IETF Logo Mail Archive

RE: Adding ECN to Transport and Recovery

"Lubashev, Igor" <ilubashe@akamai.com> Tue, 12 June 2018 12:17 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 790C0130E2C for <quic@ietfa.amsl.com>; Tue, 12 Jun 2018 05:17:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0o20Njfle5cx for <quic@ietfa.amsl.com>; Tue, 12 Jun 2018 05:17:43 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37EE130DCA for <quic@ietf.org>; Tue, 12 Jun 2018 05:17:43 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w5CCGp0o012473; Tue, 12 Jun 2018 13:17:30 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=9vBdm4ljcZR4CEMISwdBauIPjttyINL+4zEzMd222FU=; b=VjP2D64NDxwpL/UZ6qxZIoJhPb+Z0dgr6rhySfUQP4eXoOggVoCTfsGkRTbcBTX+Dw4O yesvUiDksiNRzrgVlWB5jOaIvSyokSf7wILxRdcJMJWLxY28zBaW2QS6z/R15nA5uZmn Hl7ooPEIqvLkFfbr/O4Mvt6Lmqs7iCV5RZDT+hKZp70YpApZDdjdDNRe1aYEb5wLohlC tzIBjEdFm1XIS/NwhDVJ+Y+ewj1jWPBdQObxT7R3tzMRIQHjXH851fDOMQElmEmjqBLJ 9sc+11yrW2RCPss4Y2ddvROc1gSTVEOkR/iFh1Yj6OewhDPpqFKuFaurU60napivqGZo 4g==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050096.ppops.net-00190b01. with ESMTP id 2jg7abh7ye-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 Jun 2018 13:17:30 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w5CCGGWo028720; Tue, 12 Jun 2018 08:17:29 -0400
Received: from email.msg.corp.akamai.com ([172.27.25.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 2jga7uxkek-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 12 Jun 2018 08:17:29 -0400
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.27.104) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 12 Jun 2018 07:17:28 -0500
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.27.107]) by ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.27.107]) with mapi id 15.00.1365.000; Tue, 12 Jun 2018 05:17:28 -0700
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "huitema@huitema.net" <huitema@huitema.net>, "magnus.westerlund@ericsson.com" <magnus.westerlund@ericsson.com>, "jri.ietf@gmail.com" <jri.ietf@gmail.com>
CC: "ietf@trammell.ch" <ietf@trammell.ch>, "quic@ietf.org" <quic@ietf.org>, "ianswett@google.com" <ianswett@google.com>
Subject: RE: Adding ECN to Transport and Recovery
Thread-Topic: Adding ECN to Transport and Recovery
Thread-Index: AQHT9sK0H8sBCsQDiUuMTPA/hgyVTqRW+DkAgAAEvoCAABm1gIAAXg8AgAAm5gCAALVPgIAAQ7eAgAADFgCAAa0SAIABLgUA//+cLbCAAcXYgP//zEk/
Date: Tue, 12 Jun 2018 12:17:27 +0000
Message-ID: <af85bf371c9f423d88acc4a674e9e3b0@ustx2ex-dag1mb6.msg.corp.akamai.com>
References: <26584f2a-230b-c55e-db16-d32225c8ee4d@ericsson.com> <5a82e9ef-971f-6510-866c-9886e73796a9@ericsson.com> <20180608150833.GB13418@ubuntu-dmitri> <CAKcm_gM_OHgWcJ+ktAg9BCQx1rtHc9GFg2bZG40-NcO2MoVG9w@mail.gmail.com> <CANatvzySuzK9EO13m_UQxb4wZkYW=+6By3QMU5gKXhq69gaUag@mail.gmail.com> <790ec098-9ec9-5eff-4785-d71d9ac92059@huitema.net> <73B82E99-EFEE-4DBC-A2CA-8FA381F33C5E@trammell.ch> <CAKcm_gN-s0XVsGL2LLusvcm5_hp-Z5_9OFMkwph5m_bGMDbAtQ@mail.gmail.com> <55DA3F1D-2B09-4D25-9630-6BC85B68A3AF@huitema.net> <CACpbDcdTtQBLNhhiX_+wWCo-OzVvBKBpS-8RsYRcZ30xhefQZQ@mail.gmail.com> <1023590e-83d4-bed2-640a-f5cd131677d4@ericsson.com> <c89e100409774521b24cbe0c1167d978@ustx2ex-dag1mb6.msg.corp.akamai.com>, <8cbb589e-860b-9007-4f07-adf7c43f037b@ericsson.com>
In-Reply-To: <8cbb589e-860b-9007-4f07-adf7c43f037b@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_af85bf371c9f423d88acc4a674e9e3b0ustx2exdag1mb6msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-12_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806120144
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-12_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806120144
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/NWIRA7hTiW-xwC5_7Kiu8L-ucJk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 12:17:48 -0000

Thanks. So what you are saying is that a requirement for a on-a-side attacker to race cooked packets is what make this attack hard? I can buy this, especially since such an attacker could interfere with the initial version negotiation, too. The only thing that makes an attack on the congestion window nefarious vs an attack on version negotiation is that it leaves the user with an impression that the service is poor vs that the network is interfering with him connecting to the service.

-----Original Message-----
From: Magnus Westerlund [magnus.westerlund@ericsson.com]
Received: Tuesday, 12 Jun 2018, 4:23AM
To: Lubashev, Igor [ilubashe@akamai.com]; huitema@huitema.net [huitema@huitema.net]; jri.ietf@gmail.com [jri.ietf@gmail.com]
CC: ietf@trammell.ch [ietf@trammell.ch]; quic@ietf.org [quic@ietf.org]; ianswett@google.com [ianswett@google.com]
Subject: Re: Adding ECN to Transport and Recovery


Hi,

So, if the on-a-side attack manages to race its attack packet with CE set so that it arrives prior to the original packet with an ECT code-point it will affect the congestion window. The same way that if an attack can cause periodic network drop of packets for a QUIC connection the connection can't really distinguish this attack from a legit congestion indication signal.

So the PR's current security consideration addition says:

12.7.  Explicit Congestion Notification Attacks

   The ECN bits [RFC3168] are an unauthenticated signal from the
   network.  An on-path attacker may manipulate the value of the field.
   Thus, affecting the congestion avoidance behavior of the sender.  By
   clearing any CE marks the connection can help drive a bottle neck
   queue into a loss regime.  By setting the ECN field to CE marking it
   can drive down the senders congestion window thus resulting in
   reduced throughput.  The later could equally be accomplished by
   dropping packets for the connection.  Section 18 and 19 of [RFC3168]
   discusses the effects of undesired manipulation of the ECN field in
   more details.

   If a receiver would not have packet duplication detection and not
   discard any duplicates an off-path attacker that can receive copies
   of the connection's packets can manipulate the senders congestion
   avoidance state.  If packet duplicates are dropped, the off-path
   attacker will need to race the original packet to be successful in
   this attack.


If there is a proper on-path attack, then it can accomplish this already
to day by dropping packets, so ECN does not create a new vulnerability.
The requirement for an on-the-side attacker to successfully race its modified
packets make the attack harder to perform, the right situation must exist
where the normal route is longer than the route for the attacker, i.e.
tap -> attacker -> receiver. And the attacker must be able to tap the flow.
>From my perspective, that makes this an attack with limited applicability.

Mitigating the attack in either of the QUIC endpoints are also extremely
hard. How does a receiver or sender determine that the congestion signals
are manipulated? For an attacker that changes an ECT to ECN-CE I don't see
there being any reasonable detection mechanism. One would need to generate
parallel flow and statistically compare the behaviour of the flows to determine
that one flow was manipulated. But, such a flow is likely to be picked up by
an attacker as if I am attacking one I would tap the flows using a single
source or destination IP as flow template for the traffic that I as an
attacker are interested in.

For the case where an attacker removes the CE marks, that would be possible
to detect by sender side probes injecting CE marked packets, as discussed
in this issue: https://github.com/quicwg/base-drafts/issues/1426<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_quicwg_base-2Ddrafts_issues_1426&d=DwMD-g&c=96ZbZZcaMF4w0F4jpN6LZg&r=Djn3bQ5uNJDPM_2skfL3rW1tzcIxyjUZdn_m55KPmlo&m=fCJNH4_GrpJCEuL__VxRjfVtL0Cs4z66XI5BrJPbYi4&s=2_OCqkf4LQgo0ms4jC0p4xPnRUznLuTGsDfIhwcrcYY&e=>

My view is that the PR has the necessary text noting the issue and
referencing the far more extensive discussion in RFC 3168. We have an
issue to continue to discuss additional mitigation. Such mitigation should
be written up in a separate PR in my view.

Cheers

Magnus



Den 2018-06-11 kl. 14:18, skrev Lubashev, Igor:
I do not think I have seen this in the PR, so I am wondering what your recommendation is for defending against an on-a-side attacker, who sets CE bits on every EC(*) packet and races that packet to the destination? Should that be a part of this PR?

- Igor

-----Original Message-----
From: Magnus Westerlund [magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>]
Received: Monday, 11 Jun 2018, 1:15PM
To: Jana Iyengar [jri.ietf@gmail.com<mailto:jri.ietf@gmail.com>]; Christian Huitema [huitema@huitema.net<mailto:huitema@huitema.net>]
CC: Brian Trammell (IETF) [ietf@trammell.ch<mailto:ietf@trammell.ch>]; Ian Swett [ianswett@google.com<mailto:ianswett@google.com>]; QUIC WG [quic@ietf.org<mailto:quic@ietf.org>]
Subject: Re: Adding ECN to Transport and Recovery


Hi,

I agree with Jana, as there are not a clear consensus lets take any further modifications of the ACK frames as a separate issue. The PR have from my perspective no open technical content issues. I will await to see if the editors or any of you have any editorial issues. But, otherwise I expect this PR to be merged quite soon.

I will now start working on a new section for a separate PR regarding the ECN black hole mitigation.

Cheers

Magnus

Den 2018-06-10 kl. 19:14, skrev Jana Iyengar:
Sounds like there's general agreement that modifying the varint to contain a flag bit will add unnecessary complexity.
Let's try to get the PR in as it is now, and if anyone really wants to go merge this and the ACK frame or rename things, let's paint that bikeshed separately.



On Sat, Jun 9, 2018 at 8:39 AM Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>> wrote:


> On Jun 9, 2018, at 8:27 AM, Ian Swett <ianswett@google.com<mailto:ianswett@google.com>> wrote:
>
> QUIC is complex enough, I think we should just call them ACK and ACK_ECN.  A few implementations sending at least one ACK_ECN frame per connection will dispel any belief that ACK_ECN is optional.  A small amount of use will be a lot more valuable than clever naming.

Also, ECN is just one of the extensions that could be planned for ACK. Timestamps would be nice too, for those who want one-way-delay based congestion control.

-- Christian Huitema


--

Magnus Westerlund

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>
----------------------------------------------------------------------


--

Magnus Westerlund

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email