Thanks for progress on these drafts Mirja.
I wanted to call out a key recommendation in #305
<https://github.com/quicwg/ops-drafts/pull/305/files>, since I think it
could cause unexpected issues in the presence of NAT rebinding. I'm not
sure what the best options are here, but I wanted to ensure this saw a
slightly wider audience of deployments.
> Further, if UDP traffic is desired to be throttled, it is recommended to
> block individual QUIC flows entirely rather than dropping packets randomly.
> When the handshake is blocked, QUIC-capable applications may failover to
> TCP. However, blocking a random fraction of QUIC packets across 4-tuples
> will allow many QUIC handshakes to complete, preventing a TCP failover, but
> the connections will suffer from severe packet loss (see also
> {{sec-filtering}}).
The issue is called out at the end of the section, and maybe that's
sufficient?
> While QUIC endpoints are often able to survive address changes, e.g. by NAT
> rebindings, blocking a portion of the traffic based on 5-tuple hashing
> increases the risk of black-holing an active connection when the address
> changes.
I would advise dropping Initial packets and not other packets, which would
solve the NAT rebind case, but that only rate-limits QUIC flows, and
presumably QUIC flows aren't even the real issue here, it's other UDP
traffic?
The one positive is that this can be mitigated for QUIC with port migration
upon one or more PTOs. Chrome/gQuiche currently implements that, but it's
fairly new.
Thoughts?
Ian
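To make the trade-off in the quoted #305 text and in Ian's counter-proposal concrete, here is an added simulation (not part of this thread, the draft, or any vendor's policer) that compares three UDP policing strategies on constructed traffic: random per-packet drop, deterministic per-flow blocking keyed on a 5-tuple hash, and blocking only QUIC Initial packets. Each simulated flow retries its Initial a few times before giving up (modelling a TCP fallback), sends some 1-RTT data, then goes through a NAT rebinding that changes the source port. The Initial check follows RFC 9000's long-header layout; the addresses, drop fraction, retry count and packet counts are assumptions chosen for illustration.

```python
import hashlib
import random

QUIC_V1 = b"\x00\x00\x00\x01"


def is_quic_initial(payload: bytes) -> bool:
    """QUIC v1 Initial: long header (0x80 form bit, 0x40 fixed bit),
    long packet type bits 0x30 == 0b00, followed by a 4-byte version."""
    if len(payload) < 5:
        return False
    return (payload[0] & 0xF0) == 0xC0 and payload[1:5] == QUIC_V1


def flow_in_blocked_bucket(five_tuple: tuple, fraction: float) -> bool:
    """Deterministic per-flow decision: hash the 5-tuple into [0,1) and block
    the lowest `fraction` of that range. Same tuple -> same answer every time."""
    digest = hashlib.sha256(repr(five_tuple).encode()).digest()
    return int.from_bytes(digest[:4], "big") / 2**32 < fraction


def policer_drops(policy: str, five_tuple: tuple, payload: bytes,
                  fraction: float, rng: random.Random) -> bool:
    if policy == "random":          # drop each packet independently
        return rng.random() < fraction
    if policy == "hash5":           # block whole flows by 5-tuple hash
        return flow_in_blocked_bucket(five_tuple, fraction)
    if policy == "initial_only":    # block new handshakes only, never established flows
        return is_quic_initial(payload) and flow_in_blocked_bucket(five_tuple, fraction)
    raise ValueError(f"unknown policy {policy!r}")


# Constructed packets: an Initial-shaped first byte plus version, and a
# short-header (1-RTT) packet. Only the header bytes matter here.
INITIAL_PKT = b"\xc3" + QUIC_V1 + b"\x00" * 20
ONE_RTT_PKT = b"\x40" + b"\x00" * 20


def simulate(policy: str, fraction: float = 0.3, flows: int = 2000,
             data_pkts: int = 20, initial_tries: int = 3, seed: int = 1) -> dict:
    rng = random.Random(seed)
    handshakes_ok = data_sent = data_lost = blackholed = 0
    for i in range(flows):
        # Assumed documentation-range addresses; one client port per flow.
        ft = ("198.51.100.7", 40000 + i, "203.0.113.10", 443, "udp")
        # Client retransmits its Initial on PTO up to `initial_tries` times,
        # then gives up (the point at which an application would fall back to TCP).
        if all(policer_drops(policy, ft, INITIAL_PKT, fraction, rng)
               for _ in range(initial_tries)):
            continue
        handshakes_ok += 1
        for _ in range(data_pkts):
            data_sent += 1
            if policer_drops(policy, ft, ONE_RTT_PKT, fraction, rng):
                data_lost += 1
        # NAT rebinding: same endpoints, new public source port -> new 5-tuple.
        rebound = (ft[0], 50000 + i, ft[2], ft[3], ft[4])
        delivered = 0
        for _ in range(data_pkts):
            data_sent += 1
            if policer_drops(policy, rebound, ONE_RTT_PKT, fraction, rng):
                data_lost += 1
            else:
                delivered += 1
        if delivered == 0:
            blackholed += 1   # active connection black-holed after the address change
    return {
        "handshake_rate": handshakes_ok / flows,
        "data_loss_rate": (data_lost / data_sent) if data_sent else 0.0,
        "blackholed_rate": (blackholed / handshakes_ok) if handshakes_ok else 0.0,
    }


if __name__ == "__main__":
    for policy in ("random", "hash5", "initial_only"):
        print(policy, simulate(policy))
```

With a 30% drop budget, random drop lets almost every handshake through (three Initial attempts rarely all fail) but leaves every connection with roughly 30% loss; the 5-tuple hash blocks about 30% of handshakes cleanly, yet black-holes about the same share of established connections once a rebinding moves them into a blocked bucket; dropping only Initials throttles new flows without either effect, which is the outcome Ian describes, at the cost of not touching non-QUIC UDP at all.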
On Mon, Apr 12, 2021 at 11:00 AM Mirja Kuehlewind <mirja.kuehlewind=
[email protected]> wrote:
> Hi again,
>
> there is one more new PR that would benefit from more review:
>
> Initial endpoint DDoS cooperation text #312
> https://github.com/quicwg/ops-drafts/pull/312/files
>
> This PR is to address issue #240 on Endpoint cooperation for DoS
> mitigation. This issue was discussed at the last meeting and we were looking
> for an author. We got some initial text from Gorry (thanks!) but if people
> have more insights on what else should be added here (maybe something about
> handling of 0-RTT packets?), that would be more than welcome!
>
> We plan to merge all open PRs on Wednesday and then submit a new draft
> revision by the end of the week!
>
> Mirja and Brian
>
>
> On 09.04.21, 17:42, "Mirja Kuehlewind" <[email protected]>
> wrote:
>
> Hi all,
>
> we are about to drain the remaining issues for both ops drafts. There are
> currently 7 PRs which are more or less ready to merge; however, we didn't
> merge them yet in order to give more people a chance to review.
>
> In particular, there are two larger PRs on the manageability draft that do
> change/extend the recommendations given in this draft, and therefore more
> review would be appreciated.
> Here are the links:
>
> Update on UDP policing section #305
> https://github.com/quicwg/ops-drafts/pull/305/files
>
> Rewrite Stateful Treatment section #300
> https://github.com/quicwg/ops-drafts/pull/300/files
>
> Thanks in advance!
>
> Brian and Mirja