
So, Source Address Verification is impractical because the beneficiaries are not the same as the implementers. But when it comes to rate-limiting by reflection targets a la DNS RRL, somehow altruism is economically viable? Pick one!


Why? Nuance is certainly feasible.

What happens if you accidentally install NTP publicly, creating a public DDoS reflector? When it gets used, you get emails from people who are getting DDoSed by your IP, saying "hey, some attacker is using your system to compromise me." Now there are selfish and altruistic motives, both, invoked by that feedback, causing you to ban inbound NTP requests. Even if your server responsiveness doesn't matter much to you, you'd still like to limit legal liability; even if legal liability doesn't matter much to you, you still feel offended that someone else is twisting your systems to nefarious purpose.

So one nuance is that SAV doesn't really offer any feedback for the network operators: nobody from the outside ever complains so nobody from the inside ever hears about the problem. Maybe altruism is only economically viable with a good feedback mechanism.


The lack of feedback for SAV is a very good point.


Someone like Cloudflare could provide feedback. They could insert a script into their "free" pages that would attempt to send DOS-like traffic to one of their own endpoints. If they come through, then embed a complaint about lack of SAV in the pages sent to that ISP. When enough customers call the ISP bitching that every page they go to complains, the ISP might eventually do something.

I'm not sure what CF's motivation for this would be, but I don't really understand their business model anyway, and they do lots of other nice things.


The real problem is probably that you can break a network with source verification, but RRL is zero risk.


Yop. Just to try to define "break" a bit for others who have an aversion to that word, it reduces the generality and transparency of the intermediary transit. Solving a problem today shouldn't reduce future connectivity. Choice should happen at the edge whenever possible, just like in the real world.

Embedding a choice in the middle often snowballs, for the same reason those in power rarely give it back once they hold it. Centrality becomes the norm, with all the chilling ripple effects.


Do you mean something by "break" a network that is distinct from the game theoretic distinction Vixie is already drawing?

Are you talking about something specifically technical like VPN technologies, or something entirely different? It's not like the ocean of CPE devices Vixie references are all trying to advertise BGP routes.


I'm specifically not talking about CPE devices. Nobody cares about the network configuration on a 2Wire gateway.

I spent several years working on backbone DDoS stuff (I was the lead dev at Arbor Networks for Peakflow DoS, starting at version 2) and I remember large networks having trouble getting address verification working non-disruptively. Of course, the tool they had for it at the time was reverse path filtering; maybe things have gotten better since then.


My credentials involve being there when everyone hated SCO. I commented on the only other thread in this post because it's a legitimately good question: Who is Paul Vixie trying to convince here, and of what?

It seems that RRL can be applied simply to other stateless non-DNS protocols. My interpretation of Vixie's argument is that adding RRL to the majority of stateless protocols is marginally less impossible to implement than global SAV.

The question of pluralities versus majorities really matters when examining techniques. Bringing game theory into it really seems to help. E.g., why bother figuring out a better method than reverse path filtering, if you require 2/3 of the global network to adopt the technique before the benefit kicks in?
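A sketch of the RRL idea the comment above extends to other stateless protocols, as an added example that is not from the thread or from any real RRL implementation; the per-/24 bucket, the rate, the slip ratio and the IP addresses are constructed assumptions:

```python
# Added example: DNS-RRL-style response rate limiting for any stateless
# request/response service. Responses are budgeted per source /24 (the
# spoofed "victim" prefix), and once the budget is spent most responses are
# dropped; every `slip`-th one is instead a tiny "retry over TCP"-style
# answer, so a spoofed source receives no amplification while a real client
# can still recover. Numbers and addresses below are made up for the demo.
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self._tokens = defaultdict(lambda: responses_per_second)
        self._last = {}                    # last refill time per prefix
        self._slipped = defaultdict(int)   # over-limit counter per prefix

    def _bucket(self, src_ip):
        # Aggregate by /24 so an attacker cannot dodge the limit by
        # spoofing adjacent addresses inside the victim's prefix.
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return str(net)

    def decide(self, src_ip, now):
        """Return 'respond', 'slip' or 'drop' for one request."""
        key = self._bucket(src_ip)
        last = self._last.get(key, now)
        # Refill proportionally to elapsed time, capped at one second's budget.
        refill = (now - last) * self.rps
        self._tokens[key] = min(self.rps, self._tokens[key] + refill)
        self._last[key] = now
        if self._tokens[key] >= 1:
            self._tokens[key] -= 1
            return "respond"
        self._slipped[key] += 1
        if self.slip and self._slipped[key] % self.slip == 0:
            return "slip"   # minimal, non-amplifying answer
        return "drop"

def simulate(limiter, requests):
    """requests: list of (src_ip, timestamp); returns counts per action."""
    counts = {"respond": 0, "slip": 0, "drop": 0}
    for src, t in requests:
        counts[limiter.decide(src, t)] += 1
    return counts

if __name__ == "__main__":
    # Constructed flood: 20 requests in one second with a spoofed source.
    print(simulate(ResponseRateLimiter(), [("203.0.113.7", 0.0)] * 20))
```

The same policy slots in front of any stateless responder (NTP, SNMP, chargen), since it keys on the claimed source rather than on anything protocol-specific.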


Three thoughts.

First: Vixie is in the middle of this amplification stuff because he's one of the Internet's foremost lobbyists for the most convenient amplifier of all (DNS->DNSSEC). So maybe he's just, like: "I'm tired of responding to people's claims that DNSSEC is going to make DDoS easier and instead would prefer to rewrite the terms of the debate so that the presumption is everyone was supposed to have this rate-limiting band-aid all along".

Second: Don't overthink it. He's got a slot in ACM Queue, so maybe he just wanted to fill some column inches. "Free associate: what am I thinking about right now."

Third: This is all pretty silly. Even if you got global deployment of address verification AND every stateless protocol was rate-limited, it would still be trivial for attackers to launch vicious, debilitating DDoS attacks.


1) It's extremely difficult to reason about (DNS -> DNSSEC) in terms of a DDoS considering how many security protocols assume NTP exists.

2) I'm not, but this was posted 18 months ago, so I'm just thinking about the "global discussion" in general.

3) The fundamental argument Vixie is making is about tradeoffs. The impossibility of global SAV is an argument in favor of the difficulty of widely deployed RRL. It is an argument of spending the effort on something that might be accomplished.


It's not about altruism. In a DDoS amplification attack, somebody has tricked a DNS server into expending the effort to transmit noise.

