Re: Use of zero-length connection IDs and NAT rebinding resilience
Cameron Steel <ietfquic@tugzrida.xyz> Mon, 05 August 2024 03:04 UTC
Return-Path: <ietfquic@tugzrida.xyz>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 510F7C14F6EE for <quic@ietfa.amsl.com>; Sun, 4 Aug 2024 20:04:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tugzrida.xyz header.b="jUL29iEV"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="J16qxwLN"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6p0SUiENL4qT for <quic@ietfa.amsl.com>; Sun, 4 Aug 2024 20:04:38 -0700 (PDT)
Received: from fout4-smtp.messagingengine.com (fout4-smtp.messagingengine.com [103.168.172.147]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20DD2C14F6E2 for <quic@ietf.org>; Sun, 4 Aug 2024 20:04:38 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfout.nyi.internal (Postfix) with ESMTP id 580A31390116; Sun, 4 Aug 2024 23:04:37 -0400 (EDT)
Received: from wimap24 ([10.202.2.84]) by compute2.internal (MEProxy); Sun, 04 Aug 2024 23:04:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugzrida.xyz; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1722827076; x=1722913476; bh=f1udGXwVb9 8jHLb0QsoWQvymz+VwG3ZOwPtdzx+GR3M=; b=jUL29iEV2XgoeNJco2cCK5xSDR bXMh9lj0//pO2g6L0WjSc3/B6xgPkStCInPolgW3fVPbhYwRbM20jhehKmwW7K/G 5jx16Afhpnz40jE1HR/krZvLVU72GqSv9viA11A/hFCqN7K9KQdq3D6/YkCF4Pgm Qj2NQUfbWsKbMARLu9FxFDVjhk2mOT/F0Q3wxysdH3LrS2Cr0PkV1mkcMRgU9o/S 3I5ltO1EGrMfLxR52hPBI1ZgcokqaoUScnKEKns4xoMw90HQccYJ5YUJjmzvLzFp thKEkgTerO8/sUvZoVNCD9e5+L3qwgdYDIVCLSAZxidFN931+GimFsJ6VYUw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1722827076; x=1722913476; bh=f1udGXwVb98jHLb0QsoWQvymz+Vw G3ZOwPtdzx+GR3M=; b=J16qxwLN76wEN36Zc2VEho4H3AL9XF6Fr9mz3btVlH7S eyqPR5ExwqteFADAgV8+J+gopFULitrAibaTC8H4i6qHyEeVkRCeWj8OdsD3sgru 0lEYuKo7S+88XRHgzVDOP0Bo7QEBHxeQC8H0NzUJK+RfzZwKRFCn/AkDNz+Z2gkA HahthF2twxJ0Wh8fVmOg6Pkqvc8VzZTJ28b/hFLXIjNkerWVScVmR3441HC7NOD2 Tc79SzPXqI2CcRAfY3p+5FuC4OCNfIg3Yr535ea164zkOlarq8VySbUH3/8qviE/ eJuTV7t3OYmwyyWruf6vyyeOlBIibqdc8VxM4eE2Lg==
X-ME-Sender: <xms:REGwZp_EOoaoGCNVlE4v2dX8zTAIPfiTx5-axvwbeAE7QQAN6YKUzg> <xme:REGwZtutNmCOYpwb8ekh6k-Osoinzn_58W2Uv-kNdvW0yeEfy60y_Sw3kWKIrBkyo J6LqKZi54-8Iyt6fSo>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrkeehgdeilecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenfg hrlhcuvffnffculdefhedmnecujfgurhepofggfffhvffkjghfufgtsehmtderreertddt necuhfhrohhmpedfvegrmhgvrhhonhcuufhtvggvlhdfuceoihgvthhfqhhuihgtsehtuh hgiihrihgurgdrgiihiieqnecuggftrfgrthhtvghrnhepkeettedtvdeluefgvdefieef geejhfdvlefftdejuddtgfduieevgfetkefhtedtnecuffhomhgrihhnpehtuhhgiihrih gurgdrgiihiidphhhtthhpghgvthifhhhitghhrhgvtggvihhvvghsrghnvgifnhgrthhm rghpphhinhhgrdihohhunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrg hilhhfrhhomhepihgvthhfqhhuihgtsehtuhhgiihrihgurgdrgiihiidpnhgspghrtghp thhtoheptd
X-ME-Proxy: <xmx:REGwZnAgvz7sLMgqXLkUDuElg_J2TUbGfzospbrIo4LnEn4atKkLLQ> <xmx:REGwZtfbqLqyDMK6twSl1AmCftpJto3le7RSKindXWRIyy0Nn1X0TQ> <xmx:REGwZuOI4IcUeZemYipo-lm1ZSsey75vkYF8-Dj7UfLZiqbgN33d6g> <xmx:REGwZvnWwCGP9ISwN01Cd8tDPZYocFEI28cDFJcSh-FMW7YOb36Vbg> <xmx:REGwZg3ruFqOYOeY-yoDr2lxgM9aEKf9YrveRx360wpYrBcDDLTLL4Zb>
Feedback-ID: i55d9460b:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 9935B25E0064; Sun, 4 Aug 2024 23:04:36 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
Date: Mon, 05 Aug 2024 13:04:15 +1000
From: Cameron Steel <ietfquic@tugzrida.xyz>
To: Christian Huitema <huitema@huitema.net>, quic@ietf.org
Message-Id: <4b26934e-eea4-4c96-b517-e9a396ed2a1d@app.fastmail.com>
In-Reply-To: <13977c9e-3539-4bf9-a268-e45c8e92a404@huitema.net>
References: <bef28311-83d0-4aff-bce2-81fc14e58a20@app.fastmail.com> <13977c9e-3539-4bf9-a268-e45c8e92a404@huitema.net>
Subject: Re: Use of zero-length connection IDs and NAT rebinding resilience
Content-Type: multipart/mixed; boundary="eec492f498b54d0d88a26c83b3195d36"
Message-ID-Hash: POC6UCL4OCSU7IR73XSS67PONUBRRBYH
X-Message-ID-Hash: POC6UCL4OCSU7IR73XSS67PONUBRRBYH
X-MailFrom: ietfquic@tugzrida.xyz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-quic.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/-58B-WTFV9dD5VilCLazgur6rR4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Owner: <mailto:quic-owner@ietf.org>
List-Post: <mailto:quic@ietf.org>
List-Subscribe: <mailto:quic-join@ietf.org>
List-Unsubscribe: <mailto:quic-leave@ietf.org>
Hi Christian, You are of course correct, I had been conflating terminology in my mind, apologies. The situation I was experiencing the issue in is as you describe: the NAT mapping times out and the first packet after the timeout is an HTTP GET which receives a new NAT mapping. You are also correct that Chrome does use 0-length id's for server > client, and the servers I've been using in my testing do use non-zero-length id's for the other direction. Given the error nginx logs when experiencing the issue ("quic no available client ids for new path while handling decrypted packet"), I had put the issue down to a suboptimal interpretation of RFC 9000 section 9.1 ("an endpoint MUST NOT reuse a connection ID when sending to more than one destination address"). I have also seen this behaviour when the server is Caddy, and with a site behind Cloudflare, so the interpretation seems to be somewhat widespread on the server side. I've attached a pcap from the internal side of a NAT and Chrome net-export of the issue, let me know if more details would be helpful. Cameron Steel. On Mon, Aug 5, 2024, at 09:34, Christian Huitema wrote: > > > On 8/4/2024 3:37 PM, Cameron Steel wrote: > > Hi QUIC experts, > > > > I've just completed a writeup of an issue I was experiencing with websites using QUIC through my ISP's CGNAT. In short, the issue was due to the CGNAT having a rather short UDP timeout of 20 seconds, in combination with the fact that Google Chrome seems to use zero-length connection IDs, which prevents connection migration. > > > > In the process of checking the behaviour I was observing against the QUIC RFCs, I came across a few oddities that I'd like to bring up: > > > > Both RFC 9000 and 9308 fairly plainly state that connections using zero-length IDs will not be resilient to NAT rebinding, however RFC 9000 section 5.1.1 does have this passage which vaguely implies that multiple network paths are possible with zero-length IDs: > > > >> An endpoint that selects a zero-length connection ID during the handshake cannot issue a new connection ID. A zero-length Destination Connection ID field is used in all packets sent toward such an endpoint over any network path. > > > > As this is only implied the once that I can find, I'm assuming it's just ambiguous wording and that the intended behaviour is what I observed, that connection migration is not permitted when using a zero-length connection ID. > > It is a bit more complicated than that. First, let's get the naming > right. "Connection migration" describes a voluntary action in which the > client tries to reach the server using a different 5-tuple and a > different connection ID. What you are encountering here is "NAT > Rebinding", i.e., the effect of an uncoordinated decision by the NAT to > forget the binding between the 5-tuple used by the client and the > "external" 5-tuple. > > After the NAT rebinding, all packets sent by the server to the old > 5-tuple will be lost: there is no mapping for that and packet are > dropped by the NAT, or maybe the mapping has been reused for a new > client and packet are dropped by that client because they cannot be > decrypted. > > The solution is for the server to somehow learn the new value of the > client's 5-tuple. It can only do that by receiving packets from the > client. All the packets sent after the NAT rebinding and before a new > packet is received by the client will be lost, whether connection IDs > are used or not. For example, if the application pattern is to send a > request, then wait some long time before the server replies, the long > wait will increase the risk of NAT rebinding, and the eventual response > of the server will be lost. > > If the traffic is series of HTTP GET triggering immediate responses, > there is hope. The server could learn the new 5-tuple when receiving the > GET command. But it needs to associate the arriving packet with the old > connection, and it can only do that if the old packet carries a > connection ID. > > > > > Given that, I'd be very curious to hear any insight into why Chrome has chosen not to use connection IDs. > > NAT Traversal will work if connection IDs are used in the client to > server direction. I was under the impression that Chrome uses 0-length > CID in the server to client direction, but Google servers use 8 bytes > CID in the client to server direction. If that's the case, NAT rebinding > should work. > > > If anyone is interested in reading my full writeup, you can find it here: https://blog.tugzrida.xyz/2024/08/04/too-quic-for-chrome-troubleshooting-udp-nat-rebinding/ > > Can you attach some kind of packet log so we can see what is really > happening? QLOG would be great. > > -- Christian Huitema >
- Use of zero-length connection IDs and NAT rebindi… Cameron Steel
- Re: Use of zero-length connection IDs and NAT reb… Christian Huitema
- Re: Use of zero-length connection IDs and NAT reb… Martin Duke
- Re: Use of zero-length connection IDs and NAT reb… Cameron Steel