Re: QUIC Address Extension for NAT detection
Kazuho Oku <kazuhooku@gmail.com> Wed, 13 March 2019 22:54 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C213127983 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:54:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z5FDULl5NLE4 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:54:12 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24461200ED for <quic@ietf.org>; Wed, 13 Mar 2019 15:54:11 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id z20so3085681ljj.10 for <quic@ietf.org>; Wed, 13 Mar 2019 15:54:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=eO7godfm9+j/B+wa7TotLRYCUHujb3o6rQcd8cV3G1Y=; b=ibAIwXXSY30j1Uh3ROkxtdP0TcZu9uqk07rE5I1rE/JfG3e07yPrCtNUmDQ6oMXNMv 0W7ip35nMqMdTUzIX/rV7RmrtR3aPR5+YEWwJXb/Ivxmihjlu9ajZt5BzsrXTk0qAcEw G+BdWKfo1tk03snByjIokKhbg9uAKo/XCLJUqJfLAQFSg+zAsq4iVCF7BxMe1q9sjfTl E/g/Jflx5jlzLAEKx1QKt8S/AONVPQQvG4xxLuo8+OcZxQrTaz1PGQF8E5qZy9eQWrjg 4+6DD5dFDVgM2HLDVvou63Om64FGgIQRJMA4QW7Z3NguOd9f32izIHMIFrp9ScTvpqDz vU+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=eO7godfm9+j/B+wa7TotLRYCUHujb3o6rQcd8cV3G1Y=; b=FXEvsyonilsbt6xQYh3I3QTNUYDkYI1HryKzMnC3J/Fl24cg3+lAzqfDa35aUb/Du/ AT2tw2PABsy5+dyo2sme9pU3kP6aWi5PloECDvhFk4sN3IkkFWryCfwWZzGLOfqLuVda N1Yp+22KJmaA9sp3NS0UWm/6hRZGgunB7NxBGrFY29xHdwrx6P8cJx/quktMXx3Lq9qq qhrQ/ZOWEwBCoDglYlMTWJ9Wy0NhS3eE7YQ9ahXEUvCtIGSJbN7XOEPzXBiMc3vxWMIr HfPV3IADD8xtvqcgU609pGFPsUp8B7ch+7eGROc6ib+L3/Ax+pfJ9AXB6Q2XAyIQU6Uk qwmw==
X-Gm-Message-State: APjAAAUPBwwUvHj+QfNyIX5ccKsz0I7Js7dJfR6NJIbr3jxogAgzJr2e FFpfOu+ppUoqHdZz6WylU1wvAyFiAoB9kvlVdRw=
X-Google-Smtp-Source: APXvYqz8BMlaMMlCl7K8hVLcqDz8/8uM6JBXC+aR5lnVjGKm/pbSB9aQliO6B7TQP9sKad2h07pCx6lKLSSE9f5tEVo=
X-Received: by 2002:a2e:9e4b:: with SMTP id g11mr995480ljk.155.1552517649714; Wed, 13 Mar 2019 15:54:09 -0700 (PDT)
MIME-Version: 1.0
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CANatvzxf1BjTe=A2Ui3m9U2LhE501Fy0pom0LLbMGn=zSU-yAQ@mail.gmail.com> <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com> <CANatvzyJfxpaM0dryj2EU2XoGh5ggwzX2Ss-72RAtaXdeWBipg@mail.gmail.com>
In-Reply-To: <CANatvzyJfxpaM0dryj2EU2XoGh5ggwzX2Ss-72RAtaXdeWBipg@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 14 Mar 2019 07:53:59 +0900
Message-ID: <CANatvzy6NGHM6vmf6k-zg_irW3pqsCqmSD+OX+QFVqySi_8phQ@mail.gmail.com>
Subject: Re: QUIC Address Extension for NAT detection
To: Tommy Pauly <tpauly@apple.com>
Cc: QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/TkVCYyEiirQGJqo1bXgfo4kmwyI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 22:54:15 -0000
2019年3月14日(木) 7:46 Kazuho Oku <kazuhooku@gmail.com>: > > 2019年3月14日(木) 7:20 Tommy Pauly <tpauly@apple.com>: > > > > > > > > > On Mar 13, 2019, at 3:04 PM, Kazuho Oku <kazuhooku@gmail.com> wrote: > > > > > > I like the idea of communicating the address, I agree that it would be > > > useful for QUIC in general to detect NATs. > > > > > > OTOH I am bit concerned of the privacy implications of a server asking > > > the client it's IP address. Because it could be considered as a > > > private information, when the client is running behind a NAT (or a > > > VPN, or something like Tor). > > > > To clarify, you are concerned about the server asking the client to send what the server's address is? > > I was concerned about the server asking the address of the client > which might be running behind an VPN or something. > > Assume a client having an IPv6 address, occasionally connects to > example.com through a VPN. > > Without the extension, the server cannot tell if the client is the one > that has visited previously or not, because the client tuple that the > server observes changes between connections. > > However, if the server could obtain the client's true IP address > (that's what the _QUIC version_ of the I-D allows, am > I correct?), then the server can see if the client has returned by > checking the value. Please discard my comment. The client sends the server's address. I think I'm still asleep. > > > The protocol only lets the an endpoint request its own public address. The security concerns section points this out: > > > > Moreover, since endpoints can only request their public > > address, peers cannot accidentally transmit their (possibly private) > > address to a peer. > > > > > > > > Considering that, it might be a good idea to make the protocol > > > asymmetric; i.e. design the frames so that the server sends the > > > perceived address of the client and then the client responds with a > > > boolean indicating if the perceived address is the actual address. > > > > Yes, as something further than the existing mechanism, we could have replies indicate if a client thinks it is behind a NAT based on the result of the exchange. > > > > Thans, > > Tommy > > > > > > > > 2019年3月14日(木) 1:20 Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>: > > >> > > >> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path: > > >> > > >> QUIC Address Extension > > >> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/ > > >> > > >> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections: > > >> > > >> TLS Client Network Address Extension > > >> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/ > > >> > > >> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections. > > >> > > >> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them! > > >> > > >> Best, > > >> Tommy > > > > > > > > > > > > -- > > > Kazuho Oku > > > > > -- > Kazuho Oku -- Kazuho Oku
- QUIC Address Extension for NAT detection Tommy Pauly
- Re: QUIC Address Extension for NAT detection Mikkel Fahnøe Jørgensen
- Re: QUIC Address Extension for NAT detection Tommy Pauly
- Re: QUIC Address Extension for NAT detection Mikkel Fahnøe Jørgensen
- Re: QUIC Address Extension for NAT detection Erik Kline
- Re: QUIC Address Extension for NAT detection Christian Huitema
- Re: QUIC Address Extension for NAT detection Martin Thomson
- Re: QUIC Address Extension for NAT detection Ryan Hamilton
- Re: QUIC Address Extension for NAT detection Kazuho Oku
- Re: QUIC Address Extension for NAT detection Tommy Pauly
- RE: QUIC Address Extension for NAT detection Mike Bishop
- Re: QUIC Address Extension for NAT detection Christian Huitema
- Re: QUIC Address Extension for NAT detection Kazuho Oku
- Re: QUIC Address Extension for NAT detection Kazuho Oku
- Re: QUIC Address Extension for NAT detection Martin Thomson
- Re: QUIC Address Extension for NAT detection Roberto Peon
- Re: QUIC Address Extension for NAT detection Christopher Wood
- Re: QUIC Address Extension for NAT detection Roberto Peon
- Re: QUIC Address Extension for NAT detection Tommy Pauly
- Re: QUIC Address Extension for NAT detection Tommy Pauly
- Re: QUIC Address Extension for NAT detection Mikkel Fahnøe Jørgensen
- Re: QUIC Address Extension for NAT detection Tommy Pauly
- Re: QUIC Address Extension for NAT detection Mikkel Fahnøe Jørgensen
- Re: QUIC Address Extension for NAT detection Patrick McManus
- Re: QUIC Address Extension for NAT detection Tommy Pauly
- Re: QUIC Address Extension for NAT detection Patrick McManus