Re: Is the invariants draft really standards track?

Martin Duke <> Thu, 18 June 2020 00:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9DB983A07AF for <>; Wed, 17 Jun 2020 17:17:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FXg9SZxUdST3 for <>; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C85773A07A5 for <>; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
Received: by with SMTP id b5so4142184iln.5 for <>; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SJJvauAYKKKDk/0UjyDGqOOvhkWIGSs6w+RuK6gGFv4=; b=u96JxUmdM2p+2VmcU0Lk0HdccRu4VvnklFJ6gwUhZ5bvBjV5CuG5d6frpqCBu2isU4 G/Kk3LLc2sMK8kVkalWC9eEIvX+cK2HaW094O3WcxoZ+RKdYsc+tBHlYPzYeO+98wz4o /V6iLJpd9/a1di1fx7IJGlKfwV7BXF0rj00vxEjOsRoOnT7ue1VpV0k8x5JBY0TQtm1j USjLyHkt+LZnj+a1euqfU8k1qCFZqI4ohsY5IRaWGAqmvEoMFY3H36c/U7zM19UM9iSp L+nhkTaRMojdfgvnlxGUDdrqtdd911GSOnE3zWafjW9RKJHKOYTkCd0FFb6cbEaIhcOs WlRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SJJvauAYKKKDk/0UjyDGqOOvhkWIGSs6w+RuK6gGFv4=; b=kzj1IZFNL+6OF3P/6JCYTiS4mHgZ+HJOnkHq2kkivxnYNYY/9XbCQ2Vf8Wit+WyZFF fw5j0XQEkKWn0Hm/CiQAoc4A1xh9DE2DlZS0lXORQjiz4tW7koB1J3ybW21A0uwG4T/L FnhY25fT/y7DILfKzlxBMKwKAT+F38xc/xVZBYedpwflMxuiuWhQUlCQLfYASR96bsGl /R4x6CAfnJR3Im1L5mffJcXeY+WOcBiUDjN+uUoRutcxcTX+kELkERzRFVLpjLQfVPcH DhJOsRB0MiO2zW4LSiKVGmG25gXE/2qQkdpmyzM7915nZhi3V+Sk3FEvw9PSEagNi5SC PBmA==
X-Gm-Message-State: AOAM532ekF6J3qzy9On2P5gsxXiTAH2L/5R+WYm580JrpQMobfjJbbr+ T1U1cpr1WFMlu4MEBTVcBhngP0hEA+e6a/2SSUE3LWTX
X-Google-Smtp-Source: ABdhPJzj8EERVVHMclBXNLqPf81pX1db/FoPGgDslFtMFhxBaExwYfHbI8EtWgyRidH/KyYV935JIAbr/mmSai+qHkU=
X-Received: by 2002:a05:6e02:f44:: with SMTP id y4mr1591602ilj.237.1592439425199; Wed, 17 Jun 2020 17:17:05 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: Martin Duke <>
Date: Wed, 17 Jun 2020 17:16:54 -0700
Message-ID: <>
Subject: Re: Is the invariants draft really standards track?
To: "Lubashev, Igor" <>
Cc: Christian Huitema <>, Kyle Rose <>, Ian Swett <>, Lars Eggert <>, IETF QUIC WG <>, Jared Mauch <>
Content-Type: multipart/alternative; boundary="00000000000043f30105a850b2e3"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Jun 2020 00:17:08 -0000

filed issue #3773 <> and
PR #3774 <>.

On Wed, Jun 17, 2020 at 5:15 PM Martin Duke <> wrote:

> Hi Igor, you might want to check out the "Retry Services" bit of the
> QUIC-LB draft. This has something to do with the DDoS use case you discuss.
> On Wed, May 27, 2020 at 9:07 AM Lubashev, Igor <>
> wrote:
>> I’m working on a manageability draft PR for this (how to rate limit UDP
>> to reduce disruption to QUIC if you have to rate limit UDP).  ETA end of
>> the week (if I do not get pulled into something again).
>> The relevant observation is that DDoS with UDP that is indistinguishable
>> from QUIC will happen.  UDP is already the most prevalent DDoS vector,
>> since it is easy for a compromised non-admin app to send a flood of huge
>> UDP packets (with TCP you get throttled by the congestion controller).  So
>> there WILL be DDoS protection devices out there to try to mitigate the
>> problem, possibly by observing both directions of the flow and deciding
>> whether a packet belongs to a valid flow or not.
>> Since such middle boxes will be created, the more explicit and normative
>> Invariants are about what one can expect, the less such middle boxes may
>> decide for themselves.  For example (I did not think long about it), if
>> some elements of path validation could land into Invariants (roughly, “no
>> more than X packets/bytes can be sent on a new path w/o a return packet”),
>> a DDoS middle box may use this fact and active connection migration might
>> still have a chance during an attack (NAT rebinding could be linked by DDoS
>> boxes to an old connection via unchanged CID).
>>    - Igor
>> *From:* Christian Huitema <>
>> *Sent:* Wednesday, May 27, 2020 11:34 AM
>> On 5/27/2020 8:28 AM, Kyle Rose wrote:
>> On Wed, May 27, 2020 at 10:34 AM Ian Swett <ianswett=
>>> wrote:
>> I was agreeing with MT, but I'm happy to see some more MUSTs added if
>> people feel that'd be helpful.
>> Coincidentally, we were just talking about this internally at Akamai
>> yesterday. IMO, an invariants document isn't really helpful if it isn't
>> normative, and for it to be normative it (or a related practices doc for
>> operators) really needs to spell out clear boundaries for operators with
>> MUSTs..
>> The example that came up yesterday was around operators filtering QUIC in
>> the event of a DDoS: one recommendation based on some conversations going
>> back at least to Prague 2019 was to hash packets on 4-tuple and filter
>> those below a hash value chosen for a desired ingress limit instead of
>> doing what most operators do with UDP today, which is to cap UDP throughput
>> and just drop packets randomly or tail drop.
>> Interesting. Did they consider using the CID, or a fraction of it? This
>> looks entirely like the scenario for which we developed stateless retry.
>> This recommendation certainly imposes some constraints on future protocol
>> development that motivate new invariants: for instance, it would preclude
>> sharding a connection across multiple source ports (not that there is
>> necessarily a reason to do this; it's just an example). But more
>> importantly, it goes beyond invariants: it's one among many practices
>> compatible with the current set of invariants, some reasonable and some
>> terrible.
>> This would break the "preferred address" redirection. Preferred address
>> migration may or may not be spelled out in the invariants.
>> Operators are going to do things to QUIC traffic, so it would be good to
>> offer them recommendations that are compatible with broad deployability.
>> Yes, we do need the invariants for that.
>> -- Christian Huitema