Re: Is the invariants draft really standards track?
Paul Vixie <paul@redbarn.org> Sat, 20 June 2020 18:34 UTC
From: Paul Vixie <paul@redbarn.org>
To: IETF QUIC WG <quic@ietf.org>
Subject: Re: Is the invariants draft really standards track?
Date: Sat, 20 Jun 2020 18:34:41 +0000
Message-ID: <1621715.PBmxXT1aCC@linux-9daj>
Organization: none
In-Reply-To: <f9e2c611-bb4d-bc80-dfe3-e323a08bfc5b@huitema.net>
References: <CAM4esxQBqfrz24riPQA_VGKcGp_TzW0pqb97KfFMtNdW9pUfDg@mail.gmail.com> <CAM4esxRWVRjVhxyYuuzwDGq_wfTjQHkY6KHG2rEPErO2aHXA0w@mail.gmail.com> <f9e2c611-bb4d-bc80-dfe3-e323a08bfc5b@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4bvh9jTOoaBA90TK5hP9YoCtWtU>
On Friday, 19 June 2020 23:51:39 UTC Christian Huitema wrote:
> ...
>
> The DOS box does not have to worry about what kind of traffic is coming
> in. It just has to open a context for the 5 tuple, and check whether it
> sees 1-RTT packets coming back. And then maybe count the volume of 1-RTT
> packets coming back.
>
> The worry is that one of the bots might start a legitimate connection,
> then disclose its five tuple to the rest of the botnet. The whole botnet
> can then spoof the 5 tuple that was just pin-holed by the DOS box. A
> simple "open-close" logic is thus not good enough. The DOS box must also
> enforce some kind of rate limiting per 5 tuple.
>
> Which also means that if a botnet can predict the 5 tuple used by a
> legitimate connection and then spoof it, it can DOS it. Once you start
> digging that particular rabbit hole, the joy never stops...

pinholing based on outbound is the worst possible solution to DDoS, except for all the others. stateful firewalls of this kind create _almost_ as many problems as they solve, and would not be used if an alternative existed.

this is a BCP38 problem not a QUIC problem. QUIC's only responsibility is to not make this known-bad situation worse.

there are two important ways that QUIC can avoid making the situation worse.

first, make connection mobility an outbound-first activity for initiators. the new 5-tuple would have to be negotiated in-band, and the first packet of the new flow would have to come from the initiator, to create the new pinhole.

second, make the new flow identifiable by the DOS box (or other filtering router such as a firewall box) using some low-entropy invariant. at the moment all we have to go on for detecting new outbound QUIC flows is a destination UDP port number, and that's both constraining and fragile.

-- 
Paul
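The exchange above makes two points that are easy to see in a model: a plain "open on outbound, close on timeout" pinhole admits an unbounded spoofed flood once a bot has leaked its 5-tuple, so the filtering box needs a per-5-tuple rate limit as well; and connection migration is only safe behind such a box if the initiator's outbound packet on the new path comes first. The following is an added, constructed simulation written for this archive page, not code from the thread, from either author, or from any QUIC implementation. The firewall class, the token-bucket parameters (100 packets/s, burst 200), the idle timeout and all addresses and ports are assumptions chosen for illustration; the low-entropy flow invariant Paul asks for is not modelled, since the thread does not define one.

```python
# Added example (not from the thread): toy model of an outbound-pinholing
# "DOS box", with and without per-5-tuple rate limiting.
from dataclasses import dataclass

# A 5-tuple is (src_ip, src_port, dst_ip, dst_port, proto). Pinholes are
# keyed on the OUTBOUND tuple, so an inbound packet is matched on its reverse.
def reverse(ft):
    src_ip, src_port, dst_ip, dst_port, proto = ft
    return (dst_ip, dst_port, src_ip, src_port, proto)


@dataclass
class Pinhole:
    last_seen: float
    tokens: float        # token bucket for inbound packets on this pinhole
    last_refill: float
    dropped: int = 0     # inbound packets refused by the rate limiter


class PinholeFirewall:
    """Stateful filter: admit an inbound packet only if an inside host already
    sent outbound on that 5-tuple; optionally rate-limit per pinhole."""

    def __init__(self, rate_limit=True, rate_pps=100.0, burst=200.0, idle_timeout=30.0):
        self.rate_limit = rate_limit    # False = the "open-close" logic alone
        self.rate_pps = rate_pps        # assumed sustained inbound budget per 5-tuple
        self.burst = burst              # assumed bucket depth
        self.idle_timeout = idle_timeout
        self.table = {}

    def outbound(self, ft, now):
        """Inside host sends a packet: open (or refresh) the pinhole for ft."""
        ph = self.table.get(ft)
        if ph is None:
            self.table[ft] = Pinhole(last_seen=now, tokens=self.burst, last_refill=now)
        else:
            ph.last_seen = now

    def inbound(self, ft, now):
        """Outside host sends a packet: admit only if the reverse tuple is
        pinholed, not idle-expired, and (if enabled) the bucket has budget."""
        key = reverse(ft)
        ph = self.table.get(key)
        if ph is None:
            return False
        if now - ph.last_seen > self.idle_timeout:
            del self.table[key]
            return False
        if self.rate_limit:
            ph.tokens = min(self.burst, ph.tokens + (now - ph.last_refill) * self.rate_pps)
            ph.last_refill = now
            if ph.tokens < 1.0:
                ph.dropped += 1
                return False
            ph.tokens -= 1.0
        ph.last_seen = now
        return True


# Constructed addresses (documentation ranges), not real hosts.
CLIENT, SERVER, STRANGER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
UDP = 17


def simulate(rate_limit):
    """Constructed scenario: a legitimate QUIC flow, one unsolicited inbound
    packet, a botnet flood spoofing the pinholed 5-tuple, then a migration."""
    fw = PinholeFirewall(rate_limit=rate_limit)
    path1 = (CLIENT, 40000, SERVER, 443, UDP)
    fw.outbound(path1, now=0.0)                         # client Initial opens the pinhole
    first_reply = fw.inbound(reverse(path1), now=0.01)  # server's reply is admitted
    unsolicited = fw.inbound((STRANGER, 443, CLIENT, 40000, UDP), now=0.02)
    # The bot has disclosed its 5-tuple; the botnet spoofs the server's side of it
    # and sends 10000 packets at t=1.0 (enough time for the bucket to refill).
    spoofed = (SERVER, 443, CLIENT, 40000, UDP)
    flood_admitted = sum(fw.inbound(spoofed, now=1.0) for _ in range(10000))
    # Migration to a new 5-tuple: inbound on the new path before any outbound
    # from the initiator has no pinhole and is dropped; after the initiator's
    # first packet on the new path, the server's packets get through.
    path2 = (CLIENT, 40001, SERVER, 443, UDP)
    premature = fw.inbound(reverse(path2), now=2.0)
    fw.outbound(path2, now=2.1)
    after_probe = fw.inbound(reverse(path2), now=2.2)
    return {
        "first_reply": first_reply,
        "unsolicited": unsolicited,
        "flood_admitted": flood_admitted,
        "flood_dropped": fw.table[path1].dropped,
        "premature_migration": premature,
        "migration_after_outbound": after_probe,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("rate_limit=%s: %s" % (mode, simulate(mode)))
```

With the open-close logic alone, every one of the 10000 spoofed packets is admitted because they match the pinhole; with the per-5-tuple bucket, only the 200-packet burst gets through and the remaining 9800 are counted as dropped. The migration half shows why "outbound-first" matters behind such a box: the server's packet on the new path is refused until the initiator has sent on it. The model also exposes the caveat Christian raises, that a spoofer who can predict the 5-tuple consumes the legitimate flow's budget, which is why the thread treats this as a BCP38 problem rather than something QUIC can fully solve.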