IETF Logo Mail Archive

Re: Should QUIC have a path-verifiable proof of source address?

Christian Huitema <huitema@huitema.net> Thu, 01 June 2017 18:17 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B4AE12F9A8 for <quic@ietfa.amsl.com>; Thu, 1 Jun 2017 11:17:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: No, score=0.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ux1PXAnSfLgO for <quic@ietfa.amsl.com>; Thu, 1 Jun 2017 11:17:02 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6146A12F287 for <quic@ietf.org>; Thu, 1 Jun 2017 11:17:02 -0700 (PDT)
Received: from xsmtp01.mail2web.com ([168.144.250.230]) by mx43.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1dGUeY-0007mk-6P for quic@ietf.org; Thu, 01 Jun 2017 20:17:00 +0200
Received: from [10.5.2.18] (helo=xmail08.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dGUeT-00009B-KP for quic@ietf.org; Thu, 01 Jun 2017 14:16:54 -0400
Received: (qmail 28317 invoked from network); 1 Jun 2017 18:16:52 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.56.42.129]) (envelope-sender <huitema@huitema.net>) by xmail08.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 1 Jun 2017 18:16:52 -0000
To: quic@ietf.org
References: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch> <30eb5292-ac11-9772-b088-03b1f2fe372b@huitema.net> <CABkgnnWEg0N0WYsdMzsPT--MpRSQ7g2ysu2DvwenQ+mQpo6Anw@mail.gmail.com> <40dc8d2a-92ec-e6f1-b2b8-f4c447313cf5@tik.ee.ethz.ch> <2856C4A2-FB68-425D-8B34-043A7EF005E9@trammell.ch>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <79aeac00-c1eb-069a-2b21-018a8b393546@huitema.net>
Date: Thu, 01 Jun 2017 11:16:34 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <2856C4A2-FB68-425D-8B34-043A7EF005E9@trammell.ch>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="aaNswS4QI6eTgbo3cwm6DK6dgnVDnnGG3"
Subject: Re: Should QUIC have a path-verifiable proof of source address?
X-Originating-IP: 168.144.250.230
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.39)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZgTCGhDnudOJ80D1c8rffxrus7BTv7Ss8cH d2IQQuvdbtM+m4WpRRDP6YzwkAPgQJZYP2pkjqshrWYL747BjInHND46yZLY9QyX+cRXmooQ3hum JwiT+2brWmQlzkLIcXivpIH4ag6BM/+u9ym+BA23n+Wz3L7GF6SgBODTEyHsdjCwsQwWQaOhgSJE qnWSx1AJGiE90SRKkhjiVTzW0bd3YOEkjsX7F8KmpUaZQHV+SejOO+5k046wqf0SEutzqoO2G5Pj 7iQJEmtNUzH3idZ6uMF2OhyCCCV83x+RZrKIj0QqMGQOSwmEPwP4wBzM77N8GvkYGGDFjg9NrmGY yNnXsSjdYwfRhjHqxQXDsBKLpOWca0Z0beD6jMx95O4U5K/6lO4FGen962xgCFRckncKfg1XSK9P 1z/R6plfrFWGyYvxPGJVX/aFUPtNFJEaV/HeNHk15VolAGHS5rCXQKDym+Gab6cuAPzLi/SdAxlO dgkraHgbbAuZgv0Q6mJ3vUcipz1IT62ZEk6+MmovaufbiR3bHfnMCIEU+nrglojKwMr3vOY18GvB wSXAfWcj234Kahp30YSTh5OL3yMqjF0jNdSMuNhZC3X/nGdDKYyg+1Fotn1TGspRGWfHjmaruO0b XpkevaElTi+sCWwmqxHi+BUHXGjp0J8FpT+J6AFTxiSsoNTiR/GmpPv4QzJ0uLs078I0y+3uS4dN KiUgYTBUdXbtWDnUeS4liyqO9jjmooAbiteDwjw8P7mx/NBHSRWxZaHLvUGmD7PXY2RS8idsz7fr MHsNPRylYAkPvY1HttQOF909qtkcRbvucYBIc/RufmJqHIgpwQblHGid2pC00i13zjCiwPgdt77s k1WBMw==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/H_MASkOteraXg4lnf7J9ljCSb5w>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 18:17:15 -0000

On 6/1/2017 6:41 AM, Brian Trammell (IETF) wrote:

> Yep. This indicates another way to split this question: how important is it to be able to distinguish spoofed from non-spoofed sources for initial packets in a flow, versus to be able to do so in the middle of a connection?

OK. Let's tease that apart a bit more.

QUIC runs over UDP. The UDP flow can be observed both during the initial
phase and in the middle of the connection. As long as the routing is
symmetric, the intermediate nodes can see that there are packets flowing
in both directions. That's something of a baseline.

I suppose the question is then about assumptions that these intermediate
nodes can make. For example, a classic example is the need to separate
legitimate traffic from a DOS attack. We can assume that in a basic DOS
attack, packets will flow in just one direction, from the attacker to
the target. So, a firewall that sees packet flowing in just one
direction might detect an attack, and slow it down or filter it
completely. It could do that by looking at nothing more than the UDP
headers. But there may well be some packets coming back from the server,
such as public reset packets. And then the naive firewall might
mistakenly think that the traffic is legit, because the server is
responding.

At that point, there are two lines of thought. One is to provide
information from the sever to the intermediate nodes. For example, if a
smarter firewall would know that this is QUIC traffic, that public reset
packets are not a sign that the server finds the traffic legit, and that
the offending traffic should thus be slowed down or cut. But that means
reliably distinguishing QUIC from other traffic, and letting nodes
distinguish public reset from other packets. There is a slippery slope
there, because nodes may also want to understand acknowledgements and
progress, not just reset packets.

The other line of thought is to place some of the defense against DOS
burden on the server, and to ask it to just completely stop responding
to any traffic that looks like an attack, so that intermediate firewalls
can react to "absence of response". That is, the server can predict how
the network will react to blow-back traffic, and thus thinks of
consequences before sending packets.

I kind of like the second approach. Servers would depend on some well
known behavior of intermediate nodes, which would in fact force these
nodes to be public about their behavior, even to standardize it.
Something like standardizing AQM. That seems like a good path towards
sanity.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email