Re: [tsvwg] L4S dual-queue re-ordering and VPNs
Bob Briscoe <ietf@bobbriscoe.net> Sun, 09 May 2021 14:28 UTC
Return-Path: <ietf@bobbriscoe.net>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AD753A08EE for <tsvwg@ietfa.amsl.com>; Sun, 9 May 2021 07:28:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.047
X-Spam-Level: **
X-Spam-Status: No, score=2.047 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.972, URIBL_BLOCKED=0.001, URI_DOTEDU=1.273] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4AX1XWuzz02 for <tsvwg@ietfa.amsl.com>; Sun, 9 May 2021 07:28:14 -0700 (PDT)
Received: from mail-ssdrsserver2.hosting.co.uk (mail-ssdrsserver2.hosting.co.uk [185.185.85.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CEC33A08E6 for <tsvwg@ietf.org>; Sun, 9 May 2021 07:28:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=B/Krqrpk66SgdwX6T7ilY4XDeNy3+PADmslj74DUg0I=; b=2MtULpQy3FxOMVzpSUrjGwsr3d Zrmkw805gqPMeYM7sZkSJg/yez58BWHMBnTjJur14ySZK4tvXyJMFXwd8MDPA3NvVVbkBC6gQTCoQ DkMpKby0k2vIUdQo6sbLzp8RTX9WOiqeEOIjxwTTJJhnR9aFpvYcGAzWIBB+BC8bpTNWJAc3rTdpc CDIdVxe9+pHwN6pUTRgW4ZdwxC2n69brY4p0RKfQiZjP5QYfTpcdIv7QwKgERKQ0XoZ73up7ez2tT GbhUfvPu3jlajQIyxOL9IPjOXPMmGVRPVkBukpU8VVPlhVXO1HuAljDrNdANVHXPNiYkjzUfXiqkp IA0kVWSw==;
Received: from 67.153.238.178.in-addr.arpa ([178.238.153.67]:47660 helo=[192.168.1.11]) by ssdrsserver2.hosting.co.uk with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <ietf@bobbriscoe.net>) id 1lfkPe-0006in-Ql; Sun, 09 May 2021 15:28:06 +0100
To: Jonathan Morton <chromatix99@gmail.com>
Cc: Pete Heist <pete@heistp.net>, TSVWG <tsvwg@ietf.org>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de> <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com> <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net> <37CE31A2-E78D-479E-AC65-B49C57B7227D@gmail.com> <b137a902-a2a6-fb47-1284-c6e962a1cd6f@bobbriscoe.net> <FB4418AE-802D-46F6-AAC7-66DB804D9037@gmail.com> <1a0a1f9d-586d-5ee0-b3b2-e5fd96d2fe3c@bobbriscoe.net> <4DEF57C5-40D0-4455-B722-75E85E068CDD@gmail.com>
From: Bob Briscoe <ietf@bobbriscoe.net>
Message-ID: <b378e4ea-3207-1806-884b-7f9761593ded@bobbriscoe.net>
Date: Sun, 09 May 2021 15:28:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <4DEF57C5-40D0-4455-B722-75E85E068CDD@gmail.com>
Content-Type: multipart/alternative; boundary="------------BAC248E6EA29135FE4425A07"
Content-Language: en-GB
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ssdrsserver2.hosting.co.uk
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: ssdrsserver2.hosting.co.uk: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: ssdrsserver2.hosting.co.uk: in@bobbriscoe.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/qtEJqivzZUDQeyLehdlLbI3leF8>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 May 2021 14:28:19 -0000
Jonathan, On 08/05/2021 19:32, Jonathan Morton wrote: >>>> On 8 May, 2021, at 6:05 pm, Bob Briscoe <in@bobbriscoe.net> wrote: >>>> >>>> As just pointed out (my email crossed yours), existing established Diffserv technology is also prone to this problem, and it's lower hanging fruit for an attacker, because the delay-delta is typically larger. >>> Perhaps - but usable Diffserv deployments at the last-mile are not very common. [BB] See email to Sebastian for the global market in business services that is built on Diffserv deployments in the last mile. But you are right that my point about authorization to use VPNs applies to last-mile Diffserv as well - Diffserv's rarely open access. That's why I pointed to WMM. >> [BB] WMM (Wifi MultiMedia). > That's not the last mile - that's within customer premises. [BB] Is that relevant? I mean, in the context of this issue (I know it's not literally what you said). [BB] All the reasons you give for WMM not being relevant below seem to be clutching at straws. [BB] I found the same text that Sebastian found in the IPsec architecture ([RFC4301] section 4.1) saying that different security associations 'SHOULD' be used for each Diffserv codepoint. That would help rule out Diffserv's vulnerability, but I'm not sure whether IPsec implementations follow that advice - anyone know? > I would also question how often a DSCP would survive on the outer header of a VPN packet long enough to influence this mechanism. [BB] * Upstream: Diffserv (typically an abstraction of Diffserv) is invariably the interface that OSs present to applications in order to use WMM. * Downstream: ISPs typically supply an access point, so they will often hook into WMM from their QoS regime using Diffserv as the go-between. In the past I'm sure Greg White has given the results of his informal study of just how common different DSCPs are on frames snooped from busy WiFi environments (downstream and upstream). > But I would also note the increase in the use of fq_codel in wifi AP stacks, which would tend to reduce any differential delay to a greater degree than the C queue in DualQ does. Those, taken together, might be significant reasons why problems have not been noticed up to now. [BB] One would need to imagine that nearly the whole WMM world has nearly always used FQ-CoDel for this to be a reason. > > For the particular use case I mentioned, a player connecting over wifi would be ridiculed due to the inconsistent latency that wifi offers, especially in congested radio environments. [BB] It's the attack traffic that needs to use the lower delay WMM access category, not (necessarily) the user. > >>> L4S proposes to put a DualQ instance in front of every cable internet subscriber, making it much easier for an attacker to predict how he needs to conduct his attack than the equivalent with Diffserv. > ... > >> My point was that, you seem to want this to be a criticism of L4S, rather than of poorly configured VPNs. > As often seems to happen, you seem to want to deflect any possible criticism of L4S onto some other piece of technology that it might happen to interact poorly with, so that you don't need to change L4S, only all those other things need to change or just plain go away. [BB] If L4S is the problem, I'll say. But I'm trying to establish whether this problem already exists, and whether solutions to it have been proposed. The approach a researcher takes when they think they have found a new attack is to generalize it, and then see if it's already been proposed and studied. So far I haven't found any research that uses a pre-existing delay-delta on the path like your attack. The following two papers are about related attacks exploiting the IPsec replay window, but the attacker needs to be on-path: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.183.2766&rep=rep1&type=pdf https://arxiv.org/pdf/0910.3511.pdf > You don't like FQ, or Codel, or fq_codel, or the continuing deployment of RFC-3168 compliant middleboxes in general, and you *certainly* don't like me personally. I've got used to that. > > The operative phrase here is that you're entitled to your own opinions, but not your own facts. [BB] A mailing list is for establishing what the facts are. I should know some facts in this space, because I've been involved in the access network QoS business of operators for decades (and I helped set up a start-up before operators were doing it). But I also know that there's always a lot I don't know. So the normal etiquette is to be circumspect about the breadth of your own knowledge, because none of us know how much we don't know. > >> Surely you are not saying the IETF should halt any advances that reduce delay, like Diffserv and L4S, just because the replay windows of VPNs are poorly configured today? > Configuring the replay window size is a game of compromises. If it's too small, then a variety of effects can result in legitimate packets falling outside the window. If it's too large, then there is presumably a greater risk of the replay attacks that it's designed to protect against being inadvertently permitted. I don't know enough about the details of that to judge how serious that particular risk is - but the fact that many VPNs default to values near the minimum recommended in RFC-4303 is probably not a gross error of judgement. [BB] I also didn't know much about the replay window tradeoff until yesterday, but I've been reading. It seems to be a lot to do with implementation efficiency. The number 64 for the replay window seems to come from the variable you would use to hold the bit map of the replay window on a 64-bit machine. From IPSec [RFC4302] Appx B.1.: (No requirement is established for minimum or recommended sizes for this window, beyond the 32- and 64-packet values already established for 32-bit sequence number windows. However, it is suggested that an implementer scale these values consistent with the interface speed supported by an implementation that makes use of the ESN option. I found papers proposing techniques to efficiently use larger bit-maps, including RFC6479 (the IPR declaration offers non-assertion with reciprocity). The papers I cited earlier attempted to reason about a recommended window size. The unstated rule for preventing replay attacks seems to be "as small as possible without creating vulnerabilities to other attacks". The paper proposes a replay window needs to be "as large as the e2e bandwidth-delay product at the rate supported by the VPN over a max delay path". But I don't see any justification for that. > > I do note that RFC-4303 significantly post-dates most of the Diffserv specifications, so it notionally had the opportunity to consider the implications. [BB] That assumes the problem was known. The 1998 version of IPsec had the same replay prevention window approach as the current (2005) version in RFC4301. But until the 2009 papers linked above (and your proposed attack), IPsec's anti-replay protocol seems to have only been considered useful for /preventing/ DoS attacks. > One way that VPNs could sidestep this particular problem in a Diffserv context is to fix a single DSCP on all outer headers, ensuring that they'll go through the same queue - and at least some of them actually do this. [BB] "You can't do what you want to do" isn't really a solution. When the DSCP is actually being used for different levels of QoS, one needs a Diffserv tunnel's uniform mode [RFC2983], i.e. propagation and from outer. > > But they can't really do the equivalent of this to the ECN field in an L4S context, because that would trigger the CE ambiguity problem without also sending the L4S traffic through the L queue. Not unless they put Not-ECT on the outer header unconditionally - but that *would* be a step backwards. > > I hope you can see the difference here. > >>> The Wireguard implementation in Linux has a hard ceiling at 8192 packets - is that enough? >> [BB] A hard ceiling in /soft/ware? > It's a value that you can't exceed merely by userspace configuration, only by patching the kernel. Hence there will be significant inertia in raising it, if it needs to be raised. Hence my question - *is* it large enough? And following on from that, what are the downsides of choosing such a large value? [BB] Yes, those questions arose for me too. See sketchy summary of the only paper I can find about this, above. > >>> If a player uses a VPN to connect to the game, then the remote end of the VPN is the address given to the other players. A DoS attack that could be launched into such a VPN endpoint would be highly attractive to a griefer. >> [BB] So the player has a strong incentive to configure the replay window of her VPN properly. > For normal operation, the default replay window is big enough. [BB] Can you justify that statement? Never mind Diffserv or DualQ. Just the background reordering degree on some Internet paths is greater than 64. https://www.ietf.org/proceedings/90/slides/slides-90-tcpm-9.pdf Where this is due to bonded links, even if the reordering degree was half a dozen, an attacker could tip it over 64 by sending a stream of tiny back-to-back datagrams into the VPN (29B instead of 1500B packets could inflate the reordering degree by up to x50). It wouldn't matter if the tinygrams were spread across both/all channels; IPsec's replay protection would still start deleting genuine packets. As a feel for the order of magnitude, at only 100Mb/s, 64 injected back-to-back min sized datagrams (29B) occupy only 150μs. > For network paths that deliver packets more-or-less in-order, the default replay window is big enough. It's only when an attack arises on a vulnerable path - a path *made* vulnerable by the installation of DualQ - that an adjustment becomes necessary. > > So where is the cause, exactly? And where should the cure be applied? [BB] Still trying to find that answer. Replay attacks have to be mounted by on-path attackers, and they are application-specific but the attacker is blind to what's in the packets. Plus e2e security protocols take care about replay attacks themselves (salting passwords, etc). So it seems that it's just useful for a VPN to have /a/ replay window in case there might be a replay attack that e2e protocols have not protected against. IPsec replay protection seems like an extra pair of underpants just in case. Bob > > - Jonathan Morton -- ________________________________________________________________ Bob Briscoe http://bobbriscoe.net/
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Greg White
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Pete Heist
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Black, David
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Pete Heist
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Jonathan Morton
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Jonathan Morton
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Jonathan Morton
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Black, David
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Jonathan Morton
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Bob Briscoe
- Re: [tsvwg] L4S dual-queue re-ordering and VPNs Sebastian Moeller