Re: [quicwg/base-drafts] What needs to be checked for address validation (#3327)

Kazuho Oku <notifications@github.com> Sun, 16 February 2020 23:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/QyV-XjYZqg8Vmhw3hnSWMSOpVZg>

kazuho commented on this pull request.



> @@ -1834,10 +1834,9 @@ SHOULD include information that allows the server to verify that the source IP
 address and port in client packets remains constant.
 
 Servers might use tokens from NEW_TOKEN in deciding not to send a Retry packet,
-even if the client address has changed.  A token that was provided in
-NEW_TOKEN cannot be used for address validation if the client address is not the
-same, though servers MAY allow for the possibility of changes arising from new
-mappings at a NAT.
+even if the client address has changed. Tokens sent in NEW_TOKEN frames SHOULD
+include information that allows the server to verify if the client address is
+stable, but might allow for different NAT bindings or ephemeral port selection.
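
Review bot: The added sentence drops the server-side consequence that the removed lines stated, namely that a NEW_TOKEN token "cannot be used for address validation if the client address is not the same"; the replacement only says what tokens SHOULD contain, not what the server does when the check fails. Suggest keeping an explicit statement that a token failing the check does not validate the address. In "but might allow for different NAT bindings or ephemeral port selection" the grammatical subject is the tokens, where the removed text gave that latitude to servers ("servers MAY allow"), so name the server explicitly. "Stable" is also undefined here: say whether it means the same IP address, the same IP address and port, or something looser, since the preceding paragraph speaks of the "source IP address and port" remaining constant.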

Yeah, one way of moving forward would be to state the intent along with how it might be implemented, rather than using RFC 2119 words for explaining how it should be implemented.

For example: "MUST validate that the network path between the peers has not changed (e.g., client's IP address is stable)."

Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3327#discussion_r379945192