IETF Logo Mail Archive

Should QUIC have a path-verifiable proof of source address?

"Brian Trammell (IETF)" <ietf@trammell.ch> Wed, 31 May 2017 11:53 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4384212EA8D for <quic@ietfa.amsl.com>; Wed, 31 May 2017 04:53:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KMBLJbXmZ1Ei for <quic@ietfa.amsl.com>; Wed, 31 May 2017 04:53:26 -0700 (PDT)
Received: from capri.iway.ch (capri.iway.ch [IPv6:2001:8e0:40:325::45]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04B84126CC7 for <quic@ietf.org>; Wed, 31 May 2017 04:53:26 -0700 (PDT)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 2AB59340534 for <quic@ietf.org>; Wed, 31 May 2017 13:53:22 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/7408.23201); Wed, 31 May 2017 13:53:22 +0200 (CEST)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS for <quic@ietf.org>; Wed, 31 May 2017 13:53:22 +0200 (CEST)
Received: from nb-10604.ethz.ch (account ietf@trammell.ch [82.130.102.91] verified) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.14) with ESMTPSA id 19240927 for quic@ietf.org; Wed, 31 May 2017 13:53:22 +0200
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_7CD826ED-D093-4CDC-8699-B5844E1B969F"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Subject: Should QUIC have a path-verifiable proof of source address?
Date: Wed, 31 May 2017 13:53:21 +0200
Message-Id: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch>
To: QUIC WG <quic@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/KykUBUaMPS51RotDMyCc2Z7Ffvk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 May 2017 11:53:28 -0000

Greetings, all,

We have a few contentious points in the design of QUIC, and how that design interacts with devices deployed in the Internet. I'd like to start the discussion on two such points, to see if we can come to some kind of consensus as to what we want QUIC to do without regard to how it does it, keeping in mind our charter requirement that QUIC have "security and privacy properties that are at least as good as a stack composed of TLS 1.3 using TCP (or MPTCP when using multipath)."

I'll start with the easier one:

"Shoud QUIC allow devices on path to distinguish QUIC traffic with valid source addresses from traffic with spoofed source addresses?"

The utility of this property is obvious: it would allow in-network reflection/amplification, backscatter, and spoofed-DoS protection equivalent to that available with TCP. This is already provided by TCP state tracking devices for TCP endpoints more or less as a side effect of their operation.

One could argue that this is pointless, since botnets-of-things have made spoofing irrelevant, and careful design (of new UDP protocols), aggressive patching (e.g. of ntpd), and lagging DNSSEC deployment are taking care of the most severe amplification vectors. The other side of that argument is essentially that every little bit helps.

The risks and efficiency tradeoffs are a matter of the exact design used, of course. However, it seems to me that establishing whether this is a desirable feature, and at what cost, seems like a good way to decide whether we should design for it, as opposed to letting discussion of mechanisms drive discussion of requirements.

Cheers,

Brian

v2.23.0 | Report a Bug | By Email