Minutes of the 2021-04-14 IAB Teleconference
- Jari Arkko
- Deborah Brungard
- Ben Campbell
- Lars Eggert (IETF Chair)
- Wes Hardaker
- Cullen Jennings
- Mirja Kühlewind (IAB Chair)
- Zhenbin Li
- Jared Mauch
- Cindy Morgan (IAB Executive Administrative Manager)
- Karen O’Donoghue (ISOC Liaison)
- Tommy Pauly
- Colin Perkins (IRTF Chair)
- David Schinazi
- Amy Vezza (IETF Secretariat)
- Martin Vigoureux (IESG Liaison)
- Russ White
- Jiankang Yao
- Tim April
- Roland Dobbins
- Barry Greene
- Damian Menschen
- James Shank
- Olaf Kolkman
- Daniel Migault
- Chad Seaman
- Greg Wood
2. Technical Discussion: DDOS Attack Protection
Tim April, Roland Dobbins, Barry Greene, Damian Menschen, and James Shank joined the IAB to talk about DDOS attack protection.
James Shank said that Team Cymru works with Internet operators to focus on threat intelligence. They have an Unwanted Traffic Removal Service (UTRS) that helps reduce the impact of attacks. It distributes Remote Triggered Black Holes (RTBH) requests. UTRS works on IPv4 /32s only, and currently has over 1000 configured sessions and over 900 configured peers.
RFC 8955, “Dissemination of Flow Specification Rules,” defines the BGP Flow Specifications that can be used to distribute traffic. This is powerful in that it can rate limit, redirect, and tag traffic; has a full suite of Boolean operators; and can specify prefixes and chain rules. However, depending on the implementation of the router and the operator, it can also allow for some implementations that may be sub-optimal and end up cratering routers.
A “safe” BGP FlowSpec:
- MUST specify
- Source CIDR XOR Destination CIDR
- MAY specify any combination of the following:
- Protocol (Explicit integers only)
- Source Port (Explicit integers only)
- Destination Port (Explicit integers only)
- MUST set action to DROP (traffic-rate 0)
Barry Greene added that BGP FlowSpec was a stopgap; it is a good example of one step in a strategy that was never fully executed.
James Shank said that UTRS v2.0 is coming soon. It will support a “safe” BGP FlowSpec that translates between BGP only and FlowSpec. It will also add IPv6 advertisement support, allow for larger prefixes (/25 and /49), and add ROA validation.
Looking at where to go from here, James Shank noted that one issue is third-party trust. One possible solution would be to use RPKI.
Damian Menschen said that people need to recognize that there are different kinds of attacks. The number of devices, as well as the bandwidth on those devices, are seeing exponential growth. RFC 2827/BCP 38, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,” was published in 2000, but few are using it.
Damian Menschen suggested the following recommendations:
- Education around spoofing
- Better flow analysis tools
- Templates for sharing attack information
- date/time/duration (including timezone)
- victim identifier
- attack style
- attack volume
Damian Menschen added that solutions that complete the attack, solutions that block or throttle the entire protocol, and solutions that rely on pushing changes to third-party routers could be dangerous or harmful if implemented.
Roland Dobbins suggested that updating RFC 3552, “Guidelines for Writing RFC Text on Security Considerations,” to include resiliency considerations could be a big step forward.
Cullen Jennings asked what sorts of things could be considered good practices for protocols.
Roland Dobbins replied that for protocols, it would be doing things that make it hard to use reflection or amplification attacks. He suggested looking at how a protocol can be attacked and what mechanisms need to be built into a protocol to help it sense when it is under attack.
Barry Greene said that looking at security and resiliency together will make a more robust protocol with DOS resilience.
Roland Dobbins replied that resilience under attack is a definite goal.
Roland Dobbins said that a standards-based traceback mechanism could help. He would also like to consider opening up IPFIX to support an inter-organizational traceback mechanism.
Roland Dobbins said that very large amplification attacks are mostly an IPv4 phenomenon, and one way to deal with them could be to push to sunset IPv4 as soon as possible.
Cullen Jennings asked why IPv6 is less likely to have a DDOS attack.
Roland Dobbins replied that it is more difficult to scan the IPv6 space quickly; IPv4 can be scanned in ten minutes.
Mirja Kühlewind said that shutting down IPv4 would likely only lower the number of attacks in the short term.
Roland Dobbins agreed that there are ways to scan IPv6, but that the same large-scale amplification attacks we see today would not be possible.
Damian Menschen noted that IPv6 would only mitigate reflection amplification attacks, but not other kinds of attacks like botnets.
Mirja Kühlewind asked what the next steps are.
Barry Greene noted that the IAB has done workshops related to this topic in the past, namely the Routing and Addressing Workshop in 2006 and the Coordinating Attack Response at Internet Scale (CARIS) Workshop in 2015.
Mirja Kühlewind noted that as encryption increases, DOS protection becomes more of a challenge.
Jared Mauch said it sounds like further discussion is needed, but there is a large chasm between the different camps.
Cullen Jennings agreed, saying that he thinks it would be helpful to have a conversation with a small group of people and see if there are any positions the IAB can agree upon.