Re: Should QUIC have a path-verifiable proof of source address?

"Eggert, Lars" <lars@netapp.com> Sat, 03 June 2017 14:53 UTC

From: "Eggert, Lars" <lars@netapp.com>
To: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
CC: Christian Huitema <huitema@huitema.net>, "quic@ietf.org" <quic@ietf.org>
Subject: Re: Should QUIC have a path-verifiable proof of source address?
Date: Sat, 03 Jun 2017 14:48:44 +0000
Message-ID: <77A01CE3-5779-470F-A9EF-E49B057D5381@netapp.com>
References: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch> <30eb5292-ac11-9772-b088-03b1f2fe372b@huitema.net> <CABkgnnWEg0N0WYsdMzsPT--MpRSQ7g2ysu2DvwenQ+mQpo6Anw@mail.gmail.com> <40dc8d2a-92ec-e6f1-b2b8-f4c447313cf5@tik.ee.ethz.ch> <2856C4A2-FB68-425D-8B34-043A7EF005E9@trammell.ch> <79aeac00-c1eb-069a-2b21-018a8b393546@huitema.net> <B49EEE9E-A985-4235-A7AF-3BD13159E21D@tik.ee.ethz.ch>
In-Reply-To: <B49EEE9E-A985-4235-A7AF-3BD13159E21D@tik.ee.ethz.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_wIEYwRe_EGbj2V94NBc1y7uq1s>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>

Hi,

On 2017-6-3, at 16:22, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> wrote:
> Are you proposing that if you don’t see a reply from the server (leg 2) for a while (whatever a while means), you block the incoming traffic from that IP address? That sounds dangerous to me as a middlebox function.

but that's what middleboxes already do - they drop the binding if there is no bidirectional traffic for a while. Maybe the timeout for this is longer than is needed for DDoS defense, but it's not a new behavior.

Lars