Re: Is the invariants draft really standards track?
Paul Vixie <paul@redbarn.org> Wed, 27 May 2020 20:44 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5C9B3A0B8E for <quic@ietfa.amsl.com>; Wed, 27 May 2020 13:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRiQyIRiVrTn for <quic@ietfa.amsl.com>; Wed, 27 May 2020 13:44:40 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D6B03A0B90 for <quic@ietf.org>; Wed, 27 May 2020 13:44:40 -0700 (PDT)
Received: from linux-9daj.localnet (vixp1.redbarn.org [24.104.150.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 60226B074A; Wed, 27 May 2020 20:44:38 +0000 (UTC)
From: Paul Vixie <paul@redbarn.org>
To: Christian Huitema <huitema@huitema.net>, Kyle Rose <krose@krose.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>, quic@ietf.org
Cc: Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>, Martin Duke <martin.h.duke@gmail.com>, Jared Mauch <jared@puck.nether.net>, "Lubashev, Igor" <ilubashe=40akamai.com@dmarc.ietf.org>
Subject: Re: Is the invariants draft really standards track?
Date: Wed, 27 May 2020 20:44:32 +0000
Message-ID: <4396640.VYLyhTF5Y9@linux-9daj>
Organization: none
In-Reply-To: <f4922cdb59014202900de44cc5fea0ff@usma1ex-dag1mb5.msg.corp.akamai.com>
References: <CAM4esxQBqfrz24riPQA_VGKcGp_TzW0pqb97KfFMtNdW9pUfDg@mail.gmail.com> <9cd91c24-c730-22a4-7aa0-baf61613b3ce@huitema.net> <f4922cdb59014202900de44cc5fea0ff@usma1ex-dag1mb5.msg.corp.akamai.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/62YK8uJsDyXSNkGdcCjAF_13jFg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2020 20:44:44 -0000
On Wednesday, 27 May 2020 16:06:57 UTC Lubashev, Igor wrote: > I’m working on a manageability draft PR for this (how to rate limit UDP to > reduce disruption to QUIC if you have to rate limit UDP). ETA end of the > week (if I do not get pulled into something again). > > The relevant observation is that DDoS with UDP that is indistinguishable > from QUIC will happen. UDP is already the most prevalent DDoS vector, > since it is easy for a compromised non-admin app to send a flood of huge > UDP packets (with TCP you get throttled by the congestion controller). So > there WILL be DDoS protection devices out there to try to mitigate the > problem, possibly by observing both directions of the flow and deciding > whether a packet belongs to a valid flow or not. +1. > Since such middle boxes will be created, the more explicit and normative > Invariants are about what one can expect, the less such middle boxes may > decide for themselves. For example (I did not think long about it), if > some elements of path validation could land into Invariants (roughly, “no > more than X packets/bytes can be sent on a new path w/o a return packet”), > a DDoS middle box may use this fact and active connection migration might > still have a chance during an attack (NAT rebinding could be linked by DDoS > boxes to an old connection via unchanged CID). this thinking ties in closely with my own manageability concern, which is policy control by managed private (endpoint) networks. right now the quic manageability draft is in a state where QUIC traffic is not identifiable, which is a goal for some but a problem for others. i'd like to be able to permit outbound QUIC through my firewall for most of the ways i do with TCP today, but i can't currently identify QUIC flows. i think that's the same problem as for your predicted "middlebox" situation. -- Paul
- Is the invariants draft really standards track? Martin Duke
- Re: Is the invariants draft really standards trac… Martin Thomson
- Re: Is the invariants draft really standards trac… Roberto Peon
- Re: Is the invariants draft really standards trac… Ian Swett
- Re: Is the invariants draft really standards trac… Jana Iyengar
- Re: Is the invariants draft really standards trac… Lars Eggert
- Re: Is the invariants draft really standards trac… Ian Swett
- Re: Is the invariants draft really standards trac… Martin Duke
- Re: Is the invariants draft really standards trac… Kyle Rose
- Re: Is the invariants draft really standards trac… Christian Huitema
- Re: Is the invariants draft really standards trac… Jana Iyengar
- RE: Is the invariants draft really standards trac… Lubashev, Igor
- Re: Is the invariants draft really standards trac… Jared Mauch
- Re: Is the invariants draft really standards trac… Paul Vixie
- Re: Is the invariants draft really standards trac… Martin Duke
- Re: Is the invariants draft really standards trac… Martin Duke
- RE: Is the invariants draft really standards trac… Lubashev, Igor
- Re: Is the invariants draft really standards trac… Martin Duke
- RE: Is the invariants draft really standards trac… Lubashev, Igor
- Re: Is the invariants draft really standards trac… Christian Huitema
- Re: Is the invariants draft really standards trac… Benjamin Kaduk
- Re: Is the invariants draft really standards trac… Ted Hardie
- Re: Is the invariants draft really standards trac… Christian Huitema
- Re: Is the invariants draft really standards trac… Martin Duke
- Re: Is the invariants draft really standards trac… Christian Huitema
- Re: Is the invariants draft really standards trac… Martin Duke
- Re: Is the invariants draft really standards trac… Paul Vixie
- RE: Is the invariants draft really standards trac… Mike Bishop
- Re: Is the invariants draft really standards trac… Paul Vixie