IETF Logo Mail Archive

Re: [Tsv-art] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]

Nico Williams <nico@cryptonector.com> Thu, 06 December 2018 20:03 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E0BF131197; Thu, 6 Dec 2018 12:03:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sRJIaakek4pG; Thu, 6 Dec 2018 12:03:39 -0800 (PST)
Received: from bisque.maple.relay.mailchannels.net (bisque.maple.relay.mailchannels.net [23.83.214.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C0CF1311B9; Thu, 6 Dec 2018 12:03:29 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 741183E3EC0; Thu, 6 Dec 2018 20:03:28 +0000 (UTC)
Received: from pdx1-sub0-mail-a69.g.dreamhost.com (unknown [100.96.36.160]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id A1A3C3E46C3; Thu, 6 Dec 2018 20:03:27 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a69.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.2); Thu, 06 Dec 2018 20:03:28 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Share-Suffer: 56639b20546e6244_1544126608181_2534840862
X-MC-Loop-Signature: 1544126608181:2602549285
X-MC-Ingress-Time: 1544126608180
Received: from pdx1-sub0-mail-a69.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a69.g.dreamhost.com (Postfix) with ESMTP id 3B13281BCE; Thu, 6 Dec 2018 12:03:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=BGdnwQwNJTeXdr XYmn2m4ca0vcU=; b=RDdnsoYNKqjfUUJfMu9x5LOEuNVNbd+218KijTLS55Lcnj 5rZ0ZnfOpqXNqWZGxkHCRAmazsP3f7jXT2kg29Mg1lCdWsd8XppX5MKhDFQDOs9+ HVOxyRMBzwiHjR6I2wxXjeP4IqUm3dXO+h2M6zt7bQW5JU37jJoWjVyrGyrjw=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a69.g.dreamhost.com (Postfix) with ESMTPSA id 458EF81BCC; Thu, 6 Dec 2018 12:03:23 -0800 (PST)
Date: Thu, 06 Dec 2018 14:03:20 -0600
X-DH-BACKEND: pdx1-sub0-mail-a69
From: Nico Williams <nico@cryptonector.com>
To: "C. M. Heard" <heard@pobox.com>
Cc: Gert Doering <gert@space.net>, IETF <ietf@ietf.org>, draft-ietf-opsec-ipv6-eh-filtering.all@ietf.org, OPSEC <opsec@ietf.org>, TSV-ART <tsv-art@ietf.org>
Message-ID: <20181206200318.GP15561@localhost>
References: <CACL_3VGeJPzDhS0RVAvpQs9W8b4EODft-qJRwBD6Xxm+X6BZ6A@mail.gmail.com> <CAL9jLabK0bZz2nki=oFNHT0OrpVAB8pw7emAj2BtkHRCzkfmqQ@mail.gmail.com> <cf64abbf-e447-71e3-b983-4e525cc139aa@gmail.com> <CAL9jLaYMRDGFa7Qzj4ukRV1FPbJM40qbuZ34SYxoA30Z+h3EWw@mail.gmail.com> <20181205085227.GG1543@Space.Net> <9ba948f9-f286-1016-2dbd-f7056a15e744@gmail.com> <20181206093154.GF1543@Space.Net> <CACL_3VGy6rjr10E4FK4xd4pq_-XSfP2VGhVqT+z-6Gm17z7okA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACL_3VGy6rjr10E4FK4xd4pq_-XSfP2VGhVqT+z-6Gm17z7okA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtkedrudefjedgudefvdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/kK_3zWBI3nAz2aFnEE-Wy1Ezmv8>
Subject: Re: [Tsv-art] game over, EH [Tsvart last call review of draft-ietf-opsec-ipv6-eh-filtering-06]
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2018 20:03:49 -0000

On Thu, Dec 06, 2018 at 10:58:01AM -0800, C. M. Heard wrote:
>                                               [...]? I would certainly hope
> that filtering UDP/443 is not done preemptively without actual evidence that
> it is in fact a DDoS vector.

I'd expect that networks that filter / rate-limit UDP do it mostly
indiscriminately, and wouldn't already have exceptions for port 443.
Exceptions would mostly be for things like DNS and NTP (not filtered,
obviously, but maybe rate-limited).

The port number / application has a lot to do with DDoS potention.

E.g., DNS has great amplification potential, so it needs rate limits.
TCP has much smaller amplification potential, and more of the TCP state
machine is visible to the network than any non-TCP protocol's state
machine, so maybe TCP SYNs and maybe even RSTs get rate-limited, but
others do not.  With TCP there's no need to discriminate by port number
or know what the application protocol is.  With UDP all you have is port
numbers to discriminate by.

Without exposing that sort of detail (SYN, RST, ...) to the network, I'd
expect operators to scoff, and QUIC to have trouble in the public
Internet until operators / kit learn how to handle QUIC.  Not that we
can expect kit to understand new upper level protocols, or new UDP
application protocols, in with any kind of celerity.  So it's all a mess
:(

Also, we can run HTTP and HTTPS over TCP on any ports, not just 80 and
443.  That won't be true for QUIC.  Each alternative port number will
have to get middlebox relaxation de novo.  That could be a problem, or
maybe a blessing: maybe QUIC should mux multiple apps on one port.
(QUIC muxes streams, but not apps).  Then again, QUIC is done, right?

Nico
--

v2.23.0 | Report a Bug | By Email