IETF Logo Mail Archive

Re: Naive question on multiple TCP/IP channels

Christopher Morrow <morrowc.lists@gmail.com> Wed, 04 February 2015 22:00 UTC

Return-Path: <christopher.morrow@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0811A8A59; Wed, 4 Feb 2015 14:00:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWsvtPXcvvaA; Wed, 4 Feb 2015 14:00:06 -0800 (PST)
Received: from mail-qg0-x233.google.com (mail-qg0-x233.google.com [IPv6:2607:f8b0:400d:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 013EE1A8A15; Wed, 4 Feb 2015 14:00:05 -0800 (PST)
Received: by mail-qg0-f51.google.com with SMTP id z107so3496196qgd.10; Wed, 04 Feb 2015 14:00:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=7qJfQGGo9mW/atzOBNoG4f8/z0kuyllG1P6OeFPk7vI=; b=gM59drXuOjgMq5MBd/1ArNwZRzTYJiEONnT9RLu+26ob2ML4DbdHNi93zAC+Gdx//D X8OliZhqODAUnGp7fLuH/GjVqXtWXNfd0byjXuaIoOinMHxdikak31ge+7QomF4nppVF xF4NICATMTCWYOcMgWw6OvQx+xOF7iH58KwEsQ1CdpK3+fgdstXAey5ZuUJXdpf9yhts M9o70r2/B5YQ3Gmt6NSf9lMe6wJvweYC0BuQQgI5Rj+i+oluEL+Dj3qeRHv7Aqomjwb6 GX7GjtdXHV13on29K6CN0MX94VFdifXbU+ZZfRl/N4/DkQw4RyjCGEja0hkiyJCQaCLl QUTw==
MIME-Version: 1.0
X-Received: by 10.140.97.38 with SMTP id l35mr945949qge.47.1423087205219; Wed, 04 Feb 2015 14:00:05 -0800 (PST)
Sender: christopher.morrow@gmail.com
Received: by 10.140.49.33 with HTTP; Wed, 4 Feb 2015 14:00:04 -0800 (PST)
In-Reply-To: <CAMm+LwhcQfbCjimzj59VYM1w1L6dNm8aKFbk4TOeeJv5u20NnQ@mail.gmail.com>
References: <CAMm+Lwgb9L9bUG6ommBDYJzQTCU1cC_zLSEf_5JPeJ+c=yrYmA@mail.gmail.com> <5DF6DC77-E476-408F-9FA5-F107DDC9F857@netapp.com> <CAMm+LwjM412i4NbXhYajSKdrP2FTa7sBbu8Fca1yA9g6QWjYGQ@mail.gmail.com> <CAL9jLaaxapXeCBE3cNJeO6b6RXHoc+RJdSLsb046qz+nvQk-3Q@mail.gmail.com> <CAMm+LwhcQfbCjimzj59VYM1w1L6dNm8aKFbk4TOeeJv5u20NnQ@mail.gmail.com>
Date: Wed, 04 Feb 2015 17:00:04 -0500
X-Google-Sender-Auth: 8vJmhKwLG_NfOxqYWUZ7SpxOrIY
Message-ID: <CAL9jLaYioLOcC-vbSqH6EVjTpyso8yGue5cyyguqQGp8mUp7hA@mail.gmail.com>
Subject: Re: Naive question on multiple TCP/IP channels
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/31mCJymJoykkRrp4SLUH3eEcl_4>
Cc: IETF Discussion Mailing List <ietf@ietf.org>, "tsvwg@ietf.org" <tsvwg@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 22:00:11 -0000

On Wed, Feb 4, 2015 at 4:23 PM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
>
>
> On Wed, Feb 4, 2015 at 4:00 PM, Christopher Morrow <morrowc.lists@gmail.com>
> wrote:
>>
>> On Wed, Feb 4, 2015 at 3:47 PM, Phillip Hallam-Baker
>> <phill@hallambaker.com> wrote:
>>
>> > I know that traditionally we have considered congestion control to be a
>> > per
>> > connection thing rather than per process or per user. Those don't
>> > exactly
>> > exist in the Internet model. But if we consider DDoS to be an extreme
>> > form
>> > of congestion, we have to look at the O/S implementing broader rate
>> > limiting
>> > anyway.
>>
>> I'm not sure this scales in a useful manner...especially if you want
>> (for instance) to be able to read from your cloud/nas/etc at 'line
>> rate' but then limit access rates to other places because of 'dos'
>> concerns.
>
>
> No it is not simple at all!

I'm glad we agree about this.

> At a gut level, there is something wrong if a node is generating vast
> numbers of
> SYN messages and never doing anything more. But only looking for SYN floods
> at the network border means the attackers will attempt some Data as well.
>
> Working at the endpoint is a lot simpler but then we rely on the endpoint
> not
> being compromised which is a bad assumption for a machine doing DDoS
> attacks.
>

yes. there are a god number of 'not compromised' endpoints which also
are used for dos attacks. Complicit users are also a 'problem' to keep
in mind.

> The reason I am doing this work is to try to work out what controls to place
> where.Traditionally a firewall has been seen as a device that protects the
> local
> network from attacks coming in. But preventing outbound attacks is equally
> important. Nobody is going to bother attacking Comcast's customers if
> all their residential gateways have egress controls that make them
> useless as bots. Conversely nobody is going to pay for Comcast service
> if the egress controls makes it useless for browsing etc.
>

Right, this was my 'the controls are not that simple nor reasonable' comment.
ArborNetworks (for one simple example) has some decent heuristics in
place for 'anomalous traffic identification', you might ask them about
how some of that scales to 'residential gateway' sorts of locations.

Keep in mind that if you have 100,000 bots 10pps of icmp which seems
'reasonable' is 1mpps of icmp in aggregate at the far end of the
network. Individual end systems don't have to contribute much to cause
a problem.

Change icmp (becuse icmp is evil, right?) to http or https .. and
change 10pps to 1pps ... you still have a significant canon to aim
that will cause an outage for almost all websites (over 95% probably?
[note no citation] enough that 'almost all' counts). You also,
clearly, don't have to aim your http request to an actual webserver...
100kpps if syn traffic is really quite a lot for 'almost all'
endpoints on the internet to sink.

The problem of classification of traffic like this, without
coordination amongst your monitoring nodes, is ... hard.

>> Policy for that is not going to be clear, or simple, or reasonable.
>>
>> > If the case for multiple streams is better performance based on
>> > friendlier
>> > slow start parameters, maybe these should be allowed without the end
>> > run. If
>> > the net is surviving with people starting five streams instead of one,
>> > maybe
>> > the slow start parameters could start at five packets per destination
>> > host
>> > instead of one per connection. It would be a little more code to
>> > implement
>> > but speed is hardly an issue where its purpose is throttling anyway.
>>
>> More connections means you may avoid the 'random early drop' problem
>> for some of your connections, right? Presuming somewhere between
>> src/dest there's a thinner pipe (or more full pipe) and RED/etc is
>> employed (or just queue drops in general), putting all your eggs in
>> one connection basket is less helpful than 5 connection baskets.
>
>
> Hmm, again sounds like gaming the congestion parameters rather than
> an argument for a particular approach.
>

maybe? but if you look at SPDY/http2 I think the goal there is to stop
serializing, change to a binary and compressed format for data and add
channels inside the single tcp/udp stream. Fill the pipe as quickly as
possible and keep it full for the maximal amount of time.

>> One connection (one traditional http/tcp connection) also means object
>> serialization gets you as well. (I think roberto alludes to this
>> above)
>
>
> There are several necessary functions. One of them is MUX and another of
> them is serializing data from API calls. The question being which function
> each belongs at which layer.

v2.23.0 | Report a Bug | By Email