IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

Sebastian Moeller <moeller0@gmx.de> Sat, 08 May 2021 18:22 UTC

Return-Path: <moeller0@gmx.de>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF9313A0C86 for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 11:22:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.349
X-Spam-Level:
X-Spam-Status: No, score=-2.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cpKsjTQYhPmY for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 11:22:48 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6400B3A0CA2 for <tsvwg@ietf.org>; Sat, 8 May 2021 11:22:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1620498123; bh=PAZunBBidMk0nnino2dVFZWnglo+kRLvlx9CVQyoOuU=; h=X-UI-Sender-Class:Subject:From:In-Reply-To:Date:Cc:References:To; b=fotJsLu+tSCiuSnifmOaBPkmCI1PzABz4/hT/aKQzX2Qx0N3l+CQuOWtgNIBQKgrh EjNEYbuXdYZzvqTrwnWA78QVHCOk3IjQGjCmHLjrv/sepb39wdiIx+NPvIB/s3nKqv EkL5aHeWGHcdBTs0uEinykrHvQcE0F6ri2pFWEBc=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.42.229] ([77.8.244.85]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1Ma24y-1m0Hq31ri0-00Vy2x; Sat, 08 May 2021 20:22:03 +0200
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.20\))
From: Sebastian Moeller <moeller0@gmx.de>
In-Reply-To: <1a0a1f9d-586d-5ee0-b3b2-e5fd96d2fe3c@bobbriscoe.net>
Date: Sat, 08 May 2021 20:22:02 +0200
Cc: Jonathan Morton <chromatix99@gmail.com>, TSVWG <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8E67BA6B-F7C7-46C8-8B23-7A5A19962101@gmx.de>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de> <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com> <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net> <37CE31A2-E78D-479E-AC65-B49C57B7227D@gmail.com> <b137a902-a2a6-fb47-1284-c6e962a1cd6f@bobbriscoe.net> <FB4418AE-802D-46F6-AAC7-66DB804D9037@gmail.com> <1a0a1f9d-586d-5ee0-b3b2-e5fd96d2fe3c@bobbriscoe.net>
To: Bob Briscoe <ietf@bobbriscoe.net>
X-Mailer: Apple Mail (2.3445.104.20)
X-Provags-ID: V03:K1:mmy89Jsg9/DCosF/Fk2J1cvz0waQfrtB6j9t6bx1nqXGQq7ev4U EhiBgHJxxWf+R4AQUw3D9+qQ0grl9GIxFgLbyNDnYknWFN1FCp5lIx4K/xA4+H06BGJZRMg CCJY6uyQvJ+E2IgN/momXowBsA+K8HQP/aMirUNYk3sXfvaWpZfIyYtKOY2/cauZ+1lz9ex dVJbX/7pEjGAptQUJHV7Q==
X-UI-Out-Filterresults: notjunk:1;V03:K0:o6V6syl4luo=:ikb7WK050wbi2IjHzgnVFa oKdzuLffCI+d+IJDrmEc4aDeJGTvG+9oqbmPAQorJaAriQ5LT2iLD1kWoVvwN+fWKN7XfG2e5 qJxvtZtQBDR9gdQoLRi3YAnqEeDW1QUgUTD34CzcCiWjV5ovD3zTw1gfhRWPQTXikh0J8x7fn bsQG4DwtEpshAGBUYg6w4YwJNadC5G/mC7NkBp4AnRndjsB4oW5JDYBdAsNT3pXA/guwBcHKU fCYc3cPjtrGpy/21oep5cdF+fCOK4oOGb2WSoXajLOp5EnIYHhn1E0NZrK2CxFeRguYh4vZ0m tZ0odO4kc4H0RG/53YIyitm5zfqk4fjx3Wj2xKQYlG028GFk9rXwEzIoOzi+MDSgPNrIjO8Tx BiHxrK5OEFs+o+Yu5smxAbYMa74MC38SjBJJMm+cgYmbC479p8CuidCP8IVtu3IzisoDyUGCS EIi92rZfeZOQ7SP3OG5Rk5Rs/JRZ3ZQPaS6zTqAvOzPpvKwotdINtOvz5G28MU3Vbx/KEsZnC VZbui0OjWq6Q/ORif+z08bN75n+Q4QZTYcTgsIM+POcIz74xGee1ehF/5+txcYA4adtmhEj1c nkzaVzqSO+elEjROd90P9sAn75sC8MkmRiAB5BYUCjh0CVlXwS8YiLT5z9fRbQeiP2XmkIMxO Q+uAZhT+rv9OPElzVFXB72kQUZm3ZQBu3/COYcQaPuvg2q+k67lfrjfNswNGQQRmH/S2XHha+ xMPxXc9zNCbEl/O0SD2C9vy7NPbmQCElKZbEfLz/ljHqaGipVoO3NbZA+JH9ePSWAbY7K/k8e wsxpuB+h5R/fDvYKPBOTjy2lbPolRgY5LmtIEaOWHaXHsU5t8G9FjWMohMmXXztBP+Y3bmGHO G5jNfvFYT0PwqXX9zGvhS7YTITrP8Bb/xq6u1WXMzQJUjUIPjjtLpiSUIiOJfdkGUVzq8CFM+ p5dmZm1TB+m7nKLs6LPk7Rl8rZSZaBOjTa3r2XnFRSYXEcDgVqClPZ2zoEA5R+WYdayhECqPB FtAR2Eoi2iSRLJocyoq8KsmlaKc0qyEBM8AXlvbRvte4CfHB/h7/D0WxYszKgfVYcBcqZ50+J 15yLXdP8+i/K2jEEhqfTyQPG0R+FTBL+M7qsth0lx8bH4MY4//I0ICflabRl8lCOUQLuD4Omh RDu4yrwTPXFNHjXXX8RagM93nH6aC+rt2wxYwweYEliXKUGeQC01BkNw4FSRL5ODmE6OI=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/dH4xPdHYmEVlhcg6LygeUO91Hto>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 18:22:54 -0000

Hi Bob,



> On May 8, 2021, at 19:04, Bob Briscoe <ietf@bobbriscoe.net> wrote:
> 
> Jonathan,
> 
> On 08/05/2021 16:25, Jonathan Morton wrote:
>>> On 8 May, 2021, at 6:05 pm, Bob Briscoe <in@bobbriscoe.net> wrote:
>>> 
>>> As just pointed out (my email crossed yours), existing established Diffserv technology is also prone to this problem, and it's lower hanging fruit for an attacker, because the delay-delta is typically larger.
>> Perhaps - but usable Diffserv deployments at the last-mile are not very common.
> 
> [BB] WMM (Wifi MultiMedia).
> 
>> L4S proposes to put a DualQ instance in front of every cable internet subscriber, making it much easier for an attacker to predict how he needs to conduct his attack than the equivalent with Diffserv.  If the PHB is implemented at a backbone node rather than a last-mile head-end, the bandwidth required to saturate DualQ is also much less than to saturate the Diffserv queue.
>> 
>> Also, if ECT(0) traffic is what gets stuffed down the C queue, how much can the sojourn time grow before packets start getting dropped, and is that situation persistent under an unresponsive load?  The difference in queue depth might *not* actually be much different from the Diffserv case.
>> 
>>> The solution to all these interactions between a poorly configured replay protection window and queues with different delay differences is simply to configure a replay window appropriate to the packet rate of the VPN tunnel, taking account of expected delay differences between queues.
>> Maybe so, but the small replay window size is the environment that exists today.  Perhaps it will improve in future, but I think it has to be increased by several orders of magnitude to make this attack infeasible.
> 
> [BB] I understood this already when Pete said it. My point was that, you seem to want this to be a criticism of L4S, rather than of poorly configured VPNs.

	[SM] Well, L4S novel re-ordering behaviour can turn a VPN configuration that worked just fine into one that throws spurious replay attack warnings. IMHO that indicates that the VPN was properly configured for its envoronment before, so the party changing the environment, L4S in this case, carries at least as much responsibility as the VPN. 
	Side-note, it gets predictable, that all new L4S failure modes are immediately interpreted as someone else's fault.

> Surely you are not saying the IETF should halt any advances that reduce delay, like Diffserv and L4S, just because the replay windows of VPNs are poorly configured today?
> 
>> The Wireguard implementation in Linux has a hard ceiling at 8192 packets - is that enough?
> 
> [BB] A hard ceiling in /soft/ware?

	[SM] It is a define, so ATM you need to compile a new kernel, so for many end-user this is effectively a hard ceiling...

>>> Whatever, VPNs rarely provide open access for traffic from unauthorized sources to enter the VPN.
>> One common application of VPNs is to hide players' home IP addresses from other players in multiplayer games.  They do this to prevent a type of griefing whereby an opposing player launches a DDoS attack to effectively disconnect them from the game, or lag them enough to get an easy kill.  This is possible because fast-paced games tend to send data directly between players to reduce latency, rather than going through a central server which is a better choice for slower-paced games.
>> 
>> If a player uses a VPN to connect to the game, then the remote end of the VPN is the address given to the other players.  A DoS attack that could be launched into such a VPN endpoint would be highly attractive to a griefer.
> 
> [BB] So the player has a strong incentive to configure the replay window of her VPN properly.

	[SM] Or to bleach ECT(1) on tunnel egress to head off such behavior... Really I consider your evaluation of responsibility in this issue a bit offensive. L4S breaks existing known-working configurations, and all we say, is fix your VPN, really?

Best Regards
	Sebastian


> 
> 
> 
> Bob
> 
>> 
>>  - Jonathan Morton
> 
> -- 
> ________________________________________________________________
> Bob Briscoe                               http://bobbriscoe.net/
>

v2.23.0 | Report a Bug | By Email