IETF Logo Mail Archive

Re: QUIC Address Extension for NAT detection

Patrick McManus <mcmanus@ducksong.com> Thu, 21 March 2019 15:22 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C975130FF3 for <quic@ietfa.amsl.com>; Thu, 21 Mar 2019 08:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=ISqPGNdJ; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=GOh+EhKj
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oiaYKWBEdItN for <quic@ietfa.amsl.com>; Thu, 21 Mar 2019 08:22:33 -0700 (PDT)
Received: from outbound1b.ore.mailhop.org (outbound1b.ore.mailhop.org [54.200.247.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D93F12799B for <quic@ietf.org>; Thu, 21 Mar 2019 08:22:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553181753; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=pzZ82ExFArLHhbNIQSn1Ef93NXZnQjOz2eObp2b+uzmppx7btpyuiyl5wlmwKjXRlnCDqrW6ifF6L 7O7dXq7fg+nuLqfeY244E+V8T69mpUFDqpfo2S+G7znZUx7j+mO3hHCUuoHwBwi0E/8Ff90c1XgNLn E1Oxnwj+He9FHrVZlEAG5ApPxTM5GGn2xkOm5la0FHPU4bzXjxTG2qjRWYMReELLHEdPdhVKiErAAQ kVyYOoU1JF6L89q2WAnSebqHg26i8Rgv4oem/BYKjCrwxBA0pmzdAOWf/v4ju9GxsLKd0jvP+w5nzq 7ZYnsac2GKVvdlB3lmXIP7RkK90430g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=pqHzTarMuJMlSdpBribEniqBwiAlOS8FK+alId/UtZw=; b=IfHaG45olkL4PXbxk1w6vZT23rIuuQN6wMYvvyNTLkiTCkOjxCwtxs41J3v1yMLtiZOQKviLfMycn 6l263N1+QRgS1mfqhtNQW2QqF1CF+ouOpFv6ITVUAl/cOxGf6SKqNkMLXy2B9EwWqTztT2ZP/NpiiQ 6SkUMZ0q1S5DVyhQ/P4fNJKpZgyyV8GS2yaMD7ZjS1e7SZe6eIGsk6F3j3DXI2s7LtcwQpUVOQuP60 OaLoz7ybxn6lxniZK/o/4g36RKCBYARKQ85mDLD4pP4QSnfQNt5J+5okH5fT+D74+HhkcPSr/3qwMX DCDw8vFgJ8KmLd1DdVk1uIm4UxyfHjA==
ARC-Authentication-Results: i=1; outbound3.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.210.54; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=pqHzTarMuJMlSdpBribEniqBwiAlOS8FK+alId/UtZw=; b=ISqPGNdJNTcJE/nCuKwTfs4rA0bLz1NlR4B94YRkFrbJPzqwF3T3xP3iMye4jr8wmr1HiQll2PsET 0wlPE4kN266+6oPmRtkJkyHSLC7YxmEzenqiYmwfqn7YJlGN29ECC6XFms81jrBrZBYF+mOx55uJFg OZS4bxTY1dWfTId4=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=pqHzTarMuJMlSdpBribEniqBwiAlOS8FK+alId/UtZw=; b=GOh+EhKj+WcTiZkXgdU4XR+fBeKorHSoXNHas+hWKWdMF5m51ARUudZtO7/1EEBbm8dXHhIj6N1qh oh9wIG82KGtImOWzRQErpB4kIw7lqe6pP4CjZxisKO3lyUtbOL4nVOP2aY3PA9QnpWeOtMWE9iP7Ij bbQSEq3Au1LKfdwb2KOUQGEokQ8/z7KxmN+XZkxVGV4t+UhZlXigpz5Y+U7hB/TI4RlB/SYcsuTn6n BoMVJ+150RQulS77A6MAHUR8wOjFMSk+DOSrnT8QSdwLQUKVROxQxwPxgEgQbyTQoPG+TOQXdGQGTH Kf0j2jAh0h6usxLZ6tsojPgwULMiuXw==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 2536286e-4bed-11e9-9bb1-1f29e4676f89
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.210.54
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-ot1-f54.google.com (unknown [209.85.210.54]) by outbound3.ore.mailhop.org (Halon) with ESMTPSA id 2536286e-4bed-11e9-9bb1-1f29e4676f89; Thu, 21 Mar 2019 15:22:32 +0000 (UTC)
Received: by mail-ot1-f54.google.com with SMTP id c16so5766399otn.4 for <quic@ietf.org>; Thu, 21 Mar 2019 08:22:31 -0700 (PDT)
X-Gm-Message-State: APjAAAWgs/kswuEMLXPQrUlQVHmyo3SG0+DYTliE6vEmgjyw5KcZcQgn 0nin1DMw+aQRyECHwii9BHTLTjrYCHsy+Vyts5M=
X-Google-Smtp-Source: APXvYqyEroYpB4PNDa9nVbS12uzNv/c5A16WBeosCWCJ5Hnk3nq2vVfRTlnD0ozmo/GvTVv4nib22Gcyr/AqC6x4Ais=
X-Received: by 2002:a9d:de4:: with SMTP id 91mr2707894ots.5.1553181751304; Thu, 21 Mar 2019 08:22:31 -0700 (PDT)
MIME-Version: 1.0
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CAOdDvNqxJzv2VkgMK6ug+u8iS41aa2RmCUBN4qncUu-Q+KkwyA@mail.gmail.com> <2552F8DC-F7B6-466D-BEF6-31BAD98E18FE@apple.com>
In-Reply-To: <2552F8DC-F7B6-466D-BEF6-31BAD98E18FE@apple.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 21 Mar 2019 11:22:20 -0400
X-Gmail-Original-Message-ID: <CAOdDvNonwr0iUoCbQAGi1fk5UHk347PRotPozB_Bi6OH80iSTw@mail.gmail.com>
Message-ID: <CAOdDvNonwr0iUoCbQAGi1fk5UHk347PRotPozB_Bi6OH80iSTw@mail.gmail.com>
Subject: Re: QUIC Address Extension for NAT detection
To: Tommy Pauly <tpauly@apple.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
Content-Type: multipart/alternative; boundary="0000000000008ee5de05849c4e6e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/c3kTzmkpBBLGXJJ_ocsvSYfCdMo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 15:22:37 -0000

My thinking was that this is information that the HTTP layer is going to
act on.. by adjusting its timeout, parallel connection, and/or ping
strategy accordingly.. so as a practical matter if it gets implemented in a
differently layer you need both an interface for passing that data around
and you need to manage two more dependencies (1] your own software deps add
a TLS dependency for something that isn't really about transport security,
and 2] you now require 1.3 on both peers which might be a change
disproportionate to the value here).. we've seen tls-lib dependencies
really slow down adoption cycles in the past.

but it could totally work.

My thinking is this is really a transport property of quic, but we could
get some more immediate experience with it (as well as parity) as a trivial
h2 extension.


On Wed, Mar 20, 2019 at 11:34 AM Tommy Pauly <tpauly@apple.com> wrote:

> Hi Patrick,
>
> Interesting! Glad we're thinking along similar lines.
>
> The extension for TLS, similar to what you mention, only allows the client
> side to request its own public IP address from the server's perspective.
> Since this is the model that would be used for HTTP/2 and similar
> protocols, it ends up being pretty similar. We're definitely interested in
> seeing this mechanism be used for TLS connections beyond HTTP/2, for
> example in something like DNS-over-TLS connections. Is there any reason you
> see to have the mechanism in HTTP/2 as opposed to one layer down in TLS?
>
> Thanks,
> Tommy
>
> On Mar 20, 2019, at 7:25 AM, Patrick McManus <mcmanus@ducksong.com> wrote:
>
> Coincidentally I have been noodling with an almost identical idea (though
> I was only going to allow the client side to request its own IP as seen by
> the peer) for prototyping in h2 with an eye towards quic if it proved
> useful.
>
> Would it be easiest to start it there (and would you be interested in
> implementing it there?) as that framework already has wide deployment and a
> sorta-exercised extension mechanism that seems like it should work with
> minimal disruption to test out if the information is indeed useful.
>
> I agree that ideally this is a transport function but I wouldn't let that
> stand in the way of getting some experience.
>
>
>
> On Wed, Mar 13, 2019 at 12:19 PM Tommy Pauly <tpauly=
> 40apple.com@dmarc.ietf.org <40apple.com@dmarc..ietf.org>> wrote:
>
>> We recently posted a draft that defines a proposed extension to QUIC that
>> allows peers to request their perceived IP address and port from their
>> peer, effectively allowing NAT detection along a path:
>>
>> QUIC Address Extension
>> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/
>>
>> We have posted a corresponding document in TLS that provides the same
>> mechanism for TLS/TCP connections:
>>
>> TLS Client Network Address Extension
>> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/
>>
>> One of the benefits specific to QUIC from detecting a NAT is that it
>> helps determine whether or not NAT rebindings are expected to create “fake”
>> migration events. It also helps a client know whether or not rotating CIDs
>> and local ports will be of use to obfuscate a client’s connections.
>>
>> If you have any thoughts on use cases for this information, or the
>> mechanism, we’d love to hear them!
>>
>> Best,
>> Tommy
>>
>
>

v2.23.0 | Report a Bug | By Email