Use of zero-length connection IDs and NAT rebinding resilience

Cameron Steel <ietfquic@tugzrida.xyz> Sun, 04 August 2024 22:37 UTC

Return-Path: <ietfquic@tugzrida.xyz>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C04CC14CF1E for <quic@ietfa.amsl.com>; Sun, 4 Aug 2024 15:37:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tugzrida.xyz header.b="InjlpjIM"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="DIShqZN+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jKioKMreZBiw for <quic@ietfa.amsl.com>; Sun, 4 Aug 2024 15:37:24 -0700 (PDT)
Received: from fout1-smtp.messagingengine.com (fout1-smtp.messagingengine.com [103.168.172.144]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE2A6C151980 for <quic@ietf.org>; Sun, 4 Aug 2024 15:37:24 -0700 (PDT)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailfout.nyi.internal (Postfix) with ESMTP id 7BB971388062 for <quic@ietf.org>; Sun, 4 Aug 2024 18:37:23 -0400 (EDT)
Received: from wimap24 ([10.202.2.84]) by compute2.internal (MEProxy); Sun, 04 Aug 2024 18:37:23 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tugzrida.xyz; h= cc:content-type:content-type:date:date:from:from:in-reply-to :message-id:mime-version:reply-to:subject:subject:to:to; s=fm3; t=1722811043; x=1722897443; bh=9CDQOT8H33FB15Rit1LtGTYk6C0j0RyZ bmABWE8fB3s=; b=InjlpjIMclIENOVAefIVK6w8/aunZBBQgtnObYI6hchZ2rTb wqfYZrzMFC5qGkVS8ghHq63RBMTLzhRDIuVLmhOZtfMpVCHjx4hkh+T1usr5JLRd j7Cw3awzJ6kDw0HUZgreKwHB4UASEqEcu0Rnoo+8SihGx4mmijQBYS22ZUU2a7qJ ah+DOaxqluFRCt4kz0VGfwWpGuYkYnGPgnm+Qjh/sa/Q1v+wRob9OQSZIFfKITWM eDs6gPeNRf2LQe7DwzAf7gT60s5GfwEuI4TrwHQmlhuj8tWVaWIH4I2cso5PCNSi ltaC+JKNl+neaD3vjtYT076GM0sVgjCM7qXxtQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:message-id :mime-version:reply-to:subject:subject:to:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1722811043; x=1722897443; bh=9CDQOT8H33FB15Rit1LtGTYk6C0j0RyZbmA BWE8fB3s=; b=DIShqZN+R5zM2Z1q4zduYRBpNUtRuc/03tkyYn3FnWhezJz05zF XHM1aJYwcQ/pKIUxTdTH8Ji4Ir8kwJYa1U19w8ZtPc5uGlMvxrnERw/WlEATe1Ut YwE34751W3OevdK8qs7hOwuYQq3R6mkC9r0H1tsqKVrulBTHKshxyBKabCQc8ceU tjPZfjS237JsvoCfs4Gih3ArYEpxFEKC2vlaBdBa0Tm1oYPYWgGUHoT6qUkkdniV /jt+wxRHc0Rly/y5CrcmJw1mifyXR2IUAzbQn9ghPOwEyt8uwnV9jdhC4st5u7jX Yf/7Wy/3ECZBCqNCWdkFaac7QYh2uYDZgbw==
X-ME-Sender: <xms:owKwZlVShA3sBTbxGH-xaJUzzfUdh5Kl6x1-QQcxWU38CqPru14Oyw> <xme:owKwZlmIoYdLyRDVypoucXTL2jKZmn0_kS6xzCg_nKx5aeVOHi_QkDxxQvqJf9fCs 6coIYca4AkklgFgFFE>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeftddrkeehgddufecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecufghrlhcuvffnffculdefhedmnecujfgurhepofggff fhvffkufgtsegrtderreertddtnecuhfhrohhmpedfvegrmhgvrhhonhcuufhtvggvlhdf uceoihgvthhfqhhuihgtsehtuhhgiihrihgurgdrgiihiieqnecuggftrfgrthhtvghrnh epudfhffejfeetffevheejtddttddtveetgfelgeeftddujedtvdfgffeifeehleehnecu ffhomhgrihhnpehtuhhgiihrihgurgdrgiihiienucevlhhushhtvghrufhiiigvpedtne curfgrrhgrmhepmhgrihhlfhhrohhmpehivghtfhhquhhitgesthhughiirhhiuggrrdig hiiipdhnsggprhgtphhtthhopedt
X-ME-Proxy: <xmx:owKwZhZcs7e7mdyqMfUQzoUixp7PAugHjeZDYOzsSeEu36GcXTeYZw> <xmx:owKwZoVlRZmbW40nrz8A4XbZZRY1JG1iVPtgJgk-L0rAOn0REjMgLg> <xmx:owKwZvl7ocRYAjeDayJmLvyEL5Hioh7-u1sB8eggWaLVYgEkiXqLqg> <xmx:owKwZlcbloaNqUmR401NbNiNVK_zbjEvZKnzs56UR0K8y3s_OqFCEw> <xmx:owKwZuulyzXDdHBCM9nhHywvcELL-S1By5t0Lp_hZoishQfIsq9qjup7>
Feedback-ID: i55d9460b:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3C1D825E0064; Sun, 4 Aug 2024 18:37:23 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
Date: Mon, 05 Aug 2024 08:37:23 +1000
From: Cameron Steel <ietfquic@tugzrida.xyz>
To: quic@ietf.org
Message-Id: <bef28311-83d0-4aff-bce2-81fc14e58a20@app.fastmail.com>
Subject: Use of zero-length connection IDs and NAT rebinding resilience
Content-Type: multipart/alternative; boundary="d5cabcfc344444b99f0c84c0c48f4b89"
Message-ID-Hash: NVZLK5OC4RHBN57MO4QIXFTODYDFT2OU
X-Message-ID-Hash: NVZLK5OC4RHBN57MO4QIXFTODYDFT2OU
X-MailFrom: ietfquic@tugzrida.xyz
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-quic.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/SxiVzj388VnVi7b4AGjf-1GQg-o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Owner: <mailto:quic-owner@ietf.org>
List-Post: <mailto:quic@ietf.org>
List-Subscribe: <mailto:quic-join@ietf.org>
List-Unsubscribe: <mailto:quic-leave@ietf.org>

Hi QUIC experts,

I've just completed a writeup of an issue I was experiencing with websites using QUIC through my ISP's CGNAT. In short, the issue was due to the CGNAT having a rather short UDP timeout of 20 seconds, in combination with the fact that Google Chrome seems to use zero-length connection IDs, which prevents connection migration.

In the process of checking the behaviour I was observing against the QUIC RFCs, I came across a few oddities that I'd like to bring up:

Both RFC 9000 and 9308 fairly plainly state that connections using zero-length IDs will not be resilient to NAT rebinding, however RFC 9000 section 5.1.1 does have this passage which vaguely implies that multiple network paths are possible with zero-length IDs:

> An endpoint that selects a zero-length connection ID during the handshake cannot issue a new connection ID. A zero-length Destination Connection ID field is used in all packets sent toward such an endpoint over any network path.

As this is only implied the once that I can find, I'm assuming it's just ambiguous wording and that the intended behaviour is what I observed, that connection migration is not permitted when using a zero-length connection ID.

Given that, I'd be very curious to hear any insight into why Chrome has chosen not to use connection IDs.

If anyone is interested in reading my full writeup, you can find it here: https://blog.tugzrida.xyz/2024/08/04/too-quic-for-chrome-troubleshooting-udp-nat-rebinding/

Cameron Steel
he/him