IETF Logo Mail Archive

Re: QUIC Address Extension for NAT detection

Kazuho Oku <kazuhooku@gmail.com> Wed, 13 March 2019 22:54 UTC

Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C213127983 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:54:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5FDULl5NLE4 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:54:12 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24461200ED for <quic@ietf.org>; Wed, 13 Mar 2019 15:54:11 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id z20so3085681ljj.10 for <quic@ietf.org>; Wed, 13 Mar 2019 15:54:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=eO7godfm9+j/B+wa7TotLRYCUHujb3o6rQcd8cV3G1Y=; b=ibAIwXXSY30j1Uh3ROkxtdP0TcZu9uqk07rE5I1rE/JfG3e07yPrCtNUmDQ6oMXNMv 0W7ip35nMqMdTUzIX/rV7RmrtR3aPR5+YEWwJXb/Ivxmihjlu9ajZt5BzsrXTk0qAcEw G+BdWKfo1tk03snByjIokKhbg9uAKo/XCLJUqJfLAQFSg+zAsq4iVCF7BxMe1q9sjfTl E/g/Jflx5jlzLAEKx1QKt8S/AONVPQQvG4xxLuo8+OcZxQrTaz1PGQF8E5qZy9eQWrjg 4+6DD5dFDVgM2HLDVvou63Om64FGgIQRJMA4QW7Z3NguOd9f32izIHMIFrp9ScTvpqDz vU+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=eO7godfm9+j/B+wa7TotLRYCUHujb3o6rQcd8cV3G1Y=; b=FXEvsyonilsbt6xQYh3I3QTNUYDkYI1HryKzMnC3J/Fl24cg3+lAzqfDa35aUb/Du/ AT2tw2PABsy5+dyo2sme9pU3kP6aWi5PloECDvhFk4sN3IkkFWryCfwWZzGLOfqLuVda N1Yp+22KJmaA9sp3NS0UWm/6hRZGgunB7NxBGrFY29xHdwrx6P8cJx/quktMXx3Lq9qq qhrQ/ZOWEwBCoDglYlMTWJ9Wy0NhS3eE7YQ9ahXEUvCtIGSJbN7XOEPzXBiMc3vxWMIr HfPV3IADD8xtvqcgU609pGFPsUp8B7ch+7eGROc6ib+L3/Ax+pfJ9AXB6Q2XAyIQU6Uk qwmw==
X-Gm-Message-State: APjAAAUPBwwUvHj+QfNyIX5ccKsz0I7Js7dJfR6NJIbr3jxogAgzJr2e FFpfOu+ppUoqHdZz6WylU1wvAyFiAoB9kvlVdRw=
X-Google-Smtp-Source: APXvYqz8BMlaMMlCl7K8hVLcqDz8/8uM6JBXC+aR5lnVjGKm/pbSB9aQliO6B7TQP9sKad2h07pCx6lKLSSE9f5tEVo=
X-Received: by 2002:a2e:9e4b:: with SMTP id g11mr995480ljk.155.1552517649714; Wed, 13 Mar 2019 15:54:09 -0700 (PDT)
MIME-Version: 1.0
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CANatvzxf1BjTe=A2Ui3m9U2LhE501Fy0pom0LLbMGn=zSU-yAQ@mail.gmail.com> <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com> <CANatvzyJfxpaM0dryj2EU2XoGh5ggwzX2Ss-72RAtaXdeWBipg@mail.gmail.com>
In-Reply-To: <CANatvzyJfxpaM0dryj2EU2XoGh5ggwzX2Ss-72RAtaXdeWBipg@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 14 Mar 2019 07:53:59 +0900
Message-ID: <CANatvzy6NGHM6vmf6k-zg_irW3pqsCqmSD+OX+QFVqySi_8phQ@mail.gmail.com>
Subject: Re: QUIC Address Extension for NAT detection
To: Tommy Pauly <tpauly@apple.com>
Cc: QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/TkVCYyEiirQGJqo1bXgfo4kmwyI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 22:54:15 -0000

2019年3月14日(木) 7:46 Kazuho Oku <kazuhooku@gmail.com>:
>
> 2019年3月14日(木) 7:20 Tommy Pauly <tpauly@apple.com>:
> >
> >
> >
> > > On Mar 13, 2019, at 3:04 PM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> > >
> > > I like the idea of communicating the address, I agree that it would be
> > > useful for QUIC in general to detect NATs.
> > >
> > > OTOH I am bit concerned of the privacy implications of a server asking
> > > the client it's IP address. Because it could be considered as a
> > > private information, when the client is running behind a NAT (or a
> > > VPN, or something like Tor).
> >
> > To clarify, you are concerned about the server asking the client to send what the server's address is?
>
> I was concerned about the server asking the address of the client
> which might be running behind an VPN or something.
>
> Assume a client having an IPv6 address, occasionally connects to
> example.com through a VPN.
>
> Without the extension, the server cannot tell if the client is the one
> that has visited previously or not, because the client tuple that the
> server observes changes between connections.
>
> However, if the server could obtain the client's true IP address
> (that's what the _QUIC version_ of the I-D allows, am
> I correct?), then the server can see if the client has returned by
> checking the value.

Please discard my comment. The client sends the server's address. I
think I'm still asleep.
>
> > The protocol only lets the an endpoint request its own public address. The security concerns section points this out:
> >
> > Moreover, since endpoints can only request their public
> >    address, peers cannot accidentally transmit their (possibly private)
> >    address to a peer.
> >
> > >
> > > Considering that, it might be a good idea to make the protocol
> > > asymmetric; i.e. design the frames so that the server sends the
> > > perceived address of the client and then the client responds with a
> > > boolean indicating if the perceived address is the actual address.
> >
> > Yes, as something further than the existing mechanism, we could have replies indicate if a client thinks it is behind a NAT based on the result of the exchange.
> >
> > Thans,
> > Tommy
> >
> > >
> > > 2019年3月14日(木) 1:20 Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>:
> > >>
> > >> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path:
> > >>
> > >> QUIC Address Extension
> > >> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/
> > >>
> > >> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections:
> > >>
> > >> TLS Client Network Address Extension
> > >> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/
> > >>
> > >> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections.
> > >>
> > >> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them!
> > >>
> > >> Best,
> > >> Tommy
> > >
> > >
> > >
> > > --
> > > Kazuho Oku
> >
>
>
> --
> Kazuho Oku



-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email