IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

Jonathan Morton <chromatix99@gmail.com> Sat, 08 May 2021 15:25 UTC

Return-Path: <chromatix99@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 571403A1BB7 for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 08:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NP5K28DMg5i3 for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 08:25:25 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B38853A1BB8 for <tsvwg@ietf.org>; Sat, 8 May 2021 08:25:25 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id a36so15306667ljq.8 for <tsvwg@ietf.org>; Sat, 08 May 2021 08:25:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=V6oLBqL8+Qnsd+X2ff/ZM44S0lj9EY55YgGHKMzFe9U=; b=k/QgU3nTABaOWlmB0PvCdsCWm/eww3FWG4g2EITjW7Qmle5Tl0pSDo4NPm+pz03koi XF9+P23F+7E+ZWI7q7W/NnI4rkDRysFMLpl9KQnJWimJwuuGXrRONJtuFm8aI297biKm CeXjbDMzNKSrG9WdXxG/FBExFAGvlAgBGurxNSyAqSgHBjcOCCFPxjal9xpKML580fTG RHORcXpN8rqNhtX/HaBrkYnoupeCZ0O7BjA2I2284Gex7HO6ZpoFNX36sfZelSa4508U /AeiYQxbvXIz/QWrIKrlJeMoThyf/ojTAD+vYnejpQNTXeAM7BD02VcK1vr9xhvdmn3M kVlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=V6oLBqL8+Qnsd+X2ff/ZM44S0lj9EY55YgGHKMzFe9U=; b=C+IMJZKeP7x11jQBztpm0VH1tmYomMwcEm3TrFW3fxqN15pA6hBQpxfzpcj/dEViQL QNdXkKLyJba6dNh+aKq++JjoDJjN5jtl6X4pdhsTTfktV24ZBYvy8Estmpo0rLNfCw7O sX3liyFyKd8C9gMKOKOy03hyyrEAr8GZNwZ6BEyHMbWBIXR73RVFiZxvJ9xbXIgUJJcl JVS3I/rgxOxCcHwU3d+U5vopw5mcWnFMQ++abYpd0BTnaE643WNtE0k026blqKh1YQSF k1P0hbtc2rBZzyAnZ+34PKw1zf+Jy3/jAbZyLNHNAcDx7T+cfzCwNMYhrM4cL1Tco/uA SepA==
X-Gm-Message-State: AOAM530wKllNViD6oqtN+yG2F3GTvMjFWHxQ8D7yfgUpF1BPy7Ix+VkV 3hmvOHxqhRwUJHerucYWHG4=
X-Google-Smtp-Source: ABdhPJzCPiuImc8KM+poYXdJ/MhXR2jFs0CHj3ST9+thwrMKSI2SdkOY22vF1Fdq3wGs1YS2ZxpgqQ==
X-Received: by 2002:a2e:a413:: with SMTP id p19mr10173480ljn.485.1620487522578; Sat, 08 May 2021 08:25:22 -0700 (PDT)
Received: from jonathartonsmbp.lan (178-55-25-11.bb.dnainternet.fi. [178.55.25.11]) by smtp.gmail.com with ESMTPSA id l23sm1458102ljb.26.2021.05.08.08.25.21 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 May 2021 08:25:22 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Jonathan Morton <chromatix99@gmail.com>
In-Reply-To: <b137a902-a2a6-fb47-1284-c6e962a1cd6f@bobbriscoe.net>
Date: Sat, 08 May 2021 18:25:21 +0300
Cc: Pete Heist <pete@heistp.net>, TSVWG <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FB4418AE-802D-46F6-AAC7-66DB804D9037@gmail.com>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de> <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com> <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net> <37CE31A2-E78D-479E-AC65-B49C57B7227D@gmail.com> <b137a902-a2a6-fb47-1284-c6e962a1cd6f@bobbriscoe.net>
To: Bob Briscoe <in@bobbriscoe.net>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/JrY4nPPcEvRE1vPK5YR38kS_rkw>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 15:25:30 -0000

> On 8 May, 2021, at 6:05 pm, Bob Briscoe <in@bobbriscoe.net> wrote:
> 
> As just pointed out (my email crossed yours), existing established Diffserv technology is also prone to this problem, and it's lower hanging fruit for an attacker, because the delay-delta is typically larger.

Perhaps - but usable Diffserv deployments at the last-mile are not very common.  L4S proposes to put a DualQ instance in front of every cable internet subscriber, making it much easier for an attacker to predict how he needs to conduct his attack than the equivalent with Diffserv.  If the PHB is implemented at a backbone node rather than a last-mile head-end, the bandwidth required to saturate DualQ is also much less than to saturate the Diffserv queue.

Also, if ECT(0) traffic is what gets stuffed down the C queue, how much can the sojourn time grow before packets start getting dropped, and is that situation persistent under an unresponsive load?  The difference in queue depth might *not* actually be much different from the Diffserv case.

> The solution to all these interactions between a poorly configured replay protection window and queues with different delay differences is simply to configure a replay window appropriate to the packet rate of the VPN tunnel, taking account of expected delay differences between queues.

Maybe so, but the small replay window size is the environment that exists today.  Perhaps it will improve in future, but I think it has to be increased by several orders of magnitude to make this attack infeasible.  The Wireguard implementation in Linux has a hard ceiling at 8192 packets - is that enough?

> Whatever, VPNs rarely provide open access for traffic from unauthorized sources to enter the VPN.

One common application of VPNs is to hide players' home IP addresses from other players in multiplayer games.  They do this to prevent a type of griefing whereby an opposing player launches a DDoS attack to effectively disconnect them from the game, or lag them enough to get an easy kill.  This is possible because fast-paced games tend to send data directly between players to reduce latency, rather than going through a central server which is a better choice for slower-paced games.

If a player uses a VPN to connect to the game, then the remote end of the VPN is the address given to the other players.  A DoS attack that could be launched into such a VPN endpoint would be highly attractive to a griefer.

 - Jonathan Morton

v2.23.0 | Report a Bug | By Email