IETF Logo Mail Archive

Re: [savnet] Some words about the BoF

Aijun Wang <wangaijun@tsinghua.org.cn> Wed, 30 March 2022 08:53 UTC

Return-Path: <wangaijun@tsinghua.org.cn>
X-Original-To: savnet@ietfa.amsl.com
Delivered-To: savnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2514D3A160D for <savnet@ietfa.amsl.com>; Wed, 30 Mar 2022 01:53:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.806
X-Spam-Level:
X-Spam-Status: No, score=-1.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wGCfI9oWiOGj for <savnet@ietfa.amsl.com>; Wed, 30 Mar 2022 01:53:40 -0700 (PDT)
Received: from mail-m17638.qiye.163.com (mail-m17638.qiye.163.com [59.111.176.38]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FD6E3A15FD for <savnet@ietf.org>; Wed, 30 Mar 2022 01:53:38 -0700 (PDT)
Received: from DESKTOP2IOH5QC (unknown [219.142.69.75]) by mail-m17638.qiye.163.com (Hmail) with ESMTPA id EB2E01C0361; Wed, 30 Mar 2022 16:53:34 +0800 (CST)
From: "Aijun Wang" <wangaijun@tsinghua.org.cn>
To: "'Lubashev, Igor'" <ilubashe=40akamai.com@dmarc.ietf.org>, <tolidan@tsinghua.edu.cn>, "'Eric Vyncke \(evyncke\)'" <evyncke=40cisco.com@dmarc.ietf.org>
Cc: <savnet@ietf.org>
References: <004501d83fe9$ee7d0450$cb770cf0$@tsinghua.edu.cn> <693b2430820743cf96dc395a482bc163@ustx2ex-dag1mb5.msg.corp.akamai.com> <009401d8430c$06a7fa10$13f7ee30$@tsinghua.org.cn> <6c61fe61490c4fa29721dadb71e52a4e@ustx2ex-dag1mb5.msg.corp.akamai.com>
In-Reply-To: <6c61fe61490c4fa29721dadb71e52a4e@ustx2ex-dag1mb5.msg.corp.akamai.com>
Date: Wed, 30 Mar 2022 16:53:34 +0800
Message-ID: <004301d84413$a38501e0$ea8f05a0$@tsinghua.org.cn>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0044_01D84456.B1ADC020"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHO4BDnKamjkqR4b4OhObaqPI/8igD2LZ/FArZlHuwCVThAf6y6V5Rw
Content-Language: zh-cn
X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgPGg8OCBgUHx5ZQUlOS1dZCBgUCR5ZQVlLVUtZV1 kWDxoPAgseWUFZKDYvK1lXWShZQUpMS0tKN1dZLVlBSVdZDwkaFQgSH1lBWUJCGkxWSh1KTU0dSR 1OHklKVRMBExYaEhckFA4PWVdZFhoPEhUdFFlBWU9LSFVKSktITUpVS1kG
X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6OQg6Hhw5SD5RTgg0KyEKLxgh TTUaCh9VSlVKTU9DTUhLT0pOQ0lIVTMWGhIXVQwaFRwaEhEOFTsPCBIVHBMOGlUUCRxVGBVFWVdZ EgtZQVlJSkJVSk9JVU1CVUxOWVdZCAFZQUlISkJMTTcG
X-HM-Tid: 0a7fda07befcd993kuwseb2e01c0361
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/01BYigwkBxvTbmqEyXBGZoZ2EsY>
Subject: Re: [savnet] Some words about the BoF
X-BeenThere: savnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <savnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savnet>, <mailto:savnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/savnet/>
List-Post: <mailto:savnet@ietf.org>
List-Help: <mailto:savnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savnet>, <mailto:savnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 08:53:45 -0000

Hi, Igor:

Understand, Thanks!

Separate the advertisement of Anycast prefixes(via BGP for example) and establishment of SAV filter table(via DSAV control message) will solve your request then.

 

Best Regards

 

Aijun Wang

China Telecom

 

From: savnet-bounces@ietf.org <savnet-bounces@ietf.org> On Behalf Of Lubashev, Igor
Sent: Wednesday, March 30, 2022 1:26 PM
To: Aijun Wang <wangaijun@tsinghua.org.cn>cn>; tolidan@tsinghua.edu.cn; 'Eric Vyncke (evyncke)' <evyncke=40cisco.com@dmarc.ietf.org>
Cc: savnet@ietf.org
Subject: Re: [savnet] Some words about the BoF

 

Aijun,

 

Unfortunately, no, advertising real prefixes from edge locations is not enough.  To ensure that DSR works, the edge servers must originate TCP packets with Anycast as a Source Address.  But since they never advertised those prefixes, an intermediary ISP router with strict uRPF would block these packets before they reach the user.  (If real edge prefixes and anycast prefixes were using the same ASN, and the ISP doing SAV were using rfc8704 algorithms, there would be a higher change for the DSR packets to reach users.)

 

-          Igor

 



 

 

From: Aijun Wang <wangaijun@tsinghua.org.cn <mailto:wangaijun@tsinghua.org.cn> > 
Sent: Monday, March 28, 2022 9:27 PM

Hi, Igor:

Would you like to provide one diagram to show the situation?

>From your description, my understanding is that if you advertise the prefixes(real IP address of the server, not anycast address, ) from each edge locations, then the upstream ISP that turned on strict uRPF will not block your DSR traffic.

Is that right?

 

 

Best Regards

 

Aijun Wang

China Telecom

 

From: Lubashev, Igor <ilubashe@akamai.com <mailto:ilubashe@akamai.com> > 
Sent: Tuesday, March 29, 2022 6:11 AM
To: tolidan@tsinghua.edu.cn <mailto:tolidan@tsinghua.edu.cn> ; 'Aijun Wang' <wangaijun@tsinghua.org.cn <mailto:wangaijun@tsinghua.org.cn> >; 'Eric Vyncke (evyncke)' <evyncke=40cisco.com@dmarc.ietf.org <mailto:evyncke=40cisco.com@dmarc.ietf.org> >
Cc: savnet@ietf.org <mailto:savnet@ietf.org> 
Subject: RE: [savnet] Some words about the BoF

 

Indeed, uRPF has a limited set of deployments where it can work well. But elsewhere it can cause harm.

 

For one of the services we have, anycast IPs are announced only from some locations with a lot of connectivity, and then packets are tunneled to edge locations, where the content is, and the edge locations do direct server return (DSR) sending the content to the users.  We do not want to announce anycast IPs from the edge locations, since we would not be able to control the incoming traffic.  In effect, we have an asymmetric routing situation, and our DSR traffic from some edge locations is blocked by upstream ISPs that turned on strict uRPF.  That results in those ISPs’ customers served from locations further away.  It is a pity that ISPs that are trying to do the “right thing” are getting penalized. (Such situations are usually solved with an email or a phone call, but the resulting manual configurations are fragile.)

 

Costs-wise, DSAV looks on-par with uRPF for the data plane.  Relative to no SAV at all, however, uPRF and DSAV are costly (they require an extra lookup for the source address), so you need more ASIC and RAM for the same data plane throughput.  But when ISPs decide to use SAV for whatever reason, it would be great if the system actually worked well and caused no harm.  I would be happy to work on this.

 

-          Igor

 

From: tolidan@tsinghua.edu.cn <mailto:tolidan@tsinghua.edu.cn>  <tolidan@tsinghua.edu.cn <mailto:tolidan@tsinghua.edu.cn> > 
Sent: Thursday, March 24, 2022 9:45 PM

Thanks Aijun. Indeed, DSAV wants to find a general solution to the source address spoofing problem, since uRPF is only effective in certain scenarios. It is inevitable to introduce additional cost. But note that: 

1) all the costs are in the control plane plus a SAV table in routers. DSAV does not modify the packet or reduce the packet forwarding speed. So the data-plane traffic are not affected at all.

2) Even for the control-plane cost, we are trying to minimize the number of protocol messages. The computation operation is simple, so there is not much computation cost.

3) We are designing incremental deployment ways, and operators can get benefit from incremental deployment. So they have incentive.

 

An obvious advantage of DSAV is that it well matches the MANRS Initiative, i.e., blocking spoofing traffic as close to the source as possible. If the access networks cannot block, then we hope the spoofing traffic can be blocked by intermediate routers, instead of processing them at the final destination. If we only rely on the final destination to resist DDoS attack, actually DDoS attack is successful.

 

Best,

Dan

 

发件人: savnet-bounces@ietf.org <mailto:savnet-bounces@ietf.org>  <savnet-bounces@ietf.org <mailto:savnet-bounces@ietf.org> > 代表 Aijun Wang
发送时间: 2022年3月24日 20:26
收件人: Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org <mailto:evyncke=40cisco.com@dmarc.ietf.org> >
抄送: savnet@ietf.org <mailto:savnet@ietf.org> 
主题: Re: [savnet] Some words about the BoF

 

Hi, Eric:

For the problem space, I think SAVNET wants just to find the general solution for validating the source, which can be deployed incrementally and in wider scenarios than the current existing mechanisms.

If we can finalize such solutions, the network operators will be free of DDoS attack for the services that runs on their networks.

There are challenges to accomplish this aim, but it deserves us to achieve it.

Aijun Wang

China Telecom

 

On Mar 24, 2022, at 20:09, Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org <mailto:evyncke=40cisco.com@dmarc.ietf.org> > wrote:

 

As the responsible AD for this BoF, I would like to thank the chairs and presenters for a well-run BoF and clear and articulated presentations. I also appreciated the many questions, i.e., there is interest in this domain.

 

Just to clarify what I said in the mike, as an individual contributor [1]:

1)      Well-defined problem space

2)      Are there only 2 solutions in this problem space ?

 

So, my *personal* conclusion is that it is too early to create a WG but this decision is not mine but IESG one.

 

Regards

 

-éric

 

[1] as we were running out of time, I forgot to mention that those comments were without my AD hat. Sorry for the confusion.

-- 
savnet mailing list
savnet@ietf.org <mailto:savnet@ietf.org> 
https://www.ietf.org/mailman/listinfo/savnet <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/savnet__;!!GjvTz_vk!G5x2uVJD_F-BwblnY_WhCkjntUTXeSA2MEv_hV5HhlWMIz7RK8MVk49TNLBf1Lk$>

v2.8.7 | Report a Bug | By Email