Re: Is the invariants draft really standards track?

[Martin Duke <martin.h.duke@gmail.com>]

Hi Igor, you might want to check out the "Retry Services" bit of the
QUIC-LB draft. This has something to do with the DDoS use case you discuss.

On Wed, May 27, 2020 at 9:07 AM Lubashev, Igor <ilubashe@akamai.com> wrote:

> I’m working on a manageability draft PR for this (how to rate limit UDP to
> reduce disruption to QUIC if you have to rate limit UDP).  ETA end of the
> week (if I do not get pulled into something again).
>
>
>
> The relevant observation is that DDoS with UDP that is indistinguishable
> from QUIC will happen.  UDP is already the most prevalent DDoS vector,
> since it is easy for a compromised non-admin app to send a flood of huge
> UDP packets (with TCP you get throttled by the congestion controller).  So
> there WILL be DDoS protection devices out there to try to mitigate the
> problem, possibly by observing both directions of the flow and deciding
> whether a packet belongs to a valid flow or not.
>
>
>
> Since such middle boxes will be created, the more explicit and normative
> Invariants are about what one can expect, the less such middle boxes may
> decide for themselves.  For example (I did not think long about it), if
> some elements of path validation could land into Invariants (roughly, “no
> more than X packets/bytes can be sent on a new path w/o a return packet”),
> a DDoS middle box may use this fact and active connection migration might
> still have a chance during an attack (NAT rebinding could be linked by DDoS
> boxes to an old connection via unchanged CID).
>
>
>
>    - Igor
>
>
>
>
>
> *From:* Christian Huitema <huitema@huitema.net>
> *Sent:* Wednesday, May 27, 2020 11:34 AM
>
> On 5/27/2020 8:28 AM, Kyle Rose wrote:
>
> On Wed, May 27, 2020 at 10:34 AM Ian Swett <ianswett=
> 40google.com@dmarc.ietf.org> wrote:
>
> I was agreeing with MT, but I'm happy to see some more MUSTs added if
> people feel that'd be helpful.
>
>
>
> Coincidentally, we were just talking about this internally at Akamai
> yesterday. IMO, an invariants document isn't really helpful if it isn't
> normative, and for it to be normative it (or a related practices doc for
> operators) really needs to spell out clear boundaries for operators with
> MUSTs..
>
>
>
> The example that came up yesterday was around operators filtering QUIC in
> the event of a DDoS: one recommendation based on some conversations going
> back at least to Prague 2019 was to hash packets on 4-tuple and filter
> those below a hash value chosen for a desired ingress limit instead of
> doing what most operators do with UDP today, which is to cap UDP throughput
> and just drop packets randomly or tail drop.
>
> Interesting. Did they consider using the CID, or a fraction of it? This
> looks entirely like the scenario for which we developed stateless retry.
>
>
>
> This recommendation certainly imposes some constraints on future protocol
> development that motivate new invariants: for instance, it would preclude
> sharding a connection across multiple source ports (not that there is
> necessarily a reason to do this; it's just an example). But more
> importantly, it goes beyond invariants: it's one among many practices
> compatible with the current set of invariants, some reasonable and some
> terrible.
>
> This would break the "preferred address" redirection. Preferred address
> migration may or may not be spelled out in the invariants.
>
>
>
> Operators are going to do things to QUIC traffic, so it would be good to
> offer them recommendations that are compatible with broad deployability.
>
>
>
> Yes, we do need the invariants for that.
>
> -- Christian Huitema
>