IETF Logo Mail Archive

Re: Should QUIC have a path-verifiable proof of source address?

"Brian Trammell (IETF)" <ietf@trammell.ch> Wed, 31 May 2017 15:31 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 348981243F6 for <quic@ietfa.amsl.com>; Wed, 31 May 2017 08:31:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wzisTJt59jCW for <quic@ietfa.amsl.com>; Wed, 31 May 2017 08:31:19 -0700 (PDT)
Received: from capri.iway.ch (capri.iway.ch [IPv6:2001:8e0:40:325::45]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8B51293E3 for <quic@ietf.org>; Wed, 31 May 2017 08:31:19 -0700 (PDT)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 21DEA340D4D; Wed, 31 May 2017 17:31:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/7408.4874); Wed, 31 May 2017 17:31:16 +0200 (CEST)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Wed, 31 May 2017 17:31:16 +0200 (CEST)
Received: from [195.176.110.241] (account ietf@trammell.ch HELO public-docking-etx-2691.ethz.ch) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.14) with ESMTPSA id 19273288; Wed, 31 May 2017 17:31:16 +0200
Subject: Re: Should QUIC have a path-verifiable proof of source address?
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_FACF53B4-4CD2-49B0-B279-97A207A86E20"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
In-Reply-To: <CAAedzxp5bvFDruo4hesa7nXDPiLSet-V8i+yD5JwjEQUg-PUGQ@mail.gmail.com>
Date: Wed, 31 May 2017 17:31:15 +0200
Cc: QUIC WG <quic@ietf.org>
Message-Id: <54DB143C-3E91-4AB0-9132-8194A9AB0010@trammell.ch>
References: <179F2CCB-89DB-4E6E-9175-F850F89B4E5F@trammell.ch> <CAAedzxr2VyXpvvz8iyiyUWUZA4TZeWfCY58-tDgNfhRHqg5Oqg@mail.gmail.com> <C46523AE-6145-4CF1-9ED3-791F87DE9E3E@trammell.ch> <CAAedzxp5bvFDruo4hesa7nXDPiLSet-V8i+yD5JwjEQUg-PUGQ@mail.gmail.com>
To: Erik Kline <ek@google.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/dKkuQFB52E8Lx4UOBb3LBp6Zu18>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 May 2017 15:31:22 -0000

> On 31 May 2017, at 15:43, Erik Kline <ek@google.com> wrote:
> 
> A comment and request to make a distinction (though I know it's complicated).
> 
> [ comment ]
> Anything on-path boxes can do analytically can become a point of policy control in a vendor's marketing slide deck.  There is only embrittlement down this road, I fear.

Of course.

The higher-level argument I'm making behind this whole line of questioning is that there is a principle of conservation of (perceived) control in the deployed Internet, and that this will cause embrittlement to happen anyway. By being explicit and conservative about our aims for what can be done with the QUIC wire image by devices on path, we as protocol designers gain some measure of control over where this embrittlement occurs.

> [ (complicated) distinction ]
> I would like to argue that there is a distinction between:
> 
>     [1] on-path elements that are within the administrative domains of either end-point ("administratively related to an endpoint") and
> 
>     [2] on-path elements in administrative domains not associated (except by peering/transit) with either endpoint.
> 
> It might be possible to permit analysis (and therefore policy enforcement) by the former and not the latter, if we assume there can be some cooperation with endpoints and on-path elements in their administrative domain.  If possible, I think this might give the best of both worlds: the benefits of analysis and policy enforcement but only afforded to the endpoints and their administrative domains (no interference from unrelated parties).

In general, I agree with you that there's a useful distinction here. And I agree completely that this function, spoofed traffic recognition and rejection, only really makes sense within the receiver's administrative domain.

(...and now, ignoring my own entreaty to focus on requirements as opposed to mechanisms in this aside...)

Making this distinction leveragable at runtime, however, is tricky: you need some way to establish trust with those devices; and either something like out-of-band like PCP, relying on on the "local to the path" endpoint to use it; or a much more elaborate inline signaling mechanism than IMO it makes sense to wedge into QUIC.

With respect to this *specific* question, though, I don't see how this would work with respect to spoofed traffic detection/rejection, since any design pattern leveraging this distinction necessarily involves the endpoints, and the whole point of spoof rejection as it's currently deployed is to reduce load on the endpoints.

Cheers,

Brian

v2.23.0 | Report a Bug | By Email