IETF Logo Mail Archive

Re: [quicwg/base-drafts] IP restrictions on Tokens makes them of limited use for non-anycast DNS load balancing (#4076)

Martin Thomson <notifications@github.com> Tue, 08 September 2020 03:26 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E7003A11AC for <quic-issues@ietfa.amsl.com>; Mon, 7 Sep 2020 20:26:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fp9nPA47Wr2 for <quic-issues@ietfa.amsl.com>; Mon, 7 Sep 2020 20:26:42 -0700 (PDT)
Received: from out-19.smtp.github.com (out-19.smtp.github.com [192.30.252.202]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C93C53A11AA for <quic-issues@ietf.org>; Mon, 7 Sep 2020 20:26:41 -0700 (PDT)
Received: from github-lowworker-a6a2749.va3-iad.github.net (github-lowworker-a6a2749.va3-iad.github.net [10.48.16.62]) by smtp.github.com (Postfix) with ESMTP id 12C8DE003A for <quic-issues@ietf.org>; Mon, 7 Sep 2020 20:26:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1599535601; bh=Lyd6cUKbZByjB2TQ8QRSPCLiBlCUlm6K6cW3LRC/Cgw=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=DJ2LeMcOBKPs14ghi4XOfA3TBz7NULGsn8zEVDD7Oi0mEp6U0o5TnjKOzKWpN9dxX GjYrd/A9iI8+FKU4Z5F1I3nCjKNeKwZpt+z1NszmsLEfLPdw/pcE/CSojTukP9xaQL NDMSy9f/3zdsf5ty/RcU6IlvI6M6EzcQYLC/L010=
Date: Mon, 07 Sep 2020 20:26:41 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJKZDVXL2T6MJGLCT33F5MLNPBEVBNHHCS4WOJ4@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/4076/688596190@github.com>
In-Reply-To: <quicwg/base-drafts/issues/4076@github.com>
References: <quicwg/base-drafts/issues/4076@github.com>
Subject: Re: [quicwg/base-drafts] IP restrictions on Tokens makes them of limited use for non-anycast DNS load balancing (#4076)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f56f9f1182a_7ca819f092861f"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/bTMZoLU5XECHgM3yG6kZkezJs_4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2020 03:26:43 -0000

No guaranteed.  I used to work at an office that had a firewall and a VPN.  There were a bunch of unprotected server behind that firewall.  Most, if not all, of those servers used addresses from public address space.  This is likely not common practice any more (addresses are expensive), but it is also not completely unexpected.

To give an example, one thing you might consider is that you have a subnet (x::/56 say) where servers all operate public addresses and operate services that are accessible on the public Internet.  However, that network also has a bypass for authentication checks if the source address of a request is in the x::/56 subnet to enable cross-traffic between services without overheads.  This might be consider acceptable if you also assume that ingress filtering is in use for the network.

I need to stress again how much I think that this sort of thing is monumentally inadvisable.  On the other hand, if we're looking for hypotheticals (in the absence of actual cases), then these are at least plausible cases to consider.

That said, I definitely agree that this restriction is not great and it probably is too much.  I don't know how to generate a heuristic that can capture a change of the magnitude you identify.  Google is lucky to have addresses that are contiguous at ~/20; I imagine that other servers have to work with a larger spread.  (BTW, I get 142.250.66.228)

After considering this, if we are not going to implement more rigorous protections for other aspects of this (migration spoofing), then it seems reasonable to allow this reuse and accept the risk.  That means relying on the generic protections more for this case also, which already talk about moving from public space to link-local/site-local/private spaces.  We might even just rely solely on those protections.

(The editorial note is well-taken; we can fix that.)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/4076#issuecomment-688596190

v2.23.0 | Report a Bug | By Email