RE: Adding ECN to Transport and Recovery
"Lubashev, Igor" <ilubashe@akamai.com> Tue, 12 June 2018 12:17 UTC
Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 790C0130E2C for <quic@ietfa.amsl.com>; Tue, 12 Jun 2018 05:17:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0o20Njfle5cx for <quic@ietfa.amsl.com>; Tue, 12 Jun 2018 05:17:43 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A37EE130DCA for <quic@ietf.org>; Tue, 12 Jun 2018 05:17:43 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w5CCGp0o012473; Tue, 12 Jun 2018 13:17:30 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=9vBdm4ljcZR4CEMISwdBauIPjttyINL+4zEzMd222FU=; b=VjP2D64NDxwpL/UZ6qxZIoJhPb+Z0dgr6rhySfUQP4eXoOggVoCTfsGkRTbcBTX+Dw4O yesvUiDksiNRzrgVlWB5jOaIvSyokSf7wILxRdcJMJWLxY28zBaW2QS6z/R15nA5uZmn Hl7ooPEIqvLkFfbr/O4Mvt6Lmqs7iCV5RZDT+hKZp70YpApZDdjdDNRe1aYEb5wLohlC tzIBjEdFm1XIS/NwhDVJ+Y+ewj1jWPBdQObxT7R3tzMRIQHjXH851fDOMQElmEmjqBLJ 9sc+11yrW2RCPss4Y2ddvROc1gSTVEOkR/iFh1Yj6OewhDPpqFKuFaurU60napivqGZo 4g==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050096.ppops.net-00190b01. with ESMTP id 2jg7abh7ye-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 Jun 2018 13:17:30 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w5CCGGWo028720; Tue, 12 Jun 2018 08:17:29 -0400
Received: from email.msg.corp.akamai.com ([172.27.25.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 2jga7uxkek-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 12 Jun 2018 08:17:29 -0400
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.27.104) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Tue, 12 Jun 2018 07:17:28 -0500
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.27.107]) by ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.27.107]) with mapi id 15.00.1365.000; Tue, 12 Jun 2018 05:17:28 -0700
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "huitema@huitema.net" <huitema@huitema.net>, "magnus.westerlund@ericsson.com" <magnus.westerlund@ericsson.com>, "jri.ietf@gmail.com" <jri.ietf@gmail.com>
CC: "ietf@trammell.ch" <ietf@trammell.ch>, "quic@ietf.org" <quic@ietf.org>, "ianswett@google.com" <ianswett@google.com>
Subject: RE: Adding ECN to Transport and Recovery
Thread-Topic: Adding ECN to Transport and Recovery
Thread-Index: AQHT9sK0H8sBCsQDiUuMTPA/hgyVTqRW+DkAgAAEvoCAABm1gIAAXg8AgAAm5gCAALVPgIAAQ7eAgAADFgCAAa0SAIABLgUA//+cLbCAAcXYgP//zEk/
Date: Tue, 12 Jun 2018 12:17:27 +0000
Message-ID: <af85bf371c9f423d88acc4a674e9e3b0@ustx2ex-dag1mb6.msg.corp.akamai.com>
References: <26584f2a-230b-c55e-db16-d32225c8ee4d@ericsson.com> <5a82e9ef-971f-6510-866c-9886e73796a9@ericsson.com> <20180608150833.GB13418@ubuntu-dmitri> <CAKcm_gM_OHgWcJ+ktAg9BCQx1rtHc9GFg2bZG40-NcO2MoVG9w@mail.gmail.com> <CANatvzySuzK9EO13m_UQxb4wZkYW=+6By3QMU5gKXhq69gaUag@mail.gmail.com> <790ec098-9ec9-5eff-4785-d71d9ac92059@huitema.net> <73B82E99-EFEE-4DBC-A2CA-8FA381F33C5E@trammell.ch> <CAKcm_gN-s0XVsGL2LLusvcm5_hp-Z5_9OFMkwph5m_bGMDbAtQ@mail.gmail.com> <55DA3F1D-2B09-4D25-9630-6BC85B68A3AF@huitema.net> <CACpbDcdTtQBLNhhiX_+wWCo-OzVvBKBpS-8RsYRcZ30xhefQZQ@mail.gmail.com> <1023590e-83d4-bed2-640a-f5cd131677d4@ericsson.com> <c89e100409774521b24cbe0c1167d978@ustx2ex-dag1mb6.msg.corp.akamai.com>, <8cbb589e-860b-9007-4f07-adf7c43f037b@ericsson.com>
In-Reply-To: <8cbb589e-860b-9007-4f07-adf7c43f037b@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_af85bf371c9f423d88acc4a674e9e3b0ustx2exdag1mb6msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-12_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806120144
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-12_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806120144
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/NWIRA7hTiW-xwC5_7Kiu8L-ucJk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 12:17:48 -0000
Thanks. So what you are saying is that a requirement for a on-a-side attacker to race cooked packets is what make this attack hard? I can buy this, especially since such an attacker could interfere with the initial version negotiation, too. The only thing that makes an attack on the congestion window nefarious vs an attack on version negotiation is that it leaves the user with an impression that the service is poor vs that the network is interfering with him connecting to the service. -----Original Message----- From: Magnus Westerlund [magnus.westerlund@ericsson.com] Received: Tuesday, 12 Jun 2018, 4:23AM To: Lubashev, Igor [ilubashe@akamai.com]; huitema@huitema.net [huitema@huitema.net]; jri.ietf@gmail.com [jri.ietf@gmail.com] CC: ietf@trammell.ch [ietf@trammell.ch]; quic@ietf.org [quic@ietf.org]; ianswett@google.com [ianswett@google.com] Subject: Re: Adding ECN to Transport and Recovery Hi, So, if the on-a-side attack manages to race its attack packet with CE set so that it arrives prior to the original packet with an ECT code-point it will affect the congestion window. The same way that if an attack can cause periodic network drop of packets for a QUIC connection the connection can't really distinguish this attack from a legit congestion indication signal. So the PR's current security consideration addition says: 12.7. Explicit Congestion Notification Attacks The ECN bits [RFC3168] are an unauthenticated signal from the network. An on-path attacker may manipulate the value of the field. Thus, affecting the congestion avoidance behavior of the sender. By clearing any CE marks the connection can help drive a bottle neck queue into a loss regime. By setting the ECN field to CE marking it can drive down the senders congestion window thus resulting in reduced throughput. The later could equally be accomplished by dropping packets for the connection. Section 18 and 19 of [RFC3168] discusses the effects of undesired manipulation of the ECN field in more details. If a receiver would not have packet duplication detection and not discard any duplicates an off-path attacker that can receive copies of the connection's packets can manipulate the senders congestion avoidance state. If packet duplicates are dropped, the off-path attacker will need to race the original packet to be successful in this attack. If there is a proper on-path attack, then it can accomplish this already to day by dropping packets, so ECN does not create a new vulnerability. The requirement for an on-the-side attacker to successfully race its modified packets make the attack harder to perform, the right situation must exist where the normal route is longer than the route for the attacker, i.e. tap -> attacker -> receiver. And the attacker must be able to tap the flow. >From my perspective, that makes this an attack with limited applicability. Mitigating the attack in either of the QUIC endpoints are also extremely hard. How does a receiver or sender determine that the congestion signals are manipulated? For an attacker that changes an ECT to ECN-CE I don't see there being any reasonable detection mechanism. One would need to generate parallel flow and statistically compare the behaviour of the flows to determine that one flow was manipulated. But, such a flow is likely to be picked up by an attacker as if I am attacking one I would tap the flows using a single source or destination IP as flow template for the traffic that I as an attacker are interested in. For the case where an attacker removes the CE marks, that would be possible to detect by sender side probes injecting CE marked packets, as discussed in this issue: https://github.com/quicwg/base-drafts/issues/1426<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_quicwg_base-2Ddrafts_issues_1426&d=DwMD-g&c=96ZbZZcaMF4w0F4jpN6LZg&r=Djn3bQ5uNJDPM_2skfL3rW1tzcIxyjUZdn_m55KPmlo&m=fCJNH4_GrpJCEuL__VxRjfVtL0Cs4z66XI5BrJPbYi4&s=2_OCqkf4LQgo0ms4jC0p4xPnRUznLuTGsDfIhwcrcYY&e=> My view is that the PR has the necessary text noting the issue and referencing the far more extensive discussion in RFC 3168. We have an issue to continue to discuss additional mitigation. Such mitigation should be written up in a separate PR in my view. Cheers Magnus Den 2018-06-11 kl. 14:18, skrev Lubashev, Igor: I do not think I have seen this in the PR, so I am wondering what your recommendation is for defending against an on-a-side attacker, who sets CE bits on every EC(*) packet and races that packet to the destination? Should that be a part of this PR? - Igor -----Original Message----- From: Magnus Westerlund [magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>] Received: Monday, 11 Jun 2018, 1:15PM To: Jana Iyengar [jri.ietf@gmail.com<mailto:jri.ietf@gmail.com>]; Christian Huitema [huitema@huitema.net<mailto:huitema@huitema.net>] CC: Brian Trammell (IETF) [ietf@trammell.ch<mailto:ietf@trammell.ch>]; Ian Swett [ianswett@google.com<mailto:ianswett@google.com>]; QUIC WG [quic@ietf.org<mailto:quic@ietf.org>] Subject: Re: Adding ECN to Transport and Recovery Hi, I agree with Jana, as there are not a clear consensus lets take any further modifications of the ACK frames as a separate issue. The PR have from my perspective no open technical content issues. I will await to see if the editors or any of you have any editorial issues. But, otherwise I expect this PR to be merged quite soon. I will now start working on a new section for a separate PR regarding the ECN black hole mitigation. Cheers Magnus Den 2018-06-10 kl. 19:14, skrev Jana Iyengar: Sounds like there's general agreement that modifying the varint to contain a flag bit will add unnecessary complexity. Let's try to get the PR in as it is now, and if anyone really wants to go merge this and the ACK frame or rename things, let's paint that bikeshed separately. On Sat, Jun 9, 2018 at 8:39 AM Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>> wrote: > On Jun 9, 2018, at 8:27 AM, Ian Swett <ianswett@google.com<mailto:ianswett@google.com>> wrote: > > QUIC is complex enough, I think we should just call them ACK and ACK_ECN. A few implementations sending at least one ACK_ECN frame per connection will dispel any belief that ACK_ECN is optional. A small amount of use will be a lot more valuable than clever naming. Also, ECN is just one of the extensions that could be planned for ACK. Timestamps would be nice too, for those who want one-way-delay based congestion control. -- Christian Huitema -- Magnus Westerlund ---------------------------------------------------------------------- Network Architecture & Protocols, Ericsson Research ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Torshamnsgatan 23 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com> ---------------------------------------------------------------------- -- Magnus Westerlund ---------------------------------------------------------------------- Network Architecture & Protocols, Ericsson Research ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Torshamnsgatan 23 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com> ----------------------------------------------------------------------
- Re: Adding ECN to Transport and Recovery Magnus Westerlund
- RE: Adding ECN to Transport and Recovery Lubashev, Igor
- Re: Adding ECN to Transport and Recovery Ian Swett
- Re: Adding ECN to Transport and Recovery Eggert, Lars
- RE: Adding ECN to Transport and Recovery Lubashev, Igor
- Re: Adding ECN to Transport and Recovery Magnus Westerlund
- Re: Adding ECN to Transport and Recovery Dmitri Tikhonov
- Re: Adding ECN to Transport and Recovery Magnus Westerlund
- Re: Adding ECN to Transport and Recovery Ian Swett
- Re: Adding ECN to Transport and Recovery Kazuho Oku
- Re: Adding ECN to Transport and Recovery Brian Trammell (IETF)
- Re: Adding ECN to Transport and Recovery Christian Huitema
- Re: Adding ECN to Transport and Recovery Christian Huitema
- Re: Adding ECN to Transport and Recovery Ian Swett
- Re: Adding ECN to Transport and Recovery Jana Iyengar
- RE: Adding ECN to Transport and Recovery Lubashev, Igor
- Re: Adding ECN to Transport and Recovery Magnus Westerlund
- Adding ECN to Transport and Recovery Magnus Westerlund