Re: Should QUIC have a path-verifiable proof of source address?
Christian Huitema <huitema@huitema.net> Thu, 01 June 2017 18:17 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4AE12F9A8 for <quic@ietfa.amsl.com>; Thu, 1 Jun 2017 11:17:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: No, score=0.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ux1PXAnSfLgO for <quic@ietfa.amsl.com>; Thu, 1 Jun 2017 11:17:02 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6146A12F287 for <quic@ietf.org>; Thu, 1 Jun 2017 11:17:02 -0700 (PDT)
Received: from xsmtp01.mail2web.com ([168.144.250.230]) by mx43.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1dGUeY-0007mk-6P for quic@ietf.org; Thu, 01 Jun 2017 20:17:00 +0200
Received: from [10.5.2.18] (helo=xmail08.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dGUeT-00009B-KP for quic@ietf.org; Thu, 01 Jun 2017 14:16:54 -0400
Received: (qmail 28317 invoked from network); 1 Jun 2017 18:16:52 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.56.42.129]) (envelope-sender <huitema@huitema.net>) by xmail08.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 1 Jun 2017 18:16:52 -0000
To: quic@ietf.org
References: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch> <30eb5292-ac11-9772-b088-03b1f2fe372b@huitema.net> <CABkgnnWEg0N0WYsdMzsPT--MpRSQ7g2ysu2DvwenQ+mQpo6Anw@mail.gmail.com> <40dc8d2a-92ec-e6f1-b2b8-f4c447313cf5@tik.ee.ethz.ch> <2856C4A2-FB68-425D-8B34-043A7EF005E9@trammell.ch>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <79aeac00-c1eb-069a-2b21-018a8b393546@huitema.net>
Date: Thu, 01 Jun 2017 11:16:34 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <2856C4A2-FB68-425D-8B34-043A7EF005E9@trammell.ch>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="aaNswS4QI6eTgbo3cwm6DK6dgnVDnnGG3"
Subject: Re: Should QUIC have a path-verifiable proof of source address?
X-Originating-IP: 168.144.250.230
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.39)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZgTCGhDnudOJ80D1c8rffxrus7BTv7Ss8cH d2IQQuvdbtM+m4WpRRDP6YzwkAPgQJZYP2pkjqshrWYL747BjInHND46yZLY9QyX+cRXmooQ3hum JwiT+2brWmQlzkLIcXivpIH4ag6BM/+u9ym+BA23n+Wz3L7GF6SgBODTEyHsdjCwsQwWQaOhgSJE qnWSx1AJGiE90SRKkhjiVTzW0bd3YOEkjsX7F8KmpUaZQHV+SejOO+5k046wqf0SEutzqoO2G5Pj 7iQJEmtNUzH3idZ6uMF2OhyCCCV83x+RZrKIj0QqMGQOSwmEPwP4wBzM77N8GvkYGGDFjg9NrmGY yNnXsSjdYwfRhjHqxQXDsBKLpOWca0Z0beD6jMx95O4U5K/6lO4FGen962xgCFRckncKfg1XSK9P 1z/R6plfrFWGyYvxPGJVX/aFUPtNFJEaV/HeNHk15VolAGHS5rCXQKDym+Gab6cuAPzLi/SdAxlO dgkraHgbbAuZgv0Q6mJ3vUcipz1IT62ZEk6+MmovaufbiR3bHfnMCIEU+nrglojKwMr3vOY18GvB wSXAfWcj234Kahp30YSTh5OL3yMqjF0jNdSMuNhZC3X/nGdDKYyg+1Fotn1TGspRGWfHjmaruO0b XpkevaElTi+sCWwmqxHi+BUHXGjp0J8FpT+J6AFTxiSsoNTiR/GmpPv4QzJ0uLs078I0y+3uS4dN KiUgYTBUdXbtWDnUeS4liyqO9jjmooAbiteDwjw8P7mx/NBHSRWxZaHLvUGmD7PXY2RS8idsz7fr MHsNPRylYAkPvY1HttQOF909qtkcRbvucYBIc/RufmJqHIgpwQblHGid2pC00i13zjCiwPgdt77s k1WBMw==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/H_MASkOteraXg4lnf7J9ljCSb5w>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 18:17:15 -0000
On 6/1/2017 6:41 AM, Brian Trammell (IETF) wrote: > Yep. This indicates another way to split this question: how important is it to be able to distinguish spoofed from non-spoofed sources for initial packets in a flow, versus to be able to do so in the middle of a connection? OK. Let's tease that apart a bit more. QUIC runs over UDP. The UDP flow can be observed both during the initial phase and in the middle of the connection. As long as the routing is symmetric, the intermediate nodes can see that there are packets flowing in both directions. That's something of a baseline. I suppose the question is then about assumptions that these intermediate nodes can make. For example, a classic example is the need to separate legitimate traffic from a DOS attack. We can assume that in a basic DOS attack, packets will flow in just one direction, from the attacker to the target. So, a firewall that sees packet flowing in just one direction might detect an attack, and slow it down or filter it completely. It could do that by looking at nothing more than the UDP headers. But there may well be some packets coming back from the server, such as public reset packets. And then the naive firewall might mistakenly think that the traffic is legit, because the server is responding. At that point, there are two lines of thought. One is to provide information from the sever to the intermediate nodes. For example, if a smarter firewall would know that this is QUIC traffic, that public reset packets are not a sign that the server finds the traffic legit, and that the offending traffic should thus be slowed down or cut. But that means reliably distinguishing QUIC from other traffic, and letting nodes distinguish public reset from other packets. There is a slippery slope there, because nodes may also want to understand acknowledgements and progress, not just reset packets. The other line of thought is to place some of the defense against DOS burden on the server, and to ask it to just completely stop responding to any traffic that looks like an attack, so that intermediate firewalls can react to "absence of response". That is, the server can predict how the network will react to blow-back traffic, and thus thinks of consequences before sending packets. I kind of like the second approach. Servers would depend on some well known behavior of intermediate nodes, which would in fact force these nodes to be public about their behavior, even to standardize it. Something like standardizing AQM. That seems like a good path towards sanity. -- Christian Huitema
- Should QUIC have a path-verifiable proof of sourc… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Erik Kline
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Erik Kline
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- RE: Should QUIC have a path-verifiable proof of s… Dave Dolson
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Martin Thomson
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Mirja Kühlewind
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Mirja Kühlewind
- Re: Should QUIC have a path-verifiable proof of s… Eggert, Lars
- Re: Should QUIC have a path-verifiable proof of s… Eggert, Lars
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Watson Ladd