IETF Logo Mail Archive

Re: [savnet] Some words about the BoF

"Lubashev, Igor" <ilubashe@akamai.com> Wed, 30 March 2022 05:26 UTC

Return-Path: <ilubashe@akamai.com>
X-Original-To: savnet@ietfa.amsl.com
Delivered-To: savnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D63813A0BD3; Tue, 29 Mar 2022 22:26:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_RATIO_08=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0xaUX1MGPgg; Tue, 29 Mar 2022 22:26:01 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33FB43A0BCA; Tue, 29 Mar 2022 22:25:58 -0700 (PDT)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 22U2EIZH002558; Wed, 30 Mar 2022 06:25:57 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=/YnnE+IZ0hWmHhwo+yn0pO3ynpc5LUNRfBSyn0bjEe4=; b=f+EVN6tqndJbU3ENGEGUHdu8ScjR/3afKMIfym9JLSOCLf0G1Fr6ZL+P3UCT37erkm+T e0G+x4fXPgbwIam4Io+yC4uU0Yej92bKKB+2HG0szTOgvzLPtVh/bSC8iIhSsJ0qA2RQ 1jYB8o4MI4D84Gsg1lG02+XkbWyx2KgaGDnzXtfGDzPJkgV35mxM4wgN5ToS81NRFyIX /Bh9NhYJSF3ugPRoqRlpbUcAyqX6iJ9NOy2h+BuXDB/KW8G22RZMAABNFI2E4qMsOnAZ WTe5upJdQBDpts0OknqKI53TwBcGTWBE2cE3txnkc4lg5JzuUQtx7m1kl8HOf3JPnoyf 2Q==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18] (may be forged)) by mx0b-00190b01.pphosted.com (PPS) with ESMTPS id 3f1uc37ubg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 30 Mar 2022 06:25:56 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.1.2/8.16.1.2) with SMTP id 22U5KB1N011490; Wed, 30 Mar 2022 01:25:55 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.30]) by prod-mail-ppoint1.akamai.com with ESMTP id 3f1x5ypkxy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 30 Mar 2022 01:25:55 -0400
Received: from USTX2EX-DAG1MB4.msg.corp.akamai.com (172.27.165.122) by usma1ex-dag4mb6.msg.corp.akamai.com (172.27.91.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.986.5; Wed, 30 Mar 2022 01:25:54 -0400
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com (172.27.165.123) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.165.122) with Microsoft SMTP Server (TLS) id 15.0.1497.32; Wed, 30 Mar 2022 00:25:52 -0500
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com ([172.27.165.123]) by ustx2ex-dag1mb5.msg.corp.akamai.com ([172.27.165.123]) with mapi id 15.00.1497.033; Wed, 30 Mar 2022 00:25:52 -0500
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: Aijun Wang <wangaijun@tsinghua.org.cn>, "tolidan@tsinghua.edu.cn" <tolidan@tsinghua.edu.cn>, "'Eric Vyncke (evyncke)'" <evyncke=40cisco.com@dmarc.ietf.org>
CC: "savnet@ietf.org" <savnet@ietf.org>
Thread-Topic: [savnet] Some words about the BoF
Thread-Index: Adg/6HrCTcsXaaJTXUOtTzid7uMzCQDA5L8wABJ4UoAAL2Cm0A==
Date: Wed, 30 Mar 2022 05:25:51 +0000
Message-ID: <6c61fe61490c4fa29721dadb71e52a4e@ustx2ex-dag1mb5.msg.corp.akamai.com>
References: <004501d83fe9$ee7d0450$cb770cf0$@tsinghua.edu.cn> <693b2430820743cf96dc395a482bc163@ustx2ex-dag1mb5.msg.corp.akamai.com> <009401d8430c$06a7fa10$13f7ee30$@tsinghua.org.cn>
In-Reply-To: <009401d8430c$06a7fa10$13f7ee30$@tsinghua.org.cn>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.118.139]
Content-Type: multipart/related; boundary="_004_6c61fe61490c4fa29721dadb71e52a4eustx2exdag1mb5msgcorpak_"; type="multipart/alternative"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.425, 18.0.850 definitions=2022-03-29_10:2022-03-29, 2022-03-29 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 mlxscore=0 mlxlogscore=999 malwarescore=0 spamscore=0 suspectscore=0 adultscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203300026
X-Proofpoint-ORIG-GUID: EPha04GvkI66H4DABSVT0VHKv237S3fX
X-Proofpoint-GUID: EPha04GvkI66H4DABSVT0VHKv237S3fX
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-29_10,2022-03-29_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 malwarescore=0 bulkscore=0 clxscore=1015 suspectscore=0 mlxscore=0 adultscore=0 mlxlogscore=999 spamscore=0 impostorscore=0 lowpriorityscore=0 priorityscore=1501 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203300026
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/wTNn2mvxlBgZG7ETXm2P0ketjPY>
Subject: Re: [savnet] Some words about the BoF
X-BeenThere: savnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <savnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savnet>, <mailto:savnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/savnet/>
List-Post: <mailto:savnet@ietf.org>
List-Help: <mailto:savnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savnet>, <mailto:savnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 05:26:08 -0000

Aijun,

Unfortunately, no, advertising real prefixes from edge locations is not enough.  To ensure that DSR works, the edge servers must originate TCP packets with Anycast as a Source Address.  But since they never advertised those prefixes, an intermediary ISP router with strict uRPF would block these packets before they reach the user.  (If real edge prefixes and anycast prefixes were using the same ASN, and the ISP doing SAV were using rfc8704 algorithms, there would be a higher change for the DSR packets to reach users.)


  *   Igor

[cid:image001.png@01D843D3.AAB356F0]


From: Aijun Wang <wangaijun@tsinghua.org.cn>
Sent: Monday, March 28, 2022 9:27 PM

Hi, Igor:
Would you like to provide one diagram to show the situation?
From your description, my understanding is that if you advertise the prefixes(real IP address of the server, not anycast address, ) from each edge locations, then the upstream ISP that turned on strict uRPF will not block your DSR traffic.
Is that right?


Best Regards

Aijun Wang
China Telecom

From: Lubashev, Igor <ilubashe@akamai.com<mailto:ilubashe@akamai.com>>
Sent: Tuesday, March 29, 2022 6:11 AM
To: tolidan@tsinghua.edu.cn<mailto:tolidan@tsinghua.edu.cn>; 'Aijun Wang' <wangaijun@tsinghua.org.cn<mailto:wangaijun@tsinghua.org.cn>>; 'Eric Vyncke (evyncke)' <evyncke=40cisco.com@dmarc.ietf.org<mailto:evyncke=40cisco.com@dmarc.ietf.org>>
Cc: savnet@ietf.org<mailto:savnet@ietf.org>
Subject: RE: [savnet] Some words about the BoF

Indeed, uRPF has a limited set of deployments where it can work well. But elsewhere it can cause harm.

For one of the services we have, anycast IPs are announced only from some locations with a lot of connectivity, and then packets are tunneled to edge locations, where the content is, and the edge locations do direct server return (DSR) sending the content to the users.  We do not want to announce anycast IPs from the edge locations, since we would not be able to control the incoming traffic.  In effect, we have an asymmetric routing situation, and our DSR traffic from some edge locations is blocked by upstream ISPs that turned on strict uRPF.  That results in those ISPs’ customers served from locations further away.  It is a pity that ISPs that are trying to do the “right thing” are getting penalized. (Such situations are usually solved with an email or a phone call, but the resulting manual configurations are fragile.)

Costs-wise, DSAV looks on-par with uRPF for the data plane.  Relative to no SAV at all, however, uPRF and DSAV are costly (they require an extra lookup for the source address), so you need more ASIC and RAM for the same data plane throughput.  But when ISPs decide to use SAV for whatever reason, it would be great if the system actually worked well and caused no harm.  I would be happy to work on this.

-          Igor

From: tolidan@tsinghua.edu.cn<mailto:tolidan@tsinghua.edu.cn> <tolidan@tsinghua.edu.cn<mailto:tolidan@tsinghua.edu.cn>>
Sent: Thursday, March 24, 2022 9:45 PM
Thanks Aijun. Indeed, DSAV wants to find a general solution to the source address spoofing problem, since uRPF is only effective in certain scenarios. It is inevitable to introduce additional cost. But note that:
1) all the costs are in the control plane plus a SAV table in routers. DSAV does not modify the packet or reduce the packet forwarding speed. So the data-plane traffic are not affected at all.
2) Even for the control-plane cost, we are trying to minimize the number of protocol messages. The computation operation is simple, so there is not much computation cost.
3) We are designing incremental deployment ways, and operators can get benefit from incremental deployment. So they have incentive.

An obvious advantage of DSAV is that it well matches the MANRS Initiative, i.e., blocking spoofing traffic as close to the source as possible. If the access networks cannot block, then we hope the spoofing traffic can be blocked by intermediate routers, instead of processing them at the final destination. If we only rely on the final destination to resist DDoS attack, actually DDoS attack is successful.

Best,
Dan

发件人: savnet-bounces@ietf.org<mailto:savnet-bounces@ietf.org> <savnet-bounces@ietf.org<mailto:savnet-bounces@ietf.org>> 代表 Aijun Wang
发送时间: 2022年3月24日 20:26
收件人: Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org<mailto:evyncke=40cisco.com@dmarc.ietf.org>>
抄送: savnet@ietf.org<mailto:savnet@ietf.org>
主题: Re: [savnet] Some words about the BoF

Hi, Eric:
For the problem space, I think SAVNET wants just to find the general solution for validating the source, which can be deployed incrementally and in wider scenarios than the current existing mechanisms.
If we can finalize such solutions, the network operators will be free of DDoS attack for the services that runs on their networks.
There are challenges to accomplish this aim, but it deserves us to achieve it.
Aijun Wang
China Telecom

On Mar 24, 2022, at 20:09, Eric Vyncke (evyncke) <evyncke=40cisco.com@dmarc.ietf.org<mailto:evyncke=40cisco.com@dmarc.ietf.org>> wrote:

As the responsible AD for this BoF, I would like to thank the chairs and presenters for a well-run BoF and clear and articulated presentations. I also appreciated the many questions, i.e., there is interest in this domain.

Just to clarify what I said in the mike, as an individual contributor [1]:
1)      Well-defined problem space
2)      Are there only 2 solutions in this problem space ?

So, my *personal* conclusion is that it is too early to create a WG but this decision is not mine but IESG one.

Regards

-éric

[1] as we were running out of time, I forgot to mention that those comments were without my AD hat. Sorry for the confusion.
--
savnet mailing list
savnet@ietf.org<mailto:savnet@ietf.org>
https://www.ietf.org/mailman/listinfo/savnet<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/savnet__;!!GjvTz_vk!G5x2uVJD_F-BwblnY_WhCkjntUTXeSA2MEv_hV5HhlWMIz7RK8MVk49TNLBf1Lk$>

v2.8.7 | Report a Bug | By Email