Re: Back to work
Christian Huitema <huitema@huitema.net> Thu, 29 October 2020 23:42 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FBB33A0AC4 for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 16:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.135
X-Spam-Level:
X-Spam-Status: No, score=-2.135 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oz2pliiSrE51 for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 16:42:24 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DC2A3A0ABA for <quic@ietf.org>; Thu, 29 Oct 2020 16:42:24 -0700 (PDT)
Received: from xse404.mail2web.com ([66.113.197.150] helo=xse.mail2web.com) by mx166.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kYHYh-0000lR-ST for quic@ietf.org; Fri, 30 Oct 2020 00:42:21 +0100
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4CMhn56LTbz1TkM for <quic@ietf.org>; Thu, 29 Oct 2020 16:42:17 -0700 (PDT)
Received: from [10.5.2.31] (helo=xmail09.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kYHYf-0005on-P8 for quic@ietf.org; Thu, 29 Oct 2020 16:42:17 -0700
Received: (qmail 24011 invoked from network); 29 Oct 2020 23:42:17 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.139]) (envelope-sender <huitema@huitema.net>) by xmail09.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 29 Oct 2020 23:42:17 -0000
To: Martin Thomson <mt@lowentropy.net>, Eric Kinnear <ekinnear@apple.com>
Cc: quic@ietf.org
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com> <efe63bdf-7af2-49c0-932d-3a36de61bdd6@www.fastmail.com> <41A07550-1BFA-43E6-83A0-93FA96DF1E9B@apple.com> <CAN1APddS_qtMoUiUL9uwtAB3rXuAQ0NmiipXGDkS4hcA5od6Ag@mail.gmail.com> <CAKcm_gOcuuF_REWszJyYC6eO6swavMD3D9VnzgJTHEwEAXOsnw@mail.gmail.com> <CAM4esxT2kD6U-Hb5cOSfykBPvTmboEozqqiYiFF63ywxstm-LQ@mail.gmail.com> <CAKcm_gPzEgEssO3LMyW=t9tvbsRrLQBJ7M=2mxySs3H-YUXF5A@mail.gmail.com> <CACpbDceKFAVZ=Vrvj8ZoOj95TNfkCqNrpLh8FOBMBUBU=Qx_eQ@mail.gmail.com> <cc9aca43-7556-7fed-8ef8-1b5343316a0d@huitema.net> <59211AC5-0D72-4295-9E67-DA0BF5B92965@apple.com> <7fca948f-6c71-45c8-8c76-8cfabf11898b@www.fastmail.com> <5CD85C94-CFB2-47FF-9178-0DBE354EFCBF@apple.com> <f950a0cf-1be1-491b-8bc4-f5816cdb13e6@www.fastmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Subject: Re: Back to work
Message-ID: <fed2a70b-954e-f224-fd0f-e80d36f12e87@huitema.net>
Date: Thu, 29 Oct 2020 16:42:20 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <f950a0cf-1be1-491b-8bc4-f5816cdb13e6@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.150
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0QBfAh7lyK8tB8mq1asnDr6pSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDcnqpk5VeF3xR4kF6iVwRtbgN zB/4Jkrw1eDLcif59ftN7L2DRwMzsv5SToDnMc7JU7Tmz6iKnkQL9gqsxD347235Nhqq+/HvroPq 8GSPg+60/QPNqXybIny9WGhadIo/FqANMYqm8+U1ocMliIzyKbyme9ldZJ7uNXfg/GfS8fUvP/L5 rCqHDsKZM+xa1iwJX+gRCHfMVnsAk591zk0uilUI+ZL4xWiN8NS6C+dmX6OEdA4u1aThyWrQ/ou2 +v/lmX4Em37yFgrCB6NHRn1g+f3uncIqYSL3lhh5c81YyJqFoLZMmkWsaurVZfvqROaDnDtHb8z5 dpPkEuJ8Snwqla7jUnW3hy14Yji8fo+4xCnSRo4Rcu5Z37rMuDjCny5fE9ykbJ7I9co1MAEE3ruN Xsm8UJsAPvDcVSKtDCYkioPY5Qx4fJOk03R5fJtf/Dv/dkIzS7m4GUpXCY1Y3j3ilZpnfSx1WjM8 Y221ho/pD394mWepawqbJhSWXDEVBtSwzX/G+0OVe7KMEWdb6P+EfB0SEsxetsik2ZEXWPJduDzv 5pWb82qAoDl3ILGSF0vmDvI0DEihOd7XzCAIcFZdY11677oPXF7r5zsW33ZNliqQWXiK63IBlEyx 50xFFL1+CDRZgQnFYkq0SOLrmvxpFxqf27VeHOkXe82afzWlDIsdwYBlgg5KTuQ8iFMpDaa3HHAS JNUmoOHSoqgqxfHmWRWcrRhLeB34s3hUb32GO+39mM1C5mT9OTDD6EBjMQ7f08QV3No+S2msRDep v5w/kkG0v17AmegcpQ0tml/sN9lmMy/o83jVXTcfb9k0nLWblJy7uxV6dw8jzlsaNZe6hynMJcjx DydxsJEju76A7X1QIVydqXpZ6MHhiKws9Iiut28r9wo4SqUIg8Yh9hAM0n3LLzx/F2gT3wl8JQJv Bho=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4eyHXjIrtqJ_VOOOLZMk0NHsaYM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 23:42:26 -0000
On 10/29/2020 3:53 PM, Martin Thomson wrote: > Thanks for clarifying Eric, > > On Fri, Oct 30, 2020, at 09:07, Eric Kinnear wrote: >> Client is fetching a decently large web resource from a server over >> QUIC. NAT rebinds and so the server sees un-padded QUIC packets >> arriving on a different port. > Ah, so I had in my mind that the server would be able to treat the new address as validated if only the port changed. Then it wouldn't be obligated to perform address validation or limit its sending. > > This is not what the draft says. The same-port exception only applies to the congestion controller. (https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-9.4-2) > > I guess that my implementation will be off-spec in this regard. I have no intention of splitting the logic so that a port rebinding retains congestion control and RTT state, but not address validation state. > > The question then is whether this is worth permitting in the spec. First, let's look at Eric's scenario, a client that is fetching a big load of data, and sending back a steady stream of ACKs. Under these circumstances, NAT rebinding ought to be fairly rare. NATs don't actually "rebind". They create state on first packet from client, and discard it according to some resource management algorithm. In the proposed scenario, the NAT sees that the port is in use and it will take some extra pressure or some software bugs to discard the NAT state. If that happen, incoming packets from the server will be lost until the client sends a packet, the NAT installs some new binding state, and the server decides to send on the new path. Bottom line, we are talking about an error scenario, which we should not try to optimize it too much. My concern is the opposite. Over-optimization of the NAT rebinding scenario creates a significant attack surface. If sending a tiny packet triggers a series of fully padded path challenges, attackers can use that creatively. I would rather **not* optimize the NAT rebinding scenario for performance, and look for robustness instead. On the server side, send short challenges without padding to assess address ownership without opening a DDOS avenue. Worry about path MTU later. That means doing thing differently for a regular migration and for a NAT rebinding. A regular migration happens starts the client sends a full size packet, with a not yet seen CID, and containing a path challenge. Responding to that with a full size response makes sense. But if the server receives a short packet, with an already used CID, and without a path challenge, that's probably a NAT rebinding. Responding with full size challenge packets is counter-productive. -- Christian Huitema
- Re: Back to work Christian Huitema
- Re: Back to work Jana Iyengar
- Back to work Martin Thomson
- Re: Back to work Töma Gavrichenkov
- Re: Back to work Ian Swett
- RE: Back to work Nick Banks
- Re: Back to work Magnus Westerlund
- Re: Back to work Martin Duke
- Re: Back to work Kazuho Oku
- Re: Back to work Martin Duke
- Re: Back to work Kazuho Oku
- Re: Back to work Martin Thomson
- Re: Back to work Eric Kinnear
- Re: Back to work Eric Kinnear
- Re: Back to work Mikkel Fahnøe Jørgensen
- Re: Back to work Ian Swett
- Re: Back to work Martin Duke
- Re: Back to work Eric Kinnear
- Re: Back to work Ian Swett
- Re: Back to work Martin Thomson
- Re: Back to work Eric Kinnear
- Re: Back to work Martin Thomson
- Re: Back to work Christian Huitema
- Re: Back to work Martin Thomson
- Re: Back to work Eric Kinnear
- Re: Back to work Ian Swett
- Re: Back to work Martin Duke
- Re: Back to work Ian Swett
- Re: Back to work Martin Duke
- Re: Back to work Ian Swett
- Re: Back to work Magnus Westerlund
- Re: Back to work Gorry Fairhurst