IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

Bob Briscoe <ietf@bobbriscoe.net> Sat, 08 May 2021 17:05 UTC

Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E3C53A201F for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 10:05:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.434
X-Spam-Level:
X-Spam-Status: No, score=-1.434 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nN6TpAwg3ky7 for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 10:05:02 -0700 (PDT)
Received: from mail-ssdrsserver2.hosting.co.uk (mail-ssdrsserver2.hosting.co.uk [185.185.85.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E15E3A201E for <tsvwg@ietf.org>; Sat, 8 May 2021 10:05:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:Cc:To:Subject:Sender :Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=PaMo0b7cjuCN1/RsiM8Y47E5VRe49DxeFXJeWI09ViE=; b=Hd3YcO5WTTJSsZICeJ9mjuII9S HZxKcohVCPlIWAUGfLvCpO9SuQKtSbFIGkC4+kdmz32n4V4o0s6M1reRkIS6LIwXZE8xbVKDK8WT/ g2NBDDhsH8b7SWG/83OmVJYALbSjwIsiU4fpMnbwOrlcgEomfmoL7mlPnx0A3Tt98rluvDNlE5fT7 ozli8aoavmtgjrhRZR4sLaaC34524uRyQCzPm3amJhKhU4nor7eA4tpBLoNjiKtNbJSn5Hz2hQpQu T5S0f6saTrqAYQ3Bm7eHFHBALf7jML24VnlSCQVN21vQsW2AB3EHwDpmff/M1UjbEaqz+hcc51iL+ cdPGmfQw==;
Received: from 67.153.238.178.in-addr.arpa ([178.238.153.67]:40760 helo=[192.168.1.11]) by ssdrsserver2.hosting.co.uk with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <ietf@bobbriscoe.net>) id 1lfQNw-0002lP-U7; Sat, 08 May 2021 18:04:59 +0100
To: Jonathan Morton <chromatix99@gmail.com>
Cc: Pete Heist <pete@heistp.net>, TSVWG <tsvwg@ietf.org>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de> <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com> <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net> <37CE31A2-E78D-479E-AC65-B49C57B7227D@gmail.com> <b137a902-a2a6-fb47-1284-c6e962a1cd6f@bobbriscoe.net> <FB4418AE-802D-46F6-AAC7-66DB804D9037@gmail.com>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <1a0a1f9d-586d-5ee0-b3b2-e5fd96d2fe3c@bobbriscoe.net>
Date: Sat, 08 May 2021 18:04:57 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <FB4418AE-802D-46F6-AAC7-66DB804D9037@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ssdrsserver2.hosting.co.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: ssdrsserver2.hosting.co.uk: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: ssdrsserver2.hosting.co.uk: in@bobbriscoe.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/1R4gW94F1oK7k0pJk7GwOvaZAcM>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 17:05:07 -0000

Jonathan,

On 08/05/2021 16:25, Jonathan Morton wrote:
>> On 8 May, 2021, at 6:05 pm, Bob Briscoe <in@bobbriscoe.net> wrote:
>>
>> As just pointed out (my email crossed yours), existing established Diffserv technology is also prone to this problem, and it's lower hanging fruit for an attacker, because the delay-delta is typically larger.
> Perhaps - but usable Diffserv deployments at the last-mile are not very common.

[BB] WMM (Wifi MultiMedia).

> L4S proposes to put a DualQ instance in front of every cable internet subscriber, making it much easier for an attacker to predict how he needs to conduct his attack than the equivalent with Diffserv.  If the PHB is implemented at a backbone node rather than a last-mile head-end, the bandwidth required to saturate DualQ is also much less than to saturate the Diffserv queue.
>
> Also, if ECT(0) traffic is what gets stuffed down the C queue, how much can the sojourn time grow before packets start getting dropped, and is that situation persistent under an unresponsive load?  The difference in queue depth might *not* actually be much different from the Diffserv case.
>
>> The solution to all these interactions between a poorly configured replay protection window and queues with different delay differences is simply to configure a replay window appropriate to the packet rate of the VPN tunnel, taking account of expected delay differences between queues.
> Maybe so, but the small replay window size is the environment that exists today.  Perhaps it will improve in future, but I think it has to be increased by several orders of magnitude to make this attack infeasible.

[BB] I understood this already when Pete said it. My point was that, you 
seem to want this to be a criticism of L4S, rather than of poorly 
configured VPNs. Surely you are not saying the IETF should halt any 
advances that reduce delay, like Diffserv and L4S, just because the 
replay windows of VPNs are poorly configured today?

> The Wireguard implementation in Linux has a hard ceiling at 8192 packets - is that enough?

[BB] A hard ceiling in /soft/ware?


>> Whatever, VPNs rarely provide open access for traffic from unauthorized sources to enter the VPN.
> One common application of VPNs is to hide players' home IP addresses from other players in multiplayer games.  They do this to prevent a type of griefing whereby an opposing player launches a DDoS attack to effectively disconnect them from the game, or lag them enough to get an easy kill.  This is possible because fast-paced games tend to send data directly between players to reduce latency, rather than going through a central server which is a better choice for slower-paced games.
>
> If a player uses a VPN to connect to the game, then the remote end of the VPN is the address given to the other players.  A DoS attack that could be launched into such a VPN endpoint would be highly attractive to a griefer.

[BB] So the player has a strong incentive to configure the replay window 
of her VPN properly.



Bob

>
>   - Jonathan Morton

-- 
________________________________________________________________
Bob Briscoe                               http://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email