RE: Should QUIC have a path-verifiable proof of source address?
Dave Dolson <ddolson@sandvine.com> Wed, 31 May 2017 17:14 UTC
Return-Path: <ddolson@sandvine.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 445D8129AB2 for <quic@ietfa.amsl.com>; Wed, 31 May 2017 10:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XJUnLzizIKls for <quic@ietfa.amsl.com>; Wed, 31 May 2017 10:14:12 -0700 (PDT)
Received: from mail1.sandvine.com (Mail1.sandvine.com [64.7.137.134]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 258F3129A96 for <quic@ietf.org>; Wed, 31 May 2017 10:14:04 -0700 (PDT)
Received: from WTL-EXCHP-1.sandvine.com ([fe80::ac6b:cc1e:f2ff:93aa]) by wtl-exchp-2.sandvine.com ([::1]) with mapi id 14.03.0319.002; Wed, 31 May 2017 13:14:01 -0400
From: Dave Dolson <ddolson@sandvine.com>
To: "Brian Trammell (IETF)" <ietf@trammell.ch>, Erik Kline <ek@google.com>
CC: QUIC WG <quic@ietf.org>
Subject: RE: Should QUIC have a path-verifiable proof of source address?
Thread-Topic: Should QUIC have a path-verifiable proof of source address?
Thread-Index: AQHS2gSJtVPz9+3NT0qZMF6P90IGe6IOmwKAgAAV9wCAAAW+gIAAHi+A///Y8nA=
Date: Wed, 31 May 2017 17:14:01 +0000
Message-ID: <E8355113905631478EFF04F5AA706E98705F9220@wtl-exchp-1.sandvine.com>
References: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch> <CAAedzxr2VyXpvvz8iyiyUWUZA4TZeWfCY58-tDgNfhRHqg5Oqg@mail.gmail.com> <C46523AE-6145-4CF1-9ED3-791F87DE9E3E@trammell.ch> <CAAedzxp5bvFDruo4hesa7nXDPiLSet-V8i+yD5JwjEQUg-PUGQ@mail.gmail.com> <54DB143C-3E91-4AB0-9132-8194A9AB0010@trammell.ch>
In-Reply-To: <54DB143C-3E91-4AB0-9132-8194A9AB0010@trammell.ch>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.200.114]
x-c2processedorg: b2f06e69-072f-40ee-90c5-80a34e700794
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/RInetBYwlajy0QyFdkYSJ1df38A>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 May 2017 17:14:13 -0000
> ... the whole point of spoof rejection as it's currently deployed is to reduce load on the endpoints I would add, to also reduce load on the network. In many cases the network (or one link thereof) presents more of a bottleneck than the capacity of the endpoint. In such cases, mitigation at the receiver is too late. -Dave -----Original Message----- From: QUIC [mailto:quic-bounces@ietf.org] On Behalf Of Brian Trammell (IETF) Sent: Wednesday, May 31, 2017 11:31 AM To: Erik Kline Cc: QUIC WG Subject: Re: Should QUIC have a path-verifiable proof of source address? > On 31 May 2017, at 15:43, Erik Kline <ek@google.com> wrote: > > A comment and request to make a distinction (though I know it's complicated). > > [ comment ] > Anything on-path boxes can do analytically can become a point of policy control in a vendor's marketing slide deck. There is only embrittlement down this road, I fear. Of course. The higher-level argument I'm making behind this whole line of questioning is that there is a principle of conservation of (perceived) control in the deployed Internet, and that this will cause embrittlement to happen anyway. By being explicit and conservative about our aims for what can be done with the QUIC wire image by devices on path, we as protocol designers gain some measure of control over where this embrittlement occurs. > [ (complicated) distinction ] > I would like to argue that there is a distinction between: > > [1] on-path elements that are within the administrative domains of either end-point ("administratively related to an endpoint") and > > [2] on-path elements in administrative domains not associated (except by peering/transit) with either endpoint. > > It might be possible to permit analysis (and therefore policy enforcement) by the former and not the latter, if we assume there can be some cooperation with endpoints and on-path elements in their administrative domain. If possible, I think this might give the best of both worlds: the benefits of analysis and policy enforcement but only afforded to the endpoints and their administrative domains (no interference from unrelated parties). In general, I agree with you that there's a useful distinction here. And I agree completely that this function, spoofed traffic recognition and rejection, only really makes sense within the receiver's administrative domain. (...and now, ignoring my own entreaty to focus on requirements as opposed to mechanisms in this aside...) Making this distinction leveragable at runtime, however, is tricky: you need some way to establish trust with those devices; and either something like out-of-band like PCP, relying on on the "local to the path" endpoint to use it; or a much more elaborate inline signaling mechanism than IMO it makes sense to wedge into QUIC. With respect to this *specific* question, though, I don't see how this would work with respect to spoofed traffic detection/rejection, since any design pattern leveraging this distinction necessarily involves the endpoints, and the whole point of spoof rejection as it's currently deployed is to reduce load on the endpoints. Cheers, Brian
- Should QUIC have a path-verifiable proof of sourc… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Erik Kline
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Erik Kline
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- RE: Should QUIC have a path-verifiable proof of s… Dave Dolson
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Martin Thomson
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Mirja Kühlewind
- Re: Should QUIC have a path-verifiable proof of s… Brian Trammell (IETF)
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Mirja Kühlewind
- Re: Should QUIC have a path-verifiable proof of s… Eggert, Lars
- Re: Should QUIC have a path-verifiable proof of s… Eggert, Lars
- Re: Should QUIC have a path-verifiable proof of s… Christian Huitema
- Re: Should QUIC have a path-verifiable proof of s… Watson Ladd