Re: New Version Notification for draft-duke-quic-natsupp-00.txt
Martin Duke <martin.h.duke@gmail.com> Mon, 10 February 2020 20:52 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B347212084E for <quic@ietfa.amsl.com>; Mon, 10 Feb 2020 12:52:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y5WLE4mN0Qug for <quic@ietfa.amsl.com>; Mon, 10 Feb 2020 12:52:28 -0800 (PST)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34C94120018 for <quic@ietf.org>; Mon, 10 Feb 2020 12:52:28 -0800 (PST)
Received: by mail-wm1-x331.google.com with SMTP id a5so786282wmb.0 for <quic@ietf.org>; Mon, 10 Feb 2020 12:52:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vEIm/Dp5qNLHLfmIkixAvuswERTqFdICEvcR2ZYrbc0=; b=LQKF4eS0lqRYJhSYiNPxTSZsJ7JvMm2p/oyORoQY9cLnkGRfXzGC//kqSZe8KOoVRv HOCksT7SG9i20eGN+LS1JIt2djy568NoXpmeWpf1s7pYluNmNrqIJgiItxckTuxkRS4m h1Ifl0t/p9O51HvwZqEzo3wvOWjzBq7iS2NADt4yKcOcmcIbvxlbOVPjWjePBMbDKbnf sPz0kJMBy7sCmVaOZQ/gVGxm4fhV77brzXV/pXjntt7KqXl9RLVbEYnY/+INcRGkAJCg V+3ZWKujoCm+9KII2W2Ru13fwcV9NKTSxCVp1eZ9toGfGbmyKWYtn7/Cyp0L2ew85WBO ZK+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vEIm/Dp5qNLHLfmIkixAvuswERTqFdICEvcR2ZYrbc0=; b=kYJL4ozoqT4phJgz3YGeJ6NGbdWQNd1tkHMYn5Wr/uqgHu2Oe/RmXapiW8nIsx0aUx 3i6R1PyhTzCfh50IiLxTHii4lvws7oqdLo0JyQKKiPjHd54dXTD9aEAMs3l2G6Ma6BrK QYX65HmdtmK0z6Q0qm9GZkO6/xuSLIshtFVSCv4xS5CESU41zObqmxHmGQy2UapHyQIC n0AdyMafo6r6u6h//wRd7OtAr6I8hcLJVgYqZZCtQ8PF9tR14rZHI3bMVsxh/5QZyoi+ EHa0MSSY/9qVieF/lGNCj2nQov8WqTaRv7Ck5JA5IU5zWMHiE5V2XWeN4abtbhu5D9SA AO7Q==
X-Gm-Message-State: APjAAAUp4SrLWMcaHTbgTw45K2luduBHE8xKMygzvUo4xytREszi69R9 7oD1DPHeYMs+HVMKEaQOeEViNr0J/UiXrfqeHUE=
X-Google-Smtp-Source: APXvYqwZnPJzYSgVe9gVEBOP0yIkEWqGlhGa7cEQvBHrFtvVQGB+XkK0yK4cXoBWrbn+7vuS3KNXu+u6WavZRBrsu8s=
X-Received: by 2002:a1c:7215:: with SMTP id n21mr894567wmc.154.1581367946654; Mon, 10 Feb 2020 12:52:26 -0800 (PST)
MIME-Version: 1.0
References: <157470946896.14159.17248985824634821547.idtracker@ietfa.amsl.com> <CAM4esxTPb1p_mH4eOpj62K0hVd0c5S50UC=rSbVqe=1bRXyJ0g@mail.gmail.com> <FCCC853A-2984-4823-AB67-71DA0A13E4A0@ericsson.com> <CAM4esxQPOJmnm+qmBPhQDi-hrYMkXUjB8Ptj5FaT6o7pK3K8YA@mail.gmail.com> <6A334674-0D30-4FB6-A4BE-4D2BBAF344A4@ericsson.com>
In-Reply-To: <6A334674-0D30-4FB6-A4BE-4D2BBAF344A4@ericsson.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Mon, 10 Feb 2020 21:52:14 +0100
Message-ID: <CAM4esxRJv1xuM6ztDj4Fb23JwazaLhudfkBUJmrb8_K9OAzFdw@mail.gmail.com>
Subject: Re: New Version Notification for draft-duke-quic-natsupp-00.txt
To: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b839dd059e3eea2e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/PzqX8NcnXdr5FUhPN_lMge_WcZ0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2020 20:52:31 -0000
Responses inline: On Thu, Jan 30, 2020 at 10:53 AM Mirja Kuehlewind < mirja.kuehlewind@ericsson.com> wrote: > > > I somehow was initially only think about out-going packet and no incoming > packets… so, yes, the NAT needs to discard this packet. However, you say > the NAT is out of addresses/ports, thus not using the CID would have meant > that it would have to discard the connection right at the beginning. Not > sure if that is any better…? > It's a good point that immediately dropping is not great either. However, - this would create an ossification vector where CID changes may break the protocol. - it's better for QUIC to fail right away (enabling TCP fallback) than to black hole suddenly. > > > > > Section 4.2. > > - Server deployment has 4-tuple routing and it is expensive to change > > - IT installs a NAT at the front of the infrastructure that stores a > mapping of CIDs to inbound source address and port. > > > > This step was also not fully clear to me from the draft. Now that I look > at it again, I understand what’s meant but I think it could be clearer in > the draft. > > > > So is 4-tuple routing actually common? Why is the 4-tuple used instead of > only routing based on the destination address/port? > Yes it's common. If we're fronting a single website there may be a single destination IP and well-known port, so the destination doesn't add any entropy. > > > - If a packet arrives with a known CID but a different source > address/port, the NAT will rewrite the source/address port to the old > value, and thus the packet will route to the correct back-end server. Thus > the infrastructure is robust to NAT rebinding, if not intentional migration > with a new CID. > > - While this "works", it has security implications as discussed. > > > > I think you need to further explain the attack case here in the draft – > that an attacker might spoof the IP address and therefore can DDoS a target > as the server might keep sending a large amount of data to that new IP > address. However, I think this should probably be discussed in the security > section of the transport draft a bit more as this is only possible because > of migration which is a new feature in QUIC. > I believe Eric Kinnear has already written a ton about how to handle new addresses in the transport draft. I'll rewrite the paragraph as you suggest. > > > However, given that if someone anyway decided to implement this setup, the > endpoints have no way to detect that an address changed and was > respectively re-written then again, should we maybe start think about a way > to improve the situation…? > > The signal here is that absolutely nothing in the packet has changed, so I'm not sure how endpoints could possibly detect this. >
- Fwd: New Version Notification for draft-duke-quic… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind