IETF Logo Mail Archive

Re: QUIC Address Extension for NAT detection

Tommy Pauly <tpauly@apple.com> Wed, 13 March 2019 22:20 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8A6124BF6 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:20:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z6feLFkG1v3F for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 15:20:12 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A4D2127873 for <quic@ietf.org>; Wed, 13 Mar 2019 15:20:12 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.27/8.16.0.27) with SMTP id x2DMBUpc013396; Wed, 13 Mar 2019 15:20:11 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=fm40t+MPOwoX6xfNu9Rk+zyNgsGWmZYNDGM2geBWNuk=; b=NVsJ99ek+OvHKoXi1yS6azMx9qj6vbd2P2RSb34o5hGMg6fcyGz93dZdQxL9n3G1Nm9k 6NOgs46js/IV7KFVRqY3HAM9/Jdfokrtr5TXhmybdgX7kzY4LDfOwkHCxwaDGsM4dy2O eM1Mb4J64NogHVlYmPN0XYccjf7FrTlQAEaDEvMTPvGydObm1ds2nZO7uobDB2WU4AoF LZ9cd4o7DLLbugAsq2o5AFlbrNN4CCsFoRA0kpVRZqHOWioIp06qf9k4DupamwaaX25l VIWxh9Jw8/PoCshfwYSsE5JKCRKhrOUy3KEgNyBVa/9obeC15UM3V0/0puJTxzuyuXd/ 1g==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 2r4dc5awn4-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 13 Mar 2019 15:20:10 -0700
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"
Received: from nwk-mmpp-sz12.apple.com (nwk-mmpp-sz12.apple.com [17.128.115.204]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPS id <0POB00JLVSPK7X30@ma1-mtap-s02.corp.apple.com>; Wed, 13 Mar 2019 15:20:09 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz12.apple.com by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) id <0POB00300RXXEJ00@nwk-mmpp-sz12.apple.com>; Wed, 13 Mar 2019 15:20:09 -0700 (PDT)
X-Va-A:
X-Va-T-CD: a73ada5d95d0e12dfbe5201d786457f4
X-Va-E-CD: 75ed10a4c389fdf1385774fd634da24b
X-Va-R-CD: d917230d437218739bb5986c278bef7a
X-Va-CD: 0
X-Va-ID: 8238e45b-7e55-4ea8-aa59-8a4b42215e3f
X-V-A:
X-V-T-CD: f47a32de39f1cfa35444508222caef20
X-V-E-CD: 75ed10a4c389fdf1385774fd634da24b
X-V-R-CD: d917230d437218739bb5986c278bef7a
X-V-CD: 0
X-V-ID: 92f8fef7-1091-4618-a83f-388f67d4ec61
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-13_13:,, signatures=0
Received: from [17.230.175.227] (unknown [17.230.175.227]) by nwk-mmpp-sz12.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPSA id <0POB0042ESPJ8410@nwk-mmpp-sz12.apple.com>; Wed, 13 Mar 2019 15:20:08 -0700 (PDT)
Sender: tpauly@apple.com
Subject: Re: QUIC Address Extension for NAT detection
From: Tommy Pauly <tpauly@apple.com>
In-reply-to: <CANatvzxf1BjTe=A2Ui3m9U2LhE501Fy0pom0LLbMGn=zSU-yAQ@mail.gmail.com>
Date: Wed, 13 Mar 2019 15:20:06 -0700
Cc: QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
Content-transfer-encoding: quoted-printable
Message-id: <3F3B0F64-C1D4-4F3B-A8AA-5EFD32D59D39@apple.com>
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CANatvzxf1BjTe=A2Ui3m9U2LhE501Fy0pom0LLbMGn=zSU-yAQ@mail.gmail.com>
To: Kazuho Oku <kazuhooku@gmail.com>
X-Mailer: Apple Mail (2.3445.104.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-13_13:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ce8cTnB-9Cew54HCtD1t1goO3Lo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 22:20:15 -0000


> On Mar 13, 2019, at 3:04 PM, Kazuho Oku <kazuhooku@gmail.com> wrote:
> 
> I like the idea of communicating the address, I agree that it would be
> useful for QUIC in general to detect NATs.
> 
> OTOH I am bit concerned of the privacy implications of a server asking
> the client it's IP address. Because it could be considered as a
> private information, when the client is running behind a NAT (or a
> VPN, or something like Tor).

To clarify, you are concerned about the server asking the client to send what the server's address is? The protocol only lets the an endpoint request its own public address. The security concerns section points this out:

Moreover, since endpoints can only request their public
   address, peers cannot accidentally transmit their (possibly private)
   address to a peer.

> 
> Considering that, it might be a good idea to make the protocol
> asymmetric; i.e. design the frames so that the server sends the
> perceived address of the client and then the client responds with a
> boolean indicating if the perceived address is the actual address.

Yes, as something further than the existing mechanism, we could have replies indicate if a client thinks it is behind a NAT based on the result of the exchange.

Thans,
Tommy

> 
> 2019年3月14日(木) 1:20 Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>:
>> 
>> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path:
>> 
>> QUIC Address Extension
>> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/
>> 
>> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections:
>> 
>> TLS Client Network Address Extension
>> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/
>> 
>> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections.
>> 
>> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them!
>> 
>> Best,
>> Tommy
> 
> 
> 
> -- 
> Kazuho Oku

v2.23.0 | Report a Bug | By Email