Re: [Tsv-art] [OPSEC] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

[Jared Mauch <jared@puck.nether.net>]

> On Dec 6, 2018, at 1:58 PM, C. M. Heard <heard@pobox.com> wrote:
> 
> On Thu, Dec 6, 2018 at 1:32 AM Gert Doering <gert@space.net> wrote:
>> On Thu, Dec 06, 2018 at 01:14:54PM +1300, Brian E Carpenter wrote:
>>>> Which implies that as soon as the evil guys out there find a way to
>>>> generate DDoS streams carrying EHs that our border routers will (have to)
>>>> apply very strict rate limiting to everything they do not understand.
>>>> 
>>>> - pass TCP
>>>> - rate-limit UDP on well-known reflective attacks port
>>>> - pass rest of UDP
>>>> - rate-limit ICMP
>>>> - rate-limit fragments
>>>> - rate-limit all the rest to something which can never exceed a
>>>>   customer's access-link
>>>> 
>>>> game over, EH
>>> 
>>> Just to point out that this is equivalent to saying "game over,
>>> any new layer 4 protocol" too. For example, you just killed SCTP.
>>> And the same goes for new protocols over IPv4.
>> 
>> Well.  Since nobody is using SCTP, it can nicely live in the
>> "rate-limit all the rest to something ..." bucket...
>> 
>> But yes, "any new layer 4 protocol" is likely to not work in an Internet
>> that is basically full of hostile packets *in high volumes*.
>> 
>> Trying to run large volume traffic over UDP/443 is going to be the next
>> excercise in "operators told you that is isn't going to work"...
> 
> Is that a prediction, or a self-fulfilling prophecy? I would certainly hope
> that filtering UDP/443 is not done preemptively without actual evidence that
> it is in fact a DDoS vector.

It is done as UDP is where the majority of the abuse has been.  I’ve been responsible for implementing these types of controls at operator networks due to the damage it does to our infrastructure.

People are very unhappy then their service is down because they’re staring down a cannon that took out their country/continent with UDP abuse.

I would say I find it shocking that the transport area folks seem to keep ignoring the feedback from operators, but this feeds into the longstanding meme of operators don’t show up at the IETF because they aren’t heard.

I’ve had folks at $dayjob say they “Well that network will then have poor performance and people will switch”.  This may be the case for those that have choice, but as was recently pointed out in home net, much of the complexity perhaps isn’t used or desired by the consumers.

Yes, the ad networks want to serve me ads faster.  I don’t expect the transport area to listen to those that operate networks as it’s been demonstrated the conversation about harm to the network by these behaviors isn’t listened to.

Let me state it clearly:

UDP is filtered or policed by network operators not because they want it, but as self-defense.  Nothing personal.  If you are on the end of a long subsea circuits, you may not be able to use UDP based protocols.  If you are trying to SNMP poll over public internet because you think you can e2e, you will become sad.  No operator wants to deploy these configurations, they must because of the problems.

- jared

(Feels like a broken record on this topic)