Re: [quicwg/base-drafts] 5tuple routing (#3536)

Jana Iyengar <notifications@github.com> Tue, 28 April 2020 22:59 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10A763A0828 for <quic-issues@ietfa.amsl.com>; Tue, 28 Apr 2020 15:59:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u106GRDQ9dAu for <quic-issues@ietfa.amsl.com>; Tue, 28 Apr 2020 15:59:20 -0700 (PDT)
Received: from out-6.smtp.github.com (out-6.smtp.github.com [192.30.252.197]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 591693A0820 for <quic-issues@ietf.org>; Tue, 28 Apr 2020 15:59:20 -0700 (PDT)
Received: from github-lowworker-b19c547.va3-iad.github.net (github-lowworker-b19c547.va3-iad.github.net [10.48.17.66]) by smtp.github.com (Postfix) with ESMTP id 607991C0802 for <quic-issues@ietf.org>; Tue, 28 Apr 2020 15:59:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1588114759; bh=j0BOHq2GIIQHYbKUEG5frGkONvmijKxbtEQMtCbUVZQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=kTgWzIITv5uhNjKbgSNK2upXPeCC39MSSW/TUw7brYOGIJXH5uE5CbiZN6bRMAYnN 4NFHUES53+gC/OPfLalpU8dutMJ5t+4dAWs767USOua4XBI7bNEAiV7ujtTxuxQyv0 CoOpljmzijX0a640bIz3R8Wgs5IQ9bcTROVMoOfk=
Date: Tue, 28 Apr 2020 15:59:19 -0700
From: Jana Iyengar <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4S2N4XNLI4WUBBB2N4WSLEPEVBNHHCFYX2PM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3536/review/402243394@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3536@github.com>
References: <quicwg/base-drafts/pull/3536@github.com>
Subject: Re: [quicwg/base-drafts] 5tuple routing (#3536)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ea8b54750d78_460d3fc2a86cd964101779"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: janaiyengar
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/H5zDsCRfxPgncLvF5nsPxL_sda0>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 22:59:22 -0000

@janaiyengar commented on this pull request.

editorial suggestions

> +QUIC endpoints can be deployed behind a 5-tuple based routing architecture that
+delivers packets based on both the source and destination IP addresses and
+ports. When routing depends on addresses that the endpoint does not control,
+changes to the IP address or port of peers could result in packets being routed
+to a different server. The following actions could mitigate or resolve
+operational and security issues in this case:

```suggestion
A server farm could be deployed behind a simple load balancer that routes
packets based on source and destination IP addresses and ports. Changes to
the IP address or port of a peer could result in packets being routed by the load
balancer to a different server. Such a server deployment could use one of the
following methods to for connection continuity when a client's address changes.
```

> @@ -1156,6 +1156,34 @@ SHOULD ignore any such packets.
 
 Servers MUST drop incoming packets under all other circumstances.
 
+### Considerations for 5-tuple routing architectures

```suggestion
### Considerations for simple load balancers
```

> +* Endpoints can use an out-of-band mechanism to deliver packets to the correct
+destination or transfer state from the original destination.

```suggestion
* Servers could use an out-of-band mechanism to forward packets or connection
state to the correct endpoint.
```

> +* A server can request that a connection be migrated to an address that is
+unique using the preferred_address transport parameter. For example, the initial
+address may route to a 5-tuple based load balancer, and the preferred address
+could indicate a separate server address that does not require the use of the
+client address for routing. Note that clients could choose not to use the
+preferred address.

```suggestion
* If the server deployment can use other non-load-balanced server IP
addresses or ports than the one that the client is initiating connections on,
servers could use the preferred_address transport parameter to request
that clients move to these server addresses. Note that clients could choose
not to use the preferred address.
```

> +If a server does not implement one of the solutions above, it SHOULD send the
+disable_active_migration transport parameter to inform the client that any
+address change is likely to terminate the connection.

```suggestion
If a server behind such a load balancer does not implement a solution to
maintain connection continuity SHOULD disallow connection migration
via the disable_active_migration transport parameter.
```

> +Regardless of other mitigations, 5-tuple routing introduces new possibilities
+to create a stateless reset oracle. An attacker could tweak the source address
+or port of a packet to direct it to a different server and thus obtain the
+stateless reset token for a connection ID. Endpoints should take additional
+precautions in accordance with {{reset-oracle}}.

```suggestion
Server deployments that use such load balancing might still allow for
creation of a stateless reset oracle. Servers should take additional
precautions in accordance with {{reset-oracle}}.
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3536#pullrequestreview-402243394