Re: Is the invariants draft really standards track?

Martin Duke <martin.h.duke@gmail.com> Thu, 18 June 2020 00:17 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB983A07AF for <quic@ietfa.amsl.com>; Wed, 17 Jun 2020 17:17:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXg9SZxUdST3 for <quic@ietfa.amsl.com>; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
Received: from mail-il1-x12a.google.com (mail-il1-x12a.google.com [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C85773A07A5 for <quic@ietf.org>; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
Received: by mail-il1-x12a.google.com with SMTP id b5so4142184iln.5 for <quic@ietf.org>; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SJJvauAYKKKDk/0UjyDGqOOvhkWIGSs6w+RuK6gGFv4=; b=u96JxUmdM2p+2VmcU0Lk0HdccRu4VvnklFJ6gwUhZ5bvBjV5CuG5d6frpqCBu2isU4 G/Kk3LLc2sMK8kVkalWC9eEIvX+cK2HaW094O3WcxoZ+RKdYsc+tBHlYPzYeO+98wz4o /V6iLJpd9/a1di1fx7IJGlKfwV7BXF0rj00vxEjOsRoOnT7ue1VpV0k8x5JBY0TQtm1j USjLyHkt+LZnj+a1euqfU8k1qCFZqI4ohsY5IRaWGAqmvEoMFY3H36c/U7zM19UM9iSp L+nhkTaRMojdfgvnlxGUDdrqtdd911GSOnE3zWafjW9RKJHKOYTkCd0FFb6cbEaIhcOs WlRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SJJvauAYKKKDk/0UjyDGqOOvhkWIGSs6w+RuK6gGFv4=; b=kzj1IZFNL+6OF3P/6JCYTiS4mHgZ+HJOnkHq2kkivxnYNYY/9XbCQ2Vf8Wit+WyZFF fw5j0XQEkKWn0Hm/CiQAoc4A1xh9DE2DlZS0lXORQjiz4tW7koB1J3ybW21A0uwG4T/L FnhY25fT/y7DILfKzlxBMKwKAT+F38xc/xVZBYedpwflMxuiuWhQUlCQLfYASR96bsGl /R4x6CAfnJR3Im1L5mffJcXeY+WOcBiUDjN+uUoRutcxcTX+kELkERzRFVLpjLQfVPcH DhJOsRB0MiO2zW4LSiKVGmG25gXE/2qQkdpmyzM7915nZhi3V+Sk3FEvw9PSEagNi5SC PBmA==
X-Gm-Message-State: AOAM532ekF6J3qzy9On2P5gsxXiTAH2L/5R+WYm580JrpQMobfjJbbr+ T1U1cpr1WFMlu4MEBTVcBhngP0hEA+e6a/2SSUE3LWTX
X-Google-Smtp-Source: ABdhPJzj8EERVVHMclBXNLqPf81pX1db/FoPGgDslFtMFhxBaExwYfHbI8EtWgyRidH/KyYV935JIAbr/mmSai+qHkU=
X-Received: by 2002:a05:6e02:f44:: with SMTP id y4mr1591602ilj.237.1592439425199; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxQBqfrz24riPQA_VGKcGp_TzW0pqb97KfFMtNdW9pUfDg@mail.gmail.com> <833A693C-62E6-4889-9954-FCE65A839A7C@eggert.org> <CAKcm_gPMO2DtqvKucqVw0zDjSniSOmFD4p1Tp4YLjr9WSWdEUw@mail.gmail.com> <CAJU8_nUN42gGmQof24XD9-EjXedyzcarDyRP8MGe1qW-BZ=+Aw@mail.gmail.com> <9cd91c24-c730-22a4-7aa0-baf61613b3ce@huitema.net> <f4922cdb59014202900de44cc5fea0ff@usma1ex-dag1mb5.msg.corp.akamai.com> <CAM4esxQvwkTvpUcu6-+W5zWo22m-R1jvN7DcCpXfuw8Hb55qsw@mail.gmail.com>
In-Reply-To: <CAM4esxQvwkTvpUcu6-+W5zWo22m-R1jvN7DcCpXfuw8Hb55qsw@mail.gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 17 Jun 2020 17:16:54 -0700
Message-ID: <CAM4esxTB9Pt4345-jUozUUE0i1Z-ccO2cwAaVEJGZAyvpsC4sg@mail.gmail.com>
Subject: Re: Is the invariants draft really standards track?
To: "Lubashev, Igor" <ilubashe@akamai.com>
Cc: Christian Huitema <huitema@huitema.net>, Kyle Rose <krose@krose.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>, Jared Mauch <jared@puck.nether.net>
Content-Type: multipart/alternative; boundary="00000000000043f30105a850b2e3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ClOoCD7ir-c1jKbMmTI_gX_9FSw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 00:17:08 -0000

filed issue #3773 <https://github.com/quicwg/base-drafts/issues/3773> and
PR #3774 <https://github.com/quicwg/base-drafts/pull/3774>.

On Wed, Jun 17, 2020 at 5:15 PM Martin Duke <martin.h.duke@gmail.com> wrote:

> Hi Igor, you might want to check out the "Retry Services" bit of the
> QUIC-LB draft. This has something to do with the DDoS use case you discuss.
>
> On Wed, May 27, 2020 at 9:07 AM Lubashev, Igor <ilubashe@akamai.com>
> wrote:
>
>> I’m working on a manageability draft PR for this (how to rate limit UDP
>> to reduce disruption to QUIC if you have to rate limit UDP).  ETA end of
>> the week (if I do not get pulled into something again).
>>
>>
>>
>> The relevant observation is that DDoS with UDP that is indistinguishable
>> from QUIC will happen.  UDP is already the most prevalent DDoS vector,
>> since it is easy for a compromised non-admin app to send a flood of huge
>> UDP packets (with TCP you get throttled by the congestion controller).  So
>> there WILL be DDoS protection devices out there to try to mitigate the
>> problem, possibly by observing both directions of the flow and deciding
>> whether a packet belongs to a valid flow or not.
>>
>>
>>
>> Since such middle boxes will be created, the more explicit and normative
>> Invariants are about what one can expect, the less such middle boxes may
>> decide for themselves.  For example (I did not think long about it), if
>> some elements of path validation could land into Invariants (roughly, “no
>> more than X packets/bytes can be sent on a new path w/o a return packet”),
>> a DDoS middle box may use this fact and active connection migration might
>> still have a chance during an attack (NAT rebinding could be linked by DDoS
>> boxes to an old connection via unchanged CID).
>>
>>
>>
>>    - Igor
>>
>>
>>
>>
>>
>> *From:* Christian Huitema <huitema@huitema.net>
>> *Sent:* Wednesday, May 27, 2020 11:34 AM
>>
>> On 5/27/2020 8:28 AM, Kyle Rose wrote:
>>
>> On Wed, May 27, 2020 at 10:34 AM Ian Swett <ianswett=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>> I was agreeing with MT, but I'm happy to see some more MUSTs added if
>> people feel that'd be helpful.
>>
>>
>>
>> Coincidentally, we were just talking about this internally at Akamai
>> yesterday. IMO, an invariants document isn't really helpful if it isn't
>> normative, and for it to be normative it (or a related practices doc for
>> operators) really needs to spell out clear boundaries for operators with
>> MUSTs..
>>
>>
>>
>> The example that came up yesterday was around operators filtering QUIC in
>> the event of a DDoS: one recommendation based on some conversations going
>> back at least to Prague 2019 was to hash packets on 4-tuple and filter
>> those below a hash value chosen for a desired ingress limit instead of
>> doing what most operators do with UDP today, which is to cap UDP throughput
>> and just drop packets randomly or tail drop.
>>
>> Interesting. Did they consider using the CID, or a fraction of it? This
>> looks entirely like the scenario for which we developed stateless retry.
>>
>>
>>
>> This recommendation certainly imposes some constraints on future protocol
>> development that motivate new invariants: for instance, it would preclude
>> sharding a connection across multiple source ports (not that there is
>> necessarily a reason to do this; it's just an example). But more
>> importantly, it goes beyond invariants: it's one among many practices
>> compatible with the current set of invariants, some reasonable and some
>> terrible.
>>
>> This would break the "preferred address" redirection. Preferred address
>> migration may or may not be spelled out in the invariants.
>>
>>
>>
>> Operators are going to do things to QUIC traffic, so it would be good to
>> offer them recommendations that are compatible with broad deployability.
>>
>>
>>
>> Yes, we do need the invariants for that.
>>
>> -- Christian Huitema
>>
>