IETF Logo Mail Archive

Re: Privacy holes

Ian Swett <ianswett@google.com> Fri, 06 April 2018 12:55 UTC

Return-Path: <ianswett@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 439DA124BE8 for <quic@ietfa.amsl.com>; Fri, 6 Apr 2018 05:55:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0hEz6Cv6dj9 for <quic@ietfa.amsl.com>; Fri, 6 Apr 2018 05:55:27 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4094B1201FA for <quic@ietf.org>; Fri, 6 Apr 2018 05:55:27 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id q84so1599497iod.10 for <quic@ietf.org>; Fri, 06 Apr 2018 05:55:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8dMtntBw6NK2j8nrTgs05sne9j9dwLxpTeCsaDoDh+A=; b=BNcLLeFlEDyKTvy7SqvucNR5s56zJyl9AvvcgwVKXAEJOV39GG1vA2HHOiqNdbcHkz JOU7hLGt8OiJHrZVC+1Q2lpcgTQDbMwEjgvyK1+4x5Iu7it6yknyBYkL9qISU2g4f44T RF/hTdJLQFXYK9W7gxI1jrptHZ3BnCVygNKcpOKpYuHqUB3ZjXuDz8V7jdJGe0yFiILO SHLOhDATkURrsYSaSDQacnQ15jwpR6H4YbOzop948gsa3wjSOhcoi4c9I3Y91yjW9P/D iD80qalOoLlK0hOl1zs9+lLD573DcS5J+Wew56iguMrCoav1EqdompoO8jrcSYCzyMD3 H5ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8dMtntBw6NK2j8nrTgs05sne9j9dwLxpTeCsaDoDh+A=; b=rI9xHEhUZx/fv/RTl/B2ySmvotX2LCFjiRL67aetXonIYpDOV0jpwcX3Vnrr8tTPxM XiSJd1TsmIwFj2PbLo6Jd6GuMP2DlZuvggvEaDR4lKKpgn/igpWyPaw881Q7gvwksaH2 9Gs8GVpSqYj6SV8N6zdxg5GE2yV7dVSZNWCIgznmSghgxP7r+5Q171vMLkeB7Y2/3HII 1lAEk5xcYHzmxvifZh79UsAzAgaLAcybAeos5V1kkq2/bvi/TA5xK4kCw9mEVfDdLGA8 i365GIYsqDHAcLNVbNGTe5lonaaDUzf2I2by6kBMtGUmzDHX39GHrzEbcvpe1iuLqQrP Me0Q==
X-Gm-Message-State: ALQs6tBIi8A5VMTEnJcUKlJTSVt7q9R722dCv0akO3+bbdV3/lZ1+nUt IaZqUMz6e8iwRm5MKixDOzYjUfjPFzFtXLIowZ0qcQyloYA=
X-Google-Smtp-Source: AIpwx4/+noN65hq0/BiALEZrPoVcZ9UzYPCsaHwHVKT49w9OUhui05lPdY8i1rMAPrhTVPZ89+GRfmsxoQx7k/5v7G8=
X-Received: by 10.107.131.83 with SMTP id f80mr23891108iod.102.1523019326306; Fri, 06 Apr 2018 05:55:26 -0700 (PDT)
MIME-Version: 1.0
References: <7fd34142-2e14-e383-1f65-bc3ca657576c@huitema.net> <CAKcm_gNffwpraF-H2LQBF33vUhYFx0bi_UXJ3N14k4Xj4NmWUw@mail.gmail.com> <40C1F6FE-2B2C-469F-8F98-66329703ED50@mnot.net> <21C36B57-6AE2-40EF-9549-7196D7FA9B45@tik.ee.ethz.ch> <B176FC07-887D-4135-B01E-FE8B4986A5EE@mnot.net> <CAKcm_gOCeocLyrYpOS7Ud332xdz3xHSH0psPN8T6BGRjoL9ptQ@mail.gmail.com> <CY4PR21MB0630FA0EDD343396AD414641B6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <CAN1APde13JTzCvKFFvMd183Fka6QGD1kGBjsa9fcoLrYeA2hsA@mail.gmail.com> <CY4PR21MB0630C0FD4FBECBFEC3C863BBB6A40@CY4PR21MB0630.namprd21.prod.outlook.com> <759C5BE4-DE4C-4A82-929C-B03234B88A37@huitema.net> <CAJGwveB=qs+J2iBQRs3d5jdGuP9yBWoAgv0t3mwD=Wrf6Q5g8g@mail.gmail.com> <F395D018-FFCA-405F-BBD5-1313C6F6DAF9@huitema.net> <CABkgnnWAgGJaKs8teKTURiNDRA61fRhN6pxYQuD1MbkPDqasKQ@mail.gmail.com> <2F06334E-C3DF-4034-A6A4-AF383505D930@trammell.ch> <CABkgnnX1=h4qx+3YjXj=ZME5ihZbJ2rqE8zeT4j84dJj0ZfZGg@mail.gmail.com> <b39baf47-f6ef-a249-dfa4-48a32db03d04@zinks.de>
In-Reply-To: <b39baf47-f6ef-a249-dfa4-48a32db03d04@zinks.de>
From: Ian Swett <ianswett@google.com>
Date: Fri, 06 Apr 2018 12:55:14 +0000
Message-ID: <CAKcm_gPcnSm9q+Y0g74RUJRwoz3fdhw-f-HS8=7ngOz0dA+B1w@mail.gmail.com>
Subject: Re: Privacy holes
To: roland@zinks.de
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f998aeeb9d005692d91f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/UaZMbFZhWQzL-W6noCthl9E7zHI>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Apr 2018 12:55:31 -0000

There's some slightly older data from QUIC on slide 10 in this IETF
presenation:
https://www.ietf.org/proceedings/88/slides/slides-88-tsvarea-10.pdf

TLDR: 90% of networks have at least a 1 minute timeout, but only 50% have
at least a 2 minute timeout.

On Fri, Apr 6, 2018 at 6:01 AM Roland Zink <roland@zinks.de> wrote:

>
> Am 06.04.2018 um 09:45 schrieb Martin Thomson:
>
> We do have data about rate of binding creation, courtesy of tests done
> for WebRTC.  In essence, bindings can be created at rates that exceed
> most needs (I think that they went down to single digit milliseconds,
> far lower than I think is relevant here).
>
> Justin Uberti has the numbers, but I struggled to find the email or
> slides; we can ask if you care. This result differed from the data
> that was available when STUN was first developed, where it was found
> that there were non-trivial numbers of NAT devices that lost bindings
> below 20ms (see https://tools.ietf.org/html/rfc5245#appendix-B.1).
>
> The question about exhaustion is relevant, I agree.  There, the value
> doesn't need measurement as much as asking the right person what their
> configuration is.  Take the number of ports open for bindings per IP,
> the duration of a binding, and how many clients are expected to be
> behind each IP address or how many bindings each client is limited to.
> We'd probably need to just ask a few CGNAT operators; anything smaller
> is unlikely to be as sensitive as something that runs at a decent
> scale.  But getting data in the usual fashion - making bindings until
> something breaks - might be a little antisocial.
>
> If we're going to saturate NAT bindings with this, then a signal might
> be a good solution.  Or it might just be that we can recommend a rate
> limit on these little migrations.  Based on typical timeouts on UDP
> (30s is very common, see also experience with ICE), we could say that
> a little migration every 10s is OK and you only have each connection
> taking 3 bindings.  That doesn't seem that bad.
>
> I have found this :
>
> RFC 4787 Network Address Translation (NAT) Behavioral Requirements for
> Unicast UDP (https://tools.ietf.org/html/rfc4787#page-12):
>    REQ-5:  A NAT UDP mapping timer MUST NOT expire in less than two
>       minutes, unless REQ-5a applies.
>
>       a) For specific destination ports in the well-known port range
>          (ports 0-1023), a NAT MAY have shorter UDP mapping timers that
>          are specific to the IANA-registered application running over
>          that specific destination port.
>
> RFC6888 Common Requirements for Carrier-Grade NATs (CGNs):
>
>   REQ-8:  Once an external port is deallocated, it SHOULD NOT be
>       reallocated to a new mapping until at least 120 seconds have
>       passed, with the exceptions being:
>
>       a.  If the CGN tracks TCP sessions (e.g., with a state machine, as
>           in Section 3.5.2.2 of [RFC6146] <https://tools.ietf.org/html/rfc6146#section-3.5.2.2>), TCP ports MAY be reused
>           immediately.
>
>       b.  If external ports are statically assigned to internal
>           addresses (e.g., address X with port range 1000-1999 is
>           assigned to subscriber A, 2000-2999 to subscriber B, etc.),
>           and the assignment remains constant across state loss, then
>           ports MAY be reused immediately.
>
>       c.  If the allocated external ports used address-dependent or
>           address-and-port-dependent filtering before state loss, they
>           MAY be reused immediately.
>
>       The length of time and the maximum number of ports in this state
>       MUST be configurable by the CGN administrator.
>
>
>
> So assuming 30 seconds seems a bit short. When there would be signals for
> session start and end then NATs could track how long mappings are
> necessary. Avoiding that and creating many bindings may be unsocial.
>
>
> On Fri, Apr 6, 2018 at 5:16 PM, Brian Trammell (IETF) <ietf@trammell.ch> <ietf@trammell.ch> wrote:
>
> (Repeating and expanding my comment on #1269 to the list)
>
> +1 to CID rotation being pointless if we don't do this. However, this seems dangerous if not done carefully, and it links CID rotation rate to the maximum usable UDP port consumption rate, which is (most probably) widely variable across access networks and (AFAICT) largely unknown in the literature. We have anecdata here, and we need data.
>
> Note that QUIC presently doesn't have an advisory on-path state clearance signal (we hsd discussed this as a signal bound to public reset in #20, but it morphed into Stateless Reset, which has completely different semantics), which means that there is neither a present nor yet a potential future method to reduce the NAT state load this will generate.
>
> I'd feel a lot less apprehensive about this if there were an advisory, integrity-protected signal meant for path consumption to clear state for a path. Of course it wouldn't be used at all on day one, but the tradeoff it presents is "hey, this is QUIC, it will burn through your UDP port state faster than any other UDP protocol and multiplicatively faster than TCP; but hey look, you can clear state when you see this path-verifiable singal to reduce the impact this has."
>
> Cheers,
>
> Brian
>
>
> On 6 Apr 2018, at 02:38, Martin Thomson <martin.thomson@gmail.com> <martin.thomson@gmail.com> wrote:
>
> On Fri, Apr 6, 2018 at 2:08 AM, Christian Huitema <huitema@huitema.net> <huitema@huitema.net> wrote:
>
> On Apr 5, 2018, at 8:58 AM, Frederick Kautz <fkautz@alumni.cmu.edu> <fkautz@alumni.cmu.edu> wrote:
>
> Are you concerned that middleware boxes may be trained to reject migrations, thereby forcing a new connection with a visible negotiation?
>
>
> Yes. Hence the need to grease. For example, have clients do some gratuitous migration to a new source port number rather frequently.
>
>
> This seems like a simple fix, particularly since Mike recently added
> text that suggests occasional use of new connection IDs.  In the
> spirit of keeping the wheels greased:
> https://github.com/quicwg/base-drafts/pull/1269
>
>
>

v2.23.0 | Report a Bug | By Email