IETF Logo Mail Archive

Re: UDP source ports for HTTP/3 and QUIC

Martin Thomson <mt@lowentropy.net> Thu, 15 July 2021 01:20 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 356903A1404 for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 18:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=NkRueKIg; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=bFiQcuS4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bm_qKQg55tOY for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 18:20:39 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0323E3A1400 for <quic@ietf.org>; Wed, 14 Jul 2021 18:20:38 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id DF6D15C0191 for <quic@ietf.org>; Wed, 14 Jul 2021 21:20:37 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute5.internal (MEProxy); Wed, 14 Jul 2021 21:20:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=mRvyfoIe93GjqyzqQ56n+QzD7kTvRgG lUZ0VUVGZG1k=; b=NkRueKIgLX2r4Qm8X6GJvwiXpoKGrEgaet6+9hVWyZTdxaa v605gJhNRUamrSG3u0ccBI8Q6E0/lMdqedA5BIW6wtmPPGUBfJBEmqB78RsvP87D y33yksOhSt68JIeTxX9MzeyUsLj9jPfm6ov6nuTzI5taQ0c7WrRDBKkXxhQAaE+1 /szzq24zYS21s9e6E8wz1InNiouneIp3fLgQscRqoUbP1NmaugxjSsxslkXB4wtO YvAW4UjihKLo8/9p+blzhsLwtB/p5aOI8qlaw8dEazX8LiwSEuvipm7C3bC901JN c8bWaEUkO83a0gXL1qggpeBKLXw+9ofNk9S6NEg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=mRvyfo Ie93GjqyzqQ56n+QzD7kTvRgGlUZ0VUVGZG1k=; b=bFiQcuS4Df0PCHsHRkyEdD rFwN7mPLSDBAHgORdbIi2AuD17RrP1uZGz8yi445+ToLT2LHbqQfZ7CwkRYDkQAO hZslnQh27/4OClfUr0C9zP1noKUjg7+lXKnpZoREbOS71REIStI6U2DuepBFV4l+ jdKx6vGqVAhKx51oykGbSZR92rRMXEK+/YIZBx3fONhclj27VZelnwmcy8MD+Crx YS5GvCJbBzEINOq8hMfsaK9FBd1iyJqeWcIgsilWnn3TIX3DSrYoRJrKMUvlu2/4 DOwT7UpT+ZCz2Mb4IUlduHT6/MANBIAMA1NnC9pMiP63+4JqtPnwVutIezdaAZnQ ==
X-ME-Sender: <xms:ZY3vYN3e5aNXdUaj_1h5wB67BoVES6l-6qP-XQeb1QZm4AfJ-PTQ_A> <xme:ZY3vYEGOzLCeKxU24n56IW6yK7aLC7C4Nj-04pQr1QuZ0-iuPRtPTES0fK-mQxVY6 ddLKdDRSighRiJowd0>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudelgdeikecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepkeetueeikedtkeelfeekve fhkeffvedvvefgkefgleeugfdvjeejgeffieegtdejnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:ZY3vYN5PM4jhVD0qrFaBCjEr1aFkI54N-3XZKTqrQtcfJpD2DUXhAA> <xmx:ZY3vYK3hJYGFvr9NPTow0DVNzgZvqMUlbZtKF0bWXt_1ED4_SuTr0w> <xmx:ZY3vYAFJolOR6q7X4lld3Z2L5Tc06V0kknAbR7kG-eObUvBUUzDhhA> <xmx:ZY3vYERoTuuGDXhWwi9Nas0C_hsEmDuudgfRH8pUr6TqTXt1IO1JJw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 91A053C0BDC; Wed, 14 Jul 2021 21:20:37 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-533-gf73e617b8a-fm-20210712.002-gf73e617b
Mime-Version: 1.0
Message-Id: <3e657a11-1c6a-472b-9600-08c3f04f6e25@www.fastmail.com>
In-Reply-To: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
Date: Thu, 15 Jul 2021 11:20:19 +1000
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: UDP source ports for HTTP/3 and QUIC
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/bG8UhdLubXdf0UcMSItQo1jnRcw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 01:20:44 -0000

Thanks for raising this Mark.  (Limiting my reply to QUIC, because I think this is more specific to that group.)

On Thu, Jul 15, 2021, at 10:20, Mark Nottingham wrote:
> Overall, the chance of collision (i.e., a client or a NAT choosing a 
> blocked source port) is quite low, but at Internet scale it'll happen, 
> leading to the client needing to open a new connection, thereby adding 
> perceived latency. 

What is going to happen in many cases is that QUIC will be disabled in addition to having high latency for that connection.
 
> My question is whether there's a need for more coordination -- e.g., a 
> very short RFC outlining such ports, to help bring this to folks' 
> attention (especially in the NAT crowd)?

So this isn't easy.  I think that it is good you raise this either way.  From the client side, some greater determinism around this would be good, for the above reasons if nothing else.  We don't currently have a source port blocklist and we will need to add that.

Because this isn't entirely under our control as a client, us knowing doesn't really provide a complete solution.  To that end, I am inclined to say that an informational RFC is a good idea.  Ideally, NAT and cgNAT will avoid these ports also and an RFC does tend to reach people.

HOWEVER, the challenge there is that the exact set of port numbers could be volatile.  That memcached is a problem is well known and so we can reasonably exclude it for the foreseeable future, but we don't know if other protocols might become a source of DoS.  We might hope that new protocols adopt designs with more rigorous DoS prevention inherent to them (like QUIC), making this less likely, but we can't guarantee it.  Baking a list into an RFC seems like it might need careful consideration.

v2.23.0 | Report a Bug | By Email