Re: [re-ECN] Preferential Dropping
Bob Briscoe <rbriscoe@jungle.bt.co.uk> Thu, 20 May 2010 17:22 UTC
Return-Path: <rbriscoe@jungle.bt.co.uk>
X-Original-To: re-ecn@core3.amsl.com
Delivered-To: re-ecn@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7FA213A6C06 for <re-ecn@core3.amsl.com>; Thu, 20 May 2010 10:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.738
X-Spam-Level:
X-Spam-Status: No, score=0.738 tagged_above=-999 required=5 tests=[AWL=-0.744, BAYES_60=1, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3Bedhp2C98B for <re-ecn@core3.amsl.com>; Thu, 20 May 2010 10:22:24 -0700 (PDT)
Received: from smtp2.smtp.bt.com (smtp2.smtp.bt.com [217.32.164.150]) by core3.amsl.com (Postfix) with ESMTP id 39CEC3A6960 for <re-ecn@ietf.org>; Thu, 20 May 2010 10:20:56 -0700 (PDT)
Received: from i2kc06-ukbr.domain1.systemhost.net ([193.113.197.70]) by smtp2.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 20 May 2010 18:20:49 +0100
Received: from cbibipnt05.iuser.iroot.adidom.com ([147.149.196.177]) by i2kc06-ukbr.domain1.systemhost.net with Microsoft SMTPSVC(6.0.3790.4675); Thu, 20 May 2010 18:20:49 +0100
Received: From bagheera.jungle.bt.co.uk ([132.146.168.158]) by cbibipnt05.iuser.iroot.adidom.com (WebShield SMTP v4.5 MR1a P0803.399); id 1274376048454; Thu, 20 May 2010 18:20:48 +0100
Received: from MUT.jungle.bt.co.uk ([10.73.131.68]) by bagheera.jungle.bt.co.uk (8.13.5/8.12.8) with ESMTP id o4KHKipS013825; Thu, 20 May 2010 18:20:45 +0100
Message-Id: <201005201720.o4KHKipS013825@bagheera.jungle.bt.co.uk>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 20 May 2010 18:20:51 +0100
To: McCann Peter-A001034 <pete.mccann@motorola.com>
From: Bob Briscoe <rbriscoe@jungle.bt.co.uk>
In-Reply-To: <274D46DDEB9F2244B2F1EA66B3FF54BC06B2FA2F@de01exm70.ds.mot. com>
References: <20100517143717.GF2670@verdi> <274D46DDEB9F2244B2F1EA66B3FF54BC06B2F753@de01exm70.ds.mot.com> <20100517162109.GH2670@verdi> <201005171741.o4HHf4fM001778@bagheera.jungle.bt.co.uk> <274D46DDEB9F2244B2F1EA66B3FF54BC06B2FA2F@de01exm70.ds.mot.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.56 on 132.146.168.158
X-OriginalArrivalTime: 20 May 2010 17:20:49.0607 (UTC) FILETIME=[CAB70D70:01CAF840]
Cc: re-ecn@ietf.org
Subject: Re: [re-ECN] Preferential Dropping
X-BeenThere: re-ecn@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: re-inserted explicit congestion notification <re-ecn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/re-ecn>, <mailto:re-ecn-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/re-ecn>
List-Post: <mailto:re-ecn@ietf.org>
List-Help: <mailto:re-ecn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/re-ecn>, <mailto:re-ecn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 17:22:34 -0000
Pete, Still off the topic of chartering... At 21:11 17/05/2010, McCann Peter-A001034 wrote: >Hi, Bob, > >Thanks for the explanation. > >Bob Briscoe wrote: > > The analysis I did on this showed that re-ECN can raise the bar > > against DDoS so that the army has to be N times bigger to achieve the > > same *sustained* attack force, where N=1/p and p is the 'normal' > > level of congestion in the network. E.g. if normal congestion is > > 0.001%, a sustained attack against a re-ECN internetwork has to be > > 100,000 times bigger to cause the same damage as it could against a > > network without re-ECN. > > > > Obviously, there are assumptions and details, but that was the > > take-home message. If anyone wants more details, just ask. > >I'm curious about your definition of "damage". Was it just "causing >a given loss probability on a particular target link"? Correct >It seems like >there are other costs in a DDoS attack on a re-ECN enabled network, such >as causing well-behaving users to consume their black token allotment, Correct. Or slowing their bit-rate to consume their token allotment more slowly. >making them less able to respond to congestion for some time after the >attack. I think you mean "less able to contribute to congestion..." >But then, I guess the philosophy of re-ECN is that if you >experience >congestion, you are also causing it, so those well-behaving users that >marked near 100% should also be "held responsible" for the DoS attack... Indeed. I have pointed out before that attacking during a flash crowd is the most cost-effective strategy an attacker can adopt then the infrastructure is most valuable to most genuine users, and it takes least extra malicious effort to tip it into overload. See <http://www.bobbriscoe.net/projects/refb/#refb_dplinc> Imagine three types of users in such a situation: 1) a 'genuine' member of the flash crowd who slows in response to congestion 2) a 'genuine' member of the flash crowd who is unresponsive to congestion 3) an attacker who is unresponsive to congestion IMHO it is not unreasonable for the system to throttle down 2 & 3 the same, at least by default. They may have different intent (selfishness as opposed to malice), but they have the same outward effect on everyone else. >My assumption was that this dropping should happen at any congested >link, not just the egress, for maximum effectiveness. (Btw, is this >different from the behavior you propose for an "egress dropper"? That >wasn't clear to me from the documentation.) Sorry; I'll be clearer: This OPTIONAL preferential dropping could be at any IP-aware link vulnerable to DDoS. It's not needed at all for re-ECN to work. It's not proposed for initial chartering (this thread is for light techie relief). Nonetheless, if a network is using re-ECN already for other reasons, and a queue under attack has to drop stuff, re-ECN is designed so that a router can easily distinguish stuff not obeying the protocol and drop it first. The 'egress dropper' proposed in draft-briscoe-re-ecn-tcp-motivation is very different. It uses drop to punish cheating (not because it's overloaded itself). This egress dropper (or something like it) is needed to asssure the integrity of re-ECN markings against cheaters. It's only needed at the egress of the internetwork, not at every link. A simplifed variant could be useful at an interior egress (border), but may not be necessary. >How often do you think this technique would need >to be invoked on a core Internet router? You might be able to protect core routers from DDoS by good network design (e.g. ECMP and over-provisioning). But if this still isn't enough, preferential drop based on re-ECN might be the lightest possible *self-protection* a core router could adopt against DDoS. It doesn't rely on the addresses in packets so we claim it is robust against SYN attacks and spoofed source addresses (unlike the scrubbing solutions used today, which rely on attacks not bothering to obfuscate themselves very well). >Do you agree that an out-of-band per-flow signaling >solution >would have difficulty supporting this feature, if the core routers >needed to implement it? I can't imagine how an OOB solution would allow the data plane to discriminate attack traffic, but... <RANT> <!--not against you--> We cannot know whether an OOB per-flow signalling solution support any feature, because it's currently vapourware. People have proposed systems of echo-reflectors to check the QoS performance of networks. None I've seen have been designed to be robust against even simple cheating strategies. Katarina Argyraki's Loss & Delay accountability idea is the only example I know designed to be robust (see my posting to Stewart Bryant on 17-May). But all these things only address the easy half of the ConEx problem: holding networks accountable for too little capacity, not also holding users accountable for too much traffic. Despite this, they are already highly complicated beasts. It took literally years to solve the really hard problem of making inter-domain congestion exposure robust to self-interest and attacks, including DDoS. Then as people came up with some really perverse attacks against it, we spent a further year working out how to harden it (and simplified it in the process). I'm not saying it's perfect, but it's pretty damn solid. Hey, I'm open to someone solving this problem a different way. But let's see it before we believe it. Yes, I'm grateful to the guys from the IESG who have opened up with their concerns and engaged in debate. But, let's keep this in perspective... Re-ECN has been accused of being research. I hope it's accepted that was a confusion - "an output of research" rather than "still needing more research".... But now we're discussing an OOB solution, without even a vaguest whiff of where a design might start, let alone any research, evaluation, running code, yada yada. </RANT> >(I agree this is all out-of-scope of the charter discussion and that >preferential dropping shouldn't be in the initial charter anyway. I >am just trying to understand whether this feature would be a motivation >for per-packet as opposed to out-of-band signaling solutions). Understood Cheers Bob >-Pete ________________________________________________________________ Bob Briscoe, BT Innovate & Design
- [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question bmanning
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question bmanning
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question Woundy, Richard
- Re: [re-ECN] Charter Question Stewart Bryant
- Re: [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question Woundy, Richard
- Re: [re-ECN] Charter Question Ron Bonica
- Re: [re-ECN] Charter Question bmanning
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question Bob Briscoe
- Re: [re-ECN] Charter Question David Harrington
- Re: [re-ECN] Charter Question John Leslie
- Re: [re-ECN] Charter Question McCann Peter-A001034
- [re-ECN] Preferential Dropping John Leslie
- Re: [re-ECN] Charter Question Bob Briscoe
- Re: [re-ECN] Preferential Dropping McCann Peter-A001034
- Re: [re-ECN] Preferential Dropping John Leslie
- Re: [re-ECN] Preferential Dropping Bob Briscoe
- Re: [re-ECN] Preferential Dropping McCann Peter-A001034
- Re: [re-ECN] Preferential Dropping Bob Briscoe
- Re: [re-ECN] Preferential Dropping McCann Peter-A001034