Re: Is the invariants draft really standards track?

[Paul Vixie <paul@redbarn.org>]

On Wednesday, 27 May 2020 16:06:57 UTC Lubashev, Igor wrote:
> I’m working on a manageability draft PR for this (how to rate limit UDP to
> reduce disruption to QUIC if you have to rate limit UDP).  ETA end of the
> week (if I do not get pulled into something again).
> 
> The relevant observation is that DDoS with UDP that is indistinguishable
> from QUIC will happen.  UDP is already the most prevalent DDoS vector,
> since it is easy for a compromised non-admin app to send a flood of huge
> UDP packets (with TCP you get throttled by the congestion controller).  So
> there WILL be DDoS protection devices out there to try to mitigate the
> problem, possibly by observing both directions of the flow and deciding
> whether a packet belongs to a valid flow or not.

+1.
 
> Since such middle boxes will be created, the more explicit and normative
> Invariants are about what one can expect, the less such middle boxes may
> decide for themselves.  For example (I did not think long about it), if
> some elements of path validation could land into Invariants (roughly, “no
> more than X packets/bytes can be sent on a new path w/o a return packet”),
> a DDoS middle box may use this fact and active connection migration might
> still have a chance during an attack (NAT rebinding could be linked by DDoS
> boxes to an old connection via unchanged CID).

this thinking ties in closely with my own manageability concern, which is 
policy control by managed private (endpoint) networks. right now the quic 
manageability draft is in a state where QUIC traffic is not identifiable, 
which is a goal for some but a problem for others. i'd like to be able to 
permit outbound QUIC through my firewall for most of the ways i do with TCP 
today, but i can't currently identify QUIC flows. i think that's the same 
problem as for your predicted "middlebox" situation.

-- 
Paul