IETF Logo Mail Archive

RE: QUIC Address Extension for NAT detection

Mike Bishop <mbishop@evequefou.be> Wed, 13 March 2019 22:27 UTC

Return-Path: <mbishop@evequefou.be>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3EE512796B for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=evequefou.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oE67Vqf826Ns for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:27:18 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (mail-eopbgr710122.outbound.protection.outlook.com [40.107.71.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC2C512798F for <quic@ietf.org>; Wed, 13 Mar 2019 15:27:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evequefou.onmicrosoft.com; s=selector1-evequefou-be; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kACayZ3ZbflBX+EQlh3iWKjvfCdSptxs5S5LGH8tmMU=; b=pJZOeDFno8iVL/U/+zfa2f5DudqqMxwPgibp6nyQxRXudkjNoVSEFo39pcnHb5svyVFL5pVGBS15Y6AB2wq/MIvYAVfAcRrDzJhRllFdmc6wk9wJoFaB+ClHo48gKHVfdvJT9avIjP9UMFgJPCjxFRN/X4MxhbKvBJ1x2F7KxXk=
Received: from CY4PR22MB0983.namprd22.prod.outlook.com (10.171.164.151) by CY4PR22MB0551.namprd22.prod.outlook.com (10.172.141.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.18; Wed, 13 Mar 2019 22:27:15 +0000
Received: from CY4PR22MB0983.namprd22.prod.outlook.com ([fe80::76:e309:d27f:23e6]) by CY4PR22MB0983.namprd22.prod.outlook.com ([fe80::76:e309:d27f:23e6%2]) with mapi id 15.20.1709.011; Wed, 13 Mar 2019 22:27:15 +0000
From: Mike Bishop <mbishop@evequefou.be>
To: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, Kazuho Oku <kazuhooku@gmail.com>
CC: QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
Subject: RE: QUIC Address Extension for NAT detection
Thread-Topic: QUIC Address Extension for NAT detection
Thread-Index: AQHU2bifMe4C/L1g7U6/xTjKdOoZjaYKHfAAgAAEcQCAAAF4QA==
Date: Wed, 13 Mar 2019 22:27:14 +0000
Message-ID: <CY4PR22MB098360DD0557B0C883FF00B5DA4A0@CY4PR22MB0983.namprd22.prod.outlook.com>
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CANatvzxf1BjTe=A2Ui3m9U2LhE501Fy0pom0LLbMGn=zSU-yAQ@mail.gmail.com> <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com>
In-Reply-To: <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mbishop@evequefou.be;
x-originating-ip: [38.134.241.6]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 674dc9aa-e9bb-4f90-c5ec-08d6a8030ba1
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:CY4PR22MB0551;
x-ms-traffictypediagnostic: CY4PR22MB0551:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <CY4PR22MB055129002FC85D61DD328065DA4A0@CY4PR22MB0551.namprd22.prod.outlook.com>
x-forefront-prvs: 09752BC779
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(366004)(346002)(136003)(39830400003)(396003)(13464003)(199004)(189003)(11346002)(14444005)(106356001)(7696005)(476003)(25786009)(97736004)(305945005)(486006)(81166006)(81156014)(99286004)(76176011)(5660300002)(8676002)(508600001)(68736007)(105586002)(966005)(86362001)(229853002)(74316002)(52536014)(7736002)(4326008)(186003)(446003)(74482002)(33656002)(6246003)(26005)(9686003)(3846002)(66066001)(6436002)(54906003)(316002)(14454004)(53546011)(8936002)(6116002)(71190400001)(53936002)(71200400001)(102836004)(6506007)(6306002)(2906002)(110136005)(256004)(55016002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR22MB0551; H:CY4PR22MB0983.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: evequefou.be does not designate permitted sender hosts)
x-microsoft-exchange-diagnostics: 1;CY4PR22MB0551;23:vAlubTSRz6azYnV3I3VNMTM6fhT1s9jNrKP7AMFBwFYKw3JX1sghoFUM8tIFQnguk/23dfFeBCDdyV+uieHrTnuCw1WJu+leq4uYzMBhk35+ixLgnLH4wzvPIau1brkwmnoOiLyCQoZcxMkuJqGCHwRmdiU/SnrVFys1MOllWzdNCVjlKd5ipBRMsu4IZVB0VXOIZk02bRaU4fJGmFjH/fGfv0V2D30acyGQpQA5bRPXiDxaDByNOQKo3arXLHNoeZe4N16pPv3sEKVvsEWIpm2Hu4hq3FTQb61eXEn08HT1+GEVYLDZridyX0pdqp65lXZ+KA/pLJlX09zw2qYND2daNjvrBEdwA3bgKcSgn7PnYxYEHKW+vjrOKLiY30QDIV/DIe4ANcJm0u4Osj6V6H+q8nQ0PBOnKTEPITpcWlDqng9mu95u57ZoqwgUgWMWEUjfBj7ERLzuNj21da0QibI0h0MuMv450udcMVk5VdwEc+hrSzLogQi5Rkh+Komypi+oVZfm5Q9+3QaDX85BSR0Oq/Hrsqs5DkWEj2fplb5m3skUTSQ3OnAgy99jK3U3fLAOoCuVIKR9K5fmA7UpkRq/poEXGYOhtsk9+Pw2/g3bh/DzW0Nv7XhV864J7r+RdNVzN03hWbBIAJMWxOQo6Rz+MqwDlKHXuXYKtKJkY+1ulPVl+cPl3rsCFchbhwHDZtW3iSPahmKqwpINd0JIf9bdiffwdyBHbsyU1JGPH4GReCCMqaPcBrZX7laePtNQFsA/dX9LeprUk7PbfVplbUtYwl5V6DXunmS3b9iFjBf1qGKT9GieirW+eOTWwM3Bt0xvu7BI5iEpTgVAfrdZwUpZxtibCwqcMNy7ZYMxxbO2jC2uYmvg+k0S16iaRcjbxWQFgD8oWaziZejEQNHPiOpV7rmw7+axv7Z8Qzy/8EQwEv9Oh1/3eU1F5/5J5Tx6l2vg4Y3PJ71zLGheochwrCk9gYcC1DvjJMSEzkvv5mfY5mr4dvowzJl3ZylsZngGY/3y3wxoyypgu9XD9uHOG5Z/fYXYmuQ1ntsKoaKuOMi5hqk9Qqd1bMXEWvB8BKQArp9v6bvEa5YgQt6h1kJuR47q1evjo6rjSqd9hyQHWN2OrzliUEghjAjwaI0bzYKLSVXrUXf+vUejZh8nh7HetBWf7REbU1ywJmJp2k/grdY3RUtqNWB5dJSvkJF1QuLF8dWJeUOrFDXY1e5Q4iVKa/ltiAMcD2C8PGEPTH+Zynp1MeX3mKwNGIPQsoRkfU/maqFATaMfn8Ttj8xjkeyWwuwV6FGN199ja4E7V9GU+cIFv8jGkmfdgkORHh7C4/m1
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: jr1yc4a1/LK7lk+SeUJaoPKZ/KA7As/e5cFZ9po1Ir8u8c/mS7DxeErs7lz4N2WHwzyeKML7pS7+u/P/nCX/7qiJ883yUjKly30Zxo3KWFpezOCbh0mgWvP8uc8XSCyamK6RJjj33vPcLUZjwt+bE3fIHZIVE5f64ZGqPOsEZh3WphjYTcOZZLsCGzWDIWvh4rwSS5NzaC5ssRW/gTaQaL6ED7zy6eAMBU53qAfWsJCvQD+pNEr0XOzo6Rs2xaBkV3adl675ZGBcy/EncToMSLDXP5fWJWIclkw/ZLww73jvvtc6+S3i4Se2Vfu40oFJtSmN2S6nw0vWxYZFbWBqGIxEsrqfUDucAO6fExWYvyqMEwWULSVJaxZCSgSWGiT8CekW2XQhqnQUepD/KowOakdBjLf5RE0nuJGHkPM3eg0=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: evequefou.be
X-MS-Exchange-CrossTenant-Network-Message-Id: 674dc9aa-e9bb-4f90-c5ec-08d6a8030ba1
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Mar 2019 22:27:15.0761 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR22MB0551
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/E6tiLMuegIvkKkBtYTpXPDoOaFQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 22:27:23 -0000

If I'm understanding correctly, the concern is about the server running inside a private infrastructure such that it never sees the client's public IP, but instead an IP belonging to the inner edge of its load balancer.  To echo back the "client IP" in this deployment scenario would expose the server's deployment details to clients.

I'm unsure how common such deployments are.

-----Original Message-----
From: QUIC <quic-bounces@ietf.org> On Behalf Of Tommy Pauly
Sent: Wednesday, March 13, 2019 3:20 PM
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: QUIC WG <quic@ietf.org>; Eric Kinnear <ekinnear@apple.com>; Chris Wood <cawood@apple.com>
Subject: Re: QUIC Address Extension for NAT detection



> On Mar 13, 2019, at 3:04 PM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> 
> I like the idea of communicating the address, I agree that it would be 
> useful for QUIC in general to detect NATs.
> 
> OTOH I am bit concerned of the privacy implications of a server asking 
> the client it's IP address. Because it could be considered as a 
> private information, when the client is running behind a NAT (or a 
> VPN, or something like Tor).

To clarify, you are concerned about the server asking the client to send what the server's address is? The protocol only lets the an endpoint request its own public address. The security concerns section points this out:

Moreover, since endpoints can only request their public
   address, peers cannot accidentally transmit their (possibly private)
   address to a peer.

> 
> Considering that, it might be a good idea to make the protocol 
> asymmetric; i.e. design the frames so that the server sends the 
> perceived address of the client and then the client responds with a 
> boolean indicating if the perceived address is the actual address.

Yes, as something further than the existing mechanism, we could have replies indicate if a client thinks it is behind a NAT based on the result of the exchange.

Thans,
Tommy

> 
> 2019年3月14日(木) 1:20 Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>:
>> 
>> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path:
>> 
>> QUIC Address Extension
>> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/
>> 
>> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections:
>> 
>> TLS Client Network Address Extension
>> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address
>> /
>> 
>> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections.
>> 
>> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them!
>> 
>> Best,
>> Tommy
> 
> 
> 
> --
> Kazuho Oku

v2.23.0 | Report a Bug | By Email