Rate-limiting State: The edge of the Internet is an unruly place - gyre007
https://queue.acm.org/detail.cfm?id=2578510

======
azernik
So, Source Address Verification is impractical because the beneficiaries are
not the same as the implementers. But when it comes to rate-limiting by
reflection targets a la DNS RRL, somehow altruism _is_ economically viable?
Pick one!

~~~
tptacek
The real problem is probably that you can break a network with source
verification, but RRL is zero risk.

~~~
dvanduzer
Do you mean something by "break" a network that is distinct from the game
theoretic distinction Vixie is already drawing?

Are you talking about something specifically technical like VPN technologies,
or something entirely different? It's not like the ocean of CPE devices Vixie
references are all trying to advertise BGP routes.

~~~
tptacek
I'm specifically not talking about CPE devices. Nobody cares about the network
configuration on a 2Wire gateway.

I spent several years working on backbone DDoS stuff (I was the lead dev at
Arbor Networks for Peakflow DoS, starting at version 2) and I remember large
networks having trouble getting address verification working non-disruptively.
Of course, the tool they had for it at the time was reverse path filtering;
maybe things have gotten better since then.

~~~
dvanduzer
My credentials involve being there when everyone hated SCO. I commented on the
only other thread in this post because it's a legitimately good question: Who
is Paul Vixie trying to convince here, and of what?

It seems that RRL can be applied _simply_ to other stateless non-DNS
protocols. My interpretation of Vixie's argument is that adding RRL to the
majority of stateless protocols is marginally less impossible to implement
than global SAV.

The question of pluralities versus majorities really matters when examining
_techniques_. Bringing game theory into it really seems to help. e.g. Why
bother figuring out a better method than reverse path filtering, if you
_require_ 2/3 of the global network to adopt the technique before the benefit
kicks in?

~~~
tptacek
Three thoughts.

First: Vixie is in the middle of this amplification stuff because he's one of
the Internet's foremost lobbyists for the most convenient amplifier of all
(DNS->DNSSEC). So maybe he's just, like: "I'm tired of responding to people's
claims that DNSSEC is going to make DDoS easier and instead would prefer to
rewrite the terms of the debate so that the presumption is everyone was
supposed to have this rate-limiting band-aid all along".

Second: Don't overthink it. He's got a slot in ACM Queue, so maybe he just
wanted to fill some column inches. "Free associate: what am I thinking about
right now."

Third: This is all pretty silly. Even if you got global deployment of address
verification AND every stateless protocol was rate-limited, it would still be
trivial for attackers to launch vicious, debilitating DDoS attacks.

~~~
dvanduzer
1) It's extremely difficult to reason about (DNS -> DNSSEC) _in terms of a
DDoS_ considering how many security protocols assume NTP exists.

2) I'm not, but this was posted 18 months ago, so I'm just thinking about the
"global discussion" in general.

3) The fundamental argument Vixie is making is about tradeoffs. The
_impossibility_ of global SAV is an argument in favor of the _difficulty_ of
widely deployed RRL. It is an argument of spending the effort on something
that might be accomplished.

------
jaytaylor
What is the point of this article?

I mean this in the nicest way possible.

~~~
dvanduzer
Protocol design is popular "these days" so everyone eventually chooses UDP,
and reimplements a subset of TCP in their own protocol. (edit: not everyone
needs state in their protocol, but everyone needs to implement rate limiting)

If you're unaware of a large interest in protocol design, or don't understand
the cost and complexity of DDoS attacks, what point were you looking for?
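The rate limiting the thread keeps coming back to is DNS RRL, which keys on the client's netblock and the response being returned rather than on the whole server. The following is an added illustration written for this thread, not code from Vixie, BIND or the article; the limit, window and traffic are constructed assumptions.

```python
# Added example: a minimal RRL-style responder-side rate limiter. Like DNS RRL,
# it buckets by (source /24, qname, qtype), so a spoofed flood of identical
# queries "from" one victim is throttled while clients spread over many
# networks are unaffected. Limits and traffic below are constructed assumptions.
import ipaddress
from collections import defaultdict

RESPONSES_PER_SECOND = 5   # assumed limit per bucket
WINDOW_SECONDS = 1.0       # assumed sliding window


class ResponseRateLimiter:
    """Sliding-window limiter keyed on (client netblock, qname, qtype)."""

    def __init__(self, limit=RESPONSES_PER_SECOND, window=WINDOW_SECONDS, prefix=24):
        self.limit = limit
        self.window = window
        self.prefix = prefix
        self.buckets = defaultdict(list)   # key -> timestamps of sent responses

    def _key(self, src_ip, qname, qtype):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower(), qtype)

    def allow(self, src_ip, qname, qtype, now):
        """True if this response may be sent now, False if it should be dropped."""
        times = self.buckets[self._key(src_ip, qname, qtype)]
        cutoff = now - self.window
        while times and times[0] <= cutoff:   # expire sends outside the window
            times.pop(0)
        if len(times) >= self.limit:
            return False
        times.append(now)
        return True


def simulate(limiter, queries):
    """Return (sent, dropped) for a list of (time, src_ip, qname, qtype)."""
    sent = dropped = 0
    for t, src, qname, qtype in queries:
        if limiter.allow(src, qname, qtype, t):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


# Constructed traffic: 100 spoofed ANY queries in one second claiming to come
# from a single victim host, versus 20 ordinary A queries from 20 distinct /24s.
SPOOFED = [(i * 0.01, "198.51.100.7", "example.com", "ANY") for i in range(100)]
LEGIT = [(i * 0.05, f"10.{i}.{i}.5", "example.com", "A") for i in range(20)]
```

Real RRL implementations also "slip" an occasional truncated reply instead of dropping everything, so a genuine client behind a spoofed address can retry over TCP.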

~~~
jaytaylor
The information density seems uncharacteristically light to me (compared to
other Vixie articles).

~~~
dvanduzer
If Vixie can simplify his message to Stallman-level clarity, how would that be
a bad thing?

