Re: [Tsv-art] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Stewart Bryant <stewart.bryant@gmail.com> Thu, 06 December 2018 10:28 UTC

To: Brian E Carpenter <brian.e.carpenter@gmail.com>, Gert Doering <gert@space.net>, Christopher Morrow <morrowc.lists@gmail.com>
Cc: heard@pobox.com, tsv-art@ietf.org, opsec wg mailing list <opsec@ietf.org>, ietf <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org
References: <CACL_3VGeJPzDhS0RVAvpQs9W8b4EODft-qJRwBD6Xxm+X6BZ6A@mail.gmail.com> <CAL9jLabK0bZz2nki=oFNHT0OrpVAB8pw7emAj2BtkHRCzkfmqQ@mail.gmail.com> <cf64abbf-e447-71e3-b983-4e525cc139aa@gmail.com> <CAL9jLaYMRDGFa7Qzj4ukRV1FPbJM40qbuZ34SYxoA30Z+h3EWw@mail.gmail.com> <20181205085227.GG1543@Space.Net> <9ba948f9-f286-1016-2dbd-f7056a15e744@gmail.com>
From: Stewart Bryant <stewart.bryant@gmail.com>
Message-ID: <74d89efc-bfba-6e54-ebb2-d688e45b139f@gmail.com>
Date: Thu, 06 Dec 2018 10:28:53 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/4XCLhVEsnRFBqN-RgYX4aXM5PqA>

On 06/12/2018 00:14, Brian E Carpenter wrote:
> On 2018-12-05 21:52, Gert Doering wrote:
>> Hi,
>>
>> On Tue, Dec 04, 2018 at 10:57:43PM -0500, Christopher Morrow wrote:
>>> HA! ok. As gert/nick noted ... we have Nx100G links today (at the edge) and
>>> coming nx400G ... there's just not a reasonable story for "dpi" there. (I
>>> suppose: "yet" and "without paying the approximate value Coca-Cola
>>> Companies yearly advertising budget")
>> Indeed.
>>
>> Unfortunately, there *is* a story for being able to rate-limit incoming
>> crap by protocol type - "give me no more than 200 Mbit/s of UDP packets
>> coming from source port 53".
>>
>> Which implies that as soon as the evil guys out there find a way to
>> generate DDoS streams carrying EHs that our border routers will (have to)
>> apply very strict rate limiting to everything they do not understand.
>>
>>   - pass TCP
>>   - rate-limit UDP on well-known reflective attacks port
>>   - pass rest of UDP
>>   - rate-limit ICMP
>>   - rate-limit fragments
>>   - rate-limit all the rest to something which can never exceed a customer's
>>     access-link
>>
>> game over, EH
> Just to point out that this is equivalent to saying "game over, any new layer 4 protocol" too. For example, you just killed SCTP. And the same goes for new protocols over IPv4.
>
>      Brian
>   
... a consequence of the original design decision to make options and 
next protocols indistinguishable other than by knowing the full set of 
next protocol types.

However, aren't we moving to a world where new protocols get carried 
over UDP anyway?  This is needed so that those protocols can pass 
through NATs and firewalls, and be subjected to ECMP to spread them 
across the available paths.

- Stewart

>> (We're not doing this today, because as of today, "volume DDoS" comes in
>> without EHs [except fragment] - but this is just a matter of time)
>>
>> Gert Doering
>>          -- NetMaster
>>
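The policy Gert sketches above (pass TCP, rate-limit UDP from reflective ports, pass other UDP, rate-limit ICMP, fragments and "all the rest"), as an added worked example that is not code from this thread or from the draft. It walks the IPv6 Next Header chain, maps each packet to one of those buckets, and puts a token bucket on the limited ones. Everything beyond the thread's own 200 Mbit/s figure for UDP/53 is an assumption: the reflective-port list, the other Mbit/s limits, the sample packets, checking fragments before the transport, and the `walk_headers=False` model of a box that only reads the fixed header's Next Header field. Under that last model a TCP segment behind a Hop-by-Hop header, and (with or without walking) SCTP, fall into "other", which is Brian's point.

```python
"""Added example, not from the thread: bucket IPv6 packets per the sketched
border policy, rate-limit each bucket, and show where packets with extension
headers (and a new transport such as SCTP) land.  Packets, ports and limits
are constructed for illustration."""
import struct
from ipaddress import IPv6Address

# IANA protocol numbers: RFC 8200 extension headers plus the transports used here
HOPOPT, TCP, UDP, IPV6_ROUTE, IPV6_FRAG, ICMPV6, DSTOPTS, SCTP = 0, 6, 17, 43, 44, 58, 60, 132
EXT_HEADERS = {HOPOPT, IPV6_ROUTE, IPV6_FRAG, DSTOPTS}
REFLECTIVE_UDP_PORTS = {53, 123, 1900}      # assumption: a typical operator list
# Mbit/s per bucket, None = pass; only the 200 for UDP/53 comes from the thread
POLICY_MBPS = {"tcp": None, "udp-reflective": 200, "udp": None,
               "icmp": 50, "fragment": 50, "other": 20}

def build(exts, proto, payload):
    """Fixed IPv6 header + extension headers + upper-layer payload.  exts is a
    list of (proto, body); body is the header minus its first two bytes (Next
    Header, Hdr Ext Len), so each extension header must total a multiple of 8."""
    chain, nhs = [], [p for p, _ in exts] + [proto]
    for i, (_, body) in enumerate(exts):
        assert (len(body) + 2) % 8 == 0
        chain.append(bytes([nhs[i + 1], (len(body) + 2) // 8 - 1]) + body)
    ext = b"".join(chain)
    fixed = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), nhs[0], 64)
    addrs = IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed
    return fixed + addrs + ext + payload

def walk_chain(pkt, max_ext=8):
    """Follow the Next Header chain; return (upper_proto, offset, is_fragment)."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    nh, off, frag = pkt[6], 40, False
    for _ in range(max_ext):
        if nh not in EXT_HEADERS:
            return nh, off, frag
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == IPV6_FRAG:                 # fragment header is a fixed 8 bytes
            frag, nh, off = True, pkt[off], off + 8
        else:                               # Hdr Ext Len = 8-octet units after the first
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    raise ValueError("extension header chain too long")

def classify(pkt, walk_headers=True):
    """Map a packet to a policy bucket.  walk_headers=False models a box that only
    reads the fixed header's Next Header (an assumption, not a claim from the
    thread): anything behind an extension header then lands in 'other'."""
    proto, off, frag = walk_chain(pkt) if walk_headers else (pkt[6], 40, False)
    if frag:                        # checked first: later fragments carry no L4 header
        return "fragment"
    if proto == TCP:
        return "tcp"
    if proto == UDP:
        sport = struct.unpack_from("!H", pkt, off)[0] if off + 8 <= len(pkt) else None
        return "udp-reflective" if sport in REFLECTIVE_UDP_PORTS else "udp"
    if proto == ICMPV6:
        return "icmp"
    return "other"                  # SCTP, unknown protocols, and (no walk) every EH

class TokenBucket:
    def __init__(self, rate_bytes_per_s, burst_bytes):
        self.rate, self.burst = rate_bytes_per_s, burst_bytes
        self.tokens, self.last = burst_bytes, 0.0

    def allow(self, nbytes, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        ok = self.tokens >= nbytes
        self.tokens -= nbytes if ok else 0
        return ok

def simulate(packets, policy=POLICY_MBPS, duration=1.0, walk_headers=True):
    """Spread packets evenly over `duration` seconds; return {bucket: (accepted, total)}."""
    limiters = {b: TokenBucket(m * 1e6 / 8, m * 1e5 / 8)       # burst = 0.1 s of rate
                for b, m in policy.items() if m is not None}
    stats = {}
    for i, pkt in enumerate(packets):
        bucket = classify(pkt, walk_headers)
        now = duration * i / len(packets)
        ok = bucket not in limiters or limiters[bucket].allow(len(pkt), now)
        acc, tot = stats.get(bucket, (0, 0))
        stats[bucket] = (acc + ok, tot + 1)
    return stats

# Constructed sample packets
PADN = bytes([1, 4, 0, 0, 0, 0])                                   # 6-byte PadN option
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 443, 0, 0, 5 << 4, 2, 65535, 0, 0) + bytes(1380)
def udp_dgram(sport, n=1400):
    return struct.pack("!HHHH", sport, 40000, 8 + n, 0) + bytes(n)
SAMPLES = {
    "plain tcp": build([], TCP, TCP_SEG),
    "tcp behind hop-by-hop": build([(HOPOPT, PADN)], TCP, TCP_SEG),
    "dns reply": build([], UDP, udp_dgram(53)),
    "other udp": build([], UDP, udp_dgram(4433)),
    "icmpv6 echo": build([], ICMPV6, bytes([128, 0, 0, 0])),
    "sctp": build([], SCTP, bytes(12)),
    "first fragment": build([(IPV6_FRAG, struct.pack("!HI", 1, 0xABCD))], TCP, TCP_SEG),
    "later fragment": build([(IPV6_FRAG, struct.pack("!HI", 185 << 3, 0xABCD))], TCP, bytes(64)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} walk={classify(pkt):15s} fixed-only={classify(pkt, False)}")
    for name in ("dns reply", "tcp behind hop-by-hop"):
        for walk in (True, False):
            print(name, "walk" if walk else "fixed-only",
                  simulate([SAMPLES[name]] * 30000, walk_headers=walk))
```

Running it prints the bucket each sample lands in under both models and then floods the limiter with 30000 copies of a packet: the UDP/53 flood is trimmed to roughly the 200 Mbit/s budget either way, while the TCP-behind-Hop-by-Hop flood passes untouched only when the box walks the chain.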