Tuesday, 6 July 2021

QUIC Will Eat the Internet

 QUIC (not an acronym) is a unique beast, but is best thought of as a new transport protocol that solves many longstanding problems in the internet and captures most of the value provided by TCP, TLS, SCTP, IPSec, and HTTP/2. There is a new version of HTTP called HTTP/3 that is designed to work over UDP/QUIC instead of TCP/TLS.

Google deployed an early version of HTTP over QUIC in its browsers and web servers as early as 2014. An IETF standardization process began in 2016. After much evolution and data gathering, this will result in the first batch of RFCs in early 2021. Several major internet companies, including F5, have either shipped products that use QUIC or have deployed QUIC in their infrastructure. As of October 2020, 75% of Facebook’s traffic was over HTTP/3 and QUIC.

These early deployments, and fervor for new standards on top of QUIC in the IETF, indicate that this will become an important, and possibly dominant, substrate for cutting-edge applications over the internet.

Technical overview—Why QUIC?


Figure 1. QUIC draws capabilities from many legacy protocols.

Figure 1 gives the reader an idea of what QUIC does. However, this functional decomposition doesn’t clarify why early adopters in industry are moving to QUIC:

  1. Lower Latency. Web-like data transfers are dominated by the latency of three layers of handshakes: one for TCP, at least one for TLS, and one for HTTP request/response. Recent developments in TCP/TLS can in principle collapse this to one round trip, though this rarely works in practice. QUIC will reduce this to one round trip, and at most two.

  2. Streams. Like HTTP/2, QUIC provides the application with multiple byte streams to increase the independence of conceptually distinct data delivered over the same connection. Doing it in the transport only increases this independence. Streams naturally fit the needs of streaming video delivery and major internet content providers are well on their way to delivering streaming over QUIC.

  3. Better Loss Response. QUIC’s design improves on TCP’s ability to detect and recover from packet losses. Moreover, by presenting multiplexed streams instead of a single in-order byte stream, loss of a packet containing one object need not delay delivery of a different object.

  4. Multihoming. Much like MPTCP and SCTP, QUIC connections can be associated with multiple IP addresses for each endpoint. Unlike those protocols, QUIC has a good chance of making it across an internet that drops unfamiliar protocol numbers and TCP header options.

  5. Security and Privacy. QUIC applies encryption at the transport layer, instead of above it. The entire UDP payload is authenticated, preventing any transparent modification by intermediaries, and almost all transport information is encrypted. The ramifications of this are a white paper in itself. Suffice it to say that this substantially improves the privacy properties, and virtually eliminates the attack surface that TCP provides. Unlike IPSec, this is running today at web scale. It also leads to:

  6. Extensibility. TCP is hard to change because its creators left limited extension space, and because middleboxes enforce old TCP behavior. QUIC combines explicit versioning with opaqueness to middleboxes to allow further innovation in the transport. This will allow support for future use cases and eventually improvement on bulk transport capacity compared to TCP.

There are two reasons, besides inertia, why some applications may not move to QUIC:

  • Complexity: applications that only need a single bytestream and don’t care about encryption don’t need the additional workload associated with these features.

  • Middleboxes: A non-negligible percentage of internet paths don’t admit UDP. HTTP/3 has been designed with TCP fallback for these paths, but ultimately the performance impact on major websites (Google, Facebook, etc) is likely to obsolete the responsible devices, except where nation-states desiring surveillance mandate otherwise.

It is eating the Internet

Google Chrome, Google App Clients, and Facebook’s app already support HTTP/3. Safari, Edge, and Firefox implementations support it, but (for now) off by default.

On the server side, implementations and/or deployments by Google, Microsoft, Facebook, Apple, Cloudflare, LiteSpeed, F5 BIG-IP, NGINX, Fastly, and Akamai either have shipped, or are close to it. Recently, a leading European ISP reported 20% of their packets were QUIC. About 5% of websites use HTTP/3 in February 2021, but we expect this to grow once the RFC is published.

Moreover, there is much work in standards organizations to bring QUIC beyond the HTTP use case. Draft standards at IETF propose DNS, Websockets, SIP, and both TCP and UDP tunnels over QUIC. QUIC was a little too late to be fully incorporated into 5G architectures, but the interest and applicability of QUIC to service providers is clear. Finally, the upper APIs for HTTP/2 and HTTP/3 are quite similar, so any protocol or application that runs on top of HTTP/2 can be easily ported to run over HTTP/3 and QUIC instead of TCP.

Threats & Opportunities

QUIC & HTTP/3 will shape a variety of markets. High-performing websites and applications have a strong incentive to switch to HTTP/3 and QUIC once the ecosystem fully matures, and we expect our customers to demand HTTP/3 support at a similar tempo to their deployment of HTTP/2.

Security Products need a fundamental reevaluation in a QUIC-denominated internet. Packet inspection is much more difficult without access to TLS session keys, which is usually only possible with possession of the domain’s private key. This enhances the value of a security solution integrated with an application-level proxy, rather than a series of single-function devices.

Moreover, traditional DDoS defense needs a tune-up. Not only is packet identification and inspection harder, but TCP syncookies have been replaced with “Retry packets,” which cannot be easily spoofed by intermediaries. There are standard ways to coordinate that allow servers to offload Retry Packet generation and validation, but again, that requires development effort.

Traditional Layer 4 Load Balancing will break QUIC Address migration, as it can’t associate a flow that changes its address or ports to itself, and then route to the same server. Again, there are standards to coordinate and overcome this problem, but it requires investment.

The IETF’s MASQUE working group is working on generalized traffic tunneling over QUIC, which could be the basis of next-generation VPN schemes. The properties of QUIC are much better for multiplexing arbitrary flows than TLS over TCP. These tunnels can also replace IPSec tunnels with webscale cryptography, improving some service provider use cases, and even provide a way to optimize QUIC connections for mobile link types with explicit client consent.

QUIC will require new network measurement and analysis tools. Systems that could measure TCP latency and loss cannot use these signals, but there is an explicit latency signal to the network, and other signals may be on the way. With more transport information hidden behind encryption, packet captures are less useful. However, there is an emerging standard logging format many QUIC implementations follow, that people are building analysis tools to leverage.

Conclusion

QUIC has broad industry support and the potential to be the basis of most applications that deliver business value over the internet. Anyone delivering applications over the internet should start thinking about how their operations should change to reflect the new threats and opportunities that these protocols bring.





F5 BIG-IQ

F5 BIG-IQ is a single, end-to-end solution for analyzing the health, performance, and availability of your F5 application delivery and security portfolio in any environment.
This solution contains of two key components, including "Console Node (Centralized Management)" and "Log Node (Data Collection Device)" which make it easy for you manage up to 1000 (physical, virtual, or vCMP) BIG-IP devices and all of their services (such as LTM, AFM, ASM, AWAF, FPS, APM, SWG, DNS, SSLO ) from one centralized location. Also, BIG-IQ can handle licensing for up to 5,000 unmanaged BIG-IP devices.



"F5 DNS-EXPRESS"

 Here is one of the key features of F5-DNS Module which is called "DNS-EXPRESS", in a nutshell  


The below diagram shows you how the "DNS-EXPRESS" feature could be used on F5-DNS Module to act as a 'Secondary DNS Server' by focusing on improving your DNS experience from "Client-side" (Hit Ratio = 100%), and removing the Query Handling Load on "Server-side" (Just AXFR/IXFR messages).
Furthermore, it provides relaying of "Notify/Zone Transfer" messages between your "Primary-NS" and other "LDNS Server(s)".
It should also be noted that in F5-DNS Flowchart, the "DNS-EXPRESS" feature has higher priority rather than "DNS-CACHE" or "DNS Load-balancing" options.


*** Overview of DNS Query Processing on F5 BIG-IP Systems ***



* If the "Recursion Desired (RD) Flag = Set" in the request header, and the "Process Recursion Desired = Enabled" in the DNS profile:


 1- DNS iRules
 2- DNSSEC Zone Processing
 3- Wide-IP Processing (GSLB)
 4- DNS-EXPRESS Zone Processing
 5- DNS-CACHE (Local-Zone / RPZ / Forward-Zone)
 
 * Then, the "Unhandled Query Actions" setting controls how the system handles packets that do not match the previous steps...
 
 * If the "Recursion Desired (RD) Flag = Set" in the request header, but the "Process Recursion Desired = Disabled" in the DNS profile:

 1- The request is immediately considered "Un-handled", and dispatched according to the "Unhandled Query Action" setting in the DNS profile.
 2- If the "Unhandled Query Actions = Allow", then:
 2-1- DNS-CACHE (CACHE / Load-balancing)
 2-2- Local-BIND
 2-3- Drop



*** Configuring Dynamic Routing Protocols by F5 BIG-IP ARM ***

It could be so remarkable to know that F5 BIG-IP system supports Dynamic Routing using "IP Infusion ZebOS Advanced Routing Modules (ARMs)". Using the F5-ARM, you can configure the following protocols: RIP, RIPng, BGP, OSPFv2, OSPFv3, IS-IS, BFD, and PIM!

First of all, you need to check your license; F5-ARM is included for "Better" and "Best" Bundles. Then, the "tmrouted" process starts and manages the ZebOS daemons, and you can configure all your desired protocols on the involved "Route-domain(s)", like other Routers in your Network...

Also, It's good to know that F5-ARM has two Core Daemons:

* NSM -->The ZebOS Network Services Module daemon
* IMI --> Allows the system administrator to configure and monitor ZebOS daemons through a centralized connection



F5 VIPRION

 F5 VIPRION platform is a single, powerful Application Delivery Controller (ADC) with modular performance Blades you can add or remove without disrupting users or applications. Instead of adding devices and segmenting applications, simply add more power to your existing infrastructure as needs and opportunities arise.

F5 VIPRION enables the scalability you need to establish a sustainable ADN growth strategy and supports up to 8x140 Gbps = 1.12 Tbps L4/L7 Throughput!

Totally, there are four types of "Chassis" which start with letter "C", and five types of "Blade" which start with letter "B", as following:

C2200 --> Up to “2” B2150 / B2250 Blades
C2400 --> Up to “4” B2150 / B2250 Blades

C4480 --> Up to “4” 4300 / 4340N / B4450 Blades
C4800 --> Up to “8” 4300 / 4340N / B4450 Blades

*** Using vCMP for Multi-Tenancy & High-Performance Services Fabric ***



F5 Virtual Clustered Multiprocessing (vCMP) creates multiple, isolated instances of the BIG-IP software on a single F5 Hardware platform. Each instance has its own CPU, Memory, and Disk, and can take advantage of multiple assigned CPU Cores using the same Clustered Multiprocessing design used on all F5 Platforms. BIG-IP “Guests” run on F5 vCMP-enabled Hardware using a Standards-based, Purpose-built Hypervisor that provides robust Security and Isolation.

vCMP is completely supported on VIPRION Platform, but about BIG-IP Platform, you need at least "i5800" or "5200v" Models. For Performance, all vCMP Guests tap into the same Application Delivery Acceleration Hardware used by the Hosting Platform. To remain Scalable for VIPRION Chassis, each Guest instance spans Multiple CPUs across Multiple Blades.

In best situation, It is possible to create up to "96" vCMP Guests on VIPRION 4800 Platform (by considering 8x4450 Blades). In this case, each vCMP Guest could have "4 CPU vCore" and almost "21GB Memory".



**** Three-Tier Architecture (Recommended by F5) ****

 

Here is one of the best recommended Architecture for Network and Security Advisors which proposed by F5, and considers Ingress Traffic as "Reverse/Forward Proxy" Model to be Mitigated at Three different Tiers.

* In this Design, Most of Anomalies and Volumetric Attacks should be Detected and Mitigated on the "First-tier (Cloud Tier)". As a result, our desired Cloud Service Provider publishes and protects our critical Services, before they could reach out our main Data Center.

* Next, all the Legitimate and even probable Bad Actors should be checked on "Second-tier (Network Tier)" for other types of Attack Vectors and/or Anomalies which could not be found on the First Line of Defense (Cloud Tier). For Example, some of the vital components of the "Network Tier" are including: L2-L4 DDoS Protection Engine, North-South NGFW, IPS, and Threat Intelligence Feedback Services.

* Then, we should be involved on the "Third-tier (Application Tier)" before accessing the 'Server-farm' to perform some of the remained tasks including: SSL Off-loading, TLS Handshake Attack Mitigation, L7 DDoS Protection, ADC (Application Delivery Controller) Deployment, East-West NGFW, and so on



*** F5 L7 BaDoS (Behavioral Analysis DoS Protection) ***



F5 AWAF Module is able to distinguish between "Valid" requests and "Bad Actor" requests, letting only the valid user requests through.
The system will detect a "Server Stress" condition and trigger a DDoS Attack Mitigation. When under Attack, the system will detect clients that exhibit "Anomalous Behavior" and who participate in the DDoS Attack.
Then, "Anomaly Detection Engine" will generate "Dynamic Signatures" that describe patterns of the Attack Traffic. These Signatures will be used to make Mitigation more efficient.

F5 BaDoS feature also Enables "TLS Signature Database" matching to block "Bad Actor Fingerprints", when trying to establish an SSL/TLS connection. Moreover, BaDoS Enables "Signatures Detection", before the connection is established, by using "Syn-cookie Protection" option.

About the "Mitigation Modes" of BaDoS feature, It provides the following options:

* Slows Down Requests from Bad Actor IP Addresses
* Rate Limits Requests from Anomalous IP Addresses
* Rate Limits All Requests based on the Server's Health
* Limits the number of Concurrent Connections from Anomalous IP Addresses
* Limits the number of All Concurrent Connections based on the Server's Health
* Proactively, performs All Protection Actions (Even Before an Attack)!



*** Implementing a Secure DNS Configuration (Best Practices) ***

 1- Your DNS Servers should NOT Respond to Name Resolution Requests from Any Unauthorized Networks (F5-AFM)


2- Use a Firewall solution to Filter both Source and Destination Addresses and Ports (F5-AFM)

3- “Zone Transfers” should be targeted at Specific DNS Servers (F5-DNS)

4- Limit the Number of DNS Servers that are Allowed to Start a DNS Zone Transfer (F5-DNS)

5- In case of configuring "DNS-EXPRESS", Consider using of "TSIG Key" (F5-DNS)

6- Configure “IPsec Policy“ to Protect Zone Transfers between PRIMARY/SECONDARY DNS Servers (F5-AFM)

7- To protect from Spoofing of DNS Records, use the only “Secure Dynamic Updates” option for Dynamic Update

8- Consider using “Active Directory Integrated Zones”, if you are using Active Directory

9- “Disable” Recursion and Forwarder on all DNS Servers that do NOT require it (F5-DNS)

10- Remove All “Unnecessary Services” from your DNS Servers

11- Consider Adding a Second DNS Server on a “Different Subnet“ to further augment protection from DoS Attacks

12- Deploy DDoS Protection Engine to Mitigate any types of Anomalies targeting your DNS Servers (F5-AFM/DHD)

13- Consider using "DNSSEC" Solution instead of the Traditional DNS which uses "Unsigned Resource Records" (F5-DNS)

14- Regularly Monitor your DNS Servers and the DNS Log Files (F5-DNS)


iRule

  iRule: -- o iRule is a powerful and flexible feature within the BIG-IP local traffic management (LTM). o IRule is a powerful & flexibl...