Re: Is the invariants draft really standards track?

Martin Duke <> Thu, 18 June 2020 00:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0E4CE3A07A6 for <>; Wed, 17 Jun 2020 17:16:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HxCpDr4Of_gx for <>; Wed, 17 Jun 2020 17:16:04 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7DF673A07A5 for <>; Wed, 17 Jun 2020 17:16:04 -0700 (PDT)
Received: by with SMTP id u13so5043587iol.10 for <>; Wed, 17 Jun 2020 17:16:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/ojIUdKSGVERBw0J90WiAOag/iigwn+Ud6qmNa/2E30=; b=pe+eSgdv/plu9JRdASzrF7bL8UX7JIQQZVoas9rEs8YOs8uBf8ClibUuDDT0SFf1kE 7fn7l6l5NW/cpmT0HAnx3nTlBU8avpA5vs6rOvD0pLFXsnkJwWBNpmD6hTPXw8AKpBGD CFIPJIberkRU6mu/dlpPwrp3mnjkPWkFIh2HzgEMhr0RNfHnIQ1gb7n87LtIJsoId2yO n3mlKKKy8IkRay2QfpwHC8Kr1FCIEHX/nsmXMoUxEgPbrqfYPVo1wN9p5PfeFRN+UHVc oc2PvdW4ofV+GloEa6jKpHBxpopa1AnJlXRUGAKdmKh9UWeN0kmjZCkzclZprVMYXoF2 kfEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/ojIUdKSGVERBw0J90WiAOag/iigwn+Ud6qmNa/2E30=; b=PgAxpUOGqjD1colUHfP0XUHwEHoQ3IRlgBabmBkVMjmTRWMeObGwJcVetW7mXLkdYT FmZtK5yaZwg60i2FOVJAN9rzDpp2Pqr+3nSF7H5idwFXbuq7Ja8YiR+99bWdU2XWTZ3O tF25rsUT5nXDtHzRSgC5k2PDk9/dR97lJoo7TcCDtS9NIq16GLhCltVxUa8c732uiMR3 /qi++Cg7TG1eNWyGPMNm76Y6EcK94i+3k3tr49W9Psn/Q4InWPqZl9IQmmRo/+u3R7uo cf/diyqfj8z5AIHq+epRnMu2CGnPVnuISKG5Fga6QdQBd+DLH9lybJzlHWPmXPMQaIo2 d4Vw==
X-Gm-Message-State: AOAM532ZOUUVxu4jRQk/Zx16Ur9tieJX4na1JWbJ8fazTEtM3tlecwBc wFeWVoFlrxKw5l+BLqhGIsYE5tPIiSYRD8/c7UeIbhqj
X-Google-Smtp-Source: ABdhPJwfGDYC2pZk61A2NlUeyhL6K0cf0CpcP3KuF19V7Aoo4x+Hj9VKlIIbtmgrjxv8xXTZRi/RXzEif7Larqriymo=
X-Received: by 2002:a02:3908:: with SMTP id l8mr1516012jaa.121.1592439363497; Wed, 17 Jun 2020 17:16:03 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <>
In-Reply-To: <>
From: Martin Duke <>
Date: Wed, 17 Jun 2020 17:15:52 -0700
Message-ID: <>
Subject: Re: Is the invariants draft really standards track?
To: "Lubashev, Igor" <>
Cc: Christian Huitema <>, Kyle Rose <>, Ian Swett <>, Lars Eggert <>, IETF QUIC WG <>, Jared Mauch <>
Content-Type: multipart/alternative; boundary="00000000000096764d05a850ae80"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Jun 2020 00:16:06 -0000

Hi Igor, you might want to check out the "Retry Services" bit of the
QUIC-LB draft. This has something to do with the DDoS use case you discuss.

On Wed, May 27, 2020 at 9:07 AM Lubashev, Igor <> wrote:

> I’m working on a manageability draft PR for this (how to rate limit UDP to
> reduce disruption to QUIC if you have to rate limit UDP).  ETA end of the
> week (if I do not get pulled into something again).
> The relevant observation is that DDoS with UDP that is indistinguishable
> from QUIC will happen.  UDP is already the most prevalent DDoS vector,
> since it is easy for a compromised non-admin app to send a flood of huge
> UDP packets (with TCP you get throttled by the congestion controller).  So
> there WILL be DDoS protection devices out there to try to mitigate the
> problem, possibly by observing both directions of the flow and deciding
> whether a packet belongs to a valid flow or not.
> Since such middle boxes will be created, the more explicit and normative
> Invariants are about what one can expect, the less such middle boxes may
> decide for themselves.  For example (I did not think long about it), if
> some elements of path validation could land into Invariants (roughly, “no
> more than X packets/bytes can be sent on a new path w/o a return packet”),
> a DDoS middle box may use this fact and active connection migration might
> still have a chance during an attack (NAT rebinding could be linked by DDoS
> boxes to an old connection via unchanged CID).
>    - Igor
> *From:* Christian Huitema <>
> *Sent:* Wednesday, May 27, 2020 11:34 AM
> On 5/27/2020 8:28 AM, Kyle Rose wrote:
> On Wed, May 27, 2020 at 10:34 AM Ian Swett <ianswett=
>> wrote:
> I was agreeing with MT, but I'm happy to see some more MUSTs added if
> people feel that'd be helpful.
> Coincidentally, we were just talking about this internally at Akamai
> yesterday. IMO, an invariants document isn't really helpful if it isn't
> normative, and for it to be normative it (or a related practices doc for
> operators) really needs to spell out clear boundaries for operators with
> MUSTs..
> The example that came up yesterday was around operators filtering QUIC in
> the event of a DDoS: one recommendation based on some conversations going
> back at least to Prague 2019 was to hash packets on 4-tuple and filter
> those below a hash value chosen for a desired ingress limit instead of
> doing what most operators do with UDP today, which is to cap UDP throughput
> and just drop packets randomly or tail drop.
> Interesting. Did they consider using the CID, or a fraction of it? This
> looks entirely like the scenario for which we developed stateless retry.
> This recommendation certainly imposes some constraints on future protocol
> development that motivate new invariants: for instance, it would preclude
> sharding a connection across multiple source ports (not that there is
> necessarily a reason to do this; it's just an example). But more
> importantly, it goes beyond invariants: it's one among many practices
> compatible with the current set of invariants, some reasonable and some
> terrible.
> This would break the "preferred address" redirection. Preferred address
> migration may or may not be spelled out in the invariants.
> Operators are going to do things to QUIC traffic, so it would be good to
> offer them recommendations that are compatible with broad deployability.
> Yes, we do need the invariants for that.
> -- Christian Huitema