IETF Logo Mail Archive

Re: Back to work

Christian Huitema <huitema@huitema.net> Thu, 29 October 2020 23:42 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FBB33A0AC4 for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 16:42:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.135
X-Spam-Level:
X-Spam-Status: No, score=-2.135 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oz2pliiSrE51 for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 16:42:24 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DC2A3A0ABA for <quic@ietf.org>; Thu, 29 Oct 2020 16:42:24 -0700 (PDT)
Received: from xse404.mail2web.com ([66.113.197.150] helo=xse.mail2web.com) by mx166.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kYHYh-0000lR-ST for quic@ietf.org; Fri, 30 Oct 2020 00:42:21 +0100
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4CMhn56LTbz1TkM for <quic@ietf.org>; Thu, 29 Oct 2020 16:42:17 -0700 (PDT)
Received: from [10.5.2.31] (helo=xmail09.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1kYHYf-0005on-P8 for quic@ietf.org; Thu, 29 Oct 2020 16:42:17 -0700
Received: (qmail 24011 invoked from network); 29 Oct 2020 23:42:17 -0000
Received: from unknown (HELO [192.168.1.107]) (Authenticated-user:_huitema@huitema.net@[172.58.43.139]) (envelope-sender <huitema@huitema.net>) by xmail09.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 29 Oct 2020 23:42:17 -0000
To: Martin Thomson <mt@lowentropy.net>, Eric Kinnear <ekinnear@apple.com>
Cc: quic@ietf.org
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com> <efe63bdf-7af2-49c0-932d-3a36de61bdd6@www.fastmail.com> <41A07550-1BFA-43E6-83A0-93FA96DF1E9B@apple.com> <CAN1APddS_qtMoUiUL9uwtAB3rXuAQ0NmiipXGDkS4hcA5od6Ag@mail.gmail.com> <CAKcm_gOcuuF_REWszJyYC6eO6swavMD3D9VnzgJTHEwEAXOsnw@mail.gmail.com> <CAM4esxT2kD6U-Hb5cOSfykBPvTmboEozqqiYiFF63ywxstm-LQ@mail.gmail.com> <CAKcm_gPzEgEssO3LMyW=t9tvbsRrLQBJ7M=2mxySs3H-YUXF5A@mail.gmail.com> <CACpbDceKFAVZ=Vrvj8ZoOj95TNfkCqNrpLh8FOBMBUBU=Qx_eQ@mail.gmail.com> <cc9aca43-7556-7fed-8ef8-1b5343316a0d@huitema.net> <59211AC5-0D72-4295-9E67-DA0BF5B92965@apple.com> <7fca948f-6c71-45c8-8c76-8cfabf11898b@www.fastmail.com> <5CD85C94-CFB2-47FF-9178-0DBE354EFCBF@apple.com> <f950a0cf-1be1-491b-8bc4-f5816cdb13e6@www.fastmail.com>
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mDMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1Rmu0 J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PoiWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAuDgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB4h+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
Subject: Re: Back to work
Message-ID: <fed2a70b-954e-f224-fd0f-e80d36f12e87@huitema.net>
Date: Thu, 29 Oct 2020 16:42:20 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <f950a0cf-1be1-491b-8bc4-f5816cdb13e6@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.150
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0QBfAh7lyK8tB8mq1asnDr6pSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDcnqpk5VeF3xR4kF6iVwRtbgN zB/4Jkrw1eDLcif59ftN7L2DRwMzsv5SToDnMc7JU7Tmz6iKnkQL9gqsxD347235Nhqq+/HvroPq 8GSPg+60/QPNqXybIny9WGhadIo/FqANMYqm8+U1ocMliIzyKbyme9ldZJ7uNXfg/GfS8fUvP/L5 rCqHDsKZM+xa1iwJX+gRCHfMVnsAk591zk0uilUI+ZL4xWiN8NS6C+dmX6OEdA4u1aThyWrQ/ou2 +v/lmX4Em37yFgrCB6NHRn1g+f3uncIqYSL3lhh5c81YyJqFoLZMmkWsaurVZfvqROaDnDtHb8z5 dpPkEuJ8Snwqla7jUnW3hy14Yji8fo+4xCnSRo4Rcu5Z37rMuDjCny5fE9ykbJ7I9co1MAEE3ruN Xsm8UJsAPvDcVSKtDCYkioPY5Qx4fJOk03R5fJtf/Dv/dkIzS7m4GUpXCY1Y3j3ilZpnfSx1WjM8 Y221ho/pD394mWepawqbJhSWXDEVBtSwzX/G+0OVe7KMEWdb6P+EfB0SEsxetsik2ZEXWPJduDzv 5pWb82qAoDl3ILGSF0vmDvI0DEihOd7XzCAIcFZdY11677oPXF7r5zsW33ZNliqQWXiK63IBlEyx 50xFFL1+CDRZgQnFYkq0SOLrmvxpFxqf27VeHOkXe82afzWlDIsdwYBlgg5KTuQ8iFMpDaa3HHAS JNUmoOHSoqgqxfHmWRWcrRhLeB34s3hUb32GO+39mM1C5mT9OTDD6EBjMQ7f08QV3No+S2msRDep v5w/kkG0v17AmegcpQ0tml/sN9lmMy/o83jVXTcfb9k0nLWblJy7uxV6dw8jzlsaNZe6hynMJcjx DydxsJEju76A7X1QIVydqXpZ6MHhiKws9Iiut28r9wo4SqUIg8Yh9hAM0n3LLzx/F2gT3wl8JQJv Bho=
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4eyHXjIrtqJ_VOOOLZMk0NHsaYM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 23:42:26 -0000

On 10/29/2020 3:53 PM, Martin Thomson wrote:
> Thanks for clarifying Eric,
>
> On Fri, Oct 30, 2020, at 09:07, Eric Kinnear wrote:
>> Client is fetching a decently large web resource from a server over 
>> QUIC. NAT rebinds and so the server sees un-padded QUIC packets 
>> arriving on a different port. 
> Ah, so I had in my mind that the server would be able to treat the new address as validated if only the port changed.  Then it wouldn't be obligated to perform address validation or limit its sending.
>
> This is not what the draft says.  The same-port exception only applies to the congestion controller.  (https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-9.4-2)
>
> I guess that my implementation will be off-spec in this regard.  I have no intention of splitting the logic so that a port rebinding retains congestion control and RTT state, but not address validation state.
>
> The question then is whether this is worth permitting in the spec.

First, let's look at Eric's scenario, a client that is fetching a big
load of data, and sending back a steady stream of ACKs. Under these
circumstances, NAT rebinding ought to be fairly rare. NATs don't
actually "rebind". They create state on first packet from client, and
discard it according to some resource management algorithm. In the
proposed scenario, the NAT sees that the port is in use and it will take
some extra pressure or some software bugs to discard the NAT state. If
that happen, incoming packets from the server will be lost until the
client sends a packet, the NAT installs some new binding state, and the
server decides to send on the new path. Bottom line, we are talking
about an error scenario, which we should not try to optimize it too much.

My concern is the opposite. Over-optimization of the NAT rebinding
scenario creates a significant attack surface. If sending a tiny packet
triggers a series of fully padded path challenges, attackers can use
that creatively. I would rather **not* optimize the NAT rebinding
scenario for performance, and look for robustness instead. On the server
side, send short challenges without padding to assess address ownership
without opening a DDOS avenue. Worry about path MTU later.

That means doing thing differently for a regular migration and for a NAT
rebinding. A regular migration happens starts the client sends a full
size packet, with a not yet seen CID, and containing a path challenge.
Responding to that with a full size response makes sense. But if the
server receives a short packet, with an already used CID, and without a
path challenge, that's probably a NAT rebinding. Responding with full
size challenge packets is counter-productive.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email