RE: Proposal: Increase QUIC Amplification Limit to 5x

Nick Banks <nibanks@microsoft.com> Wed, 31 July 2024 16:41 UTC

From: Nick Banks <nibanks@microsoft.com>
To: Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Christian Huitema <huitema@huitema.net>
Subject: RE: Proposal: Increase QUIC Amplification Limit to 5x
Date: Wed, 31 Jul 2024 16:41:28 +0000
Message-ID: <DM4PR21MB3130A7C56A8D0D5C41FA9F59B3B12@DM4PR21MB3130.namprd21.prod.outlook.com>
References: <BL1PR21MB31152570F4497EBE91B3AF9FB3B02@BL1PR21MB3115.namprd21.prod.outlook.com> <4aac2fae-ddc6-453c-b974-751a7a37967c@redbarn.org> <ac725575-da13-4365-90ce-8ea55bc46e72@huitema.net> <CAKcm_gOCJha0ey38+L3MUEmCxdid4NoJQUVXzp=qaVM0Sh-QCg@mail.gmail.com>
In-Reply-To: <CAKcm_gOCJha0ey38+L3MUEmCxdid4NoJQUVXzp=qaVM0Sh-QCg@mail.gmail.com>
CC: Paul Vixie <paul@redbarn.org>, IETF QUIC WG <quic@ietf.org>
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/gQgGDZNumX93UISVrtB5Tc9vVvM>

Unfortunately, we don’t support certificate compression yet. I’d also be interested in seeing the data with that enabled. I need to go see if/how I can use that with OpenSSL.

- Nick

From: Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Sent: Wednesday, July 31, 2024 12:07 PM
To: Christian Huitema <huitema@huitema.net>
Cc: Paul Vixie <paul@redbarn.org>; IETF QUIC WG <quic@ietf.org>; Nick Banks <nibanks@microsoft.com>
Subject: Re: Proposal: Increase QUIC Amplification Limit to 5x

We found that once we deployed certificate compression, we could typically keep the cert under 3 packets, but without it, we typically went over.  I believe one reason the QUIC WG chose 3 is because we had data to show that most certificates were small enough once compressed to enable a 1 RTT handshake.

I'd be curious what your results are with and without certificate compression in your client?

On Wed, Jul 31, 2024 at 11:15 AM Christian Huitema <huitema@huitema.net> wrote:


On 7/30/2024 5:52 PM, Paul Vixie wrote:
> Do we know a reason why the system's behavior won't move beyond the new
> limit the same way it moved beyond the old one? If it's some bizarre
> kind of leaky bucket let's have the showdown now rather than later when
> everything is larger and ossification has begun.

The concern is that the wily hackers will send a single UDP "initial"
packet to a server, and the server will reply with a complete flight
of packets including key exchanges, parameters and certificates. Send
1.2KB to the server, see the server send back 5, 6 or maybe 10 packets
to the source IP of the UDP packet. With that the DDOS attack has been
"amplified" 5, 6 or maybe 10 times.

The amplification limit is there to limit the usefulness of QUIC servers
for these DDOS attackers. The value 3 was chosen because with
"reasonable" configurations the server's first flight fits in 2 or 3
packets, and that there are many UDP services that provide more than 3x
amplification (see
https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks)

But if we loosen the QUIC amplification limit while other services are
tightening, that situation will change.

-- Christian Huitema
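
The accounting the thread is arguing about, written out as an added example (not code from this thread, from msquic, or from any other named implementation). It models the RFC 9000 Section 8.1 rule: before the client's address is validated, the server may send at most N times the bytes it has received from that address, with N = 3 today. Packets that do not fit the budget wait for the client's next datagram, which is what turns a "3 packets or fewer" first flight into a 1-RTT handshake and a larger one into 2 RTTs. The 1200-byte client Initial is the RFC minimum; the 900-byte per-flight overhead, the 2000-byte "compressed" and 4000-byte "uncompressed" chain sizes, and the 100-byte client Handshake packet are constructed assumptions for illustration, not measurements from any deployment.

```python
"""Model of QUIC's anti-amplification limit (RFC 9000, Section 8.1).

Added example; not code from this thread or from any named implementation.
Before a server has validated a client's address, it may send at most
`limit` times the number of bytes it has received from that address.
The packet sizes and the per-flight overhead below are constructed
assumptions for illustration, not measurements.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CLIENT_INITIAL_MIN = 1200  # RFC 9000 s14.1: a client pads Initial datagrams to >= 1200 bytes


@dataclass
class UnvalidatedPeer:
    """Per-address accounting a server keeps until the peer proves it owns the address."""
    limit: int = 3
    received: int = 0
    sent: int = 0
    validated: bool = False
    pending: List[int] = field(default_factory=list)  # packet sizes waiting for budget

    def on_datagram(self, size: int, validates: bool = False) -> None:
        """Count bytes from the peer. validates=True models a packet that proves
        the address is genuine: a Handshake packet (only a peer that received the
        server's Initial can build one) or an Initial carrying a valid Retry token."""
        self.received += size
        if validates:
            self.validated = True

    def remaining(self) -> int:
        """Bytes the server may still send before address validation."""
        return self.limit * self.received - self.sent

    def send(self, packet_sizes: List[int]) -> List[int]:
        """Send whole packets while the budget allows; queue the rest.
        A queued packet is not sent until the peer sends again, which costs one RTT."""
        self.pending.extend(packet_sizes)
        out: List[int] = []
        while self.pending and (self.validated or self.pending[0] <= self.remaining()):
            size = self.pending.pop(0)
            self.sent += size
            out.append(size)
        return out

    def amplification(self) -> float:
        """Bytes reflected toward the (possibly spoofed) source per byte received."""
        return self.sent / self.received if self.received else 0.0


def first_flight(cert_chain_bytes: int, max_packet: int = 1200, fixed_overhead: int = 900) -> List[int]:
    """Split a server's first flight into max_packet-sized packets.
    fixed_overhead is a constructed stand-in for everything other than the
    certificate chain (packet headers, ServerHello key share, CertificateVerify,
    Finished, transport parameters)."""
    total = fixed_overhead + cert_chain_bytes
    sizes: List[int] = []
    while total > 0:
        sizes.append(min(max_packet, total))
        total -= max_packet
    return sizes


def simulate_initial_exchange(flight: List[int], limit: int = 3,
                              client_initial: int = CLIENT_INITIAL_MIN) -> Dict[str, object]:
    """One client Initial in, as much of the server's first flight out as the limit permits."""
    peer = UnvalidatedPeer(limit=limit)
    peer.on_datagram(client_initial)
    sent = peer.send(flight)
    return {
        "sent_packets": len(sent),
        "withheld_packets": len(peer.pending),
        "bytes_sent": sum(sent),
        "amplification": peer.amplification(),
        "one_rtt_handshake": not peer.pending,  # whole flight left in one round trip
    }


def complete_after_validation(flight: List[int], limit: int = 3) -> Tuple[int, int]:
    """Packets sent before and after the client's Handshake packet validates the address."""
    peer = UnvalidatedPeer(limit=limit)
    peer.on_datagram(CLIENT_INITIAL_MIN)
    before = peer.send(flight)
    peer.on_datagram(100, validates=True)  # constructed size for the client's Handshake packet
    after = peer.send([])                 # validated: the withheld packets drain
    return len(before), len(after)


if __name__ == "__main__":
    # Constructed ~2 KB (compressed) chain fits the 3x budget; ~4 KB (uncompressed) does not.
    for label, chain in (("compressed", 2000), ("uncompressed", 4000)):
        print(label, simulate_initial_exchange(first_flight(chain)))
    # Raising the limit to 5 lets the 5-packet flight out in one RTT, and lets an
    # attacker with a spoofed source reflect 5x the Initial's bytes onto the victim.
    print("limit 5:", simulate_initial_exchange(first_flight(4000), limit=5))
```

The same `UnvalidatedPeer` serves both sides of the argument: `amplification()` is the reflected-bytes ratio Christian describes (capped at `limit` because the spoofed "client" never sends the validating Handshake packet), and `one_rtt_handshake` is the property Ian's certificate-compression data was about. Changing `limit` from 3 to 5 moves both numbers together, which is the trade-off the proposal has to justify.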