Re: Is the invariants draft really standards track?

Paul Vixie <paul@redbarn.org> Sat, 20 June 2020 18:34 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35C183A08BB for <quic@ietfa.amsl.com>; Sat, 20 Jun 2020 11:34:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNLMAvJnSIC5 for <quic@ietfa.amsl.com>; Sat, 20 Jun 2020 11:34:47 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75BC23A07EA for <quic@ietf.org>; Sat, 20 Jun 2020 11:34:46 -0700 (PDT)
Received: from linux-9daj.localnet (dhcp-166.access.rits.tisf.net [24.104.150.166]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (1024 bits) server-digest SHA256) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 25C9AB07D0 for <quic@ietf.org>; Sat, 20 Jun 2020 18:34:44 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: IETF QUIC WG <quic@ietf.org>
Subject: Re: Is the invariants draft really standards track?
Date: Sat, 20 Jun 2020 18:34:41 +0000
Message-ID: <1621715.PBmxXT1aCC@linux-9daj>
Organization: none
In-Reply-To: <f9e2c611-bb4d-bc80-dfe3-e323a08bfc5b@huitema.net>
References: <CAM4esxQBqfrz24riPQA_VGKcGp_TzW0pqb97KfFMtNdW9pUfDg@mail.gmail.com> <CAM4esxRWVRjVhxyYuuzwDGq_wfTjQHkY6KHG2rEPErO2aHXA0w@mail.gmail.com> <f9e2c611-bb4d-bc80-dfe3-e323a08bfc5b@huitema.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4bvh9jTOoaBA90TK5hP9YoCtWtU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Jun 2020 18:34:49 -0000

On Friday, 19 June 2020 23:51:39 UTC Christian Huitema wrote:
> ...
> 
> The DOS box does not have to worry about what kind of traffic is coming
> in. It just has to open a context for the 5 tuple, and check whether it
> sees 1-RTT packets coming back. And then maybe count the volume of 1-RTT
> packets coming back.
> 
> The worry is that one of the bots might start a legitimate connection,
> then disclose its five tuple to the rest of the botnet. The whole botnet
> can then spoof the 5 tuple that was just pin-holed by the DOS box. A
> simple "open-close" logic is thus not good enough. The DOS box must also
> enforce some kind of rate limiting per 5 tuple.
> 
> Which also means that if a botnet can predict the 5 tuple used by a
> legitimate connection and then spoof it, it can DOS it. Once you start
> digging that particular rabbit hole, the joy never stops...

pinholing based on outbound is the worst possible solution to DDoS, except for 
all the others. stateful firewalls of this kind create _almost_ as many 
problems as they solve, and would not be used if an alternative existed. this 
is a BCP38 problem not a QUIC problem. QUIC's only responsibility is to not 
make this known-bad situation worse.

there are two important ways that QUIC can avoid making the situation worse.

first, make connection mobility an outbound-first activity for initiators. the 
new 5-tuple would have to be negotiated in-band, and the first packet of the 
new flow would have to come from the initiator, to create the new pinhole.

second, make the new flow identifiable by the DOS box (or other filtering 
router such as a firewall box) using some low-entropy invariant. at the moment 
all we have to go on for detecting new outbound QUIC flows is a destination 
UDP port number, and that's both constraining and fragile.

-- 
Paul