IETF Logo Mail Archive

Re: [Marnew] my summary

Brian Trammell <ietf@trammell.ch> Tue, 29 September 2015 13:35 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: marnew@ietfa.amsl.com
Delivered-To: marnew@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBC091B3E62 for <marnew@ietfa.amsl.com>; Tue, 29 Sep 2015 06:35:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PLBhmdVt3wH9 for <marnew@ietfa.amsl.com>; Tue, 29 Sep 2015 06:35:26 -0700 (PDT)
Received: from trammell.ch (trammell.ch [5.148.172.66]) by ietfa.amsl.com (Postfix) with ESMTP id 6A6141B3E5D for <marnew@iab.org>; Tue, 29 Sep 2015 06:35:21 -0700 (PDT)
Received: from [IPv6:2001:67c:10ec:2a49:8000::b9] (unknown [IPv6:2001:67c:10ec:2a49:8000::b9]) by trammell.ch (Postfix) with ESMTPSA id 0F8361A06FF; Tue, 29 Sep 2015 15:34:50 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_0149C246-6010-434E-92AC-B7FDDEDA9910"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.5.2
From: Brian Trammell <ietf@trammell.ch>
In-Reply-To: <7B7BA9CF-9ECA-4897-B3AB-37540FA20BBF@cisco.com>
Date: Tue, 29 Sep 2015 15:34:49 +0200
Message-Id: <BAB676F2-367F-463B-8741-6EB2D4731F7A@trammell.ch>
References: <9EA9C328-40DB-41E8-8D85-82755A353745@piuha.net> <82AB329A76E2484D934BBCA77E9F52499A09CB9B@Hydra.office.hd> <CAD6AjGSBZE+EqMS6tee=o8a_DqaA32Xq5ZkxaE51z0jDZQVQtw@mail.gmail.com> <56098074.9050106@vasonanetworks.com> <CAGD1bZbiDqS+koH5ULv8ianzasZ9dw907TbrULGdbQheKB0RcQ@mail.gmail.com> <CAD6AjGRGrBQwn+Q24SBT1FU-Hm8dOJgrmqEQ4kq31dEGYq7=vA@mail.gmail.com> <CAGD1bZZ5H2B7T-Q9HXTj-5UjSEtD8yttz1MNY3OoLbOa88abOA@mail.gmail.com> <7B7BA9CF-9ECA-4897-B3AB-37540FA20BBF@cisco.com>
To: "marnew@iab.org" <marnew@iab.org>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/marnew/9DDCm7oVIcSnBXRVvuGvj5UipFM>
Cc: Vijay Devarapalli <vijay@vasonanetworks.com>, Dirk Kutscher <Dirk.Kutscher@neclab.eu>, Jari Arkko <jari.arkko@piuha.net>, 🔓Dan Wing <dwing@cisco.com>, Jana Iyengar <jri@google.com>, Ca By <cb.list6@gmail.com>
Subject: Re: [Marnew] my summary
X-BeenThere: marnew@iab.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Managing Radio Networks in an Encrypted World <marnew.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/marnew>, <mailto:marnew-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/marnew/>
List-Post: <mailto:marnew@iab.org>
List-Help: <mailto:marnew-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/marnew>, <mailto:marnew-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2015 13:35:28 -0000

(Catching up on the Marnew threads; really sorry I couldn't make it to Atlanta for the workshop... let me jump in here)

> On 29 Sep 2015, at 01:10, 🔓Dan Wing <dwing@cisco.com> wrote:
> 
> 
> On 28-Sep-2015 03:40 pm, Jana Iyengar <jri@google.com> wrote:
>> Cameron,
>> 
>> I do not believe UDP is the only path to evolve the transport layer.
>> 
>> It is unfortunate that you believe that.
>> 
>> It's not a matter of belief -- SCTP is being deployed over UDP for WebRTC, and so's QUIC, and these are the most significant evolution of deployed end-to-end protocols today. I think this is largely consensus at this point, and I don't think debating this point is particularly interesting. If UDP-based protocols are doomed to fail, we're only going to find out by trying and failing to deploy, and I'm happy to change my perspective at that point. Until then, I'd like to focus conversations on how to get them deployed.
> 
> A distinguisher between 'attack traffic' and 'non attack traffic' is necessary.

We are helped here by the fact that there are bit-strings that are valid in commonly-compromised UDP protocols, and there are bit strings that are invalid. If (1) we presume that the set of commonly-compromised UDP protocols stays constant -- i.e. you can use old, broken stuff to mount amplifying reflection attacks but new protocols will be built with care to avoid amplification -- and (2) we carefully design UDP-based encapsulations and transport protocols such that are guaranteed to contain a string of bits in the first n bits which will not appear on one of the commonly-compromised protocols, then simple bit-string comparison can be used to distinguish SPUD/QUIC'/whatever from "possibly garbage UDP".

This does nothing against compromised machines sending UDP garbage with the SPUD/QUIC'/whatever magic bits, but nothing keeps them from SYN flooding, either. Except perhaps BCP38, which I note has already been mentioned.

>  For the WebRTC data channel there are consent packets (draft-ietf-rtcweb-stun-consent-freshness) and for TCP there are ACKs.

And we presume other transports over UDP will have similar mechanisms; see section 3.7 of https://tools.ietf.org/html/draft-trammell-stackevo-explicit-coop-00 for some initial reflections on this.

Cheers,

Brian


>  If we can't get new protocols into the the OS kernel and thus trust the kernels to prevent attacks, something similarly low level needs to exist for other protocols to enabling filtering of attack traffic versus good traffic.
> 
> -d
> 
> 
> _______________________________________________
> Marnew mailing list
> Marnew@iab.org
> https://www.iab.org/mailman/listinfo/marnew

v2.23.0 | Report a Bug | By Email