IETF Logo Mail Archive

Re: UDP source ports for HTTP/3 and QUIC

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Thu, 15 July 2021 08:56 UTC

Return-Path: <mikkelfj@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 618D53A22FE for <quic@ietfa.amsl.com>; Thu, 15 Jul 2021 01:56:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7sBVS6E3TstZ for <quic@ietfa.amsl.com>; Thu, 15 Jul 2021 01:56:33 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 951973A22FD for <quic@ietf.org>; Thu, 15 Jul 2021 01:56:33 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id d2so6811296wrn.0 for <quic@ietf.org>; Thu, 15 Jul 2021 01:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+qynKqoTOkBmfJ7D9Dh0b/TMssz9VEUpZCd9rhkLDo0=; b=p5psvD6NVvl3aIhnUNFLET4C7WhjR/ntiPKoC8w/cupIkHBkK51fDSzphmLOCZyyXR 4++0LRqiSFvF0SLddcbxqJMVWxrywsuKpVL1e+z/2N7g0Vxjnz3P1TRsj0KsqT5LMLwX DugvazcV7/cUo6OLwEoYCUugUyjpaAxNe1fXppFAsnoV6ms66o2ta3frclkJsGlQr9z+ CM29s5cacy0PloKDu/g98T8PTJnjH0w5vrUCOL95+1iEB347zInqvzmCGjPg65lUvOmC 6R6xNWeacFP8ipY8jd0NgcN0ik2n709WDHlneFenI6UR+UpDEZu7uoY39t+FsQctinfc 2xpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=+qynKqoTOkBmfJ7D9Dh0b/TMssz9VEUpZCd9rhkLDo0=; b=pVdEWXTPS8dGXQCGylHvJ5n8WwHuRbV25bzd2nbMOvksAOmhzkV3CYke9N1d1sbPWH UaDdBRaoOu1JTkSN7xx4sLD88JqW7hAlaT63dGCAb68qis3YZU4fRTBERyycUDZIRMLn 3wu47GwKgndkPBnOF+VADhPm1h3/AQETbvT+B32k7rvgP5rxoynHe4xXUrUVgxNp6WXL urV+ZdClni5KJmp5sdeS89w4stsr+i17CBJ5tEvPWKd+cqtuulj52P8HtNtgb15CPcrf GyQRpa48+/TSzubgXSFqb5IGbdkONmf1om3m7CcQoaRXbx/EknAr/Qtb114KQpM1H4WI pJZg==
X-Gm-Message-State: AOAM530iij08dX3/i0G0Z9DRB6ooyskhG2huTnY3sVgK8c+6uSqnWmkP 2Mt8iDyqJG0yRB87BbbAe1Y=
X-Google-Smtp-Source: ABdhPJz0LkmDHXmW8At6rMnZ0Vbf7DKGoRGO/yQsambl/wLw4BQZdgxMIdBkoIPUxeEl6M990s4efA==
X-Received: by 2002:adf:90e2:: with SMTP id i89mr4241836wri.338.1626339390217; Thu, 15 Jul 2021 01:56:30 -0700 (PDT)
Received: from [192.168.50.192] ([87.72.40.193]) by smtp.gmail.com with ESMTPSA id k24sm5866515wrh.30.2021.07.15.01.56.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Jul 2021 01:56:29 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Subject: Re: UDP source ports for HTTP/3 and QUIC
From: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
In-Reply-To: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
Date: Thu, 15 Jul 2021 10:56:28 +0200
Cc: HTTP Working Group <ietf-http-wg@w3.org>, IETF QUIC WG <quic@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F79A78A-1DF8-4A48-9B7F-334B309C9C26@gmail.com>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/06dPr9MxgFt1XhA_UaqL1eA4t6g>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 08:56:39 -0000

It is perhaps worth noting that due to QUIC (optionally) having unique connection identifiers, it is feasible to have many connections on the same source port. Therefore that could be a recommendation in cases where some source ports might be blocked.

As others have pointed out, I would suspect an RFC with a port list would quickly become outdated.

Mikkel

> On 15 Jul 2021, at 02.20, Mark Nottingham <mnot@mnot.net> wrote:
> 
> [ bringing this up on both lists because it's not yet clear what the right scope is ]
> 
> It's not uncommon for servers to block certain UDP source ports to avoid being overwhelmed by certain reflection attacks. In particular:
> 
> * 53 - DNS
> * 123 - NTP
> * 1900 - SSDP
> * 5353 - mDNS
> * 11211 - memcached
> 
> ... among other candidates.
> 
> See, eg., <https://blog.cloudflare.com/reflections-on-reflections/>. This isn't done to avoid protocol vulnerabilities as such -- it's to avoid volumetric attacks (usually DDoS). 
> 
> If a client chooses source ports from the ephemeral port range, this shouldn't be an issue. However, some implementations (or deployments) extend the source port range "downwards" to avoid exhaustion:
> 
> * On Linux, it's pretty common to tune to extend the ephemeral port range, e.g., <https://ma.ttias.be/linux-increase-ip_local_port_range-tcp-port-range/>
> 
> * On some versions of Windows, ports as low as 1025 are used: <https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements>
> 
> * FreeBSD has used ports as low as 1024 in the past; their documentation is... confused right now. <https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a51307f9f2e/sys/netinet/in.h#L272> (I don't run a FreeBSD box to check this)
> 
> * NAT and CGNAT are a thing. <https://www.rfc-editor.org/rfc/rfc4787.html#section-4.2.1> recommends that source ports in the range 1024-65535 be reassigned within that range, which can cause collisions. 
> 
> Overall, the chance of collision (i.e., a client or a NAT choosing a blocked source port) is quite low, but at Internet scale it'll happen, leading to the client needing to open a new connection, thereby adding perceived latency. 
> 
> At a minimum, it seems like a good thing for client and NAT developers to be aware that some ports are likely to be blocked, so that they can avoid them if they care about perceived performance. This e-mail might be enough for that immediate purpose.
> 
> My question is whether there's a need for more coordination -- e.g., a very short RFC outlining such ports, to help bring this to folks' attention (especially in the NAT crowd)?
> 
> Cheers,
> 
> 
> 
> --
> Mark Nottingham   https://www.mnot.net/
>

v2.39.1 | Report a Bug | By Email | System Status