Re: New Version Notification for draft-duke-quic-natsupp-00.txt
Martin Duke <martin.h.duke@gmail.com> Wed, 29 January 2020 17:09 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11DF9120884 for <quic@ietfa.amsl.com>; Wed, 29 Jan 2020 09:09:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nz5QmmJG-ODv for <quic@ietfa.amsl.com>; Wed, 29 Jan 2020 09:09:52 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94C0F120130 for <quic@ietf.org>; Wed, 29 Jan 2020 09:09:52 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id y17so228738wrh.5 for <quic@ietf.org>; Wed, 29 Jan 2020 09:09:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ziPIr12KpD6h7bt6KXCIbpr1IEpl8vmuKjMCPedwZvk=; b=Vbr04UY2p2+H6sIh1A2wrYnNXdVdjTEql0uDNc2bXJzsaGLFM2olu93xFYO3aBurRR e/kVqcpxd3E0pnXDGevI0276Q3xxM6cP1gGJ3H1rGhNlPtsRd08OkMfP0gq2AZ0dIzGi 3UletMlJV8uFo/SCT7jdzLBBEU7/yKMqXDMsKojT86EGzSQNhWInrb65+neIryHNJKuH J5FfnIgTYeQhh8yBkm+KFCdZhYMvDgjDjdxGsuXsFa5YGtcmiiu5n7BbPrO90KD2NuCH iVXVlYg7Pz3NoWtysvxyOj0aU4eAJ0W/Dd2iOJKwfA/0q91l7zdRHW/TjPIsvkO/28HY /A6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ziPIr12KpD6h7bt6KXCIbpr1IEpl8vmuKjMCPedwZvk=; b=O8dBtNC+oBhzqnsZAJzBeeseeNZYswZV9T0xVTRKU8QOqeBhMnsAyE+IG7HQULe4xQ LpGiYqoaPOPgXhqu7sOCLjl0KtNlwJG8tXhHFVKRd/XJa+lBEt4+tbDWnY96sX3QOx51 ganBSTOjHLF4LMwfguq3ktEQAdMKNIheYnrIIeXWlVdsrvRb6Jn4ecH586e2htHqfZud zUG7JgUT4KuGsFqShXz02WuQZF8fv4g78lNtAEXLCeeEjIdM0jZC8pNVr7KJTdxM7yYd bR6zo/Df6rJMlY3EAkza9/hJpJ70ieZgvCdSaeFhig6Ovc/Qvz8wXZnOSHV9syaJ7GwN IzIg==
X-Gm-Message-State: APjAAAVtjEZNhreot/BL4f5IrlHfSFPImYepcFmChwFt9Vj3N2OO1LCm tXapK+evJxufFuHVQxBISqKn6dpiF/i/ktopjdU=
X-Google-Smtp-Source: APXvYqzgO2+ef04Wt1NIqYXy3gg5ukO19e/1CJcCOElRHqFPunbsmxRFaroOJ812sC34rmsX1RikSMfPICB0Rii2b04=
X-Received: by 2002:a5d:6151:: with SMTP id y17mr35874068wrt.110.1580317791022; Wed, 29 Jan 2020 09:09:51 -0800 (PST)
MIME-Version: 1.0
References: <157470946896.14159.17248985824634821547.idtracker@ietfa.amsl.com> <CAM4esxTPb1p_mH4eOpj62K0hVd0c5S50UC=rSbVqe=1bRXyJ0g@mail.gmail.com> <FCCC853A-2984-4823-AB67-71DA0A13E4A0@ericsson.com>
In-Reply-To: <FCCC853A-2984-4823-AB67-71DA0A13E4A0@ericsson.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Wed, 29 Jan 2020 09:09:39 -0800
Message-ID: <CAM4esxQPOJmnm+qmBPhQDi-hrYMkXUjB8Ptj5FaT6o7pK3K8YA@mail.gmail.com>
Subject: Re: New Version Notification for draft-duke-quic-natsupp-00.txt
To: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000090f17f059d4a68db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/f8KNapRXRJArMlTMTd4CeW0u5nQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2020 17:09:55 -0000
Hi Mirja, For Section 4.1, here is the scenario I have in mind: - the NAT is out of public addresses and ports and uses CIDs to multiplex clients over one port (which the draft is arguing it should not do) - NAT routes packets coming in from the internet with address/port A:B and CID C to client #1 - NAT routes packets coming in from the internet with address/port A:B and CID D to client #2 - Client #1 provides a new CID E to the server - The NAT receives a packet for address/port A:B and CID E, and cannot disambiguate the two clients. Section 4.2. - Server deployment has 4-tuple routing and it is expensive to change - IT installs a NAT at the front of the infrastructure that stores a mapping of CIDs to inbound source address and port. - If a packet arrives with a known CID but a different source address/port, the NAT will rewrite the source/address port to the old value, and thus the packet will route to the correct back-end server. Thus the infrastructure is robust to NAT rebinding, if not intentional migration with a new CID. - While this "works", it has security implications as discussed. If we decide this is worth writing up at all, I'll try to make it clearer. Or have I made a mistake somewhere? Thanks for the comments. Let's discuss next week if this worth living as a separate document. Martin On Wed, Jan 29, 2020 at 1:28 AM Mirja Kuehlewind < mirja.kuehlewind@ericsson.com> wrote: > Hi Martin, > > > > thanks for writing this up. I have two questions and a comment. > > > > This part in section 4.1: > > “Therefore, leveraging Connection IDs will cause sudden connection > > breakage when an incoming packet uses CIDs with no clear mapping.” > > Not sure I understand this correctly but would a NAT simply assign a new > port/address when a new CID shows up..? Why would that break connectivity? > Or what do you mean with that? > > > > Regarding section 4.2: > > You basically say that changing the port/address might break 4-tuple > routing on the other end. But wouldn’t mean that any NAT rebinding would > break connectivity and that’s a problem by the other end that should be > solved there? > > > > I think the most important part of the document is the last paragraph in > section 4.2. I’d recommend to put that in an own section. However, I’m > actually not convinced about the other two points (above). If that is the > only point we would need to make, maybe that’s also something to put in the > manageability document. > > > > Mirja > > > > > > *From: *QUIC <quic-bounces@ietf.org> on behalf of Martin Duke < > martin.h.duke@gmail.com> > *Date: *Tuesday, 28. January 2020 at 19:29 > *To: *IETF QUIC WG <quic@ietf.org> > *Subject: *Fwd: New Version Notification for > draft-duke-quic-natsupp-00.txt > > > > At Gorry's suggestion, I took the NAT recommendations and put them in a > short draft that NAT guys are more likely to read. If this seems > extraneous, I'm happy to get that feedback. > > > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Mon, Nov 25, 2019 at 11:17 AM > Subject: New Version Notification for draft-duke-quic-natsupp-00.txt > To: Martin Duke <martin.h.duke@gmail.com> > > > > > A new version of I-D, draft-duke-quic-natsupp-00.txt > has been successfully submitted by Martin Duke and posted to the > IETF repository. > > Name: draft-duke-quic-natsupp > Revision: 00 > Title: Network Address Translation Support for QUIC > Document date: 2019-11-25 > Group: Individual Submission > Pages: 5 > URL: > https://www.ietf.org/internet-drafts/draft-duke-quic-natsupp-00.txt > Status: https://datatracker.ietf.org/doc/draft-duke-quic-natsupp/ > Htmlized: https://tools.ietf.org/html/draft-duke-quic-natsupp-00 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-duke-quic-natsupp > > > Abstract: > Network Address Translators (NATs) are widely deployed to share > scarce public IPv4 addresses among mutiple end hosts. They overwrite > IP addresses and ports in IP packets to do so. QUIC is a protocol on > top of UDP that provides transport-like services. QUIC is better- > behaved in the presence of NATs than older protocols, and existing > UDP NATs should operate without incident if unmodified. QUIC offers > additional features that may tempt NAT implementers as potential > optimizations. However, in practice, leveraging these features will > lead to new connection failure modes and security vulnerabilities. > > > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat >
- Fwd: New Version Notification for draft-duke-quic… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind