Re: Quic: the elephant in the room

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 12 April 2021 16:48 UTC

References: <3b25c77d-e721-e86d-6c34-a90039aab0e2@mtcc.com> <CAMm+Lwhi8xwFgZJL7jod2g4urZt_f+dm0tNi+3y1osqOfch2mQ@mail.gmail.com> <3593a01f-73f4-7d03-a85b-dff64a8b070e@mtcc.com> <506A780B-9C0D-4F4A-B045-098F6152F4DB@akamai.com> <14cd802e-2a1b-97d4-c80d-b57f93e8cc21@mtcc.com> <E4374100-265E-4426-9F9A-AC437DA31D2B@depht.com> <15059e21-b7c2-4211-869e-df3ffdf7c34a@mtcc.com> <CAMm+LwgnoqXKNSKxt0-rDa8ze6J9LsZz0jVeogBXAWNDveC_ZQ@mail.gmail.com> <20210412155121.GQ9612@localhost> <CAMm+LwhndGSN=V3j8-DAYo5WdtSJXHCh7TyQ3uZXEKn_0AoA6g@mail.gmail.com> <20210412161009.GS9612@localhost>
In-Reply-To: <20210412161009.GS9612@localhost>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Mon, 12 Apr 2021 12:48:28 -0400
Message-ID: <CAMm+LwiLA0ynqFoniSfn0TumFaQB2SS-OKrtkjyJJonJF7Hq5w@mail.gmail.com>
Subject: Re: Quic: the elephant in the room
To: Nico Williams <nico@cryptonector.com>
Cc: Michael Thomas <mike@mtcc.com>, IETF Discussion Mailing List <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/jN-OXvQpOvcUdHsKY73z3nNr-JQ>

On Mon, Apr 12, 2021 at 12:10 PM Nico Williams <nico@cryptonector.com>
wrote:

> On Mon, Apr 12, 2021 at 11:59:58AM -0400, Phillip Hallam-Baker wrote:
>
> > > As long as it's not over UDP, or otherwise first has a return
> > > routability check.
> >
> > I don't follow.
>
> "No magnification DDoS please"
>

Oh, I have that built into the key exchange phase.


> > If you have a low level IoT device, you are probably better off doing
> > path math properly in one trusted device in your network than relying
> > on whatever embedded code is running in your toaster.
>
> Absolutely.  There is a trade-off to make.  Low-power && low-value RPs
> should prefer stapling, or even a local caching recursive resolver to do
> all the lookups and signature verification too.
>

If I was still doing PKIX, my long term plan would be to get rid of OCSP
and move to short lived certs created using thresholded techniques. But I
am not and nobody is paying me to think about that world any more.
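The exchange above turns on one mechanism: before a server answers a UDP first flight with anything large, it must first check that the source address can actually receive packets, otherwise the handshake becomes an amplifier for spoofed traffic. What follows is an added illustration of that return-routability check, written for this page; it is not code from the thread, not Phillip Hallam-Baker's key exchange, and not any QUIC implementation. It uses a stateless cookie (an HMAC over the client's address and a time bucket) the way QUIC Retry and DTLS HelloVerifyRequest do, plus a byte budget for unvalidated addresses. The message names (`HELLO`, `RETRY`, `CERTCHAIN`), the 1200-byte padding floor, the 3x budget, the 60-second cookie lifetime and the sample addresses are all assumptions chosen for the example (the padding floor and 3x factor happen to match QUIC's, but nothing here is taken from a QUIC stack).

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# All parameters below are assumptions for this illustration, not values from the thread.
MIN_HELLO_SIZE = 1200        # a client's first datagram must be padded to this size
AMPLIFICATION_FACTOR = 3     # bytes the server may send an unvalidated address per byte received from it
COOKIE_LIFETIME = 60         # seconds a cookie stays acceptable
BIG_FLIGHT = b"CERTCHAIN:" + b"X" * 4000   # constructed stand-in for a large server flight (certs etc.)


def make_cookie(secret: bytes, addr: tuple, now: float) -> bytes:
    """Stateless cookie: HMAC over the client's source address and a time bucket.

    The server stores nothing until the cookie comes back, and only a host that
    really receives packets at `addr` can learn its value. Hex-encoded so the
    datagram padding (NUL bytes) can be stripped without ambiguity.
    """
    bucket = int(now) // COOKIE_LIFETIME
    msg = f"{addr[0]}:{addr[1]}:{bucket}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32].encode()


def cookie_valid(secret: bytes, addr: tuple, cookie: bytes, now: float) -> bool:
    """Accept the current and the previous time bucket (a cookie issued just
    before a boundary must still work); compare in constant time."""
    return any(
        hmac.compare_digest(make_cookie(secret, addr, now - shift), cookie)
        for shift in (0, COOKIE_LIFETIME)
    )


class Server:
    """UDP handshake responder that refuses to amplify toward unverified addresses."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or os.urandom(32)
        self.validated: set = set()
        self.received: dict = {}   # addr -> bytes received while still unvalidated
        self.sent: dict = {}       # addr -> bytes sent while still unvalidated

    def _within_budget(self, addr: tuple, reply: bytes) -> bool:
        return (self.sent.get(addr, 0) + len(reply)
                <= AMPLIFICATION_FACTOR * self.received.get(addr, 0))

    def handle(self, addr: tuple, datagram: bytes, now: Optional[float] = None) -> Optional[bytes]:
        """Process one datagram from `addr`; return the reply bytes, or None to drop."""
        now = time.time() if now is None else now
        kind, _, body = datagram.rstrip(b"\0").partition(b":")
        if kind != b"HELLO":
            return None
        if addr in self.validated:
            return BIG_FLIGHT                     # routability already proven for this address
        self.received[addr] = self.received.get(addr, 0) + len(datagram)
        if len(datagram) < MIN_HELLO_SIZE:
            return None                           # unpadded first flight: too cheap for an attacker, drop
        if body == b"":
            reply = b"RETRY:" + make_cookie(self.secret, addr, now)
            if not self._within_budget(addr, reply):
                return None                       # never exceed the pre-validation byte budget
            self.sent[addr] = self.sent.get(addr, 0) + len(reply)
            return reply
        if cookie_valid(self.secret, addr, body, now):
            self.validated.add(addr)              # the big flight is only ever sent past this point
            return BIG_FLIGHT
        return None                               # wrong or stale cookie


def _padded(body: bytes) -> bytes:
    """Client-side framing: HELLO plus optional cookie, NUL-padded to the floor."""
    return (b"HELLO:" + body).ljust(MIN_HELLO_SIZE, b"\0")


def client_handshake(server: Server, addr: tuple, now: float = 1_700_000_000.0) -> Optional[bytes]:
    """Honest client: padded HELLO, echo the cookie, receive the big flight."""
    first = server.handle(addr, _padded(b""), now)
    if first is None or not first.startswith(b"RETRY:"):
        return None
    return server.handle(addr, _padded(first[len(b"RETRY:"):]), now)


def spoofed_attack(server: Server, victim: tuple, attempts: int, now: float = 1_700_000_000.0):
    """Attacker forges `victim` as the source, so it never sees the RETRY. Returns
    (bytes the attacker sent, bytes the victim received, whether a big flight ever went out)."""
    sent = victim_got = 0
    big = False
    for i in range(attempts):
        guess = b"" if i % 2 == 0 else os.urandom(16).hex().encode()   # blind cookie guess
        dg = _padded(guess)
        sent += len(dg)
        reply = server.handle(victim, dg, now)
        if reply is not None:
            victim_got += len(reply)
            big = big or reply.startswith(b"CERTCHAIN:")
    return sent, victim_got, big


if __name__ == "__main__":
    srv = Server()
    print("honest client gets big flight:", client_handshake(srv, ("198.51.100.5", 50000)) == BIG_FLIGHT)
    print("spoofed attack (sent, victim got, big flight?):", spoofed_attack(srv, ("203.0.113.7", 443), 10))
```

The two properties worth checking are that the honest client completes in one round trip of extra cost, and that an attacker spoofing a victim's address pays more bytes than the victim receives and can never trigger the large flight. The cookie is bound to the address, so a cookie obtained from one's own address does not validate a forged one, and it expires after two time buckets. This is the same trade-off Nico points at for low-power devices: the check costs the server no per-client state, but it does cost the client a round trip.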