IETF Logo Mail Archive

Re: [re-ECN] Preferential Dropping

Bob Briscoe <rbriscoe@jungle.bt.co.uk> Thu, 20 May 2010 17:22 UTC

Return-Path: <rbriscoe@jungle.bt.co.uk>
X-Original-To: re-ecn@core3.amsl.com
Delivered-To: re-ecn@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7FA213A6C06 for <re-ecn@core3.amsl.com>; Thu, 20 May 2010 10:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.738
X-Spam-Level:
X-Spam-Status: No, score=0.738 tagged_above=-999 required=5 tests=[AWL=-0.744, BAYES_60=1, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3Bedhp2C98B for <re-ecn@core3.amsl.com>; Thu, 20 May 2010 10:22:24 -0700 (PDT)
Received: from smtp2.smtp.bt.com (smtp2.smtp.bt.com [217.32.164.150]) by core3.amsl.com (Postfix) with ESMTP id 39CEC3A6960 for <re-ecn@ietf.org>; Thu, 20 May 2010 10:20:56 -0700 (PDT)
Received: from i2kc06-ukbr.domain1.systemhost.net ([193.113.197.70]) by smtp2.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 20 May 2010 18:20:49 +0100
Received: from cbibipnt05.iuser.iroot.adidom.com ([147.149.196.177]) by i2kc06-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(6.0.3790.4675); Thu, 20 May 2010 18:20:49 +0100
Received: From bagheera.jungle.bt.co.uk ([132.146.168.158]) by cbibipnt05.iuser.iroot.adidom.com (WebShield SMTP v4.5 MR1a P0803.399); id 1274376048454; Thu, 20 May 2010 18:20:48 +0100
Received: from MUT.jungle.bt.co.uk ([10.73.131.68]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id o4KHKipS013825; Thu, 20 May 2010 18:20:45 +0100
Message-Id: <201005201720.o4KHKipS013825@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 20 May 2010 18:20:51 +0100
To: McCann Peter-A001034 <pete.mccann@motorola.com>
From: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
In-Reply-To: <274D46DDEB9F2244B2F1EA66B3FF54BC06B2FA2F@de01exm70.ds.mot. com>
References: <20100517143717.GF2670@verdi> <274D46DDEB9F2244B2F1EA66B3FF54BC06B2F753@de01exm70.ds.mot.com> <20100517162109.GH2670@verdi> <201005171741.o4HHf4fM001778@bagheera.jungle.bt.co.uk> <274D46DDEB9F2244B2F1EA66B3FF54BC06B2FA2F@de01exm70.ds.mot.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
X-OriginalArrivalTime: 20 May 2010 17:20:49.0607 (UTC) FILETIME=[CAB70D70:01CAF840]
Cc: re-ecn@ietf.org
Subject: Re: [re-ECN] Preferential Dropping
X-BeenThere: re-ecn@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: re-inserted explicit congestion notification <re-ecn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/re-ecn>, <mailto:re-ecn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/re-ecn>
List-Post: <mailto:re-ecn@ietf.org>
List-Help: <mailto:re-ecn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/re-ecn>, <mailto:re-ecn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 17:22:34 -0000

Pete,

Still off the topic of chartering...

At 21:11 17/05/2010, McCann Peter-A001034 wrote:
>Hi, Bob,
>
>Thanks for the explanation.
>
>Bob Briscoe wrote:
> > The analysis I did on this showed that re-ECN can raise the bar
> > against DDoS so that the army has to be N times bigger to achieve the
> > same *sustained* attack force, where N=1/p and p is the 'normal'
> > level of congestion in the network. E.g. if normal congestion is
> > 0.001%, a sustained attack against a re-ECN internetwork has to be
> > 100,000 times bigger to cause the same damage as it could against a
> > network without re-ECN.
> >
> > Obviously, there are assumptions and details, but that was the
> > take-home message. If anyone wants more details, just ask.
>
>I'm curious about your definition of "damage".  Was it just "causing
>a given loss probability on a particular target link"?

Correct

>It seems like
>there are other costs in a DDoS attack on a re-ECN enabled network, such
>as causing well-behaving users to consume their black token allotment,

Correct. Or slowing their bit-rate to consume 
their token allotment more slowly.

>making them less able to respond to congestion for some time after the
>attack.

I think you mean "less able to contribute to congestion..."

>But then, I guess the philosophy of re-ECN is that if you
>experience
>congestion, you are also causing it, so those well-behaving users that
>marked near 100% should also be "held responsible" for the DoS attack...

Indeed.

I have pointed out before that attacking during a 
flash crowd is the most cost-effective strategy 
an attacker can adopt — then the infrastructure 
is most valuable to most genuine users, and it 
takes least extra malicious effort to tip it into 
overload. See <http://www.bobbriscoe.net/projects/refb/#refb_dplinc>

Imagine three types of users in such a situation:
1) a 'genuine' member of the flash crowd who slows in response to congestion
2) a 'genuine' member of the flash crowd who is unresponsive to congestion
3) an attacker who is unresponsive to congestion

IMHO it is not unreasonable for the system to 
throttle down 2 & 3 the same, at least by 
default. They may have different intent 
(selfishness as opposed to malice), but they have 
the same outward effect on everyone else.


>My assumption was that this dropping should happen at any congested
>link, not just the egress, for maximum effectiveness.  (Btw, is this
>different from the behavior you propose for an "egress dropper"?  That
>wasn't clear to me from the documentation.)

Sorry; I'll be clearer: This OPTIONAL 
preferential dropping could be at any IP-aware 
link vulnerable to DDoS. It's not needed at all 
for re-ECN to work. It's not proposed for initial 
chartering (this thread is for light techie 
relief). Nonetheless, if a network is using 
re-ECN already for other reasons, and a queue 
under attack has to drop stuff, re-ECN is 
designed so that a router can easily distinguish 
stuff not obeying the protocol and drop it first.

The 'egress dropper' proposed in 
draft-briscoe-re-ecn-tcp-motivation is very 
different. It uses drop to punish cheating (not 
because it's overloaded itself). This egress 
dropper (or something like it) is needed to 
asssure the integrity of re-ECN markings against 
cheaters. It's only needed at the egress of the 
internetwork, not at every link. A simplifed 
variant could be useful at an interior egress 
(border), but may not be necessary.


>How often do you think this technique would need 
>to be invoked on a core Internet router?

You might be able to protect core routers from 
DDoS by good network design (e.g. ECMP and 
over-provisioning). But if this still isn't 
enough, preferential drop based on re-ECN might 
be the lightest possible *self-protection* a core 
router could adopt against DDoS. It doesn't rely 
on the addresses in packets so we claim it is 
robust against SYN attacks and spoofed source 
addresses (unlike the scrubbing solutions used 
today, which rely on attacks not bothering to obfuscate themselves very well).

>Do you agree that an out-of-band per-flow signaling
>solution
>would have difficulty supporting this feature, if the core routers
>needed to implement it?

I can't imagine how an OOB solution would allow 
the data plane to discriminate attack traffic, but...

<RANT> <!--not against you-->
We cannot know whether an OOB per-flow signalling 
solution support any feature, because it's currently vapourware.

People have proposed systems of echo-reflectors 
to check the QoS performance of networks. None 
I've seen have been designed to be robust against 
even simple cheating strategies. Katarina 
Argyraki's Loss & Delay accountability idea is 
the only example I know designed to be robust 
(see my posting to Stewart Bryant on 17-May). But 
all these things only address the easy half of 
the ConEx problem: holding networks accountable 
for too little capacity, not also holding users 
accountable for too much traffic. Despite this, 
they are already highly complicated beasts.

It took literally years to solve the really hard 
problem of making inter-domain congestion 
exposure robust to self-interest and attacks, 
including DDoS. Then as people came up with some 
really perverse attacks against it, we spent a 
further year working out how to harden it (and 
simplified it in the process). I'm not saying 
it's perfect, but it's pretty damn solid.

Hey, I'm open to someone solving this problem a 
different way. But let's see it before we believe it.

Yes, I'm grateful to the guys from the IESG who 
have opened up with their concerns and engaged in 
debate. But, let's keep this in perspective...

Re-ECN has been accused of being research. I hope 
it's accepted that was a confusion - "an output 
of research" rather than "still needing more research"....

But now we're discussing an OOB solution, without 
even a vaguest whiff of where a design might 
start, let alone any research, evaluation, running code, yada yada.

</RANT>



>(I agree this is all out-of-scope of the charter discussion and that
>preferential dropping shouldn't be in the initial charter anyway.  I
>am just trying to understand whether this feature would be a motivation
>for per-packet as opposed to out-of-band signaling solutions).

Understood

Cheers



Bob


>-Pete

________________________________________________________________
Bob Briscoe,                                BT Innovate & Design

v2.23.0 | Report a Bug | By Email