IETF Logo Mail Archive

Re: Expected Client Response to SERVER_BUSY

Ian Swett <ianswett@google.com> Wed, 20 February 2019 18:52 UTC

Return-Path: <ianswett@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9ED96130E57 for <quic@ietfa.amsl.com>; Wed, 20 Feb 2019 10:52:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emppOkrJuXEw for <quic@ietfa.amsl.com>; Wed, 20 Feb 2019 10:52:30 -0800 (PST)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74899130DBE for <quic@ietf.org>; Wed, 20 Feb 2019 10:52:30 -0800 (PST)
Received: by mail-wm1-x32b.google.com with SMTP id v26so7479955wmh.3 for <quic@ietf.org>; Wed, 20 Feb 2019 10:52:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=e5cOpo9KGwEkjKqrDixl1D4vqnFKNKsTHg4Inv4/eQg=; b=h3L0z19Eqdjx4eqO/UIXWt+Ia+hdkDUFX8q3ycs9RVcAcllrz9npyr4mdFzMeXVoOh B4LVreQwEXwG15cQR4a4ELy8mxkZJVdYs6xpfwZm/+NjW+tEucE3q5ln0v7PcWtiKv4u fR60lr5xy9KP0abxRxQ+dUAb4VL//exr4V08tf/vmyRXj74yrPWmKJjVY72fMI5pVIE7 cj8ZdZunU1kIWqPXZYZVTRwaUn12F7IWSALn5/f1T39RN/RC2S1GlCUxKeGHC0RD1pyU /x8L76JUEDdJsk4lfqKazai7FG3l6s+JR9k5hbCGo8PjrbCjTFVk+JF5C9dgKyonDTJg arSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=e5cOpo9KGwEkjKqrDixl1D4vqnFKNKsTHg4Inv4/eQg=; b=m7Oa4qhSQzQ31AnLi9XevgTJ85BJj8aI/Zgeh9uOKzDPKJwLfY9bMdtXEXb37Hs+9O N0geFYdv8WpmS5Vzx0ttG3oeiPOGjpyme5SkUC0Y+nFd8Ws1WNqRcpjBq+1CaxiilO0Q rR/HYAYXIRZhvC4cpcfKtSk/YdRNT1ZFgA6n6t7UeXZAPqHye/G1AuOFOWXEnKRIWTKX BFu4EgtMu7uxEXFmo1fAAfw79XRP0I7ztgPh7OkF1bzZsmOFP32NMH//LAsSKbsBeHjo F4dneE9KUB43K1TOSoxWmcOgSURPY3sxMKD82hbqo59XJM+04te3YVvUPofj+4TYhNhh Smvg==
X-Gm-Message-State: AHQUAuYupKsBBrbAibrktFh54O8/5DWsoY67CdTR2gidplrxBHc+K6dF msBL6tBIYOJk9rdalHmRPweGnxK06sY/7FdJbfPIHw==
X-Google-Smtp-Source: AHgI3IZGINHTiq59JJ3LbNVMWJIU1c4cBOWQ3CiT8/omBK28gai08brd+pBVqdw08T19nHFpxaI09nE5JUFCN20KBLo=
X-Received: by 2002:a1c:6789:: with SMTP id b131mr7583624wmc.22.1550688748391; Wed, 20 Feb 2019 10:52:28 -0800 (PST)
MIME-Version: 1.0
References: <CY4PR21MB0854341128C64E450E7C2DA2B37C0@CY4PR21MB0854.namprd21.prod.outlook.com> <CAKcm_gPmQiMhzfXnkEB4u+X+84bCbL8FE3Lj3ZdPPQBBu+4uPg@mail.gmail.com> <1AF7E952-4542-4C40-8652-BFFBFA61784A@trammell.ch> <CAKcm_gN11=DcV2v-JrX+Ym88D7P1Ey3rDvYomTf1seemsWDSwA@mail.gmail.com> <CY4PR21MB0854D8F7383CDF72EEDAE9FBB37D0@CY4PR21MB0854.namprd21.prod.outlook.com> <CALZ3u+Zmau+167msd9+OGcU+V00+__yLK83ByNEqvWhm7yFORg@mail.gmail.com> <CY4PR21MB0854E1E9AAF564CD8B12305CB37D0@CY4PR21MB0854.namprd21.prod.outlook.com> <CALZ3u+b_NqyrSAkqiuXnnVVL+T0XiExPDUP5JyuzvZVaXqHtCA@mail.gmail.com> <a861dc7b-c1a4-fa72-649a-4f98050aa6f5@huitema.net>
In-Reply-To: <a861dc7b-c1a4-fa72-649a-4f98050aa6f5@huitema.net>
From: Ian Swett <ianswett@google.com>
Date: Wed, 20 Feb 2019 13:52:16 -0500
Message-ID: <CAKcm_gP5Oh5COQhybaAJXaPEtQQbkdAd6_yrPALbZ9ZGxwHz7A@mail.gmail.com>
Subject: Re: Expected Client Response to SERVER_BUSY
To: Christian Huitema <huitema@huitema.net>
Cc: Töma Gavrichenkov <ximaera@gmail.com>, Nick Banks <nibanks@microsoft.com>, "Brian Trammell (IETF)" <ietf@trammell.ch>, IETF QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Content-Type: multipart/alternative; boundary="00000000000001bf17058257dc1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/yb8CkWjMqFn9I9zrI2ZE3asEyp8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 18:52:34 -0000

Agreed it's not amazing, but stateless reset isn't available until the
handshake completes.  Did you have any suggestions?

On Wed, Feb 20, 2019 at 1:49 PM Christian Huitema <huitema@huitema.net>
wrote:

> Can we do better than an unauthenticated signal to "drop QUIC
> immediately and use something else"?
>
> I understand the desire of protecting servers against DOS attacks, but
> the proposition here allows a middle-box or a man-on-the-side to send an
> unencrypted signal and have the client immediately immediately drop the
> connection. That does not feel right.
>
> -- Christian Huitema
>
>
> On 2/20/2019 7:38 AM, Töma Gavrichenkov wrote:
> > I mean, yes, handling such a case explicitly totally makes sense. I
> > just wanted to point out that there's an additional use case when UDP
> > transmission just suddenly stops under an attack.
> >
> > Note that a DDoS attack towards a QUIC server isn't the only possible
> > scenario, the other one being a DDoS towards a client. In the latter
> > scenario, given the not-so-likely-but-completely-possible case when a
> > newly discovered DDoS amplifying protocol would be using port 443/udp,
> > even selective blackholing won't help to preserve QUIC connectivity.
> > As a matter of fact, there's no way to handle it
> > transport-protocol-wise, but maybe adding a timeout-related suggestion
> > of a SHOULD CONSIDER style to the spec would be a good idea.
> >
> > | Töma Gavrichenkov
> > | gpg: 2deb 97b1 0a3c 151d b67f 1ee5 00e7 94bc 4d08 9191
> > | mailto: ximaera@gmail.com
> > | fb: ximaera
> > | telegram: xima_era
> > | skype: xima_era
> > | tel. no: +7 916 515 49 58
> >
> > On Wed, Feb 20, 2019 at 7:19 AM Nick Banks <nibanks@microsoft.com>
> wrote:
> >> I want to support something a bit more efficient than simple rate
> limiting and packet drops. The client might have relatively large timeout
> in that case before falling back to TCP. If possible, I want to be able to
> give an immediate indication that it should try to fallback.
> >>
> >> - Nick
> >>
> >> -----Original Message-----
> >> From: Töma Gavrichenkov <ximaera@gmail.com>
> >> Sent: Wednesday, February 20, 2019 7:04 AM
> >> To: Nick Banks <nibanks@microsoft.com>
> >> Cc: Ian Swett <ianswett@google.com>; Brian Trammell (IETF)
> <ietf@trammell..ch>; IETF QUIC WG <quic@ietf.org>; Mirja Kühlewind <
> mirja.kuehlewind@tik.ee.ethz.ch>
> >> Subject: Re: Expected Client Response to SERVER_BUSY
> >>
> >> On Wed, Feb 20, 2019 at 6:50 AM Nick Banks <nibanks=
> 40microsoft.com@dmarc.ietf.org> wrote:
> >>> It would be nice to have a way for the server to say “QUIC is
> >>> temporarily unavailable right now, please go use TCP instead.”
> >> One issue here is that under a DDoS attack an ISP would just apply
> selective blackholing or flow specification which would simply drop all the
> incoming UDP traffic to protect the last mile. Depends on the attack
> pattern somewhat, sometimes blackholing might be more granular, but all in
> all you should expect that.
> >>
> >> The only hope here is that a client would interpret response timeout in
> the same way as SERVER_BUSY.
> >>
> >> --
> >> Töma
>

v2.23.0 | Report a Bug | By Email