IETF Logo Mail Archive

Re: [Ila] [5gangip] ILA forwaring [Was Re: Problem Statement]

Tom Herbert <tom@quantonium.net> Thu, 03 May 2018 17:46 UTC

Return-Path: <tom@quantonium.net>
X-Original-To: ila@ietfa.amsl.com
Delivered-To: ila@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B98C012EA8F for <ila@ietfa.amsl.com>; Thu, 3 May 2018 10:46:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=quantonium-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LoG0axX2QoHy for <ila@ietfa.amsl.com>; Thu, 3 May 2018 10:46:18 -0700 (PDT)
Received: from mail-wr0-x22d.google.com (mail-wr0-x22d.google.com [IPv6:2a00:1450:400c:c0c::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33C5E124217 for <ila@ietf.org>; Thu, 3 May 2018 10:46:18 -0700 (PDT)
Received: by mail-wr0-x22d.google.com with SMTP id f2-v6so6672872wrm.3 for <ila@ietf.org>; Thu, 03 May 2018 10:46:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quantonium-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=KD5XeQxBIvQe+rzE1Jfyb/F7xX529Yy/9A3H4GSofVA=; b=L+n3uKvGKAbEctV4aC5il91LfrKGPwCcOloesn7LUf8gMfcsCnIcCnAPicyRyhD8Iv T6DodJUl84F6dSnmoPvoGDoMUA7tRqle7FWB0iNJK0bsZxKuIkIEgiUR+S688gcIbRYB QsWnqSyKERxFfZ9RNfWmR8cWXqHHpUsbgXlC1rax6x0DKcNDNr3GsuasIfKhwasGdrzb 1R2GzfjAWJmHma5DhD7B8Ho4k52yUQ27Lk/OWXoSAPdPM/POr70CBzii1iO/cEeAx981 4qo4m8Kuqf/ADLNsPpSgbVgngbsX1pM3U78WlYA5KwJLepAocSux7cfLYoIPNhSZ8IIF Dvcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=KD5XeQxBIvQe+rzE1Jfyb/F7xX529Yy/9A3H4GSofVA=; b=hmdK64pB15BZSaeM1iYS019qCoe8O3sRrHECzbd8S5yuNZms4VqFp3btkvj6eWegI5 PTgyGklUuyfopB4Tkrd2odEjhz5Kyd+aPLiLJFtZH4+C3zpMuweLCVr0bUf1ht9D/wsh es4aoWWfVbIcKpjmYfPMTx9sBls+RrcMoBJvsxq9KXygXaI8Kc3EUoaR5r3SvIOLzMpy kmGQeUDk3UCO3z/XlEAjHXvhOzC7u6wYHN0o0t4O4cGpuiSUY7OuQ7Qdj7PiYnD563ga wNhyZeKEdJvbtMQQU6uCaAoImF+oBshph7SFNcY0v463GhpRlOVN5M02IHhanLfBlF42 R0Ag==
X-Gm-Message-State: ALQs6tD9YOH5JgEJQMUL+8xbC5R2fOn1iTtVzBAJ6XKoLpPgFy03FIgD /UsJ9RVGOdGqGdR1RZZ2bSrkx3oVbbgaAl1OkOiaYA==
X-Google-Smtp-Source: AB8JxZqnReLpwMyWF7blqS45L3Op4GtUuztaZFJ09x6bIh3Dapm+PfHQE/d3D2R1WIKARmlk0ctkebNAAJORT1s+iIw=
X-Received: by 2002:adf:db0b:: with SMTP id s11-v6mr18098526wri.241.1525369576447; Thu, 03 May 2018 10:46:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.128.227 with HTTP; Thu, 3 May 2018 10:46:15 -0700 (PDT)
In-Reply-To: <8aee42db5f0f407c86fda881769ceb77@HE105715.emea1.cds.t-internal.com>
References: <CALx6S37_oce-S0pEUgB8CpkWemcHhrb4HoDXUfPHZMGiokCqcA@mail.gmail.com> <253963a3-9e0b-2cb9-e216-745c6b99766c@joelhalpern.com> <CAPDqMeqsdG5FKtMaq9bjcJYDMw69Ow=OkeqMdba8aqRh9ayPrQ@mail.gmail.com> <08110014-adce-3f88-02d1-643871e46dcb@joelhalpern.com> <CALx6S34=Yeu3-hHTiVCOoQUM7KwvXPpGMmu8Ss-ZHeuOU6b7ug@mail.gmail.com> <CA+YHcKF3z+LoVE=18HMgTNTpCN+23dDjkDx8bhZzWPdTeiX-_Q@mail.gmail.com> <CAPDqMeqcy-9+_Dk0yp=j7icQkDTvYnkYiwAbvRCq3oJ7UPciQA@mail.gmail.com> <fdaafdea-7d59-2542-3bef-ae86e96782dd@joelhalpern.com> <CAPDqMeo+wgHGxn_eiH1c100W_0kN_3cFyfZMRPn5Be42d9F8Cw@mail.gmail.com> <8aee42db5f0f407c86fda881769ceb77@HE105715.emea1.cds.t-internal.com>
From: Tom Herbert <tom@quantonium.net>
Date: Thu, 03 May 2018 10:46:15 -0700
Message-ID: <CAPDqMeqgrOmoTstvJXnKCvG+WogQun_WvQGRg-V3Jm6OrnbFYw@mail.gmail.com>
To: Dirk.von-Hugo@telekom.de
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, Tom Herbert <tom@herbertland.com>, ila@ietf.org, Alberto Rodriguez-Natal <rodrigueznatal@gmail.com>, 5GANGIP <5gangip@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ila/cd5R-TNTsc3dPpvQJgwVcOjRP4U>
Subject: Re: [Ila] [5gangip] ILA forwaring [Was Re: Problem Statement]
X-BeenThere: ila@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Identifier Locator Addressing <ila.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ila>, <mailto:ila-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ila/>
List-Post: <mailto:ila@ietf.org>
List-Help: <mailto:ila-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ila>, <mailto:ila-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 17:46:22 -0000

On Thu, May 3, 2018 at 9:23 AM,  <Dirk.von-Hugo@telekom.de> wrote:
> Hi Tom,
> I understand you correctly that DDOS attacks can never be completely prevented whatever protocol you use.
> It will however always remain related to known IP addresses and the more versatile these are handled a mitigation strategy could be designed.

Dirk,

I disagree. IP addresses can too easily be spoofed, it's easy to hide
identity behind a NAT (see discussion about CGNAT and law enforcement
on int-area list), and trying to turn off individual addresses doesn't
work if it's a DDOS. This is nothing new. For instance, content
providers have long accepted the fact that they can't prevent SYN
attacks and there's little point to trying to go back to source IP
address (they are always spoofed in a SYN attack). The better strategy
is to absorb the attack and minimize the negative effects so that the
attack is not worth the effort.

> As you may have seen we mention improved handling of mapping systems and subsequently of DDOS protection also in the current version of our PS document https://github.com/bsarikaya/atic/blob/master/atick_problemstatement.3.txt which Behcet has announced recently.
> May I ask you to please comment on the ideas outlined there?

I don't see much difference in the latest version. For a problem
statement, I still think there is too much focus on the solutions and
not nearly enough description of what the actual problems are to be
solved.

Tom

> Thanks!

> Best Regards
> Dirk
>
> -----Original Message-----
> From: 5gangip [mailto:5gangip-bounces@ietf.org] On Behalf Of Tom Herbert
> Sent: Mittwoch, 2. Mai 2018 01:20
> To: Joel M. Halpern <jmh@joelhalpern.com>
> Cc: Tom Herbert <tom@herbertland.com>; ila@ietf.org; Alberto Rodriguez-Natal <rodrigueznatal@gmail.com>; 5GANGIP <5gangip@ietf.org>
> Subject: Re: [5gangip] [Ila] ILA forwaring [Was Re: Problem Statement]
>
> On Tue, May 1, 2018 at 3:49 PM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
>> You seem to be saying that even though not all DDOS attacks are
>> structurally the same, and even though if ILA were widely adopted not
>> all ILA networks would be structurally the same, there should
>> nonetheless be one required qay of handling DDOS?
>
> Yes, at least as core default in the protocol. It's precisely _because_ not all DDOS attacks are structurally the same. An attacker is not going to conform to to our expectations of what they should be doing, so if we enable LISP option N to mitigate one form of attack, they will just use another attack that isn't mitigated. For example, if the mitigation is to identify attackers by address when requests from the address exceed a threshold then this works as long as the attacker strikes from one machine, but it falls apart if the attacker launches a DDOS attack from several hosts where requests from none of the hosts exceed the threshold.
>
> The ILA model works because it assumes there is no absolute way to prevent the the worst case attack on a cache which is to completely kill it (i.e. drive it to 0% hit rate). In this state the behavior sub-optimal routing, which is much better than loss of service. This is not dependent on the structure of the attack, network topology, or the network operator getting the configuration just right-- it is inherent in the protocol.
>
> Tom
>
>>
>> Yours,
>> Joel
>>
>>
>> On 5/1/18 6:32 PM, Tom Herbert wrote:
>>>
>>> On Tue, May 1, 2018 at 2:59 PM, Alberto Rodriguez-Natal
>>> <rodrigueznatal@gmail.com> wrote:
>>>>
>>>> On Tue, May 1, 2018 at 10:16 AM, Tom Herbert <tom@herbertland.com> wrote:
>>>>>
>>>>>
>>>>> I think you've misunderstood my position. Caches are _very_
>>>>> important to eliminate the cost triangular routing (latency, average path load).
>>>>> This reduces latency and reduces average load on ILA-Rs. But, and
>>>>> this is the critical part, caches are only an _optimization_ in
>>>>> ILA. That means if the cache is rendered ineffective (like by a
>>>>> well crafted DOS
>>>>> attack) then the only effect is that the optimization is loss (i.e.
>>>>> greater latency due to triangular router)-- this is quantitively
>>>>> the worst effect of the attack on an ILA cache. This can be
>>>>> contrasted that to LISP where the worst case effects of a DOS
>>>>> attack on the cache is loss of service for users (infinite latency
>>>>> since packets can be dropped or indefinitely blocked on a cache miss).
>>>>
>>>>
>>>>
>>>> This can be misleading. This is not comparing LISP vs ILA, this is
>>>> comparing the models of Request/Reply at the edge vs Notifications
>>>> (aka Redirects) at the core. Both LISP-CP and ILAMP support these
>>>> two models.
>>>>
>>>> Besides, this is assuming an scenario where the only feasible DOS
>>>> mitigation is absorbing the attack. There are other scenarios where
>>>> other countermeasures are possible. For instance, if you have a
>>>> deployment where you can prevent address spoofing, counting and
>>>> blocking misbehaving nodes offers similar DOS protection and
>>>> requires way less infrastructure resources.
>>>>
>>> Alberto,
>>>
>>> The answer to my question of how does LISP address DOS attacks seems
>>> to be "there are many options". Some of the options are to assume
>>> that DOS does not exist in the network, some assume external
>>> configuration like address spoofing is enabled, some assume that
>>> attacks can be identified and can be stopped at the source, some
>>> might assume that everything is okay because there's never been a DOS
>>> attack before. I have yet to see the effects of any of these
>>> quantified, and none of these state how the LISP _protocol_ itself
>>> addresses DOS. It may seem counter-intuitive, but offering a bunch of
>>> options really is not necessarily a good thing-- sometime less is
>>> more. To put this another way LISP has been rejected from Linux
>>> precisely because of its susceptibility to DOS. If you were to try
>>> again and the best answer to the DOS question is that it's up to the
>>> operator to figure out the right options to use, then I believe it
>>> would be soundly rejected again. That approach does not work at scale.
>>>
>>> Tom
>>>
>>> _______________________________________________
>>> ila mailing list
>>> ila@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ila
>>>
>>
>
> _______________________________________________
> 5gangip mailing list
> 5gangip@ietf.org
> https://www.ietf.org/mailman/listinfo/5gangip

v2.23.0 | Report a Bug | By Email