IETF Logo Mail Archive

Re: [tsvwg] L4S dual-queue re-ordering and VPNs

Jonathan Morton <chromatix99@gmail.com> Sat, 08 May 2021 18:32 UTC

Return-Path: <chromatix99@gmail.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F0A53A0CFC for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 11:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFSE0ufaqw5k for <tsvwg@ietfa.amsl.com>; Sat, 8 May 2021 11:32:10 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 077DA3A0CEF for <tsvwg@ietf.org>; Sat, 8 May 2021 11:32:09 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id j10so17360341lfb.12 for <tsvwg@ietf.org>; Sat, 08 May 2021 11:32:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=T10S1/xuLskaq3G0OvQvNFevwl49YGN8i4S1u/dRbJk=; b=pPIJkrDszG1drhebP34YfYbvkBsnVHf9birv0HD0VD+tTtvpFxcPNBC4RTwqdKs/JV BQYibiAMoai2O9fIrxDD9ApOHhGoB1NIjIXfOBZN1hIA/3VKxh4Nl3y1/2aAHdK+BVG8 6zDeGePmC3zuk5N07X0rm9xtcQ5NC9frfeivCTNxIzyRMAfNo5tbYB4YkutqIWb7u2rE 8FtDz81eS3Xx07/uFM5AhbRp24XVz7cm9I8x9FEyBCBkrGsAbnXu3hgyiRMXk1Ta0oK8 qxCYY/JeQW/7/G3nEo9/9sFA/8DOFpGGVXib2ZCw1vbyuRlWnGQDWqGHFuqJU6zVF7WS b2vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=T10S1/xuLskaq3G0OvQvNFevwl49YGN8i4S1u/dRbJk=; b=XbdniXenEov1uUjjXz7qUDjeSsA6NFz/w4cn5PJMa3/k/iHAzP8oykCCd392OoKEPE j14M7DmHP3rlHVmnX/gkDcGrOK3en32xj2Pu6oLCAexLrUls8QAiiwkgcC8iuy3U6Fjq cRmV0xE7+t3+BYwB6bD5aoI4nK8bMtwT6sAX19XJRQrOX86z1w3uhQLJILj+GI03InXb q9fCEVs/18tzQ5SuDGODxvXoK0MMKS9mcjSQZMBsvv+bWafMDqBShbeJ6AqQ3X9xmxke jr1PdRp1pzA8r4rlz/4t2kXiKRYe2UCiST1J87QsMbNA0lz+gG1W80xwEbhXWwwV3fe/ fkBA==
X-Gm-Message-State: AOAM531eZs8xShWw1loDTjXNP7KojYYRtOAnBWKJyFsxjXxSj3NZWKML 8Y0alOl1sJKfJdwKvsoFv0w=
X-Google-Smtp-Source: ABdhPJz/P7CLDPIAFkwjqaeFs5ttNdO/qbjITXsK7sVKQcYSW1nqO6Mdw82pf4YycrSIdWMbDRzxiQ==
X-Received: by 2002:a05:6512:1388:: with SMTP id p8mr11232140lfa.269.1620498722600; Sat, 08 May 2021 11:32:02 -0700 (PDT)
Received: from jonathartonsmbp.lan (178-55-25-11.bb.dnainternet.fi. [178.55.25.11]) by smtp.gmail.com with ESMTPSA id z15sm471620ljc.84.2021.05.08.11.32.01 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 May 2021 11:32:02 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Jonathan Morton <chromatix99@gmail.com>
In-Reply-To: <1a0a1f9d-586d-5ee0-b3b2-e5fd96d2fe3c@bobbriscoe.net>
Date: Sat, 08 May 2021 21:32:00 +0300
Cc: Pete Heist <pete@heistp.net>, TSVWG <tsvwg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4DEF57C5-40D0-4455-B722-75E85E068CDD@gmail.com>
References: <68F275F9-8512-4CD9-9E81-FE9BEECD59B3@cablelabs.com> <1DB719E5-55B5-4CE2-A790-C110DB4A1626@gmx.de> <MN2PR19MB40452C9DD1164609A005139583569@MN2PR19MB4045.namprd19.prod.outlook.com> <e15d732f64bf983975dbe507092b39f0744f7f74.camel@heistp.net> <37CE31A2-E78D-479E-AC65-B49C57B7227D@gmail.com> <b137a902-a2a6-fb47-1284-c6e962a1cd6f@bobbriscoe.net> <FB4418AE-802D-46F6-AAC7-66DB804D9037@gmail.com> <1a0a1f9d-586d-5ee0-b3b2-e5fd96d2fe3c@bobbriscoe.net>
To: Bob Briscoe <ietf@bobbriscoe.net>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/yLU79OnuqPzmLmsJMZ1_-2HH9tU>
Subject: Re: [tsvwg] L4S dual-queue re-ordering and VPNs
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 May 2021 18:32:16 -0000

>>> On 8 May, 2021, at 6:05 pm, Bob Briscoe <in@bobbriscoe.net> wrote:
>>> 
>>> As just pointed out (my email crossed yours), existing established Diffserv technology is also prone to this problem, and it's lower hanging fruit for an attacker, because the delay-delta is typically larger.

>> Perhaps - but usable Diffserv deployments at the last-mile are not very common.
> 
> [BB] WMM (Wifi MultiMedia).

That's not the last mile - that's within customer premises.  I would also question how often a DSCP would survive on the outer header of a VPN packet long enough to influence this mechanism.  But I would also note the increase in the use of fq_codel in wifi AP stacks, which would tend to reduce any differential delay to a greater degree than the C queue in DualQ does.  Those, taken together, might be significant reasons why problems have not been noticed up to now.

For the particular use case I mentioned, a player connecting over wifi would be ridiculed due to the inconsistent latency that wifi offers, especially in congested radio environments.

>> L4S proposes to put a DualQ instance in front of every cable internet subscriber, making it much easier for an attacker to predict how he needs to conduct his attack than the equivalent with Diffserv.

...

> My point was that, you seem to want this to be a criticism of L4S, rather than of poorly configured VPNs.

As often seems to happen, you seem to want to deflect any possible criticism of L4S onto some other piece of technology that it might happen to interact poorly with, so that you don't need to change L4S, only all those other things need to change or just plain go away.  You don't like FQ, or Codel, or fq_codel, or the continuing deployment of RFC-3168 compliant middleboxes in general, and you *certainly* don't like me personally.  I've got used to that.

The operative phrase here is that you're entitled to your own opinions, but not your own facts.

> Surely you are not saying the IETF should halt any advances that reduce delay, like Diffserv and L4S, just because the replay windows of VPNs are poorly configured today?

Configuring the replay window size is a game of compromises.  If it's too small, then a variety of effects can result in legitimate packets falling outside the window.  If it's too large, then there is presumably a greater risk of the replay attacks that it's designed to protect against being inadvertently permitted.  I don't know enough about the details of that to judge how serious that particular risk is - but the fact that many VPNs default to values near the minimum recommended in RFC-4303 is probably not a gross error of judgement.

I do note that RFC-4303 significantly post-dates most of the Diffserv specifications, so it notionally had the opportunity to consider the implications.  One way that VPNs could sidestep this particular problem in a Diffserv context is to fix a single DSCP on all outer headers, ensuring that they'll go through the same queue - and at least some of them actually do this.

But they can't really do the equivalent of this to the ECN field in an L4S context, because that would trigger the CE ambiguity problem without also sending the L4S traffic through the L queue.  Not unless they put Not-ECT on the outer header unconditionally - but that *would* be a step backwards.

I hope you can see the difference here.

>> The Wireguard implementation in Linux has a hard ceiling at 8192 packets - is that enough?
> 
> [BB] A hard ceiling in /soft/ware?

It's a value that you can't exceed merely by userspace configuration, only by patching the kernel.  Hence there will be significant inertia in raising it, if it needs to be raised.  Hence my question - *is* it large enough?  And following on from that, what are the downsides of choosing such a large value?

>> If a player uses a VPN to connect to the game, then the remote end of the VPN is the address given to the other players.  A DoS attack that could be launched into such a VPN endpoint would be highly attractive to a griefer.
> 
> [BB] So the player has a strong incentive to configure the replay window of her VPN properly.

For normal operation, the default replay window is big enough.  For network paths that deliver packets more-or-less in-order, the default replay window is big enough.  It's only when an attack arises on a vulnerable path - a path *made* vulnerable by the installation of DualQ - that an adjustment becomes necessary.

So where is the cause, exactly?  And where should the cure be applied?

 - Jonathan Morton

v2.23.0 | Report a Bug | By Email