IETF Logo Mail Archive

[quicwg/base-drafts] IP restrictions on Tokens makes them of limited use for non-anycast DNS load balancing (#4076)

ianswett <notifications@github.com> Mon, 07 September 2020 21:03 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA5E3A11FB for <quic-issues@ietfa.amsl.com>; Mon, 7 Sep 2020 14:03:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kh4ciNs_EB6C for <quic-issues@ietfa.amsl.com>; Mon, 7 Sep 2020 14:03:38 -0700 (PDT)
Received: from out-24.smtp.github.com (out-24.smtp.github.com [192.30.252.207]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDE8A3A11FA for <quic-issues@ietf.org>; Mon, 7 Sep 2020 14:03:38 -0700 (PDT)
Received: from github-lowworker-cf59896.ash1-iad.github.net (github-lowworker-cf59896.ash1-iad.github.net [10.56.112.26]) by smtp.github.com (Postfix) with ESMTP id 0DDD9600DEC for <quic-issues@ietf.org>; Mon, 7 Sep 2020 14:03:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1599512618; bh=UireUJKD3UwT46dXbAXU40aP9bqwxQfY4rRPyljDT7Q=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=RkgKy5ANeiFEyMakAmrtM3pWksWLcUGhq4K3uOr8M8U1encXkdblODWNVFsyyrwRI SgdhMhznJHByixVr9SWgnAu9EFulUjyeYZuAE6R8Or7UKJi16LGGOqzh2xgDEG3roi JA2Oeo3tYjh0FKLC7pAFX6CXP10em6IdSEeaSFlY=
Date: Mon, 07 Sep 2020 14:03:37 -0700
From: ianswett <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZ33MSLTXDJH7KLBVV5MKASTEVBNHHCS4WOJ4@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/4076@github.com>
Subject: [quicwg/base-drafts] IP restrictions on Tokens makes them of limited use for non-anycast DNS load balancing (#4076)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f56a029f1fba_2eb519f01850ef"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ianswett
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/D56qDMnaaut8233LHf8Sgi9S6ho>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Sep 2020 21:03:40 -0000

PR #3996 adds a new normative restriction on when tokens received in NEW_TOKEN can be used:

"Therefore, clients SHOULD NOT send a token received in a NEW_TOKEN frame from
one server address in an Initial packet that is sent to a different server
address.  As strict equality might reduce the utility of this mechanism, clients
MAY employ heuristics that result in different server addresses being treated
as equivalent, such as treating addresses with a shared prefix of sufficient
length as being functionally equivalent (for instance, /24 in IPv4 or /56 in
IPv6). In addition, clients SHOULD treat a preferred address that is
successfully validated as equivalent to the address on which the connection was
made; see {{preferred-address}}."

I believe this will greatly reduce the practical value of 0-RTT, since most responses cannot fit into 2 packets(assuming 1 to complete the handshake) and unless Anycast is used for load balancing, it's extremely common for the IPs not to match and quite common for them not to share a /24 or /56.

>From local testing, when I resolved www.google.com twice in a row a second apart, I got 172.217.6.196 and 172.217.12.164.
I can follow up with some numbers on how frequently this occurs today in existing deployments if that's useful?

Also, from an editorial perspective, I also don't think this normative statement should only be in security considerations, since I believe it's more likely to be missed there.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/4076

v2.29.0 | Report a Bug | By Email | System Status