IETF Logo Mail Archive

UDP source ports for HTTP/3 and QUIC

Mark Nottingham <mnot@mnot.net> Thu, 15 July 2021 00:20 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C5BD3A1045 for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 17:20:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mnot.net header.b=PwMtGUuO; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Jkk3WoQa
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UJRcgMuxKY95 for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 17:20:48 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52DB53A1043 for <quic@ietf.org>; Wed, 14 Jul 2021 17:20:48 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id 06DD23200953; Wed, 14 Jul 2021 20:20:46 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Wed, 14 Jul 2021 20:20:47 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mnot.net; h=from :content-type:content-transfer-encoding:mime-version:subject :message-id:date:to; s=fm3; bh=lFWY92NWU44OG+Yu37umA2B4jIDRgRSan VmtBpECvsY=; b=PwMtGUuOTLXRcj6s/hvD/mIj++DfX0OLgsZda0f1ud5AYbfKx YuUfoUaYQHErCMrTmZWGeqkOmuxvt0h+rRKGVrKO04CM4nVmSIch/idqL/nWrz0O 3ZPF0ekziSYxmwmKdcX1NwCLlB8y9XiSBc60VuyHN/bmspIgjiRj28juyz5K+Vtb p9qh9mGpq+DGcEIpcFRvF1CzaVKuuoZlaov1wOGemAURAXlZP9WFZF703dz3YyaX c+w4CgbFMjhN4hqVPU3wJdU8BR/q4yf0pPqJBHPQ3t0htrezJ20YeOmsb/1IJCq6 XmWZfZ0YZDPiABR2HQWDAF1auxFqTkPwhoICQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=lFWY92 NWU44OG+Yu37umA2B4jIDRgRSanVmtBpECvsY=; b=Jkk3WoQaTOmYih515zgcJg 7HMiry+vSv5wnl3/ExIex9KSUEFoIWhE/3x1ALGxmon5p3dPSKPDJID36xovB/0A FHCyRajrQSiLWQj8Xk7tOnAf6o3xme5397YId9EnMFxOlDP6aGCasYLjPWkK5K9G U0y9Wrya3wZ5Fa4zI7die7EmOekwcJLeTW/6jjR+ZhkfeLEtTlUCgNyRljpKjK3F uc2xLM/rj1g2makpG2ZVHRwL0Y6UdHbb3eQeFNvPhwK3wp8rvdNi6/h/yRBuo2ny q+EcIjqaMBZRnd72R+CzKtW3eR+mXQrkTqD1TTuZRZ14dyjUVLQN2nMTiLjq/zYA ==
X-ME-Sender: <xms:XX_vYK6TdlRl5U40ErFuflIl20f3dUTzU_ZN7IgwYrWuoPbkstdn3w> <xme:XX_vYD5Ric99GI1GNCNkzu9tVrRNKiQhOfGQGuWPmBR237WTMVg0m_eAhk1n3l9Yq NeoBBFY7iImBVzyjA>
X-ME-Received: <xmr:XX_vYJej_VwvZ4ooyB2jNVSd8hdjCYqnpmfFxyGL9umbRnZFjqMFk4ss1DdMspPucgzigu6dzg__u6RRauSxTMBFTf9bYUnXvHy_rRHW4LHcNOlejoq5QzWQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudelgdehiecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefhtgfgggfukfffvffosehtqhhmtdhhtddvnecuhfhrohhmpeforghrkhcupfho thhtihhnghhhrghmuceomhhnohhtsehmnhhothdrnhgvtheqnecuggftrfgrthhtvghrnh eptdekkeejhfeukedvteejffegtdeuueelvdehueefiedvjeegvdefkeevgfekuefhnecu ffhomhgrihhnpegtlhhouhgufhhlrghrvgdrtghomhdpthhtihgrshdrsggvpdhmihgtrh hoshhofhhtrdgtohhmpdhgihhthhhusgdrtghomhdprhhftgdqvgguihhtohhrrdhorhhg pdhmnhhothdrnhgvthenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrih hlfhhrohhmpehmnhhothesmhhnohhtrdhnvght
X-ME-Proxy: <xmx:XX_vYHK9D38CwZcyl2fS5WHMEWXstgKIVxWimEWzpxNoiWkJlOHfNA> <xmx:XX_vYOLZQ_sILqaOUSGBZS75qu5EtpADnf40g0ovhmLeAmF9hGYkXQ> <xmx:XX_vYIxt40pxoMPRnhkx0ae2Vjd0El6ATw1WWPrUZphXAhWGaeeHAg> <xmx:Xn_vYK14P5ddcGPc7xoxzvFJCpW8effdzQbRPQAFeRh9VKMA_D55PQ>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 14 Jul 2021 20:20:44 -0400 (EDT)
From: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Subject: UDP source ports for HTTP/3 and QUIC
Message-Id: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
Date: Thu, 15 Jul 2021 10:20:39 +1000
To: HTTP Working Group <ietf-http-wg@w3.org>, IETF QUIC WG <quic@ietf.org>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/S-RFr4SssiQFGO9-ga9_uZsMeLo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 00:20:54 -0000

[ bringing this up on both lists because it's not yet clear what the right scope is ]

It's not uncommon for servers to block certain UDP source ports to avoid being overwhelmed by certain reflection attacks. In particular:

* 53 - DNS
* 123 - NTP
* 1900 - SSDP
* 5353 - mDNS
* 11211 - memcached

... among other candidates.

See, eg., <https://blog.cloudflare.com/reflections-on-reflections/>. This isn't done to avoid protocol vulnerabilities as such -- it's to avoid volumetric attacks (usually DDoS). 

If a client chooses source ports from the ephemeral port range, this shouldn't be an issue. However, some implementations (or deployments) extend the source port range "downwards" to avoid exhaustion:

* On Linux, it's pretty common to tune to extend the ephemeral port range, e.g., <https://ma.ttias.be/linux-increase-ip_local_port_range-tcp-port-range/>

* On some versions of Windows, ports as low as 1025 are used: <https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/service-overview-and-network-port-requirements>

* FreeBSD has used ports as low as 1024 in the past; their documentation is... confused right now. <https://github.com/freebsd/freebsd-src/blob/373ffc62c158e52cde86a5b934ab4a51307f9f2e/sys/netinet/in.h#L272> (I don't run a FreeBSD box to check this)

* NAT and CGNAT are a thing. <https://www.rfc-editor.org/rfc/rfc4787.html#section-4.2.1> recommends that source ports in the range 1024-65535 be reassigned within that range, which can cause collisions. 

Overall, the chance of collision (i.e., a client or a NAT choosing a blocked source port) is quite low, but at Internet scale it'll happen, leading to the client needing to open a new connection, thereby adding perceived latency. 

At a minimum, it seems like a good thing for client and NAT developers to be aware that some ports are likely to be blocked, so that they can avoid them if they care about perceived performance. This e-mail might be enough for that immediate purpose.

My question is whether there's a need for more coordination -- e.g., a very short RFC outlining such ports, to help bring this to folks' attention (especially in the NAT crowd)?

Cheers,



--
Mark Nottingham   https://www.mnot.net/

v2.39.1 | Report a Bug | By Email | System Status