ECN and defenses against evil applications: Date: Mon, 01 Dec 1997 16:10:21 PST From: Sally Floyd ... >Also you have no defense against an evil application that >sets ECN-capable on but doesn't slow down when ECN is applied. >So in the domain below the "high" threshold an evil application's >best bet is to set ECN-capable and send as much as it can. >The worst case is that this forces the network into drop >mode, i.e. no worse than today for the evil application. > >So as far as I can see ECN can be defeated by evil applications >in a way that RED can't. Which means that you certainly have >to write a security considerations section about denial of >service and theft of service by misuse of ECN-capable. I think that the issue of evil applications is quite serious. I have a draft of a paper-in-progress, "Router Mechanisms to Support End-to-End Congestion Control", available from my web page at http://www-nrg.ee.lbl.gov/floyd/, that is all about the need for routers to deploy mechanisms to detect and control the bandwidth of such evil applications. One form of an evil application would be an application that did not reduce its sending rate in the presence of a 5% packet drop rate, but instead increased its sending rate slightly, sending additional FEC, to compensate for the increased drop rate. Another form of an evil application would be a TCP application using non-conformant TCP, where the connection did not use FEC, but also did not decrease its congestion window in response to a packet drop, but just kept sending, using information in the TCP SACK option to identify dropped packets and retransmit them. A roughly equivalent form of an evil application, in terms of its negative impact on the network, would be an application that set the ECN-Capable bit, but did not slow down in response to ECN bits. That is, I don't think that a 5% packet drop rate, in and of itself, is a real deterrent to any application that wants to ignore congestion control. I don't think that there are **any** deterrents in the current Internet to keep connections from ignoring congestion control (other than the fact that they will know that they are being socially unresponsible). Somehow, it is still the case that roughly 95\% of the traffic seems to be using some form of vaguely-conformant TCP, the steady-state packet drop rate is not spiralling up to 10 or 20 percent, and congestion collapse has not yet hit. I think that we shouldn't press our luck, and I think that deterrents are indeed necessary, but I don't think that the addition of ECN makes the job of providing such deterrents any more difficult, or any more pressing. I think that the need for such deterrents is already pretty pressing... - Sally