IETF Logo Mail Archive

Re: [savnet] Some words about the BoF

"Lubashev, Igor" <ilubashe@akamai.com> Thu, 31 March 2022 02:46 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: savnet@ietfa.amsl.com
Delivered-To: savnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 895663A109F for <savnet@ietfa.amsl.com>; Wed, 30 Mar 2022 19:46:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.006
X-Spam-Level:
X-Spam-Status: No, score=-2.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGcYWAI4l4QO for <savnet@ietfa.amsl.com>; Wed, 30 Mar 2022 19:46:36 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9F693A10A2 for <savnet@ietf.org>; Wed, 30 Mar 2022 19:46:35 -0700 (PDT)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 22V15cRB016173; Thu, 31 Mar 2022 03:46:32 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=j+GXtbiDoW5TDJfQuB/gbNwI2DCPTFCh/tyuIguqvwA=; b=LxUbQhTopZ6njjPcZyNiFngBJ/riBn7sOIwbKDDCkgVWGYWgpOPOFbou1hLqPhDahDcj 1Woml1KrDtTtSKd9aYMQiOfzfohkPRuBb9Xub0lweNe6xZp32DXeWJBPgQW2BVXiwzDU acAaUDZYfkCuJwHiFkk4+LGPfaGg1xWyLCezP3RzUQvpKIf13WIGIrO4qC5U3nV0fbsD nnzZDujGnBijbdZD/mpqu5OiDlYGJ0kiDraQnLSXFXnci08dDYBNlk5mwTY9wHHjdGlY Y7c2/gaqwNvQG1YbrJsCo1KwOM/cWzLg+huPjzTHduV5gftM4TF6jWNuP5dW7QlExolY KA==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19] (may be forged)) by mx0b-00190b01.pphosted.com (PPS) with ESMTPS id 3f1uc42bk6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 31 Mar 2022 03:46:31 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 22V2Zu19017539; Wed, 30 Mar 2022 22:46:31 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint2.akamai.com with ESMTP id 3f1x5y841s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 30 Mar 2022 22:46:30 -0400
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com (172.27.165.123) by usma1ex-dag4mb3.msg.corp.akamai.com (172.27.91.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.986.5; Wed, 30 Mar 2022 22:46:30 -0400
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com (172.27.165.123) by ustx2ex-dag1mb5.msg.corp.akamai.com (172.27.165.123) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 30 Mar 2022 21:46:29 -0500
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com ([172.27.165.123]) by ustx2ex-dag1mb5.msg.corp.akamai.com ([172.27.165.123]) with mapi id 15.00.1497.033; Wed, 30 Mar 2022 21:46:29 -0500
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "tolidan@tsinghua.edu.cn" <tolidan@tsinghua.edu.cn>, "'Eric Vyncke (evyncke)'" <evyncke@cisco.com>, Aijun Wang <wangaijun@tsinghua.org.cn>
CC: "savnet@ietf.org" <savnet@ietf.org>
Thread-Topic: [savnet] Some words about the BoF
Thread-Index: Adg/6HrCTcsXaaJTXUOtTzid7uMzCQDA5L8wABJ4UoAAL2Cm0AAShpgAABr+ZKo=
Date: Thu, 31 Mar 2022 02:46:28 +0000
Message-ID: <608c1ff5-5876-4e95-b539-0eba34729b5a@akamai.com>
References: <004501d83fe9$ee7d0450$cb770cf0$@tsinghua.edu.cn> <693b2430820743cf96dc395a482bc163@ustx2ex-dag1mb5.msg.corp.akamai.com> <009401d8430c$06a7fa10$13f7ee30$@tsinghua.org.cn> <6c61fe61490c4fa29721dadb71e52a4e@ustx2ex-dag1mb5.msg.corp.akamai.com>, <004301d84413$a38501e0$ea8f05a0$@tsinghua.org.cn>
In-Reply-To: <004301d84413$a38501e0$ea8f05a0$@tsinghua.org.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/related; boundary="_004_608c1ff558764e95b5390eba34729b5aakamaicom_"; type="multipart/alternative"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-30_06:2022-03-29, 2022-03-30 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 phishscore=0 bulkscore=0 suspectscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203310015
X-Proofpoint-ORIG-GUID: 0Dk_2Y_HXPVJM_LNtJppnjEqQQXzIOQu
X-Proofpoint-GUID: 0Dk_2Y_HXPVJM_LNtJppnjEqQQXzIOQu
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-30_06,2022-03-30_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 malwarescore=0 bulkscore=0 clxscore=1011 suspectscore=0 mlxscore=0 adultscore=0 mlxlogscore=999 spamscore=0 impostorscore=0 lowpriorityscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203310016
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/vUD7IbvYEzCsxeDomOZRryxQ4FI>
Subject: Re: [savnet] Some words about the BoF
X-BeenThere: savnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <savnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savnet>, <mailto:savnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/savnet/>
List-Post: <mailto:savnet@ietf.org>
List-Help: <mailto:savnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savnet>, <mailto:savnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 02:46:42 -0000

That is right, Aijun. An explicit SAV signal would solve this SAV problem. The existing address reachability signal (today 's BGP) just does not contain sufficient information to infer SAV signal in many cases.

Best,

- Igor

On Mar 30, 2022 4:53 AM, Aijun Wang <wangaijun@tsinghua.org.cn> wrote:
Hi, Igor:
Understand, Thanks!
Separate the advertisement of Anycast prefixes(via BGP for example) and establishment of SAV filter table(via DSAV control message) will solve your request then.

Best Regards

Aijun Wang
China Telecom

From: savnet-bounces@ietf.org <savnet-bounces@ietf.org> On Behalf Of Lubashev, Igor
Sent: Wednesday, March 30, 2022 1:26 PM
To: Aijun Wang <wangaijun@tsinghua.org.cn>cn>; tolidan@tsinghua.edu.cn; 'Eric Vyncke (evyncke)' <evyncke=40cisco.com@dmarc.ietf.org>
Cc: savnet@ietf.org
Subject: Re: [savnet] Some words about the BoF

Aijun,

Unfortunately, no, advertising real prefixes from edge locations is not enough.  To ensure that DSR works, the edge servers must originate TCP packets with Anycast as a Source Address.  But since they never advertised those prefixes, an intermediary ISP router with strict uRPF would block these packets before they reach the user.  (If real edge prefixes and anycast prefixes were using the same ASN, and the ISP doing SAV were using rfc8704 algorithms, there would be a higher change for the DSR packets to reach users.)

-          Igor

[cid:image002.jpg@01D84456.B10F3630]


From: Aijun Wang <wangaijun@tsinghua.org.cn<mailto:wangaijun@tsinghua.org.cn>>
Sent: Monday, March 28, 2022 9:27 PM
Hi, Igor:
Would you like to provide one diagram to show the situation?
>From your description, my understanding is that if you advertise the prefixes(real IP address of the server, not anycast address, ) from each edge locations, then the upstream ISP that turned on strict uRPF will not block your DSR traffic.
Is that right?


Best Regards

Aijun Wang
China Telecom

From: Lubashev, Igor <ilubashe@akamai.com<mailto:ilubashe@akamai.com>>
Sent: Tuesday, March 29, 2022 6:11 AM
To: tolidan@tsinghua.edu.cn<mailto:tolidan@tsinghua.edu.cn>; 'Aijun Wang' <wangaijun@tsinghua.org.cn<mailto:wangaijun@tsinghua.org.cn>>; 'Eric Vyncke (evyncke)' <evyncke=40cisco.com@dmarc.ietf.org<mailto:evyncke=40cisco.com@dmarc.ietf.org>>
Cc: savnet@ietf.org<mailto:savnet@ietf.org>
Subject: RE: [savnet] Some words about the BoF

Indeed, uRPF has a limited set of deployments where it can work well. But elsewhere it can cause harm.

For one of the services we have, anycast IPs are announced only from some locations with a lot of connectivity, and then packets are tunneled to edge locations, where the content is, and the edge locations do direct server return (DSR) sending the content to the users.  We do not want to announce anycast IPs from the edge locations, since we would not be able to control the incoming traffic.  In effect, we have an asymmetric routing situation, and our DSR traffic from some edge locations is blocked by upstream ISPs that turned on strict uRPF.  That results in those ISPs’ customers served from locations further away.  It is a pity that ISPs that are trying to do the “right thing” are getting penalized. (Such situations are usually solved with an email or a phone call, but the resulting manual configurations are fragile.)

Costs-wise, DSAV looks on-par with uRPF for the data plane.  Relative to no SAV at all, however, uPRF and DSAV are costly (they require an extra lookup for the source address), so you need more ASIC and RAM for the same data plane throughput.  But when ISPs decide to use SAV for whatever reason, it would be great if the system actually worked well and caused no harm.  I would be happy to work on this.

-          Igor

From: tolidan@tsinghua.edu.cn<mailto:tolidan@tsinghua.edu.cn> <tolidan@tsinghua.edu.cn<mailto:tolidan@tsinghua.edu.cn>>
Sent: Thursday, March 24, 2022 9:45 PM
Thanks Aijun. Indeed, DSAV wants to find a general solution to the source address spoofing problem, since uRPF is only effective in certain scenarios. It is inevitable to introduce additional cost. But note that:
1) all the costs are in the control plane plus a SAV table in routers. DSAV does not modify the packet or reduce the packet forwarding speed. So the data-plane traffic are not affected at all.
2) Even for the control-plane cost, we are trying to minimize the number of protocol messages. The computation operation is simple, so there is not much computation cost.
3) We are designing incremental deployment ways, and operators can get benefit from incremental deployment. So they have incentive.

An obvious advantage of DSAV is that it well matches the MANRS Initiative, i.e., blocking spoofing traffic as close to the source as possible. If the access networks cannot block, then we hope the spoofing traffic can be blocked by intermediate routers, instead of processing them at the final destination. If we only rely on the final destination to resist DDoS attack, actually DDoS attack is successful.

Best,
Dan

???: savnet-bounces@ietf.org<mailto:savnet-bounces@ietf.org> <savnet-bounces@ietf.org<mailto:savnet-bounces@ietf.org>> ?? Aijun Wang
????: 2022?3?24? 20:26
???: Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org<mailto:evyncke=40cisco.com@dmarc.ietf.org>>
??: savnet@ietf.org<mailto:savnet@ietf.org>
??: Re: [savnet] Some words about the BoF

Hi, Eric:
For the problem space, I think SAVNET wants just to find the general solution for validating the source, which can be deployed incrementally and in wider scenarios than the current existing mechanisms.
If we can finalize such solutions, the network operators will be free of DDoS attack for the services that runs on their networks.
There are challenges to accomplish this aim, but it deserves us to achieve it.
Aijun Wang
China Telecom

On Mar 24, 2022, at 20:09, Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org<mailto:evyncke=40cisco.com@dmarc.ietf.org>> wrote:
?
As the responsible AD for this BoF, I would like to thank the chairs and presenters for a well-run BoF and clear and articulated presentations. I also appreciated the many questions, i.e., there is interest in this domain.

Just to clarify what I said in the mike, as an individual contributor [1]:
1)      Well-defined problem space
2)      Are there only 2 solutions in this problem space ?

So, my *personal* conclusion is that it is too early to create a WG but this decision is not mine but IESG one.

Regards

-éric

[1] as we were running out of time, I forgot to mention that those comments were without my AD hat. Sorry for the confusion.
--
savnet mailing list
savnet@ietf.org<mailto:savnet@ietf.org>
https://www.ietf.org/mailman/listinfo/savnet<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/savnet__;!!GjvTz_vk!G5x2uVJD_F-BwblnY_WhCkjntUTXeSA2MEv_hV5HhlWMIz7RK8MVk49TNLBf1Lk$>

v2.8.7 | Report a Bug | By Email