Bill,

On 31/03/2021 22.29, Bill Woodcock wrote:


> On Mar 31, 2021, at 9:55 PM, Rob Sayre <say...@gmail.com> wrote:
>> I still don't understand the resistance here. Some data on what the impact
>> would be still seems like the most helpful thing to move the conversation
>> forward.
>
> We have that:
>
> https://vaibhavbajpai.com/documents/papers/proceedings/dot-pam-2021.pdf
>
> Short story is that it’s 3x - 15x higher load on the servers, more delay, fewer
> people served, easier DDoS.
>
> That’s a price that can be paid, if there’s a suitably corresponding benefit,
> and no more effective way to solve the problem.

One thing about DDoS is that with any connection-oriented protocol (TCP, TLS, HTTPS, or QUIC) you don't need to overbuild your infrastructure to the same degree, because spoofing the source address is a lot harder and you can drop unsophisticated traffic floods at or near your edge.

In my mind this probably means changing from the 10x peak-traffic (or more!) over-build that authoritative providers have today to a much smaller factor.

For unencrypted TCP you can probably get back the 4x or so higher cost of running TCP vs. UDP. For encrypted traffic probably not, but I have no idea what the additional costs there are (I heard that earlier implementations of QUIC were CPU hogs, for example).

Cheers,

--
Shane


_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.org
https://www.ietf.org/mailman/listinfo/dns-privacy