Regarding UDP-Lite deprecation and removal

Regarding UDP-Lite deprecation and removal

[Lynne]

Hello,

UDP-Lite was scheduled to be removed in 2025 in commit
be28c14ac8bbe1ff due to a lack of real-world users, and
a long-outstanding security bug being left undiscovered.

I would like to open a discussion to perhaps either avoid this,
or delay it, conditionally.

To give some context, UDP-Lite was designed as an even-more
unreliable protocol, with limited CRC coverage, to enable
very low latency multimedia transmissions. Due to roundtrip
times often being longer than a single frame's duration, it
simply becomes impractical to retransmit corrupt packets.

Instead of simply not showing a frame, it is preferable to
allow corruption within the packet, due to video decoders
themselves being resilient to bitflips, as any differences
within the frame will, at worst, fade away over a number
of frames due to prediction.

UDP-Lite was slow to reach adoption, mainly due to
broadcasting companies still using SDI internally, rather
than IP, and popular applications's own protocols,
like Flash (that one) using TCP (RTMP) or HTTP (HLS/DASH)
instead. MPEG-TS over UDP was preferred for point-to-point
broadcasts over the internet, partially due to potential issues
with incompatible gateways.

An additional limitation of MPEG-TS was its large vulnerability
to bitflips, with it only supporting 188-byte packets, and most
of it being packet headers full of optional branches affecting
demuxing, where a single bitflip could result in missing more
than a single frame due to corrupted state.

For the majority of consumer broadcasts, UDP itself
has only somewhat recently started getting traction, due
to WebRTC becoming a standard.

Due to the limitations of video transmission becoming
more and more visible, as the whole streaming ecosystem
and standards keeps improving, eventually, I think, it is bound
that a use-case will arise for UDP-Lite.

I am an FFmpeg developer and, alongside assistance from developers
from other organizations, VideoLAN and Xiph, we are working on a new
transmission protocol for multimedia, called AVTransport.
The specification can be viewed here: https://cyanreg.github.io/avtransport/
UDP-Lite specific streaming details are on chapter 3.3.2

It was designed from the start to take advantage of UDP-Lite
at its minimum permitted CRC size. All its vital packet data
(such as type, length, timestamps) is protected by LDPC codes,
and not only collections of frames, but individual packets themselves
being able to have FEC, allowing for minimum latency transmission
even over wet unbalanced strings, and meeting the requirements
for long-term archival.

The protocol itself is still in a draft form, and its reference implementation
is only just starting to become functional.
UDP-Lite is already supported, and is tested. The specification actually
recommends using UDP-Lite over UDP, due to the protocol's robustness.

FFmpeg, has also supported UDP-Lite, for RTC or MPEG-TS, for a
very long time, and I cannot say with certainty that no one
is using this without letting us know. What I do know is that
someone cared enough for it to send a patch.

Other operating systems still maintain their UDP-Lite implementations,
and have made no deprecation plans yet.

At the very least, without UDP-Lite, someone may think of a new,
possibly proprietary way, once this problem is encountered.

Given all this, I would like to ask if it would be possible to maintain
UDP-Lite support, even if only partially. I would be fine with its CRC
coverage being fixed to its lowest value, or even doing reviews for
patches or bugs submitted to the LKML.

At the very least, there is already a way for users to retrieve raw,
uncorrected UDP packets (by settings rx-fcs and rx-all on network
interfaces, which most support). Perhaps some compromise could
be reached by giving users the responsibility to check CRC themselves?

Thanks,
Lynne

Re: Regarding UDP-Lite deprecation and removal

[Paolo Abeni]

On Sun, 2024-03-17 at 01:34 +0100, Lynne wrote:
> UDP-Lite was scheduled to be removed in 2025 in commit
> be28c14ac8bbe1ff due to a lack of real-world users, and
> a long-outstanding security bug being left undiscovered.
> 
> I would like to open a discussion to perhaps either avoid this,
> or delay it, conditionally.

I'm not very familiar to the deprecation process, but I guess this kind
of feedback is the sort of thing that could achieve delaying or avoid
the deprecation.

What will help more IMHO is someone stepping in to actually maintain
the protocol. It should not be an high load activity, but a few things
would be required: e.g. writing self-tests and ensuring that 3rd party
changes would not break it. And reviewing patches - but given the
protocol history that would probably be once in a lifetime.

Cheers,

Paolo

Re: Regarding UDP-Lite deprecation and removal

[Denis Kirjanov]

On 3/18/24 13:36, Paolo Abeni wrote:
> On Sun, 2024-03-17 at 01:34 +0100, Lynne wrote:
>> UDP-Lite was scheduled to be removed in 2025 in commit
>> be28c14ac8bbe1ff due to a lack of real-world users, and
>> a long-outstanding security bug being left undiscovered.
>>
>> I would like to open a discussion to perhaps either avoid this,
>> or delay it, conditionally.
> 
> I'm not very familiar to the deprecation process, but I guess this kind
> of feedback is the sort of thing that could achieve delaying or avoid
> the deprecation.
> 
> What will help more IMHO is someone stepping in to actually maintain
> the protocol. It should not be an high load activity, but a few things
> would be required: e.g. writing self-tests and ensuring that 3rd party
> changes would not break it. And reviewing patches - but given the
> protocol history that would probably be once in a lifetime.

That's sounds good enough to try

> 
> Cheers,
> 
> Paolo
> 
> 

Re: Regarding UDP-Lite deprecation and removal

[Florian Westphal]

Lynne <dev@lynne.ee> wrote:
> UDP-Lite was scheduled to be removed in 2025 in commit
> be28c14ac8bbe1ff due to a lack of real-world users, and
> a long-outstanding security bug being left undiscovered.
> 
> I would like to open a discussion to perhaps either avoid this,
> or delay it, conditionally.

Is there any evidence UDP-Lite works in practice?

I am not aware of any HW that will peek into L3/L4 payload to figure out
that the 'udplite' payload should be passed up even though it has bad csum.

So, AFAIU L2 FCS/CRC essentially renders entire 'partial csum' premise moot,
stack will never receive udplite frames that are damaged.

Did things change?

Re: Regarding UDP-Lite deprecation and removal

[Lynne]

Mar 18, 2024, 14:18 by fw@strlen.de:

> Lynne <dev@lynne.ee> wrote:
>
>> UDP-Lite was scheduled to be removed in 2025 in commit
>> be28c14ac8bbe1ff due to a lack of real-world users, and
>> a long-outstanding security bug being left undiscovered.
>>
>> I would like to open a discussion to perhaps either avoid this,
>> or delay it, conditionally.
>>
>
> Is there any evidence UDP-Lite works in practice?
>
> I am not aware of any HW that will peek into L3/L4 payload to figure out
> that the 'udplite' payload should be passed up even though it has bad csum.
>
> So, AFAIU L2 FCS/CRC essentially renders entire 'partial csum' premise moot,
> stack will never receive udplite frames that are damaged.
>
> Did things change?
>

I do somehow get CRC errors past the Ethernet layer on consumer rtl cards,
by default, with no ethtool changes, so maybe things did change.

I haven't sacrificed a good cable yet to get a definitive proof.
The cargo-culted way to be sure is to enable rx-all.

Re: Regarding UDP-Lite deprecation and removal

[Lynne]

Mar 17, 2024, 01:34 by dev@lynne.ee:

> Hello,
>
> UDP-Lite was scheduled to be removed in 2025 in commit
> be28c14ac8bbe1ff due to a lack of real-world users, and
> a long-outstanding security bug being left undiscovered.
>
> I would like to open a discussion to perhaps either avoid this,
> or delay it, conditionally.
>

Ping. To be clear, I am offering to maintain it if the current
maintainers do not have time to.

Should I send a patch to remove the warning? I wanted to
know the opinions of the ones who maintain/deprecated
the code first.

Re: Regarding UDP-Lite deprecation and removal

[Paolo Abeni]

On Mon, 2024-03-18 at 18:58 +0100, Lynne wrote:
> Mar 18, 2024, 14:18 by fw@strlen.de:
> 
> > Lynne <dev@lynne.ee> wrote:
> > 
> > > UDP-Lite was scheduled to be removed in 2025 in commit
> > > be28c14ac8bbe1ff due to a lack of real-world users, and
> > > a long-outstanding security bug being left undiscovered.
> > > 
> > > I would like to open a discussion to perhaps either avoid this,
> > > or delay it, conditionally.
> > > 
> > 
> > Is there any evidence UDP-Lite works in practice?
> > 
> > I am not aware of any HW that will peek into L3/L4 payload to figure out
> > that the 'udplite' payload should be passed up even though it has bad csum.
> > 
> > So, AFAIU L2 FCS/CRC essentially renders entire 'partial csum' premise moot,
> > stack will never receive udplite frames that are damaged.
> > 
> > Did things change?
> > 
> 
> I do somehow get CRC errors past the Ethernet layer on consumer rtl cards,
> by default, with no ethtool changes, so maybe things did change.
> 
> I haven't sacrificed a good cable yet to get a definitive proof.
> The cargo-culted way to be sure is to enable rx-all.

I did not consider the mac-level csum - thanks Florian for bringing
that up.

Yes, you can disable FCS checking on the local host - for some NIC at
least - and AFAIK that is the only way to receive csum corrupted
packets. Delivery packets with bad FCS without F_RXALL set would be a
bug.

And you need to set F_RXALL on all the intermediate hops.

All in all, the use-case looks very thin at best.

In any case, to  step-in to maintain a specific protocol you should
start first contributing. I *guess* a reasonable good start would be
implementing UDP-lite selftests.

Cheers,

Paolo

Re: Regarding UDP-Lite deprecation and removal

[Denis Kirjanov]

On 3/21/24 11:29, Lynne wrote:
> Mar 17, 2024, 01:34 by dev@lynne.ee:
> 
>> Hello,
>>
>> UDP-Lite was scheduled to be removed in 2025 in commit
>> be28c14ac8bbe1ff due to a lack of real-world users, and
>> a long-outstanding security bug being left undiscovered.
>>
>> I would like to open a discussion to perhaps either avoid this,
>> or delay it, conditionally.
>>
> 
> Ping. To be clear, I am offering to maintain it if the current
> maintainers do not have time to.
> 
> Should I send a patch to remove the warning? I wanted to
> know the opinions of the ones who maintain/deprecated
> the code first.Otherwise it doesn't make sense to maintain it if it's going to be deleted :)
BTW if yo have a list of tests to implement please share to avoid stepping on toes 

> 

Re: Regarding UDP-Lite deprecation and removal

[Jakub Kicinski]

On Mon, 18 Mar 2024 18:58:10 +0100 (CET) Lynne wrote:
> Mar 18, 2024, 14:18 by fw@strlen.de:
> > Lynne <dev@lynne.ee> wrote:
> >  
> >> UDP-Lite was scheduled to be removed in 2025 in commit
> >> be28c14ac8bbe1ff due to a lack of real-world users, and
> >> a long-outstanding security bug being left undiscovered.
> >>
> >> I would like to open a discussion to perhaps either avoid this,
> >> or delay it, conditionally.
> >>  
> >
> > Is there any evidence UDP-Lite works in practice?

FWIW I also vote to delete UDP-Lite unless we have real uses that show
benefit, preferably _in production_.

> > I am not aware of any HW that will peek into L3/L4 payload to figure out
> > that the 'udplite' payload should be passed up even though it has bad csum.
> >
> > So, AFAIU L2 FCS/CRC essentially renders entire 'partial csum' premise moot,
> > stack will never receive udplite frames that are damaged.

Plus FEC protection on top of FCS is increasingly common.

I presume someone did mathematical analysis that UDP Lite is sound,
but my engineering senses are tingling at the thought that we're
simultaneously saying that BER is high enough to want to process
damaged packets, and low enough for the internet csum to be
sufficiently strong.

The whole thing feels a little bit like an attempt to preserve
zero-checksum for IPv6. For HW which wants to spit out IP headers
followed by a block of raw unchecksummed data. I've done such things
in the past on an FPGA out of laziness. Nothing to do with receiving
actually damaged frames.

> > Did things change?
> >  
> 
> I do somehow get CRC errors past the Ethernet layer on consumer rtl cards,
> by default, with no ethtool changes, so maybe things did change.

Yes, but that's just the last hop. Is the entire network going
to disable L2 csums? Or are we just going to use the UDP-lite-
-abilities on the last hop?

> I haven't sacrificed a good cable yet to get a definitive proof.
> The cargo-culted way to be sure is to enable rx-all.