Re: Using QUIC to traverse NATs
Marten Seemann <martenseemann@gmail.com> Sat, 22 July 2023 17:18 UTC
Return-Path: <martenseemann@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9913DC14CE42 for <quic@ietfa.amsl.com>; Sat, 22 Jul 2023 10:18:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9PZDNH7wKko for <quic@ietfa.amsl.com>; Sat, 22 Jul 2023 10:17:59 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 579DFC14CF0C for <quic@ietf.org>; Sat, 22 Jul 2023 10:17:59 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id a640c23a62f3a-992f15c36fcso491189266b.3 for <quic@ietf.org>; Sat, 22 Jul 2023 10:17:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690046278; x=1690651078; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1lUMmAa7ZG4oZGTTXHmV6rtIfuVfZvP8rGHA7t05qws=; b=S4dJK89K9qT5BTmQS3PYQOa/Gh5nlqRl/MZ+IUTgU4Sm45g9Wia8Z+PQ9jtPpn86Gs sTG7UmCjaXHygcKiIxXYboXYJOxeyRUXGs1Lq1bh7nCeeIgWYUI8lBl/LjdYZubKzed3 Xv8do2mB48LFGhNsB9bVWdFxHOi7IWEwLsJMVLtGg5glcSGL315TyIP3UbR17YIwxumr 1mLqLEjV0CzEqSjtC45Jeba41iP98U/27dN1gwQGkvlVMORyeFdIHtOe7P+UlQKOyNFe aldqe3ietvaBbzwctlXosltZEh1/31GdxtpFYW4wQP5nXJp44UVoGXOICTAP9ZKR7SYO xDMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690046278; x=1690651078; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1lUMmAa7ZG4oZGTTXHmV6rtIfuVfZvP8rGHA7t05qws=; b=d49h4/KD+mLKE6haR2hR3mjR0praSUA1UKrB4kxVvnA90hGL+rkdztHEmUtEYksh+8 8M1izKBZL7oqu9Ept8aWNu56S5oc6baqBciZLWOmkG6ApQ/vzs7jwh5gucOnvRwMGDUR oZEUWa0XZ52bVJNxQC2o233JOx/+1mmc9qaj5GtbwbcNRE5sPamOWezBQK/VxnbjBVd+ NjxqaZXvXxxc8Zo5ECQQ2O6OnMi4CSa7zFllcgKOumXmAGwxtxHH+BOD4N3cwfOqqlvB SqWo1EkoCbSfvLIrQ/6O0RTiE/kDfqrRrJEMtdLIAKDHoUWkO2LO2hhTYo5pWpTW4HrG 94FQ==
X-Gm-Message-State: ABy/qLYFWmqmAoyX9Zgj/dv3RDM2xOD6kbtA1qBdCkn2C1/LjDysPldJ RTtayUP7go0rAaaXZZD3OoafLCAJqBY0/HW2dW11V9HNK30=
X-Google-Smtp-Source: APBJJlHz+gkLnxLzs+PbEZYCAWlpHuTXJHyFYLU10Cj4AtPlnmSq3CL8URILt565di2jtOG8/Lff25uhf0zXZaZTznc=
X-Received: by 2002:a17:906:10db:b0:993:e860:f20 with SMTP id v27-20020a17090610db00b00993e8600f20mr5754409ejv.19.1690046277307; Sat, 22 Jul 2023 10:17:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAOYVs2pqmQW2J4mkPOhV5b0c2CLG_+uw1iT26f3=bUzRdKameA@mail.gmail.com> <2d0e2504-476f-461e-bd83-39e8e391f8d8@app.fastmail.com>
In-Reply-To: <2d0e2504-476f-461e-bd83-39e8e391f8d8@app.fastmail.com>
From: Marten Seemann <martenseemann@gmail.com>
Date: Sat, 22 Jul 2023 10:17:45 -0700
Message-ID: <CAOYVs2rS5-QFYimCp1S_+ESKbu8RfHyn5GWP-WDETO9VXC0csw@mail.gmail.com>
Subject: Re: Using QUIC to traverse NATs
To: Martin Thomson <mt@lowentropy.net>
Cc: quic@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000351fd060116904d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/41CYYR_O1b-sWoDbpVUraFsz8qg>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jul 2023 17:18:01 -0000
Thanks for all the feedback! I'll address multiple points made in the thread so far. Multipath: I'd like this extension to work well with QUIC Multipath, and I don't see anything that would prevent that. However, I don't think it needs anything multipath-specific, and can run on top of a RFC 9000 stack just as well. In specific: 1. RFC 9000 already allows a client to simultaneously probe an arbitrary number of paths, and to keep them alive (by sending probing packets). The only thing that multipath adds here is the capability to send / receive on multiple paths at the same time, but a NAT won't even be able to distinguish between these scenarios. 2. Multipath doesn't allow the server to initiate a new path: as in RFC 9000, path initiation is solely the client's responsibility. A NAT traversal solution will need to define a way for the server to send a hole punching packet either way. Who's initiating the migration: When we designed QUIC, we concluded that server-initiated migration creates a lot of corner cases, especially around the simultaneous initiation of new paths. It might also open up new attack scenarios. The draft therefore doesn't change that logic: All probing of new paths is driven by the client. That’s why we need to sure that the the QUIC client's ACE agent ends up being the controlling agent (it is my understanding that the controlling agent is responsible for the probing of new paths). That being said, the draft should probably go into more detail regarding NAT rebindings that might happen on the server's NAT. QUIC Address Extension: This seems useful for nodes that don’t need to rely on ICE for their address discovery, e.g. p2p applications that are running continuously. They cut then piggy-back address discovery on top of connections they’re establishing anyways. In fact, I have deployed something very similar, with the address requests happening at the application layer. Who’s responsible for path selection? Martin is making a good point here (and wrote a really interesting ICE / DTLS draft 10 years ago, thank you for sharing!). In mode 1, I’d imagine that ICE runs to completion before the QUIC handshake starts, so it would be ICE’s responsibility to select the path. In mode 3, it makes sense to have the QUIC layer decide which of the paths to use, as it probably knows more about the application’s needs than ICE. On Tue, 18 Jul 2023 at 18:55, Martin Thomson <mt@lowentropy.net> wrote: > Hi Marten, > > I did a little thinking about this problem a fair while back, see > https://datatracker.ietf.org/doc/html/draft-thomson-rtcweb-ice-dtls-00 > > That's closer in truth to your mode 3. That is, it collapses the > protocols. And of course there are properties of DTLS that ensure that > this is less than ideal, whereas QUIC might be better suited to the sorts > of tweaks that connectivity checking demands. > > In particular, it is worth thinking about carefully here is how much > QUIC's path validation logic is duplicative of parts of ICE and whether > that is overhead that can be saved. > > As for the non-collapsed versions, you might need to be clearer about > which part of the stack is responsible for path selection. In mode 1, this > is not particularly clear. If you think of classic ICE, you essentially > have ICE being responsible for path selection (especially with the > continuous ICE versions) and the flow that you initiate on top of it is > ignorant of path changes. That will interact somewhat poorly with a > protocol like QUIC that expects to be more involved in that process. It's > worse in mode 2, which might be quite confusing with the two layers > interacting as they do. That could stand to be made much clearer. > > Cheers, > theonewithan"i" > > On Mon, Jul 10, 2023, at 22:20, Marten Seemann wrote: > > I just submitted a new draft that describes how to do NAT traversal > using QUIC: > > https://datatracker.ietf.org/doc/draft-seemann-quic-nat-traversal/ > > > > The document defines 3 distinct modes. The first mode is the simplest > > one, first running ICE to completion to find a suitable path between > > two nodes, and then establishing a QUIC connection on that path. > > The other two modes use a proxied QUIC connection to do the ICE > > signaling (potentially using one of the protocols defined by the MASQUE > > WG), and then make use of QUIC connection migration to migrate to a > > better / direct path. > > > > This is an early draft version, and I wouldn’t be surprised if it > > wasn’t actually implementable, most likely due to my limited > > familiarity with ICE. I’d appreciate feedback if the general direction > > makes sense. > > > > Cheers, > > Marten > >
- Using QUIC to traverse NATs Marten Seemann
- Re: Using QUIC to traverse NATs Dan Wing
- Re: Using QUIC to traverse NATs Joerg Ott
- Re: Using QUIC to traverse NATs Christian Huitema
- Re: Using QUIC to traverse NATs David Schinazi
- Re: Using QUIC to traverse NATs Martin Thomson
- Re: Using QUIC to traverse NATs Marten Seemann