Re: Re: Fast Address Validation - about
Töma Gavrichenkov <ximaera@gmail.com> Fri, 01 November 2019 16:35 UTC
Return-Path: <ximaera@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52E95120A1D for <quic@ietfa.amsl.com>; Fri, 1 Nov 2019 09:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zk2rVEweboUH for <quic@ietfa.amsl.com>; Fri, 1 Nov 2019 09:35:20 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3092120A08 for <quic@ietf.org>; Fri, 1 Nov 2019 09:35:20 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id g38so3763741ybe.11 for <quic@ietf.org>; Fri, 01 Nov 2019 09:35:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=YQ6hErgG9o9h6FHQQtuwtOhv/cD4WTyAucPFiYfaj84=; b=WV1YR68A5SF2BtnnttDzcvXLWxgNvf987EOw9sXWTYuEDLnPinR73AUiELgXzuUpBT qAN4twXskXQRzYqgBI8kFetxw1+DygqrhgwmAQA5cRVQec32rmswifIhQDmvPo6npXgN So7fecRWHCkrmhgLdiuOajz1t3JtWGpZSl4YrBmd15rE0aQOrd+WfUJ/wVb771r9NsPw vkDWAPH4j9hv48XOKhm1zHWu3jqctnY8RQHjasSBqfafsxY3PRhH5qNk+olBOZTeOiw0 UIzfH7AGjnotI3K1FktrDoF7iYXi5XeI0Y1kZaYBQqcXoHZGKPX7zXaifcB3T1HoskuF nDYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=YQ6hErgG9o9h6FHQQtuwtOhv/cD4WTyAucPFiYfaj84=; b=K3We/zRZZpycbcTqqZeqWyD975EEzTrJCSPgR+MLpAfidNN9sa8CZM/QEkmZbml8P3 fm9+SJgGihpveyyTES1c5wLwMrcCAl1hWJi3O7KM4L5CWl6vGNoD88MqX2KkRAfnOdsP nkfBfOIPyJ1RcJ/GFYTAoaxSM0K3CCBNLH9tmwP6773tzn5FCfWrMJF47e+4TLDBssEj F0VWm2EfJzFhCEAEpBXYO5me6yDnSYS+1K8fei5/jIdJ0yoxA9Ni6hFVj1FA1kLXwmux DDnzZa/aOYfkwv9jJamHuMZDixajD8elDrUbCN+O4cLIj/gW3QG2zw27WBu46luGgnvi dQ3Q==
X-Gm-Message-State: APjAAAVWcTfAHui06ziCHCjFBZOwLWaPwXZHH01Zcl/IOfjzi9M2noaa C5Q8pEZh5eCp3L8JR2tBF3Q2EZ0iLCYmm+paV4E=
X-Google-Smtp-Source: APXvYqwxsau2XkJPjiNgX4Mv6hSCiria/kfh4bhDxGvHscHrMxhB+DdrYe2EYE+fXFUtnRnlzt6r+erTtCWLxUFJPQA=
X-Received: by 2002:a25:14d6:: with SMTP id 205mr9604686ybu.230.1572626119465; Fri, 01 Nov 2019 09:35:19 -0700 (PDT)
MIME-Version: 1.0
References: <4974ed86-0fa9-435d-880f-80af637ef180.anqing.aq@alibaba-inc.com> <CALZ3u+YyOQxA5zBxkhDj9-wObfqjxPxPyXH9PumaW79DNkKjsg@mail.gmail.com> <6ab3b6d6-7638-4b96-b2a3-4212f747a7af.anqing.aq@alibaba-inc.com> <CALZ3u+ZaHzbNEzUsUa2bYXy2eB+fgkyzSDQir_mtTyLrrcAm7A@mail.gmail.com> <cee17fee-fed3-497b-82fc-5deda3d0f565.anqing.aq@alibaba-inc.com>
In-Reply-To: <cee17fee-fed3-497b-82fc-5deda3d0f565.anqing.aq@alibaba-inc.com>
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Fri, 01 Nov 2019 19:35:05 +0300
Message-ID: <CALZ3u+ZdOrdAJXDEemsemEuikdfeEWkeBfYhPW1CfwFsn-Ahzg@mail.gmail.com>
Subject: Re: Re: Fast Address Validation - about
To: Qing An <anqing.aq@alibaba-inc.com>
Cc: IETF QUIC WG <quic@ietf.org>, "jri.ietf" <jri.ietf@gmail.com>, mt <mt@lowentropy.net>, Max <max.ldp@alibaba-inc.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/nnf-UtEzCKbL4N2YmA6gD_If9Gw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 16:35:22 -0000
On Fri, Nov 1, 2019 at 5:47 PM Qing An <anqing.aq@alibaba-inc.com> wrote: > For initial flood, there are approaches like > source address statistics This is a very rough and biased method at best. Generally (which would be IMNSHO 98% of the cases), the statistics about past events doesn't tell you with an accuracy anywhere close to being reliable if this particular new packet could be from spoofed source or not. E.g. an attacker who would generate spoofed packets from the typical source addresses for your type of business in your country (e.g. popular cellular NAT pools for news sites) would circumvent that check easily. With the overwhelming majority of HTTPS resources there's hardly any point in giving the latter a shot. > and speed limitation. And you'll be limiting the speed for legitimate clients as well in the above example (and many other scenarios). This is a nice way to amplify the effects of an attack, much less to handle those. *** With the greatest of respect, speaking more broadly, please take into account that a good engineering practice (no matter if it's Internet engineering or whatever) must not rely on the assumption that something which is perceived as typical would always happen, and something perceived as non-typical would never occur just because it has to date never occurred in the past. The example commonly seen in university books on engineering would be e.g. the Oppau explosion — caused by the factory workers tearing through ammonium with dynamite, just because ammonium has never detonated during that operation before and was thus believed to be unlikely to explode in future. An example more close to the content of this WG would be middlebox vendors hard-coding "typical" protocol behaviour into their products (causing transport protocol ossification which the WG spends I believe no less than 50% of time fighting against) just because the said vendors do not appear to see the standard but non-typical behaviour in their sample network dumps. Both approaches you propose are vulnerable to a few simple circumvention techniques, and while I totally accept that probably you've never seen those techniques applied against your network, they are quite extensively documented. Therefore it's hard to see, at least for me, why the IETF should account for the flawed mitigation approaches during the transport protocol design. -- Töma
- Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- RE: Fast Address Validation - about Mike Bishop
- Re: Fast Address Validation - about Martin Thomson
- Re: Fast Address Validation - about Qing An
- RE: Fast Address Validation - about Mike Bishop
- Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Marten Seemann
- Re: Fast Address Validation - about Töma Gavrichenkov
- Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- Re: Fast Address Validation - about Töma Gavrichenkov
- Re:Re: Fast Address Validation - about Qing An
- Re:Re: Fast Address Validation - about Qing An
- Re:Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- Re: Re: Fast Address Validation - about Töma Gavrichenkov
- Re: Fast Address Validation - about Töma Gavrichenkov
- Re: Fast Address Validation - about Jana Iyengar
- Re:Re: Fast Address Validation - about Qing An
- Re:Re:Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Christian Huitema
- Re:Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Christian Huitema
- Re:Re:Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- Re: Fast Address Validation - about Christian Huitema