Internet Engineering Task Force (IETF)                      G. Fairhurst
Request for Comments: 8084                        University of Aberdeen
BCP: 208                                                      March 2017
Category: Best Current Practice
ISSN: 2070-1721


                   Network Transport Circuit Breakers

Abstract

   This document explains what is meant by the term "network transport
   Circuit Breaker".  It describes the need for Circuit Breakers (CBs)
   for network tunnels and applications when using non-congestion-
   controlled traffic and explains where CBs are, and are not, needed.
   It also defines requirements for building a CB and the expected
   outcomes of using a CB within the Internet.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8084.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Fairhurst                 Best Current Practice                 [Page 1]


RFC 8084                                                      March 2017


Table of Contents

   1. Introduction ....................................................2
      1.1. Types of CBs ...............................................5
   2. Terminology .....................................................6
   3. Design of a CB (What makes a good CB?) ..........................6
      3.1. Functional Components ......................................6
      3.2. Other Network Topologies ...................................9
           3.2.1. Use with a Multicast Control/Routing Protocol ......10
           3.2.2. Use with Control Protocols Supporting
                  Pre-provisioned Capacity ...........................11
           3.2.3. Unidirectional CBs over Controlled Paths ...........11
   4. Requirements for a Network Transport CB ........................12
   5. Examples of CBs ................................................15
      5.1. A Fast-Trip CB ............................................15
           5.1.1. A Fast-Trip CB for RTP .............................16
      5.2. A Slow-Trip CB ............................................16
      5.3. A Managed CB ..............................................17
           5.3.1. A Managed CB for SAToP Pseudowires .................17
           5.3.2. A Managed CB for Pseudowires (PWs) .................18
   6. Examples in Which CBs May Not Be Needed ........................19
      6.1. CBs over Pre-provisioned Capacity .........................19
      6.2. CBs with Tunnels Carrying Congestion-Controlled Traffic ...19
      6.3. CBs with Unidirectional Traffic and No Control Path .......20
   7. Security Considerations ........................................20
   8. References .....................................................22
      8.1. Normative References ......................................22
      8.2. Informative References ....................................22
   Acknowledgments ...................................................24
   Author's Address ..................................................24

1.  Introduction

   The term "Circuit Breaker" originates in electricity supply, and has
   nothing to do with network circuits or virtual circuits.  In
   electricity supply, a Circuit Breaker (CB) is intended as a
   protection mechanism of last resort.  Under normal circumstances, a
   CB ought not to be triggered; it is designed to protect the supply
   network and attached equipment when there is overload.  People do not
   expect an electrical CB (or fuse) in their home to be triggered,
   except when there is a wiring fault or a problem with an electrical
   appliance.

   In networking, the CB principle can be used as a protection mechanism
   of last resort to avoid persistent excessive congestion impacting
   other flows that share network capacity.  Persistent congestion was a
   feature of the early Internet of the 1980s.  This resulted in excess
   traffic starving other connections from access to the Internet.  It



Fairhurst                 Best Current Practice                 [Page 2]


RFC 8084                                                      March 2017


   was countered by the requirement to use congestion control (CC) in
   the Transmission Control Protocol (TCP) [Jacobson88].  These
   mechanisms operate in Internet hosts to cause TCP connections to
   "back off" during congestion.  The addition of a congestion control
   to TCP (currently documented in [RFC5681]) ensured the stability of
   the Internet, because it was able to detect congestion and promptly
   react.  This was effective in an Internet where most TCP flows were
   long lived (ensuring that they could detect and respond to congestion
   before the flows terminated).  Although TCP was, by far, the dominant
   traffic, this is no longer the always the case, and non-congestion-
   controlled traffic, including many applications using the User
   Datagram Protocol (UDP), can form a significant proportion of the
   total traffic traversing a link.  To avoid persistent excessive
   congestion, the current Internet therefore requires consideration of
   the way that non-congestion-controlled traffic is forwarded.

   A network transport CB is an automatic mechanism that is used to
   continuously monitor a flow or aggregate set of flows.  The mechanism
   seeks to detect when the flow(s) experience persistent excessive
   congestion.  When this is detected, a CB terminates (or significantly
   reduces the rate of) the flow(s).  This is a safety measure to
   prevent starvation of network resources denying other flows from
   access to the Internet.  Such measures are essential for an Internet
   that is heterogeneous and for traffic that is hard to predict in
   advance.  Avoiding persistent excessive congestion is important to
   reduce the potential for "Congestion Collapse" [RFC2914].

   There are important differences between a transport CB and a
   congestion control method.  Congestion control (as implemented in
   TCP, Stream Control Transmission Protocol (SCTP), and Datagram
   Congestion Control Protocol (DCCP)) operates on a timescale on the
   order of a packet Round-Trip Time (RTT): the time from sender to
   destination and return.  Congestion at a network link can also be
   detected using Explicit Congestion Notification (ECN) [RFC3168],
   which allows the network to signal congestion by marking ECN-capable
   packets with a Congestion Experienced (CE) mark.  Both loss and
   reception of CE-marked packets are treated as congestion events.
   Congestion control methods are able to react to a congestion event by
   continuously adapting to reduce their transmission rate.  The goal is
   usually to limit the transmission rate to a maximum rate that
   reflects a fair use of the available capacity across a network path.
   These methods typically operate on individual traffic flows (e.g., a
   5-tuple that includes the IP addresses, protocol, and ports).

   In contrast, CBs are recommended for non-congestion-controlled
   Internet flows and for traffic aggregates, e.g., traffic sent using a
   network tunnel.  They operate on timescales much longer than the
   packet RTT, and trigger under situations of abnormal (excessive)



Fairhurst                 Best Current Practice                 [Page 3]


RFC 8084                                                      March 2017


   congestion.  People have been implementing what this document
   characterizes as CBs on an ad hoc basis to protect Internet traffic.
   This document therefore provides guidance on how to deploy and use
   these mechanisms.  Later sections provide examples of cases where CBs
   may or may not be desirable.

   A CB needs to measure (meter) some portion of the traffic to
   determine if the network is experiencing congestion and needs to be
   designed to trigger robustly when there is persistent excessive
   congestion.

   A CB trigger will often utilize a series of successive sample
   measurements metered at an ingress point and an egress point (either
   of which could be a transport endpoint).  The trigger needs to
   operate on a timescale much longer than the path RTT (e.g., seconds
   to possibly many tens of seconds).  This longer period is needed to
   provide sufficient time for transport congestion control or
   applications to adjust their rate following congestion, and for the
   network load to stabilize after any adjustment.  Congestion events
   can be common when a congestion-controlled transport is used over a
   network link operating near capacity.  Each event results in
   reduction in the rate of the transport flow experiencing congestion.
   The longer period seeks to ensure that a CB is not accidentally
   triggered following a single (or even successive) congestion
   event(s).

   Once triggered, the CB needs to provide a control function (called
   the "reaction").  This removes traffic from the network, either by
   disabling the flow or by significantly reducing the level of traffic.
   This reaction provides the required protection to prevent persistent
   excessive congestion being experienced by other flows that share the
   congested part of the network path.

   Section 4 defines requirements for building a CB.

   The operational conditions that cause a CB to trigger ought to be
   regarded as abnormal.  Examples of situations that could trigger a CB
   include:

   o  anomalous traffic that exceeds the provisioned capacity (or whose
      traffic characteristics exceed the threshold configured for the
      CB);

   o  traffic generated by an application at a time when the provisioned
      network capacity is being utilized for other purposes;

   o  routing changes that cause additional traffic to start using the
      path monitored by the CB;



Fairhurst                 Best Current Practice                 [Page 4]


RFC 8084                                                      March 2017


   o  misconfiguration of a service/network device where the capacity
      available is insufficient to support the current traffic
      aggregate;

   o  misconfiguration of an admission controller or traffic policer
      that allows more traffic than expected across the path monitored
      by the CB.

   Other mechanisms could also be available to network operators to
   detect excessive congestion (e.g., an observation of excessive
   utilization for a port on a network device).  Utilizing such
   information, operational mechanisms could react to reduce network
   load over a shorter timescale than those of a network transport CB.
   The role of the CB over such paths remains as a method of last
   resort.  Because it acts over a longer timescale, the CB ought to be
   triggered only when other reactions did not succeed in reducing
   persistent excessive congestion.

   In many cases, the reason for triggering a CB will not be evident to
   the source of the traffic (user, application, endpoint, etc.).  A CB
   can be used to limit traffic from applications that are unable, or
   choose not, to use congestion control or in cases in which the
   congestion control properties of the traffic cannot be relied upon
   (e.g., traffic carried over a network tunnel).  In such
   circumstances, it is all but impossible for the CB to signal back to
   the impacted applications.  In some cases, applications could
   therefore have difficulty in determining that a CB has been triggered
   and where in the network this happened.

   Application developers are therefore advised, where possible, to
   deploy appropriate congestion control mechanisms.  An application
   that uses congestion control will be aware of congestion events in
   the network.  This allows it to regulate the network load under
   congestion, and it is expected to avoid triggering a network CB.  For
   applications that can generate elastic traffic, this will often be a
   preferred solution.

1.1.  Types of CBs

   There are various forms of network transport CBs.  These are
   differentiated mainly on the timescale over which they are triggered,
   but also in the intended protection they offer:

   o  Fast-Trip CBs: The relatively short timescale used by this form of
      CB is intended to provide protection for network traffic from a
      single flow or related group of flows.





Fairhurst                 Best Current Practice                 [Page 5]


RFC 8084                                                      March 2017


   o  Slow-Trip CBs: This CB utilizes a longer timescale and is designed
      to protect network traffic from congestion by traffic aggregates.

   o  Managed CBs: Utilize the operations and management functions that
      might be present in a managed service to implement a CB.

   Examples of each type of CB are provided in Section 4.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Design of a CB (What makes a good CB?)

   Although CBs have been talked about in the IETF for many years, there
   has not yet been guidance on the cases where CBs are needed or upon
   the design of CB mechanisms.  This document seeks to offer advice on
   these two topics.

   CBs are RECOMMENDED for IETF protocols and tunnels that carry non-
   congestion-controlled Internet flows and for traffic aggregates.
   This includes traffic sent using a network tunnel.  Designers of
   other protocols and tunnel encapsulations also ought to consider the
   use of these techniques as a last resort to protect traffic that
   shares the network path being used.

   This document defines the requirements for the design of a CB and
   provides examples of how a CB can be constructed.  The specifications
   of individual protocols and tunnel encapsulations need to detail the
   protocol mechanisms needed to implement a CB.

   Section 3.1 describes the functional components of a CB and
   Section 3.2 defines requirements for implementing a CB.

3.1.  Functional Components

   The basic design of a CB involves communication between an ingress
   point (a sender) and an egress point (a receiver) of a network flow
   or set of flows.  A simple picture of operation is provided in
   Figure 1.  This shows a set of routers (each labeled R) connecting a
   set of endpoints.

   A CB is used to control traffic passing through a subset of these
   routers, acting between the ingress and a egress point network
   devices.  The path between the ingress and egress could be provided
   by a tunnel or other network-layer technique.  One expected use would



Fairhurst                 Best Current Practice                 [Page 6]


RFC 8084                                                      March 2017


   be at the ingress and egress of a service, where all traffic being
   considered terminates beyond the egress point; hence, the ingress and
   egress carry the same set of flows.

 +--------+                                                   +--------+
 |Endpoint|                                                   |Endpoint|
 +--+-----+          >>> circuit breaker traffic >>>          +--+-----+
    |                                                            |
    | +-+  +-+  +---------+  +-+  +-+  +-+  +--------+  +-+  +-+ |
    +-+R+--+R+->+ Ingress +--+R+--+R+--+R+--+ Egress |--+R+--+R+-+
      +++  +-+  +------+--+  +-+  +-+  +-+  +-----+--+  +++  +-+
       |         ^     |                          |      |
       |         |  +--+------+            +------+--+   |
       |         |  | Ingress |            | Egress  |   |
       |         |  | Meter   |            | Meter   |   |
       |         |  +----+----+            +----+----+   |
       |         |       |                      |        |
  +-+  |         |  +----+----+                 |        |  +-+
  |R+--+         |  | Measure +<----------------+        +--+R|
  +++            |  +----+----+      Reported               +++
   |             |       |           Egress                  |
   |             |  +----+----+      Measurement             |
+--+-----+       |  | Trigger +                           +--+-----+
|Endpoint|       |  +----+----+                           |Endpoint|
+--------+       |       |                                +--------+
                 +---<---+
                  Reaction

   Figure 1: A CB controlling the part of the end-to-end path between an
   ingress point and an egress point.  Note in some cases, the trigger
   and measurement functions could alternatively be located at other
   locations (e.g., at a network operations center).

   In the context of a CB, the ingress and egress functions could be
   implemented in different places.  For example, they could be located
   in network devices at a tunnel ingress and at the tunnel egress.  In
   some cases, they could be located at one or both network endpoints
   (see Figure 2), implemented as components within a transport
   protocol.












Fairhurst                 Best Current Practice                 [Page 7]


RFC 8084                                                      March 2017


    +----------+                 +----------+
    | Ingress  |  +-+  +-+  +-+  | Egress   |
    | Endpoint +->+R+--+R+--+R+--+ Endpoint |
    +--+----+--+  +-+  +-+  +-+  +----+-----+
       ^    |                         |
       | +--+------+             +----+----+
       | | Ingress |             | Egress  |
       | | Meter   |             | Meter   |
       | +----+----+             +----+----+
       |      |                       |
       | +--- +----+                  |
       | | Measure +<-----------------+
       | +----+----+      Reported
       |      |           Egress
       | +----+----+      Measurement
       | | Trigger |
       | +----+----+
       |      |
       +---<--+
       Reaction

   Figure 2: An endpoint CB implemented at the sender (ingress)
   and receiver (egress).

   The set of components needed to implement a CB are:

   1.  An ingress meter (at the sender or tunnel ingress) that records
       the number of packets/bytes sent in each measurement interval.
       This measures the offered network load for a flow or set of
       flows.  For example, the measurement interval could be many
       seconds (or every few tens of seconds or a series of successive
       shorter measurements that are combined by the CB Measurement
       function).

   2.  An egress meter (at the receiver or tunnel egress) that records
       the number/bytes received in each measurement interval.  This
       measures the supported load for the flow or set of flows, and it
       could utilize other signals to detect the effect of congestion
       (e.g., loss/congestion marking [RFC3168] experienced over the
       path).  The measurements at the egress could be synchronized
       (including an offset for the time of flight of the data, or
       referencing the measurements to a particular packet) to ensure
       any counters refer to the same span of packets.








Fairhurst                 Best Current Practice                 [Page 8]


RFC 8084                                                      March 2017


   3.  A method that communicates the measured values at the ingress and
       egress to the CB Measurement function.  This could use several
       methods including sending return measurement packets (or control
       messages) from a receiver to a trigger function at the sender; an
       implementation using Operations, Administration and Management
       (OAM); or sending an in-band signaling datagram to the trigger
       function.  This could also be implemented purely as a control-
       plane function, e.g., using a software-defined network
       controller.

   4.  A measurement function that combines the ingress and egress
       measurements to assess the present level of network congestion.
       (For example, the loss rate for each measurement interval could
       be deduced from calculating the difference between ingress and
       egress counter values.)  Note the method does not require high
       accuracy for the period of the measurement interval (or therefore
       the measured value, since isolated and/or infrequent loss events
       need to be disregarded).

   5.  A trigger function that determines whether the measurements
       indicate persistent excessive congestion.  This function defines
       an appropriate threshold for determining that there is persistent
       excessive congestion between the ingress and egress.  This
       preferably considers a rate or ratio, rather than an absolute
       value (e.g., more than 10% loss, but other methods could also be
       based on the rate of transmission as well as the loss rate).  The
       CB is triggered when the threshold is exceeded in multiple
       measurement intervals (e.g., three successive measurements).
       Designs need to be robust so that single or spurious events do
       not trigger a reaction.

   6.  A reaction that is applied at the ingress when the CB is
       triggered.  This seeks to automatically remove the traffic
       causing persistent excessive congestion.

   7.  A feedback control mechanism that triggers when either the
       ingress and egress measurements are not available, since this
       also could indicate a loss of control packets (also a symptom of
       heavy congestion or inability to control the load).

3.2.  Other Network Topologies

   A CB can be deployed in networks with topologies different from that
   presented in Figures 1 and 2.  This section describes examples of
   such usage and possible places where functions can be implemented.






Fairhurst                 Best Current Practice                 [Page 9]


RFC 8084                                                      March 2017


3.2.1.  Use with a Multicast Control/Routing Protocol

    +----------+                 +--------+  +----------+
    | Ingress  |  +-+  +-+  +-+  | Egress |  |  Egress  |
    | Endpoint +->+R+--+R+--+R+--+ Router |--+ Endpoint +->+
    +----+-----+  +-+  +-+  +-+  +---+--+-+  +----+-----+  |
         ^         ^    ^    ^       |  ^         |        |
         |         |    |    |       |  |         |        |
    +----+----+    + - - - < - - - - +  |    +----+----+   | Reported
    | Ingress |      multicast Prune    |    | Egress  |   | Ingress
    | Meter   |                         |    | Meter   |   | Measurement
    +---------+                         |    +----+----+   |
                                        |         |        |
                                        |    +----+----+   |
                                        |    | Measure +<--+
                                        |    +----+----+
                                        |         |
                                        |    +----+----+
                              multicast |    | Trigger |
                              Leave     |    +----+----+
                              Message   |         |
                                        +----<----+

   Figure 3: An example of a multicast CB controlling the end-to-end
   path between an ingress endpoint and an egress endpoint.

   Figure 3 shows one example of how a multicast CB could be implemented
   at a pair of multicast endpoints (e.g., to implement a Fast-Trip CB,
   Section 5.1).  The ingress endpoint (the sender that sources the
   multicast traffic) meters the ingress load, generating an ingress
   measurement (e.g., recording timestamped packet counts), and it sends
   this measurement to the multicast group together with the traffic it
   has measured.

   Routers along a multicast path forward the multicast traffic
   (including the ingress measurement) to all active endpoint receivers.
   Each last hop (egress) router forwards the traffic to one or more
   egress endpoints.

   In Figure 3, each endpoint includes a meter that performs a local
   egress load measurement.  An endpoint also extracts the received
   ingress measurement from the traffic and compares the ingress and
   egress measurements to determine if the CB ought to be triggered.
   This measurement has to be robust to loss (see the previous section).
   If the CB is triggered, it generates a multicast leave message for
   the egress (e.g., an IGMP or MLD message sent to the last-hop
   router), which causes the upstream router to cease forwarding traffic
   to the egress endpoint [RFC1112].



Fairhurst                 Best Current Practice                [Page 10]


RFC 8084                                                      March 2017


   Any multicast router that has no active receivers for a particular
   multicast group will prune traffic for that group, sending a prune
   message to its upstream router.  This starts the process of releasing
   the capacity used by the traffic and is a standard multicast routing
   function (e.g., using Protocol Independent Multicast - Sparse Mode
   (PIM-SM) routing protocol [RFC7761]).  Each egress operates
   autonomously, and the CB "reaction" is executed by the multicast
   control plane (e.g., by PIM) requiring no explicit signaling by the
   CB along the communication path used for the control messages.  Note
   there is no direct communication with the ingress; hence, a triggered
   CB only controls traffic downstream of the first-hop multicast
   router.  It does not stop traffic flowing from the sender to the
   first-hop router; this is common practice for multicast deployment.

   The method could also be used with a multicast tunnel or subnetwork
   (e.g., Section 5.2, Section 5.3), where a meter at the ingress
   generates additional control messages to carry the measurement data
   towards the egress where the egress metering is implemented.

3.2.2.  Use with Control Protocols Supporting Pre-provisioned Capacity

   Some paths are provisioned using a control protocol, e.g., flows
   provisioned using the Multiprotocol Label Switching (MPLS) services,
   paths provisioned using the Resource Reservation Protocol (RSVP),
   networks utilizing Software-Defined Network (SDN) functions, or
   admission-controlled Differentiated Services.  Figure 1 shows one
   expected use case, where in this usage a separate device could be
   used to perform the measurement and trigger functions.  The reaction
   generated by the trigger could take the form of a network-control
   message sent to the ingress and/or other network elements causing
   these elements to react to the CB.  Examples of this type of use are
   provided in Section 5.3.

3.2.3.  Unidirectional CBs over Controlled Paths

   A CB can be used to control unidirectional UDP traffic, providing
   that there is a communication path that can be used for control
   messages to connect the functional components at the ingress and
   egress.  This communication path for the control messages can exist
   in networks for which the traffic flow is purely unidirectional.  For
   example, a multicast stream that sends packets across an Internet
   path and can use multicast routing to prune flows to shed network
   load.  Some other types of subnetwork also utilize control protocols
   that can be used to control traffic flows.







Fairhurst                 Best Current Practice                [Page 11]


RFC 8084                                                      March 2017


4.  Requirements for a Network Transport CB

   The requirements for implementing a CB are:

   1.   There needs to be a communication path for control messages to
        carry measurement data from the ingress meter and from the
        egress meter to the point of measurement.  (Requirements 16-18
        relate to the transmission of control messages.)

   2.   A CB is REQUIRED to define a measurement period over which the
        CB Measurement function measures the level of congestion or
        loss.  This method does not have to detect individual packet
        loss, but it MUST have a way to know that packets have been
        lost/marked from the traffic flow.

   3.   An egress meter can also count ECN [RFC3168] Congestion
        Experienced (CE) marks as a part of measurement of congestion,
        but in this case, loss MUST also be measured to provide a
        complete view of the level of congestion.  For tunnels,
        [CONGESTION-FEEDBACK] describes a way to measure both loss and
        ECN-marking; these measurements could be used on a relatively
        short timescale to drive a congestion control response and/or
        aggregated over a longer timescale with a higher trigger
        threshold to drive a CB.  Subsequent bullet items in this
        section discuss the necessity of using a longer timescale and a
        higher trigger threshold.

   4.   The measurement period used by a CB Measurement function MUST be
        longer than the time that current Congestion Control algorithms
        need to reduce their rate following detection of congestion.
        This is important because end-to-end Congestion Control
        algorithms require at least one RTT to notify and adjust the
        traffic when congestion is experienced, and congestion
        bottlenecks can share traffic with a diverse range of end-to-end
        RTTs.  The measurement period is therefore expected to be
        significantly longer than the RTT experienced by the CB itself.

   5.   If necessary, a CB MAY combine successive individual meter
        samples from the ingress and egress to ensure observation of an
        average measurement over a sufficiently long interval.  (Note
        when meter samples need to be combined, the combination needs to
        reflect the sum of the individual sample counts divided by the
        total time/volume over which the samples were measured.
        Individual samples over different intervals cannot be directly
        combined to generate an average value.)

   6.   A CB MUST be constructed so that it does not trigger under light
        or intermittent congestion (see requirements 7-9).



Fairhurst                 Best Current Practice                [Page 12]


RFC 8084                                                      March 2017


   7.   A CB is REQUIRED to define a threshold to determine whether the
        measured congestion is considered excessive.

   8.   A CB is REQUIRED to define the triggering interval, defining the
        period over which the trigger uses the collected measurements.
        CBs need to trigger over a sufficiently long period to avoid
        additionally penalizing flows with a long path RTT (e.g., many
        path RTTs).

   9.   A CB MUST be robust to multiple congestion events.  This usually
        will define a number of measured persistent congestion events
        per triggering period.  For example, a CB MAY combine the
        results of several measurement periods to determine if the CB is
        triggered (e.g., it is triggered when persistent excessive
        congestion is detected in three of the measurements within the
        triggering interval when more than three measurements were
        collected).

   10.  The normal reaction to a trigger SHOULD disable all traffic that
        contributed to congestion (otherwise, see requirements 11 and
        12).

   11.  The reaction MUST be much more severe than that of a Congestion
        Control algorithm (such as TCP's congestion control [RFC5681] or
        TCP-Friendly Rate Control, TFRC [RFC5348]), because the CB
        reacts to more persistent congestion and operates over longer
        timescales (i.e., the overload condition will have persisted for
        a longer time before the CB is triggered).

   12.  A reaction that results in a reduction SHOULD result in reducing
        the traffic by at least an order of magnitude.  A response that
        achieves the reduction by terminating flows, rather than
        randomly dropping packets, will often be more desirable to users
        of the service.  A CB that reduces the rate of a flow, MUST
        continue to monitor the level of congestion and MUST further
        react to reduce the rate if the CB is again triggered.

   13.  The reaction to a triggered CB MUST continue for a period that
        is at least the triggering interval.  Operator intervention will
        usually be required to restore a flow.  If an automated response
        is needed to reset the trigger, then this needs to not be
        immediate.  The design of an automated reset mechanism needs to
        be sufficiently conservative that it does not adversely interact
        with other mechanisms (including other CB algorithms that
        control traffic over a common path).  It SHOULD NOT perform an
        automated reset when there is evidence of continued congestion.





Fairhurst                 Best Current Practice                [Page 13]


RFC 8084                                                      March 2017


   14.  A CB trigger SHOULD be regarded as an abnormal network event.
        As such, this event SHOULD be logged.  The measurements that
        lead to triggering of the CB SHOULD also be logged.

   15.  The control communication needs to carry measurements
        (requirement 1) and, in some uses, also needs to transmit
        trigger messages to the ingress.  This control communication may
        be in or out of band.  The use of in-band communication is
        RECOMMENDED when either design would be possible.  The preferred
        CB design is one that triggers when it fails to receive
        measurement reports that indicate an absence of congestion, in
        contrast to relying on the successful transmission of a
        "congested" signal back to the sender.  (The feedback signal
        could itself be lost under congestion).

        In Band:  An in-band control method SHOULD assume that loss of
           control messages is an indication of potential congestion on
           the path, and repeated loss ought to cause the CB to be
           triggered.  This design has the advantage that it provides
           fate-sharing of the traffic flow(s) and the control
           communications.  This fate-sharing property is weaker when
           some or all of the measured traffic is sent using a path that
           differs from the path taken by the control traffic (e.g.,
           where traffic and control messages follow a different path
           due to use of equal-cost multipath routing, traffic
           engineering, or tunnels for specific types of traffic).

        Out of Band:  An out-of-band control method SHOULD NOT trigger a
           CB reaction when there is loss of control messages (e.g., a
           loss of measurements).  This avoids failure amplification/
           propagation when the measurement and data paths fail
           independently.  A failure of an out-of-band communication
           path SHOULD be regarded as an abnormal network event and be
           handled as appropriate for the network; for example, this
           event SHOULD be logged, and additional network operator
           action might be appropriate, depending on the network and the
           traffic involved.

   16.  The control communication MUST be designed to be robust to
        packet loss.  A control message can be lost if there is a
        failure of the communication path used for the control messages,
        loss is likely also to be experienced during congestion/
        overload.  This does not imply that it is desirable to provide
        reliable delivery (e.g., over TCP), since this can incur
        additional delay in responding to congestion.  Appropriate
        mechanisms could be to duplicate control messages to provide
        increased robustness to loss and/or to regard a lack of control
        traffic as an indication that excessive congestion could be



Fairhurst                 Best Current Practice                [Page 14]


RFC 8084                                                      March 2017


        being experienced [RFC8085].  If control message traffic is sent
        over a shared path, it is RECOMMENDED that this control traffic
        is prioritized to reduce the probability of loss under
        congestion.  Control traffic also needs to be considered when
        provisioning a network that uses a CB.

   17.  There are security requirements for the control communication
        between endpoints and/or network devices (Section 7).  The
        authenticity of the source and integrity of the control messages
        (measurements and triggers) MUST be protected from off-path
        attacks.  When there is a risk of an on-path attack, a
        cryptographic authentication mechanism for all control/
        measurement messages is RECOMMENDED.

5.  Examples of CBs

   There are multiple types of CB that could be defined for use in
   different deployment cases.  There could be cases where a flow
   becomes controlled by multiple CBs (e.g., when the traffic of an end-
   to-end flow is carried in a tunnel within the network).  This section
   provides examples of different types of CB.

5.1.  A Fast-Trip CB

   [RFC2309] discusses the dangers of congestion unresponsive flows and
   states that "all UDP-based streaming applications should incorporate
   effective congestion avoidance mechanisms."  Some applications do not
   use a full-featured transport (TCP, SCTP, DCCP).  These applications
   (e.g., using UDP and its UDP-Lite variant) need to provide
   appropriate congestion avoidance.  Guidance for applications that do
   not use congestion-controlled transports is provided in [RFC8085].
   Such mechanisms can be designed to react on much shorter timescales
   than a CB, that only observes a traffic envelope.  Congestion control
   methods can also interact with an application to more effectively
   control its sending rate.

   A Fast-trip CB is the most responsive form of CB.  It has a response
   time that is only slightly larger than that of the traffic that it
   controls.  It is suited to traffic with well-understood
   characteristics (and could include one or more trigger functions
   specifically tailored the type of traffic for which it is designed).
   It is not suited to arbitrary network traffic and could be unsuitable
   for traffic aggregates, since it could prematurely trigger (e.g.,
   when the combined traffic from multiple congestion-controlled flows
   leads to short-term overload).






Fairhurst                 Best Current Practice                [Page 15]


RFC 8084                                                      March 2017


   Although the mechanisms can be implemented in RTP-aware network
   devices, these mechanisms are also suitable for implementation in
   endpoints (e.g., as a part of the transport system) where they can
   also complement end-to-end congestion control methods.  A shorter
   response time enables these mechanisms to triggers before other forms
   of CB (e.g., CBs operating on traffic aggregates at a point along the
   network path).

5.1.1.  A Fast-Trip CB for RTP

   A set of Fast-Trip CB methods have been specified for use together by
   a Real-time Transport Protocol (RTP) flow using the RTP/AVP Profile
   [RFC8083].  It is expected that, in the absence of severe congestion,
   all RTP applications running on best-effort IP networks will be able
   to run without triggering these CBs.  An RTP Fast-Trip CB is
   therefore implemented as a fail-safe that, when triggered, will
   terminate RTP traffic.

   The sending endpoint monitors reception of in-band RTP Control
   Protocol (RTCP) reception report blocks, as contained in sender
   report (SR) or receiver report (RR) packets, that convey reception
   quality feedback information.  This is used to measure (congestion)
   loss, possibly in combination with ECN [RFC6679].

   The CB action (shutdown of the flow) triggers when any of the
   following trigger conditions are true:

   1.  An RTP CB triggers on reported lack of progress.

   2.  An RTP CB triggers when no receiver reports messages are
       received.

   3.  An RTP CB triggers when the long-term RTP throughput (over many
       RTTs) exceeds a hard upper limit determined by a method that
       resembles TCP-Friendly Rate Control (TFRC).

   4.  An RTP CB includes the notion of Media Usability.  This CB is
       triggered when the quality of the transported media falls below
       some required minimum acceptable quality.

5.2.  A Slow-Trip CB

   A Slow-Trip CB could be implemented in an endpoint or network device.
   This type of CB is much slower at responding to congestion than a
   Fast-Trip CB.  This is expected to be more common.






Fairhurst                 Best Current Practice                [Page 16]


RFC 8084                                                      March 2017


   One example where a Slow-Trip CB is needed is where flows or traffic-
   aggregates use a tunnel or encapsulation and the flows within the
   tunnel do not all support TCP-style congestion control (e.g., TCP,
   SCTP, TFRC), see [RFC8085], Section 3.1.3.  A use case is where
   tunnels are deployed in the general Internet (rather than "controlled
   environments" within an Internet service provider or enterprise
   network), especially when the tunnel could need to cross a customer
   access router.

5.3.  A Managed CB

   A managed CB is implemented in the signaling protocol or management
   plane that relates to the traffic aggregate being controlled.  This
   type of CB is typically applicable when the deployment is within a
   "controlled environment".

   A CB requires more than the ability to determine that a network path
   is forwarding data or to measure the rate of a path -- which are
   often normal network operational functions.  There is an additional
   need to determine a metric for congestion on the path and to trigger
   a reaction when a threshold is crossed that indicates persistent
   excessive congestion.

   The control messages can use either in-band or out-of-band
   communications.

5.3.1.  A Managed CB for SAToP Pseudowires

   Section 8 of [RFC4553], SAToP Pseudowire Emulation Edge-to-Edge
   (PWE3), describes an example of a managed CB for isochronous flows.

   If such flows were to run over a pre-provisioned (e.g., Multiprotocol
   Label Switching, MPLS) infrastructure, then it could be expected that
   the PW would not experience congestion, because a flow is not
   expected to either increase (or decrease) their rate.  If, instead,
   PW traffic is multiplexed with other traffic over the general
   Internet, it could experience congestion.  [RFC4553] states: "If
   SAToP PWs run over a PSN providing best-effort service, they SHOULD
   monitor packet loss in order to detect 'severe congestion'."  The
   currently recommended measurement period is 1 second, and the trigger
   operates when there are more than three measured Severely Errored
   Seconds (SES) within a period.  [RFC4553] goes on to state that "If
   such a condition is detected, a SAToP PW ought to shut down
   bi-directionally for some period of time...".







Fairhurst                 Best Current Practice                [Page 17]


RFC 8084                                                      March 2017


   The concept was that when the packet-loss ratio (congestion) level
   increased above a threshold, the PW was, by default, disabled.  This
   use case considered fixed-rate transmission, where the PW had no
   reasonable way to shed load.

   The trigger needs to be set at a rate at which the PW is likely to
   experience a serious problem, possibly making the service
   noncompliant.  At this point, triggering the CB would remove the
   traffic preventing undue impact on congestion-responsive traffic
   (e.g., TCP).  Part of the rationale was that high-loss ratios
   typically indicated that something was "broken" and ought to have
   already resulted in operator intervention and therefore now need to
   trigger this intervention.

   An operator-based response to the triggering of a CB provides an
   opportunity for other action to restore the service quality (e.g., by
   shedding other loads or assigning additional capacity) or to
   consciously avoid reacting to the trigger while engineering a
   solution to the problem.  This could require the trigger function to
   send a control message to a third location (e.g., a network
   operations center, NOC) that is responsible for operation of the
   tunnel ingress, rather than the tunnel ingress itself.

5.3.2.  A Managed CB for Pseudowires (PWs)

   Pseudowires (PWs) [RFC3985] have become a common mechanism for
   tunneling traffic, and they could compete for network resources both
   with other PWs and with non-PW traffic, such as TCP/IP flows.

   [RFC7893] discusses congestion conditions that can arise when PWs
   compete with elastic (i.e., congestion responsive) network traffic
   (e.g., TCP traffic).  Elastic PWs carrying IP traffic (see [RFC4448])
   do not raise major concerns because all of the traffic involved
   responds, reducing the transmission rate when network congestion is
   detected.

   In contrast, inelastic PWs (e.g., a fixed-bandwidth Time Division
   Multiplex, TDM [RFC4553] [RFC5086] [RFC5087]) have the potential to
   harm congestion-responsive traffic or to contribute to excessive
   congestion because inelastic PWs do not adjust their transmission
   rate in response to congestion.  [RFC7893] analyses TDM PWs, with an
   initial conclusion that a TDM PW operating with a degree of loss that
   could result in congestion-related problems is also operating with a
   degree of loss that results in an unacceptable TDM service.  For that
   reason, the document suggests that a managed CB that shuts down a PW
   when it persistently fails to deliver acceptable TDM service is a
   useful means for addressing these congestion concerns.  (See
   Appendix A of [RFC7893] for further discussion.)



Fairhurst                 Best Current Practice                [Page 18]


RFC 8084                                                      March 2017


6.  Examples in Which CBs May Not Be Needed

   A CB is not required for a single congestion-controlled flow using
   TCP, SCTP, TFRC, etc.  In these cases, the congestion control methods
   are already designed to prevent persistent excessive congestion.

6.1.  CBs over Pre-provisioned Capacity

   One common question is whether a CB is needed when a tunnel is
   deployed in a private network with pre-provisioned capacity.

   In this case, compliant traffic that does not exceed the provisioned
   capacity ought not to result in persistent congestion.  A CB will
   hence only be triggered when there is noncompliant traffic.  It could
   be argued that this event ought never to happen -- but it could also
   be argued that the CB equally ought never to be triggered.  If a CB
   were to be implemented, it will provide an appropriate response, if
   persistent congestion occurs in an operational network.

   Implementing a CB will not reduce the performance of the flows, but
   in the event that persistent excessive congestion occurs, it protects
   network traffic that shares network capacity with these flows.  It
   also protects network traffic from a failure when CB traffic is
   (re)routed to cause additional network load on a non-pre-provisioned
   path.

6.2.  CBs with Tunnels Carrying Congestion-Controlled Traffic

   IP-based traffic is generally assumed to be congestion controlled,
   i.e., it is assumed that the transport protocols generating IP-based
   traffic at the sender already employ mechanisms that are sufficient
   to address congestion on the path.  Therefore, a question arises when
   people deploy a tunnel that is thought to carry only an aggregate of
   TCP traffic (or traffic using some other congestion control method):
   Is there an advantage in this case in using a CB?

   TCP (and SCTP) traffic in a tunnel is expected to reduce the
   transmission rate when network congestion is detected.  Other
   transports (e.g., using UDP) can employ mechanisms that are
   sufficient to address congestion on the path [RFC8085].  However,
   even if the individual flows sharing a tunnel each implement a
   congestion control mechanism, and individually reduce their
   transmission rate when network congestion is detected, the overall
   traffic resulting from the aggregate of the flows does not
   necessarily avoid persistent congestion.  For instance, most
   congestion control mechanisms require long-lived flows to react to
   reduce the rate of a flow.  An aggregate of many short flows could
   result in many flows terminating before they experience congestion.



Fairhurst                 Best Current Practice                [Page 19]


RFC 8084                                                      March 2017


   It is also often impossible for a tunnel service provider to know
   that the tunnel only contains congestion-controlled traffic (e.g.,
   Inspecting packet headers might not be possible).  Some IP-based
   applications might not implement adequate mechanisms to address
   congestion.  The important thing to note is that if the aggregate of
   the traffic does not result in persistent excessive congestion
   (impacting other flows), then the CB will not trigger.  This is the
   expected case in this context -- so implementing a CB ought not to
   reduce performance of the tunnel, but in the event that persistent
   excessive congestion occurs, the CB protects other network traffic
   that shares capacity with the tunnel traffic.

6.3.  CBs with Unidirectional Traffic and No Control Path

   A one-way forwarding path could have no associated communication path
   for sending control messages; therefore, it cannot be controlled
   using a CB (compare with Section 3.2.3).

   A one-way service could be provided using a path with dedicated
   pre-provisioned capacity that is not shared with other elastic
   Internet flows (i.e., flows that vary their rate).  A forwarding path
   could also be shared with other flows.  One way to mitigate the
   impact of traffic on the other flows is to manage the traffic
   envelope by using ingress policing.  Supporting this type of traffic
   in the general Internet requires operator monitoring to detect and
   respond to persistent excessive congestion.

7.  Security Considerations

   All CB mechanisms rely upon coordination between the ingress and
   egress meters and communication with the trigger function.  This is
   usually achieved by passing network-control information (or protocol
   messages) across the network.  Timely operation of a CB depends on
   the choice of measurement period.  If the receiver has an interval
   that is overly long, then the responsiveness of the CB decreases.
   This impacts the ability of the CB to detect and react to congestion.
   If the interval is too short, the CB could trigger prematurely
   resulting in insufficient time for other mechanisms to act and
   potentially resulting in unnecessary disruption to the service.

   A CB could potentially be exploited by an attacker to mount a Denial-
   of-Service (DoS) attack against the traffic being controlled by the
   CB.  Therefore, mechanisms need to be implemented to prevent attacks
   on the network-control information that would result in DoS.

   The authenticity of the source and integrity of the control messages
   (measurements and triggers) MUST be protected from off-path attacks.
   Without protection, it could be trivial for an attacker to inject



Fairhurst                 Best Current Practice                [Page 20]


RFC 8084                                                      March 2017


   fake or modified control/measurement messages (e.g., indicating high
   packet loss rates) causing a CB to trigger and therefore to mount a
   DoS attack that disrupts a flow.

   Simple protection can be provided by using a randomized source port,
   or equivalent field in the packet header (such as the RTP SSRC value
   and the RTP sequence number) expected not to be known to an off-path
   attacker.  Stronger protection can be achieved using a secure
   authentication protocol to mitigate this concern.

   An attack on the control messages is relatively easy for an attacker
   on the control path when the messages are neither encrypted nor
   authenticated.  Use of a cryptographic authentication mechanism for
   all control/measurement messages is RECOMMENDED to mitigate this
   concern, and would also provide protection from off-path attacks.
   There is a design trade-off between the cost of introducing
   cryptographic security for control messages and the desire to protect
   control communication.  For some deployment scenarios, the value of
   additional protection from DoS attacks will therefore lead to a
   requirement to authenticate all control messages.

   Transmission of network-control messages consumes network capacity.
   This control traffic needs to be considered in the design of a CB and
   could potentially add to network congestion.  If this traffic is sent
   over a shared path, it is RECOMMENDED that this control traffic be
   prioritized to reduce the probability of loss under congestion.
   Control traffic also needs to be considered when provisioning a
   network that uses a CB.

   The CB MUST be designed to be robust to packet loss that can also be
   experienced during congestion/overload.  Loss of control messages
   could be a side-effect of a congested network, but it also could
   arise from other causes Section 4.

   The security implications depend on the design of the mechanisms, the
   type of traffic being controlled and the intended deployment
   scenario.  Each design of a CB MUST therefore evaluate whether the
   particular CB mechanism has new security implications.













Fairhurst                 Best Current Practice                [Page 21]


RFC 8084                                                      March 2017


8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC3168]  Ramakrishnan, K., Floyd, S., and D. Black, "The Addition
              of Explicit Congestion Notification (ECN) to IP",
              RFC 3168, DOI 10.17487/RFC3168, September 2001,
              <http://www.rfc-editor.org/info/rfc3168>.

   [RFC8085]  Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage
              Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085,
              March 2017, <http://www.rfc-editor.org/info/rfc8085>.

8.2.  Informative References

   [CONGESTION-FEEDBACK]
              Wei, X., Zhu, L., and L. Deng, "Tunnel Congestion
              Feedback", Work in Progress,
              draft-ietf-tsvwg-tunnel-congestion-feedback-04,
              January 2017.

   [Jacobson88]
              Jacobson, V., "Congestion Avoidance and Control", SIGCOMM
              Symposium proceedings on Communications architectures
              and protocols, August 1988.

   [RFC1112]  Deering, S., "Host extensions for IP multicasting", STD 5,
              RFC 1112, DOI 10.17487/RFC1112, August 1989,
              <http://www.rfc-editor.org/info/rfc1112>.

   [RFC2309]  Braden, B., Clark, D., Crowcroft, J., Davie, B., Deering,
              S., Estrin, D., Floyd, S., Jacobson, V., Minshall, G.,
              Partridge, C., Peterson, L., Ramakrishnan, K., Shenker,
              S., Wroclawski, J., and L. Zhang, "Recommendations on
              Queue Management and Congestion Avoidance in the
              Internet", RFC 2309, DOI 10.17487/RFC2309, April 1998,
              <http://www.rfc-editor.org/info/rfc2309>.

   [RFC2914]  Floyd, S., "Congestion Control Principles", BCP 41,
              RFC 2914, DOI 10.17487/RFC2914, September 2000,
              <http://www.rfc-editor.org/info/rfc2914>.





Fairhurst                 Best Current Practice                [Page 22]


RFC 8084                                                      March 2017


   [RFC3985]  Bryant, S., Ed. and P. Pate, Ed., "Pseudo Wire Emulation
              Edge-to-Edge (PWE3) Architecture", RFC 3985,
              DOI 10.17487/RFC3985, March 2005,
              <http://www.rfc-editor.org/info/rfc3985>.

   [RFC4448]  Martini, L., Ed., Rosen, E., El-Aawar, N., and G. Heron,
              "Encapsulation Methods for Transport of Ethernet over MPLS
              Networks", RFC 4448, DOI 10.17487/RFC4448, April 2006,
              <http://www.rfc-editor.org/info/rfc4448>.

   [RFC4553]  Vainshtein, A., Ed. and YJ. Stein, Ed., "Structure-
              Agnostic Time Division Multiplexing (TDM) over Packet
              (SAToP)", RFC 4553, DOI 10.17487/RFC4553, June 2006,
              <http://www.rfc-editor.org/info/rfc4553>.

   [RFC5086]  Vainshtein, A., Ed., Sasson, I., Metz, E., Frost, T., and
              P. Pate, "Structure-Aware Time Division Multiplexed (TDM)
              Circuit Emulation Service over Packet Switched Network
              (CESoPSN)", RFC 5086, DOI 10.17487/RFC5086, December 2007,
              <http://www.rfc-editor.org/info/rfc5086>.

   [RFC5087]  Stein, Y(J)., Shashoua, R., Insler, R., and M. Anavi,
              "Time Division Multiplexing over IP (TDMoIP)", RFC 5087,
              DOI 10.17487/RFC5087, December 2007,
              <http://www.rfc-editor.org/info/rfc5087>.

   [RFC5348]  Floyd, S., Handley, M., Padhye, J., and J. Widmer, "TCP
              Friendly Rate Control (TFRC): Protocol Specification",
              RFC 5348, DOI 10.17487/RFC5348, September 2008,
              <http://www.rfc-editor.org/info/rfc5348>.

   [RFC5681]  Allman, M., Paxson, V., and E. Blanton, "TCP Congestion
              Control", RFC 5681, DOI 10.17487/RFC5681, September 2009,
              <http://www.rfc-editor.org/info/rfc5681>.

   [RFC6679]  Westerlund, M., Johansson, I., Perkins, C., O'Hanlon, P.,
              and K. Carlberg, "Explicit Congestion Notification (ECN)
              for RTP over UDP", RFC 6679, DOI 10.17487/RFC6679, August
              2012, <http://www.rfc-editor.org/info/rfc6679>.

   [RFC7761]  Fenner, B., Handley, M., Holbrook, H., Kouvelas, I.,
              Parekh, R., Zhang, Z., and L. Zheng, "Protocol Independent
              Multicast - Sparse Mode (PIM-SM): Protocol Specification
              (Revised)", STD 83, RFC 7761, DOI 10.17487/RFC7761, March
              2016, <http://www.rfc-editor.org/info/rfc7761>.






Fairhurst                 Best Current Practice                [Page 23]


RFC 8084                                                      March 2017


   [RFC7893]  Stein, Y(J)., Black, D., and B. Briscoe, "Pseudowire
              Congestion Considerations", RFC 7893,
              DOI 10.17487/RFC7893, June 2016,
              <http://www.rfc-editor.org/info/rfc7893>.

   [RFC8083]  Perkins, C. and V. Singh, "Multimedia Congestion Control:
              Circuit Breakers for Unicast RTP Sessions", RFC 8083,
              DOI 10.17487/RFC8083, March 2017,
              <http://www.rfc-editor.org/info/rfc8083>.

Acknowledgments

   There are many people who have discussed and described the issues
   that have motivated this document.  Contributions and comments
   included: Lars Eggert, Colin Perkins, David Black, Matt Mathis,
   Andrew McGregor, Bob Briscoe, and Eliot Lear.  This work was partly
   funded by the European Community under its Seventh Framework
   Programme through the Reducing Internet Transport Latency (RITE)
   project (ICT-317700).

Author's Address

   Godred Fairhurst
   University of Aberdeen
   School of Engineering
   Fraser Noble Building
   Aberdeen, Scotland  AB24 3UE
   United Kingdom

   Email: gorry@erg.abdn.ac.uk
   URI:   http://www.erg.abdn.ac.uk




















Fairhurst                 Best Current Practice                [Page 24]