Re: Should QUIC have a path-verifiable proof of source address?
Erik Kline <ek@google.com> Wed, 31 May 2017 13:43 UTC
Return-Path: <ek@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE240129406 for <quic@ietfa.amsl.com>; Wed, 31 May 2017 06:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MTHykxN3ZqTE for <quic@ietfa.amsl.com>; Wed, 31 May 2017 06:43:35 -0700 (PDT)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDBD1129BF8 for <quic@ietf.org>; Wed, 31 May 2017 06:43:34 -0700 (PDT)
Received: by mail-yb0-x230.google.com with SMTP id r66so3713372yba.2 for <quic@ietf.org>; Wed, 31 May 2017 06:43:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=aOTy3KDXty4f1eA7lQJh8jjaSvjZO+xia1B0HHJ7tTk=; b=HvG3IBOS9H26vbtKJ0UOrZJ9eXtG1E+tt+DOtLhGULUZax67pmEVU4ER/oLbHDHrID oixhqt918D46PHpSnrtEVjCHeejTqgz9frtvJ4tiVfpFVOStVkxOEXA2hG1JePI97Kt/ Ylo648u+7DvHsltK5WaxE5z8T6eB4+wMyuNdI2RwnzJpRWWlUH3H+r/jdqzNR2QxB/b4 kDUHe5DfdlwzGI7tMzWz9TxH4we8uvA/GhiXJURRAcr4PiSXhx8RNLwKWHQsGxTKNVx/ JFA2ZCHPypjRf9v6zJjy0zUwOKJtUW1hB/BOGnDYKyWXOpgj/KP2dysw2Sa7EGnPpJ4y kBSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=aOTy3KDXty4f1eA7lQJh8jjaSvjZO+xia1B0HHJ7tTk=; b=kmrTWY/uWWWy4fRppzzLzlPRWP0E+P0a05FMNWaE3hrZGVmAzIzy4CxfkcegMg3dNU dY8HNwEJhpakaNuwxeiiUneJ4o1x1tlT190ErcgiHNy4uJF8ejilOc1ek42zlaTj9m10 wcKfK9ebzbR2N+m7GaKLeMT9Xv66NtGPluSxZ4HEwoq2dm3+skPGDluAdtveggimB+Ki tQEgDkmELErkdnf2QSUEkJ54uKTqDPeTmHDLn1sheggYL85QPXSj1J34JisKIMiJpKVZ kvnR7csoRQ9Z0hIrOq8QJDGx+KUoSr/Z7IlVWdE4uQjScCIj3TYwRLoK3tenKGAclzBi mAUw==
X-Gm-Message-State: AODbwcBTOsGKa0W4ghfm3mreDpZXOGIxHvLoe4TvD+FE8T+P6HL+Oe5y lzzRVTcW8nLgyu0n4o4DMsG6oF1fTo+Ou4rGcw==
X-Received: by 10.37.122.129 with SMTP id v123mr55088803ybc.157.1496238213862; Wed, 31 May 2017 06:43:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.212.133 with HTTP; Wed, 31 May 2017 06:43:13 -0700 (PDT)
In-Reply-To: <C46523AE-6145-4CF1-9ED3-791F87DE9E3E@trammell.ch>
References: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch> <CAAedzxr2VyXpvvz8iyiyUWUZA4TZeWfCY58-tDgNfhRHqg5Oqg@mail.gmail.com> <C46523AE-6145-4CF1-9ED3-791F87DE9E3E@trammell.ch>
From: Erik Kline <ek@google.com>
Date: Wed, 31 May 2017 22:43:13 +0900
Message-ID: <CAAedzxp5bvFDruo4hesa7nXDPiLSet-V8i+yD5JwjEQUg-PUGQ@mail.gmail.com>
Subject: Re: Should QUIC have a path-verifiable proof of source address?
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: QUIC WG <quic@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a114baca8440b470550d21b57"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/KkVaL9sCze0bD9cJasZ_UiOflmQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 May 2017 13:43:37 -0000
On 31 May 2017 at 22:22, Brian Trammell (IETF) <ietf@trammell.ch> wrote: > Hi, Erik, > > > > On 31 May 2017, at 14:04, Erik Kline <ek@google.com> wrote: > > > >> On 31 May 2017 at 20:53, Brian Trammell (IETF) <ietf@trammell.ch> > wrote: > >> Greetings, all, > > <snip> > > >> "Shoud QUIC allow devices on path to distinguish QUIC traffic with > valid source addresses from traffic with spoofed source addresses?" > > <snip> > > > My main concern here would be that preserve the ability to migrate > connections. > > > > Allowing on-path but non-endpoint devices to distinguish traffic as you > describe opens up the opportunity for them to do it incorrectly/badly > thereby making some implementations of connection migration unreliable (at > best). > > > > There may still be ways to support connection migration and support this > kind of traffic analysis, though. > > Okay... so I'll mark that down "this seems useful, but not at the cost of > any flexibility in connection migration." > > Actually, your answer suggests an alternate and potentially more useful > framing for this question: "which design properties are you not willing to > sacrifice to get the ability for devices on path to distinguish QUIC > traffic with valid source addresses from traffic with spoofed source > addresses?", which captures the risk/utility tradeoff nicely. > > Thanks, cheers, > > Brian > A comment and request to make a distinction (though I know it's complicated). [ comment ] Anything on-path boxes can do analytically can become a point of policy control in a vendor's marketing slide deck. There is only embrittlement down this road, I fear. [ (complicated) distinction ] I would like to argue that there is a distinction between: [1] on-path elements that are within the administrative domains of either end-point ("administratively related to an endpoint") and [2] on-path elements in administrative domains not associated (except by peering/transit) with either endpoint. It might be possible to permit analysis (and therefore policy enforcement) by the former and not the latter, if we assume there can be some cooperation with endpoints and on-path elements in their administrative domain. If possible, I think this might give the best of both worlds: the benefits of analysis and policy enforcement but only afforded to the endpoints and their administrative domains (no interference from unrelated parties).
- Should QUIC have a path-verifiable proof of sourc… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Erik Kline
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Erik Kline
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- RE: Should QUIC have a path-verifiable proof of s… Dave Dolson
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Martin Thomson
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Mirja Kühlewind
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Mirja Kühlewind
- Re: Should QUIC have a path-verifiable proof of s… Eggert, Lars
- Re: Should QUIC have a path-verifiable proof of s… Eggert, Lars
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Watson Ladd