IETF Logo Mail Archive

Re: QUIC Address Extension for NAT detection

Kazuho Oku <kazuhooku@gmail.com> Wed, 13 March 2019 22:46 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05EFC13112B for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:46:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBH65bBNRX2f for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:46:37 -0700 (PDT)
Received: from mail-lf1-x141.google.com (mail-lf1-x141.google.com [IPv6:2a00:1450:4864:20::141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7671130EA6 for <quic@ietf.org>; Wed, 13 Mar 2019 15:46:36 -0700 (PDT)
Received: by mail-lf1-x141.google.com with SMTP id m13so2741285lfb.6 for <quic@ietf.org>; Wed, 13 Mar 2019 15:46:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ZrVNzzs0AImC+l1ARx89YUjfw21/kj3EWKBNRUB4um8=; b=RYVYNAhgru8MtQ1uAhsqnrubtdY2b2O7VzZUQhoDnhw3AvX5OakbZbkptmXNGg+IDN W8UyCTOOrXLX8Hiaqnl/c280GzGcYK+wUG+W+6s7jUlrdcf0I+y2H7jzwCwfULCQt6c2 YAzVN8KLNIkSf+QFbuHoO1UlEZPRwhvM6jTVumUGGDufYnI52g4liVZt+dClu/r+IJ2O CH0I9eWySWNt+Fpt8xfPquwqI4PqLMUH4DcQ4E1ImteJtCN8tc2RJx9gNGL1QlFkD4Jf qqAwxy/VDDFNJ0fXvjFKeCwyq6RRdm4KFaWOO1AnPYVX+5Lldyp4flitzxflgit09GCP D9pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ZrVNzzs0AImC+l1ARx89YUjfw21/kj3EWKBNRUB4um8=; b=hkOMn/2TNlc9h4eYAdw54w0uoX+eJYyDlwaCmjG7OHdZTqnBbblMENQ9Gz//Drz1iz uEpheWOijckhB0x0bU4rtrQOqTSYUiSBEzQF7ZAcI9UuTJ26l1sPWWbB+uW4TWYmCRD5 k12ltEPdScDnGE5lzTVkp49XgS+OWi2+F8B9Zox1ts6At2W97LiMPPE6slIPfywnwuU6 /A/nxG1AFPAHDO40RQrCcG27Mhl739wqGK6QTl0PMbrIIPDJfRGpr6NY4jaWRtMFsFmP V0sWqljQGPhlBo0kc3LcoH1uN+v+e9bjyiFd4EJIJaT0ia1yBMUGpolfa6KsotWLqfta MKjw==
X-Gm-Message-State: APjAAAUoVw7g5/G8b+psXawDGltAjX1qfVjdUn0NoO1Nh1tPWcHlW3WX ddB3N76Qhmjz8CWw3305Y0ipXDzjJpbFbJ/mXFs=
X-Google-Smtp-Source: APXvYqxn+y8OGdcyTFFMM4jAQ+MtJF7EqbELOdl1eqEqQRL0ZlsaEJmTG0+GIiszUOAAdYqZinrs8/DZlDZ+bHjZtOM=
X-Received: by 2002:ac2:548f:: with SMTP id t15mr10989799lfk.166.1552517194799; Wed, 13 Mar 2019 15:46:34 -0700 (PDT)
MIME-Version: 1.0
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CANatvzxf1BjTe=A2Ui3m9U2LhE501Fy0pom0LLbMGn=zSU-yAQ@mail.gmail.com> <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com>
In-Reply-To: <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 14 Mar 2019 07:46:23 +0900
Message-ID: <CANatvzyJfxpaM0dryj2EU2XoGh5ggwzX2Ss-72RAtaXdeWBipg@mail.gmail.com>
Subject: Re: QUIC Address Extension for NAT detection
To: Tommy Pauly <tpauly@apple.com>
Cc: QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Cq5TQ4eRcFtMLYGLdNm_uLiwEzM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 22:46:39 -0000

2019年3月14日(木) 7:20 Tommy Pauly <tpauly@apple.com>:
>
>
>
> > On Mar 13, 2019, at 3:04 PM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> >
> > I like the idea of communicating the address, I agree that it would be
> > useful for QUIC in general to detect NATs.
> >
> > OTOH I am bit concerned of the privacy implications of a server asking
> > the client it's IP address. Because it could be considered as a
> > private information, when the client is running behind a NAT (or a
> > VPN, or something like Tor).
>
> To clarify, you are concerned about the server asking the client to send what the server's address is?

I was concerned about the server asking the address of the client
which might be running behind an VPN or something.

Assume a client having an IPv6 address, occasionally connects to
example.com through a VPN.

Without the extension, the server cannot tell if the client is the one
that has visited previously or not, because the client tuple that the
server observes changes between connections.

However, if the server could obtain the client's true IP address
(that's what the _QUIC version_ of the I-D allows, am
I correct?), then the server can see if the client has returned by
checking the value.

> The protocol only lets the an endpoint request its own public address. The security concerns section points this out:
>
> Moreover, since endpoints can only request their public
>    address, peers cannot accidentally transmit their (possibly private)
>    address to a peer.
>
> >
> > Considering that, it might be a good idea to make the protocol
> > asymmetric; i.e. design the frames so that the server sends the
> > perceived address of the client and then the client responds with a
> > boolean indicating if the perceived address is the actual address.
>
> Yes, as something further than the existing mechanism, we could have replies indicate if a client thinks it is behind a NAT based on the result of the exchange.
>
> Thans,
> Tommy
>
> >
> > 2019年3月14日(木) 1:20 Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>:
> >>
> >> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path:
> >>
> >> QUIC Address Extension
> >> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/
> >>
> >> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections:
> >>
> >> TLS Client Network Address Extension
> >> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/
> >>
> >> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections.
> >>
> >> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them!
> >>
> >> Best,
> >> Tommy
> >
> >
> >
> > --
> > Kazuho Oku
>


-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email