IETF Logo Mail Archive

Re: [Dyncast] edge capability feedback

Carsten Bormann <cabo@tzi.org> Fri, 12 March 2021 09:03 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: dyncast@ietfa.amsl.com
Delivered-To: dyncast@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 677F53A1529 for <dyncast@ietfa.amsl.com>; Fri, 12 Mar 2021 01:03:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JOkYBCqIrthh for <dyncast@ietfa.amsl.com>; Fri, 12 Mar 2021 01:03:55 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63B253A1520 for <dyncast@ietf.org>; Fri, 12 Mar 2021 01:03:55 -0800 (PST)
Received: from [192.168.217.118] (p5089a828.dip0.t-ipconnect.de [80.137.168.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4Dxfxg4FltzygQ; Fri, 12 Mar 2021 10:03:51 +0100 (CET)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <005cb41e526c4cac9cffd9ad9db5c5da@huawei.com>
Date: Fri, 12 Mar 2021 10:03:51 +0100
Cc: Dirk Trossen <dirk.trossen@huawei.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, dyncast <dyncast@ietf.org>
X-Mao-Original-Outgoing-Id: 637232630.751309-31a4d29ee055923fd74bb753eafcc08c
Content-Transfer-Encoding: quoted-printable
Message-Id: <84BAF6A9-5EA2-46F4-8535-9A8FD74198BD@tzi.org>
References: <20210311102435132657878@chinamobile.com> <9A6BA68B-3916-413E-BD29-62D4096DF1D3@senki.org> <00CCE76F-D3F8-49DD-8E11-29E7DBB956E1@huawei.com> <5EEEA7D8-D4E7-42AE-9D40-2DF6DF744567@chinamobile.com> <ea129e08-d5b2-5edb-a5ee-8362b12dc2b5@joelhalpern.com> <B930F50D-4A0C-4DAB-A3E5-0CD308CEB67F@tzi.org> <b5941a0414144d0ab958cb69b96c3786@huawei.com> <005cb41e526c4cac9cffd9ad9db5c5da@huawei.com>
To: Luigi IANNONE <luigi.iannone@huawei.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dyncast/-ENK2wgwRWJOOSIq9KqiJIOlFvY>
Subject: Re: [Dyncast] edge capability feedback
X-BeenThere: dyncast@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dyncast.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dyncast>, <mailto:dyncast-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dyncast/>
List-Post: <mailto:dyncast@ietf.org>
List-Help: <mailto:dyncast-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dyncast>, <mailto:dyncast-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2021 09:03:59 -0000

On 2021-03-12, at 09:48, Luigi IANNONE <luigi.iannone@huawei.com> wrote:
> 
> 
> However, I would like to come back to Barry's point: DDoS.
> 
> AFAIR we did not touch that much this issues, yet, it is important to consider the case of a malicious attacker trying to abuse Dyncast.

I think we need to distinguish the client as an attacker and the server as an attacker.

Beyond what any network user can do, the most interesting angle a dyncast client can use is resource exhaustion by creating fake state.
Not creating state per client (Option 5) is probably the only realistic mitigation.

I haven’t really thought about server-side attacks.  Servers will be able to create state, and there needs to be some active state management (not just against attacks, but also against malfunctions such as continuously rebooting or respawning servers).

> What kind of mechanism should Dyncast include? Can DOTS somehow help? (I do not know this technology so I do not have an answer)

DOTS is really about the victim (or their collaterals) talking to the network to mitigate an attack that cannot be otherwise managed.  Let’s try to make that unnecessary :-)

> Certainly in the next version of the architectural document we should start to provide a security analysis at least from an architectural perspective ;-) 

Indeed!

Grüße, Carsten

v2.8.7 | Report a Bug | By Email