Re: [Ila] [5gangip] ILA forwaring [Was Re: Problem Statement]

[Tom Herbert <tom@quantonium.net>]

On Tue, May 1, 2018 at 10:22 AM, Joel M. Halpern <jmh@joelhalpern.com> wrote:
> I am not sure I follow.
> If I am reading you right, you suggest that dropping cache usage during a
> DOS attack is a useful feature.

No, that's not what I am saying. The DOS attack is on the cache in an
attempt to make every packet, including legitimate ones, take a cache
miss. This can be done by downstream devices flooding the cache node
where each packet contains a randomized address in the identifier
locator domain. In the case of ILA the packets are forwarded on the
cache miss and will be dropped if they are being sent to bogus
addresses (no route at ILA-R) packets that have routes are forwarded
as normal.

> If the system is engineered to operate well using local caches in the ILA,
> then dropping cache usage would seem to result in a DOS attack on the ILA-R
> infrastructure as it will have to handle a sustained packet load much higher
> than its design target.
>
Yes, the network needs to be properly provisioned (although these are
basically routers that would have to be in the path anyway). As I
said, if you're assuming that caches will always have some hit rate
that is the opening for a DOS attack.

Tom

> Yours,
> Joel
>
>
> On 5/1/18 1:16 PM, Tom Herbert wrote:
>>
>> On Tue, May 1, 2018 at 9:58 AM, Joel M. Halpern <jmh@joelhalpern.com>
>> wrote:
>>>
>>> If you do not use caches in your ILA-Ns (and yes, I understand your
>>> reasoning for not doing so), then you are constructing an overlay
>>> network.
>>> One of the arguments I was given for using ILA was to enable direct
>>> forwarding of packets effectively without needing to have routing track
>>> the
>>> moving entities.  Without caches, you are pushing all the traffic through
>>> fewer entities.  And you seem to be either using a lot of ILA-R with
>>> concomitant information distribution or few ILA-R restricting the
>>> information distribution problem but instead having traffic concentration
>>> problems.
>>>
>>> I understood from your earlier presentation that the ILA-r using the
>>> packet
>>> as a signal was to avoid dropping the first packet, and as a side-effect
>>> not
>>> needing a separate query message.
>>> Now you seem to be saying that your think it important to support not
>>> having
>>> caches in the ILA-Ns, which is a VERY different trade-off.
>>>
>> Joel,
>>
>> I think you've misunderstood my position. Caches are _very_ important
>> to eliminate the cost triangular routing (latency, average path load).
>> This reduces latency and reduces average load on ILA-Rs. But, and this
>> is the critical part, caches are only an _optimization_ in ILA. That
>> means if the cache is rendered ineffective (like by a well crafted DOS
>> attack) then the only effect is that the optimization is loss (i.e.
>> greater latency due to triangular router)-- this is quantitively the
>> worst effect of the attack on an ILA cache. This can be contrasted
>> that to LISP where the worst case effects of a DOS attack on the cache
>> is loss of service for users (infinite latency since packets can be
>> dropped or indefinitely blocked on a cache miss).
>>
>> Tom
>>
>>> Yours,
>>> Joel
>>>
>>>
>>> On 5/1/18 12:37 PM, Tom Herbert wrote:
>>>>
>>>>
>>>> On Tue, May 1, 2018 at 9:10 AM, Joel M. Halpern <jmh@joelhalpern.com>
>>>> wrote:
>>>>>
>>>>>
>>>>> Three reactions, all personal opinion (in case someone thinks my having
>>>>> helped chair the BoF is in any way relevant; it isn't):
>>>>>
>>>>> 1) If ILA-Ns do not have caches, the ILA-Rs will become hot-spots in
>>>>> the
>>>>> network.  Yes, you have provision for multiple of them sharing load.
>>>>> However, if that sharing gets to be a significant percentage of teh
>>>>> routers
>>>>> in the network, then there is no point in having bothered with ILA, you
>>>>> are
>>>>> just routing on the SIR.
>>>>>
>>>> Joel,
>>>>
>>>> If you provision a network (or any system really) based on an
>>>> assumption that caches will always attain some hit rate this is a
>>>> fundamental mistake. One of the goals of a DOS attack would be to
>>>> drive the hit rate to zero in which case someone will be in a world of
>>>> hurt. Caches and DOS are a hard mix to contend with in nearly any
>>>> context, that's why it's much better to view caches as an optimization
>>>> rather than a requirement. They can be used to alleviate load, but
>>>> that cannot be relied upon.
>>>>
>>>> I would also point out that caches only make sense as internal devices
>>>> for intra domain communications. This does not make sense for edge
>>>> routers that would need to create a working set cache for any
>>>> aribtrary load of traffic from the Internet.
>>>>
>>>>> 2) As far as I can tell, when some ILA-N have caches, the ILA-R have no
>>>>> way
>>>>> of knowing whether the ILA-N have caches or not.  I can understand what
>>>>> happens if all ILA-N in a network have the same cache state (either
>>>>> they
>>>>> all
>>>>> have caches or they all do not have caches).  But I do not know what
>>>>> behavior you expect of an ILA-R if the ILA-N are not uniform. Given the
>>>>> hot-spot issue above, I think you need to really explain why ILA-N
>>>>> would
>>>>> not
>>>>> ahve caches.
>>>>>
>>>> ILA-Rs and ILA-Ns communicate via ILAMP protocol. That can include
>>>> capabilities description.
>>>>
>>>>> 3 - Minor) Your usage of "sharding" seems odd.  You are simply dividing
>>>>> the
>>>>> domain into address blocks, and distributing responsibility for those
>>>>> blocks
>>>>> separately.  In other contexts, sharding seems to be used more
>>>>> generally
>>>>> for
>>>>> having subcollections of the data which can be moved around.
>>>>>
>>>> Sharding is a database term that describes partitioning of the
>>>> database into smaller chunks for manageablibilty. That is what is
>>>> happening here (literally in the implementation since we are use a
>>>> database backend).
>>>>
>>>> Tom
>>>>
>>>
>