT and the payload-identifying Context ID. If an application uses more Context ID values than just zero, additional Context IDs must be defined. This extension results in four times as many Context IDs within a single Connect-UDP stream. We expect that this is acceptable in most cases, as a total of 64 Context IDs can be encoded in a single byte, thus resulting in no packet expansion. However, for applications that have more than 16 original Context IDs (including zero), it is recommended to use the ECN/DSCP extension , which only doubles the number of Context IDs but requires an additional byte in the payload. An endpoint enabling this extension MUST define all three ECN values, even if the ECN-enabled application expects that only one ECT value (and CE) is used. This is because of transmission errors or erroneous remarking in the network, where the other ECT codepoint, as well as Not-ECT, may be observed. Negotiation of the conetxt ID values is defined using both HTTP headers and capsulses in .
DSCP/ECN Extension The HTTP Datagram Payload format is defined in as depicted below.
ECN enabled UDP Proxying HTTP Datagram Format
For the ECN/DSCP extension, the ECN/DSCP UDP Proxying Payload is defined in the following way:
ECN/DSCP UDP Proxying Payload
DSCP: A six bit field carrying the Differentiated Service Code Point as defined by associated with this UDP Proxying Payload. ECN: A two bit field carrying the IP ECN bits as defined by Section 5 of to be set or as received on the IP/UDP packet carrying the UDP Datagram payload included. UDP Proxying Payload: Another UDP Proxying Payload following the ECN carrying byte. This uses another Context ID as negotiated, e.g. Context ID 0. Thus enabling this byte to be combined with any other payload. This format used a negotiated context ID that MUST be non-zero. It MUST also negotiate the payload-identifying context ID.
Negotiating Extensions Usage This section defines capability negotation and Context ID configuration for the two defined extensions. Note that Context Identifiers are defined as QUIC varints (see Section 16 of ) and support values up to 4,611,686,018,427,387,903, which is larger than what a Structure Header Integer supports (limited to 999,999,999,999,999). We foresee no issues with this limitation, as Context Identifiers should primarily use the single-byte representation for efficiency, i.e., they should rarely exceed 63.
ECN-zero-byte Extension To use the ECN-zero-byte extension three Context IDs need to be configured relative to the Context ID that identifies the actual HTTP Datagram payload. A configuration of ECN signaling is represented by a four-tuple with the following format:
ECN CONTEXT ASSIGNMENT Format
ECT_1_CONTEXT:
The Context ID used to indicate the payload was marked with ECN value ECT(1).
ECT_0_CONTEXT:
The Context ID used to indicate the payload was marked with ECN value ECT(0).
CE_CONTEXT:
The Context ID used to indicate the payload was marked with ECN value CE.
PAYLOAD_CONTEXT:
The payload-identifiying context ID indicating the actual encoding of the start of the HTTP Datagram payload.
HTTP Structured field ECN-Context-ID is a Structured Header Field . Its value is a List consisting of zero or more Inner Lists, where the Inner List contains four Integer Items. The Integer Items MUST be non-negative, as they are context identifiers defined in . The four Context IDs are those defined in , in that order. When the header is included in an Extended Connect request, it indicates, first of all, support for this ECN extension. Secondly, it may define one or more 4-item inner lists of Context IDs for the requestor-to-responder direction. If no 4-item inner lists of Context IDs are included, then this header only indicates support for the extension, and the Context IDs MAY be signaled using capsules. When the request includes the ECN-Context-ID header, the responder MAY include this header in the response. If included, it defines the Context ID used in the responder-to-requestor direction. The following example indicates support for ECN-zero-byte-extension and defines two sets of Context IDs: ID=5, 6, 7 (ECT(1), ECT(0), CE) combined with Context ID 4; and ID=1, 2, 3 combined with the default ID=0 as defined in , i.e., a plain UDP payload.
Example of ECN-Context-ID header
ECN Context ID Assignment Capsule The ECN_CONTEXT_ASSIGN capsule is used to assign Context ID values to the ECN-zero-byte extension.
ECN_CONTEXT_ASSIGN Capsule Format
Type and Length as defined by Section 3.2 of the HTTP Capsule specification . The capsule value is the ECN_CONTEXT_ASSIGNMENT defined above in . Thus, the capsule value consists of zero or more ECN_CONTEXT_ASSIGNMENT four-tuples.
ECN/DSCP extension This section defines the negotiation of the ECN/DSCP extension defined in . It defines both an HTTP header field (DSCP-ECN-Context-ID) that can be included in the Extended Connect request, and a capsule.
HTTP Structured Header DSCP-ECN-Context-ID is a Structured Header Field . Its value is a List of zero or more Inner Lists, where each Inner List contains two Integer Items. The Integer Items MUST be non-negative, as they are context identifiers defined by . The first Integer Item is the Context ID being defined, and the second Integer Item is the Context ID for the payload following the ECN/DSCP byte. When the header is included in an Extended Connect request, it indicates, first of all, support for the ECN/DSCP extension. Secondly, it may define one or more context ID pairs for the requestor-to-responder direction. If no context ID pairs are included, then this header only indicates support for the extension, and it may be configured using capsules. When the request includes the DSCP-ECN-Context-ID header, the responder MAY include this header in the response. If included, it defines the Context ID used in the responder-to-requestor direction The following example indicates supoprt of the ECN/DSCP extension and defines three Context IDs: Context ID 1 combined with Context ID 4, Context ID 2 combined with Context ID 5, and Context ID 3 combined with the default Context ID 0 as defined in , i.e., a plain UDP payload.
Example of ECN-Context-ID header
DSCP/ECN Context ID Assignment Capsule The DSCP_ECN_CONTEXT_ASSIGN capsule is used to assign context ID values for the DSCP/ECN extension.
DSCP_ECN_CONTEXT_ASSIGN Capsule Format
Type and Length as defined by the HTTP Capsule specification in . The capsule value is defined below.
CONTEXT ASSIGNMENT Format
The capsule value consists of zero or more CCONTEXT ASSIGNMENT pair values. Each pair consists of these two fields: ASSIGNED_CONTEXT: : The context ID identifying that the indicated HTTP datagram payload starts with the ECN/DSCP UDP Proxying Payload.
NEXT_PAYLOAD_CONTEXT:
The context ID identifying the following payload in each HTTP datagram after the ECN/DSCP UDP Proxying Payload.
This capsule is sent by either endpoints to configure or extend the configuration of context IDs. The receiving HTTP endpoint MUST send back its corresponding DSCP_ECN_CONTEXT_ASSIGN capsule, which may be empty if the peer does not intend to provide any context IDs.
Tunnels and DSCP and ECN marking interactions
Tunnel Endpoint Marking The Tunnel Endpoint, when receiving an IP/UDP packet belonging to a Connect-UDP request with the ECN/DSCP extension enabled, copies the six DSCP bits and the two ECN bits from the IP header into the DSCP and ECN fields, respectively, in the HTTP Datagram payload using the relevant Context ID. When using the ECN-only extension, the two ECN bits in the incoming IP/UDP packet are used to select the appropriate Context ID. For the ECN/DSCP extension, the Tunnel Endpoint on egress copies the DSCP and ECN extension field values into the IP/UDP packet it creates for this UDP Proxying payload. For the ECN extension, the Context ID value is used to determine which value to write in the outgoing IP/UDP packet’s ECN field. A Tunnel endpoint which is unable to read or set the ECN Field SHALL NOT enable the ECN extension.
DSCP Remarking Considerations The tunnel may interconnect two different administrative domains that use DSCP values differently. Thus, the endpoints likely need to perform remarking of DSCP field values, similar to what an inter-domain router would. Depending on use cases and deployment, the HTTP client can be in different network domains with different DSCP usages. An HTTP server that, based on user identification, connects the HTTP client to different network domains behind it may also need to support multiple external domains. The above complications in handling DSCP make it impossible to provide a standardized remarking instruction. Instead, the deployment will have to define whether remarking is handled by the HTTP server, the HTTP client, or both, considering the tunnel a specific network domain in itself.
Tunnel Transport Connection ECN Interactions and Congestion Control The primary goal of the ECN extension is to enable ECN usage between the proxy and the target and to have the end-to-end transport react to that ECN. However, different potential models exist for providing ECN interactions for the tunnel, i.e., between the HTTP client and server. The choice depends on how the tunnel is configured and what additional support has been implemented for the Connect-UDP protocol. For HTTP tunnels (not using HTTP/3 , HTTP/3 using data streams, or HTTP/3 with datagrams but with congestion control enabled) the tunnel will consist of one or possibly several chained congestion-controlled transport connections. In this case, ECN may be enabled independently on each underlying transport connection. However, in this scenario, it is not possible to have a one-to-one correspondence between lower-layer ECN markings and tunneled HTTP datagrams, nor to avoid reacting at both the tunnel-transport layer and the end-to-end layer. Instead, the only practical choice is to have each HTTP-layer hop run an ECN-marking AQM governed by its transport connection, which marks the ECN field in the HTTP datagram or drops the datagram when a queue builds. In other words, each HTTP transport connection is treated as a single IP link in the end-to-end chain. For tunnels using HTTP/3 with datagrams, where the QUIC connection disables congestion control on packets containing HTTP datagrams as discussed in Section 6 of , the ECN marking on tunneled packets can be propagated between the IP packet of the transport connection and the end-to-end packet. This represents a specific implementation of IP-in-IP tunnels with tightly coupled shim headers as discussed in . It is implemented as Feed-Forward-and-Up as discussed in , and MUST use the normal mode on tunnel ingress and follow the specified default behavior on egress as defined in .
Tunnel Transport Connection DSCP Interactions For HTTP tunnels not using HTTP/3 , HTTP/3 using data streams, or HTTP/3 with datagrams but without disabling congestion control, the tunnel will consist of one or possibly several chained congestion-controlled transport connections. These transport connections can use only a single DSCP code point to avoid inconsistent network treatment that might confuse the congestion controller and retransmission mechanism. Thus, even if the tunneled packets use different DSCP values, the transport connection must settle on a single, suitable DSCP value. However, if the QUIC multipath extension is used, each path can have a different DSCP value. In this latter case, packets with different DSCP values can be mapped to different paths with the appropriate network treatment as indicated by their DSCP values. For tunnels using HTTP/3 with datagrams and where the QUIC connection disables congestion control on packets containing HTTP datagrams, as discussed in Section 6 of , the QUIC packets can be marked using the most suitable DSCP value based on the encapsulated packet. In cases where the tunnel connection is sent into a different network domain than the one on which the tunneled packet was received, a suitable remapping must occur for the domain to which the tunnel packet will be sent. The HTTP tunnel MUST NOT coalesce different tunneled payloads that are not mapped to the same DSCP in a single QUIC packet.
QUIC Aware Forwarding An HTTP endpoint that supports this extension and QUIC Aware Forwarding MUST preserve ECN markings on forwarded packets in both directions to ensure end-to-end ECN functionality. Using this extension in combination with QUIC Aware Forwarding, rather than relying solely on the latter, also ensures that ECN black holes do not occur, for example, on long-header packets or packets sent before the QUIC Aware Forwarding path is established for short-header packets. Thus, supporting both provides a consistent ECN experience.
IANA Considerations
HTTP Field Names IANA is request to register two new permanent Field name in the Hypertext Transfer Protocol (HTTP) Field Name Registry (At time of writing residing at: https://www.iana.org/assignments/http-fields/http-fields.xhtml).
ECN-Context-ID Field Name: ECN-Context-ID Status: Permanent Structured Type: List Reference: [RFC-TO-BE]
DSCP-ECN-Context-ID Field Name: DSCP-ECN-Context-ID Status: Permanent Structured Type: List Reference: [RFC-TO-BE]
HTTP Capsule Type IANA is reqeusted ot register two new HTTP Capsule Types in the permanent range (0x00-0x3f).
ECN_CONTEXT_ASSIGN
Value:
TBA_1
Capsule Type:
ECN_CONTEXT_ASSIGN
Status:
permanent
Reference:
RFC-TO-BE
Change Controller:
IETF
Contact:
MASQUE Working Group masque@ietf.org
Notes:
None
DSCP_ECN_CONTEXT_ASSIGN
Value:
TBA_2
Capsule Type:
DSCP_ECN_CONTEXT_ASSIGN
Status:
permanent
Reference:
RFC-TO-BE
Change Controller:
IETF
Contact:
MASQUE Working Group masque@ietf.org
Notes:
None
Acknowledgments This draft takes insperation from David Schinazi's An ECN Extension to Connect-UDP .
References Normative References QUIC-Aware Proxying Using HTTP Apple Inc. Apple Inc. Google LLC This document extends UDP Proxying over HTTP to add optimizations for proxied QUIC connections. Specifically, it allows a proxy to reuse UDP 4-tuples for multiple proxied connections, and adds a mode of proxying in which QUIC short header packets can be forwarded and transformed through a HTTP/3 proxy rather than being fully re- encapsulated and re-encrypted. Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers This document defines the IP header field, called the DS (for differentiated services) field. [STANDARDS-TRACK] An Architecture for Differentiated Services This document defines an architecture for implementing scalable service differentiation in the Internet. This memo provides information for the Internet community. The Addition of Explicit Congestion Notification (ECN) to IP This memo specifies the incorporation of ECN (Explicit Congestion Notification) to TCP and IP, including ECN's use of two bits in the IP header. [STANDARDS-TRACK] Tunnelling of Explicit Congestion Notification This document redefines how the explicit congestion notification (ECN) field of the IP header should be constructed on entry to and exit from any IP-in-IP tunnel. On encapsulation, it updates RFC 3168 to bring all IP-in-IP tunnels (v4 or v6) into line with RFC 4301 IPsec ECN processing. On decapsulation, it updates both RFC 3168 and RFC 4301 to add new behaviours for previously unused combinations of inner and outer headers. The new rules ensure the ECN field is correctly propagated across a tunnel whether it is used to signal one or two severity levels of congestion; whereas before, only one severity level was supported. Tunnel endpoints can be updated in any order without affecting pre-existing uses of the ECN field, thus ensuring backward compatibility. Nonetheless, operators wanting to support two severity levels (e.g., for pre-congestion notification -- PCN) can require compliance with this new specification. A thorough analysis of the reasoning for these changes and the implications is included. In the unlikely event that the new rules do not meet a specific need, RFC 4774 gives guidance on designing alternate ECN semantics, and this document extends that to include tunnelling issues. [STANDARDS-TRACK] QUIC: A UDP-Based Multiplexed and Secure Transport This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. HTTP/3 The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3. Proxying UDP in HTTP This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy. HTTP Datagrams and the Capsule Protocol This document describes HTTP Datagrams, a convention for conveying multiplexed, potentially unreliable datagrams inside an HTTP connection. In HTTP/3, HTTP Datagrams can be sent unreliably using the QUIC DATAGRAM extension. When the QUIC DATAGRAM frame is unavailable or undesirable, HTTP Datagrams can be sent using the Capsule Protocol, which is a more general convention for conveying data in HTTP connections. HTTP Datagrams and the Capsule Protocol are intended for use by HTTP extensions, not applications. Low Latency, Low Loss, and Scalable Throughput (L4S) Internet Service: Architecture This document describes the L4S architecture, which enables Internet applications to achieve low queuing latency, low congestion loss, and scalable throughput control. L4S is based on the insight that the root cause of queuing delay is in the capacity-seeking congestion controllers of senders, not in the queue itself. With the L4S architecture, all Internet applications could (but do not have to) transition away from congestion control algorithms that cause substantial queuing delay and instead adopt a new class of congestion controls that can seek capacity with very little queuing. These are aided by a modified form of Explicit Congestion Notification (ECN) from the network. With this new architecture, applications can have both low latency and high throughput. The architecture primarily concerns incremental deployment. It defines mechanisms that allow the new class of L4S congestion controls to coexist with 'Classic' congestion controls in a shared network. The aim is for L4S latency and throughput to be usually much better (and rarely worse) while typically not impacting Classic performance. Guidelines for Adding Congestion Notification to Protocols that Encapsulate IP The purpose of this document is to guide the design of congestion notification in any lower-layer or tunnelling protocol that encapsulates IP. The aim is for explicit congestion signals to propagate consistently from lower-layer protocols into IP. Then, the IP internetwork layer can act as a portability layer to carry congestion notification from non-IP-aware congested nodes up to the transport layer (L4). Specifications that follow these guidelines, whether produced by the IETF or other standards bodies, should assure interworking among IP-layer and lower-layer congestion notification mechanisms. This document is included in BCP 89 and updates the single paragraph of advice to subnetwork designers about Explicit Congestion Notification (ECN) in Section 13 of RFC 3819 by replacing it with a reference to this document. Propagating Explicit Congestion Notification across IP Tunnel Headers Separated by a Shim RFC 6040 on "Tunnelling of Explicit Congestion Notification" made the rules for propagation of Explicit Congestion Notification (ECN) consistent for all forms of IP-in-IP tunnel. This specification updates RFC 6040 to clarify that its scope includes tunnels where two IP headers are separated by at least one shim header that is not sufficient on its own for wide-area packet forwarding. It surveys widely deployed IP tunnelling protocols that use such shim headers and updates the specifications of those that do not mention ECN propagation (including RFCs 2661, 3931, 2784, 4380 and 7450, which specify L2TPv2, L2TPv3, Generic Routing Encapsulation (GRE), Teredo, and Automatic Multicast Tunneling (AMT), respectively). This specification also updates RFC 6040 with configuration requirements needed to make any legacy tunnel ingress safe. Structured Field Values for HTTP This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields. This document obsoletes RFC 8941. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Relaxing Restrictions on Explicit Congestion Notification (ECN) Experimentation This memo updates RFC 3168, which specifies Explicit Congestion Notification (ECN) as an alternative to packet drops for indicating network congestion to endpoints. It relaxes restrictions in RFC 3168 that hinder experimentation towards benefits beyond just removal of loss. This memo summarizes the anticipated areas of experimentation and updates RFC 3168 to enable experimentation in these areas. An Experimental RFC in the IETF document stream is required to take advantage of any of these enabling updates. In addition, this memo makes related updates to the ECN specifications for RTP in RFC 6679 and for the Datagram Congestion Control Protocol (DCCP) in RFCs 4341, 4342, and 5622. This memo also records the conclusion of the ECN nonce experiment in RFC 3540 and provides the rationale for reclassification of RFC 3540 from Experimental to Historic; this reclassification enables new experimental use of the ECT(1) codepoint. Proxying IP in HTTP This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298. An ECN Extension to CONNECT-UDP Google LLC CONNECT-UDP allows proxying UDP packets over HTTP. This document describes an extension to CONNECT-UDP that allows conveying ECN information on proxied UDP packets. Discussion Venues This note is to be removed before publishing as an RFC. Source for this draft and an issue tracker can be found at https://github.com/DavidSchinazi/draft-connect-udp-ecn. Multipath Extension for QUIC Alibaba Inc. Uber Technologies Inc. University of Mons (UMONS) UCLouvain and Tessares Private Octopus Inc. Ericsson This document specifies a multipath extension for the QUIC protocol to enable the simultaneous usage of multiple paths for a single connection. Discussion Venues This note is to be removed before publishing as an RFC. Discussion of this document takes place on the QUIC Working Group mailing list (quic@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/quic/. Source for this draft and an issue tracker can be found at https://github.com/quicwg/multipath.