Guidelines for Internet Congestion Control at Endpoints
University of Aberdeen
School of Engineering
Fraser Noble Building
Aberdeen
AB24 3UE
UK
gorry@erg.abdn.ac.uk
University of Oslo
Oslo
-
Incipient congestion: This is a consequential side effect of the
statistical multiplexing of packet flows.
There will be times when packets need to be buffered or dropped at the bottleneck(s) on a path,
irrespective of the long-term average load.
- Persistent congestion: This occurs when the pattern of arriving traffic results
in over-consumption of a path's resources. Typically this results in
packet loss. The effects of persistent congestion might impact the flow
that induces the congestion, but could adversely impact other flows,
e.g., starving them of resources or reducing the efficiency
of the path (e.g., congestion collapse).
Flows need to react when they encounter either form congestion to reduce their
contribution to the load. For persistent congestion, the reaction needs to be
sufficient to avoid excessive harm to other flows.
Incipient congestion results during normal operation of the Internet.
Buffering (which causes an increase in latency) or congestion loss (discard of a
packet) arises when the traffic arriving at a bottleneck exceeds
the resources available. A network device
uses will drop excess packets when its
queue(s) becomes full. This can be managed using
Active Queue Management (AQM) ,
which can
be combined with Explicit Congestion Notification (ECN) signalling
to mitigate incipient congestion
.
Buffers can be divided into pools and traffic
can be associated with a specific pool (e.g., using local
configuration, or coordinated using the Differentiated
Services architecture).
A schedular can
isolate the queuing of packets
for different flows, or aggregates of flows, and
reduce the impact of flow multiplexing on other flows
(e.g., flow scheduling ). This could
equally distribute resources between sharing
flows, but this equality is explicitly not a requirement
.
Even when a path is expected
to support such methods, an endpoint MUST NOT rely on the
presence and correct configuration of these methods, and therefore
needs to employ CC methods that work end-to-end, or employ
in-network control, such as a circuit-breaker.
In some controlled environments, Internet transports can use mechanisms to
reserve capacity.
Most Internet paths do not support this.
In the absence of such a reservation, endpoints
are unable to determine a safe rate at which to start a new
transmission. The use of an Internet path therefore requires
end-to-end CC mechanisms to detect and respond to congestion.
Section 3.3 of notes that a flow can use
CC to
"optimize its own performance regarding throughput, delay, and loss. In
some circumstances, for example in environments with high statistical
multiplexing, the delay and loss rate experienced by a flow are largely
independent of its own sending rate."
and continues: "in environments with lower
levels of statistical multiplexing or with per-flow scheduling, the
delay and loss rate experienced by a flow is in part a function of the
flow's own sending rate. Thus, a flow can use end-to-end congestion
control to limit the delay or loss experienced by its own packets."
Early RFCs recognised that a poorly designed transport
can lead to significant congestion, which could result in severe service degradation or
"Internet meltdown". One effect is called "Congestion Collapse",
where an increase in the network load results in a decrease in
the useful work done by the network.
.
. This was first observed in the mid 1980s
At that time, this was aggrevated by connections thjat did not use CC and
which unnecessarily retransmitted packets that were either in
transit or had already been received, resulting in
a stable persistent congestion .
also notes that it is even
more destructive when applications increase their
sending rate in response to an increase in the packet loss rate (e.g.,
automatically using an increased level of FEC (Forward Error
Correction)).
The problems of
congestion collapse have generally been corrected by
improvements to the loss recovery and congestion control mechanisms in
transport protocols , designed to avoid
starving other flows of capacity (e.g.,
). Section
3.1 describes preventing congestion collapse.
adds that
"all UDP-based streaming applications should incorporate
effective congestion avoidance mechanisms."
and both
reaffirm the continued need to provide methods to prevent
starvation.
CC is an evolving subject, responding to changes in protocol
design, operation of applications using the network and understanding of the
network operation under load.
The IETF has provided guidance for
considering and evaluating alternate CC algorithms.
The IRTF has described a set of metrics and related trade-off
between metrics to compare, contrast, and evaluate
CC algorithms . provided a snapshot of CC
research in 2008. discussed open issues in CC research in 2011.
In contrast to considering the fairness in distributing capacity between flows,
a different approach is to analyse
persistent congestion effects to understand the harm to other flows
(collateral impact of loss, starvation, collapse, etc).
Such an analysis of the suitability of a new mechanism can evaluate how
changes impact other flows sharing a bottleneck, and consider the
impact on the flows that have outliers in performance (e.g., the last 5%, 1%)
For example, the performance often does not
provide an indication that a new method could starve
other applications that share the bottleneck,
or when patterns of packets (e.g., bursts) are sent that
disrupt the packet timing needed by another application flow.
Recommendations and requirements on CC control are distributed across
many documents in the RFC series. This section
gathers and consolidates these recommendations. These,
and Internet engineering experience are used to derive the best current
practice in the design of Internet CC methods.
Standardization of new CC algorithms can avoid
an "arms race" among competing protocols . That is, avoid
competition for Internet resource in a way that significantly reduces
the ability of other flows to use the Internet.
The general recommendation in the UDP Guidelines is that applications SHOULD leverage existing
CC techniques, such as those defined for TCP , TCP-Friendly Rate Control (TFRC) , SCTP , and other
IETF-defined transports. This is because there are many trade offs and
details that can have a serious impact on the performance of a CC
mechanism and upon other traffic that seeks to
share a bottlneck.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
The path between endpoints (sometimes called "Internet Hosts" for IPv4 and
called "source nodes" and "destination nodes" in IPv6) consists of the endpoint
protocol stack at the sender and the receiver (which together implement
the transport service), and a succession of links and network devices
(routers or middleboxes) forming the network path.
The set of network devices forming the path is not usually fixed, and it
should generally be assumed that this set can change over arbitrary
lengths of time.
defines CC as "the
feedback-based adjustment of the rate at which data is sent into the
network. Congestion control is an indispensable set of principles and
mechanisms for maintaining the stability of the Internet."
The document draws on language used in the specifications of TCP and
other IETF transports. For example, a protocol timer is generally needed
to detect persistent congestion, and this document uses the term
Retransmission Timeout (RTO) to refer to the operation of this timer.
Similarly, it refers to a congestion window (cwnd) as a variable
that controls the rate of transmission by the CC.
Each new transport needs
to make its own design decisions about how to meet the recommendations
and requirements for CC. The
use of these terms does not imply that endpoints need to implement
functions in the current way used by TCP.
Other terminology is directly copied from the cited RFCs.
This includes:
- Endpoints MUST perform congestion control and SHOULD leverage existing techniques .
- If an application or protocol chooses not to use a
CC, it SHOULD control the
rate at which it sends datagrams to a destination host,
to fulfil the requirements of , as
stated in .
- Endpoints
SHOULD control the aggregate traffic that is sent
. An endpoint can become aware of
congestion by various means (including, delay variation, timeout,
ECN, packet loss). A signal that indicates congestion SHOULD result in a
reaction to reduce the sendding rate ).
- Although network devices can be configured to reduce the impact
of multiplexing on other flows, endpoints MUST NOT rely
solely on the presence and correct configuration,
except in a controlled environment.
- A transport that does not target Internet deployment needs to be
constrained to only operate in a controlled environment (e.g., see
Section 3.6 of ) and provide
appropriate mechanisms to prevent this traffic from accidentally leaving the
controlled environment .
Internet transports need to use a CC method designed for
Internet paths.
- Path Capacity: The forward path can be congested in terms of the
number of packets it can support and/or the number of rate of bytes it can transfer.
The return path (towards the sender) can also be congested.
Methods need to operate over paths where capacity in the forward and return directions are
significantly different.
- Path Loss: Paths can experience packet loss for various reasons besides
experiencing congestion
(e.g., link corruption ), but an
endpoint cannot usually reliably disambiguate the
cause of loss.
Whilst mechanisms below the transport
layer can mitigate this loss, the only way to surely confirm that a sending
endpoint has successfully communicated with a remote endpoint is
to utilise a timer (see ) to detect a
lack of response that could result from a change in the path or
the path characteristics. The detection of
congestion and the resulting reduction in rate MUST NOT solely depend upon
reception of a signal from the remote endpoint, because congestion
indications could themselves be lost due to
congestion.
- Path RTT: The RTT from an endpoint cannot be determined a-priori, and must
be measured dynamically (see ).
- Path Change: An endpoint MUST assume that path characteristics can change over time
(i.e. path characteristics and sharing traffic once discovered do not necessarily remain valid in the future).
- Network devices MAY provide mechanisms to mitigate the impact
of congestion by transport flows (e.g., priority
forwarding of control information, and starvation detection), and
ought to mitigate the impact of non-conformant and malicious flows
). These mechanisms complement, but
do not replace, the endpoint congestion avoidance mechanisms.
- Security: Internet endpoints need to be protected from intentional disruption of the
service they provide, and from the exploitation of methods to attack
other endpoints or services (see ).
An endpoint needs to be protected from attacks on the traffic
it generates, or attacks that seek to increase the capacity that it
consumes (impacting other traffic that share a bottleneck).
The following guidance is provided on protection:
- Off-Path Attack: A design MUST protect from
off-path attack to the protocol
(i.e., where the attacker is unable to observe
packets). This can lead to a Denial of Service (DoS) vulnerability for
the flow being controlled and/or other flows that share network
resources along the path.
- On-Path Attack: A protocol can be designed to
protect from on-path attacks (i.e., where an attacker can
observe the packets).
Protecting from on-path attacks can require more complexity
and typically utilises encryption and/or authentication mechanisms (e.g., IPsec
, QUIC ).
- Validation of Signals: To protect from malicious abuse, network signals and
control messages (e.g., ICMP ) MUST
be validated before they are used
(see ).
Transports MUST at least include protection from off-path attack using
signals (e.g., validating the quoted information
in an ICMP message enables checksing that this corresponds to the flow,
before utilising the signalling it contains).
This section summarises the principles for providing CC. It describes principles associated
with preventing persistent congestion, reacting to
incipient congestion and utilising additional path information.
A sender needs to regulate the maximum
volume of data in flight over the interval of the current RTT (the cwnd).
It needs to react to incipient congestion.
- Setting an initial cwnd: A TCP sender
"SHOULD set the congestion window to no more
than the Restart Window (R)" before beginning transmission, if the
sender has not sent data in an interval that exceeds the current
retransmission timeout, i.e., when an application becomes idle
. Congestion Window Validation (CWV)
describes how a TCP sender can tentatively
maintains a cwnd larger than the path has supported in the
last RTT when a flow is application-limited, provided that the endpoint
rapidly reduces the cwnd when congestion is detected.
- Using the cwnd: A
sender that does not use capacity has no understanding whether
previously used capacity remains available, or whether that
capacity has disappeared (e.g., a change in the path that causes a
flow to experience a smaller bottleneck, or when more traffic
emerges that consumes previously available capacity resulting in a
new bottleneck). For this reason, a transport that is limited by
the volume of data available to send, MUST NOT continue to grow its
cwnd when the current cwnd is more than
twice the volume of data acknowledged in the last RTT.
The reduction needs to be commensurate with the increase that preceded it.
This factor of 2 decrease corresponds to an increase factor of 2
in slow start.
- Collateral Damage: Even in the absence of
congestion, statistical multiplexing can result in
transient effects for flows sharing common resources. A sender
SHOULD avoid persistently inducing excessive congestion to other
flows (collateral damage that could result in flow starvation). For example,
avoid a sudden surge in sending rate that lasts for more than one RTT.
- Burst Mitigation: While an endpoint
ought to limit its sending rate at the granularity of the current RTT, this
can be insufficient to satisfy the need to mitigate collateral damage.
Endpoints SHOULD provide mechanisms to regulate the bursts
of transmission that the application/protocol sends
(section 3.1.6 of ). ACK-Clocking
can help mitigate bursts when they
receive continuous feedback of reception (such as
TCP). Sender pacing can also mitigate this , (described in Section 4.6 of ), and has been recommended for TCP in
conditions where ACK-Clocking is not effective, (e.g., , ). SCTP
defines a maximum burst length
(Max.Burst) with a recommended value of 4 segments to limit the
SCTP burst size. QUIC recommends that a sender paces
all in-flight packets based on input from the CC .
When the CC is increasing the cwnd,
it transmits faster than the last confirmed safe
rate. Such an increase needs to be
regarded as tentative and a sender needs to reduce its rate below the
last confirmed safe rate when congestion is detected.
- Increasing the cwnd:
In the absence of congestion, an endpoint MAY increase the sending rate or cwnd.
This limit should only be increased
when there is additional data available to send
(i.e., the sender will utilise the additional capacity in the
next RTT).
- A sender MUST NOT
increase the sending rate for a time longer than one RTT period after
congestion is first detected. This helps manage incipient congestion.
- Avoiding Overshoot: Overshoot of the cwnd
beyond the point of congestion can significantly impact
other flows sharing resources along a path, and can
impact the performance of the flow itself.
As endpoints experience more paths with a large Bandwidth Delay Product (BDP) and
a wider range of potential path RTTs, variability or changes
in the path can significantly impact the appropriate
dynamics for increasing the cwnd (see also burst
mitigation, ). Methods such as
HyStart are designed to avoid overshoot .
- Response to Detected Congestion: The sending rate MUST
be below the previously
confirmed safe rate for multiple RTT periods after a
congestion event. In TCP Reno ,
this is performed by using a conservative (linear)
increase from a slow start threshold that is re-initialised each time
congestion is experienced.
An endpoint can utilise timers to implement transport mechanisms, e.g.,
to recover from loss, to trigger pre-emptive retransmission
and other protocol functions.
An endpoint that does utilise timers needs to follow the rules
in section 3.3 of .
Principles include:
- Initial RTO Interval: When a flow sends the first
packet(s), it has no way to know the RTT of the
path. An initial timer value is needed to detect any
lack of responsiveness from the remote endpoint. In TCP, this is
the starting value of the RTO. A safe initial
value is important for
overall Internet stability . In the absence of any knowledge about
the latency of a path (including the initial value), senders SHOULD
conservatively set the RTO to no less than 1 second.
(Although Linux TCP has deployed a smaller
initial RTO value, the appendix of
confirms that values shorter
than 1 second can be problematic.)
- Initial RTO Expiry: If the RTO timer expires while
awaiting completion of a connection setup, or handshake (e.g., the
ACK of a SYN segment in the three-way handshake in TCP), and the
implementation is using an RTO of less than 3 seconds, the local
endpoint can resend the connection setup.
The RTO MUST then be re-initialized to increase it
to 3 seconds once data transmission begins (i.e., after the
handshake completes) . This conservative increase is necessary
to avoid congestion collapse when many flows retransmit across a
shared bottleneck with restricted capacity.
- Initial Measured RTO: Once an RTT measurement is
available (e.g., through reception of an acknowledgement), the
timeout value must be adjusted. This adjustment MUST take into
account the RTT variance. For the first sample, this variance
cannot be determined, and a local endpoint MUST therefore
initialise the variance to RTT/2 (see equation 2.2 of and related text for UDP in section 3.1.1
of ).
- Updating the Path RTT: Once an endpoint has started
communicating with its peer, the RTT MUST be adjusted by measuring
the actual path RTT. This adjustment MUST include adapting to the
measured RTT variance (see equation 2.3 of ). An RTO interval SHOULD be set based on
recent RTT observations (including the RTT variance)
(e.g., Section 3.1.1 of ).
- Persistent Lack of Feedback:
Persistent lack of feedback (e.g.,
detected by an RTO expiry, or other means) MUST be treated as persistent congestion.
A failure to receive
any specific response could be a
result of a RTT change, change of path, excessive loss, or even
congestion collapse. If there is no response within the RTO
interval, TCP collapses the cwnd to one segment . Other transports MUST similarly respond
when they fail to receive confirmation of feedback.
An endpoint MUST exponentially backoff the RTO
interval each time
persistent congestion is detected ,
until the path characteristics can again be confirmed
.
- Maximum RTO: A maximum value MAY be placed on the
RTO interval. This maximum RTO interval MUST NOT be
less than 60 seconds .
- [[Author Note: Re-check RTO-Consider. ]]
This section describes the principles related to mitigation of incipient congestion (see ).
When a connection to a new destination is first established, the
endpoints have little information about the characteristics of the
network path they will use. The safety and responsiveness of new CC proposals
needs to be evaluated
.
- Flow Start: A new flow between two endpoints needs
to initialise a CC for the path.
The TCP slow-start algorithm is an accepted standard for
flow startup . This uses the notion
of an Initial coingestion Window (IW) , updated
by ). The IW is not the smallest burst size,
nor the smallest cwnd. It t is a safe starting point
for a path that is not suffering persistent congestion, and is
applicable until feedback about the path is received.
- Utilised Capacity: A CC MAY assume
that the recently used capacity between a pair of endpoints is an
indication of future capacity that might be available in the near future between
the same endpoints ().
The CC MUST reduce its rate if this is not
subsequently confirmed to be true. [[Author note: we likely need to bound
this reaction in time or size]].
This section describes mechanisms to detect loss and provide
retransmission, and to protect the network in the absence of timely
feedback.
- Congestion Detection: Loss is typically detected when a sender
cannot confirm delivery within an expected
period (e.g., by observing the time-ordering of the
reception of ACKs, as in TCP DupACK) or by utilising a timer to
detect loss (e.g., a transmission timer with a period less than
the RTO, ) or a combination of the two.
A transport is usually unable
to reliably detect whether
a loss is a result of congestion. For this reason,
loss needs to be treated as incipient congestion, at least until
the cause of loss can be reliably determined.
- Retransmission: When loss is detected,
the sender can choose to retransmit the lost data, ignore the
loss, or send other data (e.g.,
), depending on the
reliability provided by the transport service. All
transmissions consume network capacity, therefore retransmissions
MUST NOT increase the network load in response to congestion loss
(which worsens that congestion) .
Any method that sends additional data following loss is therefore
responsible for CC of the retransmissions (and any
other packets sent, including FEC information) as well as the
original traffic.
In determining an appropriate
congestion response to incipient congestion, designs could consider
the size of the packets that experience congestion .
- Congestion Response: An endpoint MUST promptly
reduce the sending rate when there is an
indication of congestion (e.g., loss) .
TCP Reno established a method that relies on
multiplicative-decrease to halve the sending rate while congestion
is detected. This response to congestion indications is
sufficient for safe Internet operation, but other decrease factors
have also been published in the RFC Series .
- ECN Detection: ECN can help determine an appropriate
cwnd to enable early indication of
incipient congestion when it is supported by routers on the path .
An early detection of incipient congestion
allows a different reaction to an explicit congestion signal
compared to the reaction to a detected packet loss .
Congestion control design should
provide the necessary mechanisms to support ECN
, as described in section 3.1.7 of .
- Response to ECN Congestion Marking:
Simple
feedback of received Congestion Experienced (CE) marks relies only on an indication that
congestion has been experienced within the last RTT. This
response is appropriate when a flow uses ECT(0) .
ABE modified this reaction to ECN . Extended RTP feedback and accurate TCP receiver
feedback more detail about the
CE-marking , supporting a
finer granularity of congestion response.
The L4S architecture
allows routers to use
a different marking
system that can provide early reaction to incipient congestion
and
defines a reaction for this feedback
when packets are marked with ECT(1).
-
provides guidelines
for a sender that does not, or is unable to, adapt the cwnd.
Path information can be cached.
In TCP, this was previously called TCP Control Block (TCB)
sharing, and is now called TCP Control Block Interdependence,
.
A CC can also utilise signals from the network to help determine
how to regulate the traffic it sends.
- Utilising Cached Path Information: A transport
connection between a pair of endpoints can share CC parameters with other
connections that share
the same path. A CC that recently
used a specific path could allow another flow to
take-over the previously consumed capacity.
Information used to accelerate the growth of the cwnd MUST
be viewed as tentative until it is confirmed that the flow
was able to utilise the capacity (i.e., the new flow needs to either
"use or loose" the
capacity). A sender MUST
reduce its rate if the capacity is not confirmed within the
current RTO interval.
- adds "An application that forks multiple
worker processes or otherwise uses multiple sockets to generate UDP
datagrams SHOULD perform congestion control over the aggregate
traffic."
- Utilising Network Signals: A mechanism that utilises signals originating in
the network (e.g., RSVP, NSIS, Quick-Start, ECN), MUST assume that
the set of network devices on the path can change. This motivates
use of soft-state for protocols (e.g., ECN) and includes
context-sensitive treatment of "soft" signals provided
to the endpoint .
Endpoints MUST assume the set of routers and links forming the path
can change and that network devices can be reconfigured or reset.
A changing set of on-path devices can also affect which types of packets traverse a path
(e.g. whether IP options are supported, or a specific treatment applies.)
All endpoints are required to implement mechanisms that avoid
persistent congestion and can demonstrate that they do not induce
starvation and congestion collapse (see ).
Principles include:
- Persistent congestion can
result in congestion collapse, which MUST be aggressively avoided
. Endpoints that experience
persistent congestion and have already reduced their
cwnd to the loss window (e.g., one packet) MUST
further reduce the rate if the RTO timer continues to expire. For
example, TFRC continues to reduce
its sending rate under persistent congestion to one packet per RTT,
and then exponentially backs-off the time between single packet
transmissions if a congestion event continues to persist
. QUIC
does not directly specify a period, but does specify a probe to detect tail loss.
The Tail Loss Probe (TLP) mechanism
determines that persisent congestion is experienced
after a loss for a duration of 2 TLP probes plus the RTO.
Principles include:
- Transports MUST avoid inducing flow starving flows
that share resources along the path.
- Endpoints MUST treat a loss of all feedback (e.g., RTO expiry)
as an indication of persistent
congestion.
- When an endpoint detects persistent congestion, it MUST reduce
the maximum rate/cwnd.
Many designs place the responsibility of rate-adaption
for CC at the
sender (source) endpoint, utilising feedback information provided by
the remote endpoint (receiver). CC can also be
implemented by determining an appropriate rate limit at a receiver
and using this limit to control the maximum transport rate (e.g.,
using methods such as and ).
Applications at an endpoint can send more than one flow. "The specific issue of a
browser opening multiple connections to the same destination has been
addressed by . Section 8.1.4 states that
"Clients that use persistent connections SHOULD limit the number of
simultaneous connections that they maintain to a given server. A
single-user client SHOULD NOT maintain more than 2 connections with
any server or proxy." .
This document owes much to the insight offered by Sally Floyd, both
at the time of writing of RFC2914 and her help and review in the many
years that followed this.
Nicholas Kuhn helped develop the first draft of these guidelines. Tom
Jones and Ana Custura reviewed the first version of this draft. Many discussions
with Michael Welzl and others have provided immeasurable help to get this far. The
University of Aberdeen received funding to support this work from the
European Space Agency.
This memo includes no request to IANA.
RFC Editor Note: If there are no requirements for IANA, the section
will be removed during conversion into an RFC by the RFC Editor.
This document introduces no new security considerations. Each RFC
listed in this document discusses the security considerations of the
specification it contains. The security considerations for the use of
transports are provided in the references section of the cited RFCs.
Security guidance for applications using UDP is provided in the UDP
Usage Guidelines .
describes general requirements
relating to the design of safe protocols and their protection from on
and off path attack.
follows current best practice to
validate ICMP messages prior to use.
Normative References
Informative References
Flow Rate Fairness: Dismantling a Religion, ACM Computer
Communication Review 37(2):63-74
ACM SIGCOMM Computer Communication Review
Congestion Avoidance and Control
Note to RFC-Editor: please remove this entire section prior to
publication.
Previous versions of the document were presented and discsussed in tsvwg, and eveolved through several versions. This version is a refocus towards the newly formed CC Working Group where it is offered as a candidate for progression.
Individual draft -00:
- First draft contributed to CC WG targeting publication as BCP.
- Reduced overlap