IETF Logo Mail Archive

Re: QUIC Address Extension for NAT detection

Tommy Pauly <tpauly@apple.com> Wed, 20 March 2019 15:34 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3065112786D for <quic@ietfa.amsl.com>; Wed, 20 Mar 2019 08:34:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLL7tIMMdF81 for <quic@ietfa.amsl.com>; Wed, 20 Mar 2019 08:34:41 -0700 (PDT)
Received: from nwk-aaemail-lapp01.apple.com (nwk-aaemail-lapp01.apple.com [17.151.62.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BC6512AF7D for <quic@ietf.org>; Wed, 20 Mar 2019 08:34:41 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp01.apple.com [127.0.0.1]) by nwk-aaemail-lapp01.apple.com (8.16.0.27/8.16.0.27) with SMTP id x2KFWD9E055323; Wed, 20 Mar 2019 08:34:39 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : message-id : subject : date : in-reply-to : cc : to : references; s=20180706; bh=zVpWHhuQkEceW6hKvLxzHgAtgfz3dTjWkOmQ02PvoKk=; b=aDZplZAW4p6Efj0wefhOgU8yfusGXzsK1J3JyJc7fcT5oWQBJsWK9xnqvGZ/e+QRV3Gw zwU4rdYwpLxuVEFSq3HxPajdLMUpHzmZiIW2wiUAHgWv+vW47KGNoUNeIayvVBVG/dFN MkatBn6t1HtHs9bOhaXpTVK+QD6Uyj6AHzAag5mzz6KMInUetOH3X5DmugGUJd3Gxbth BES+kMLWzhOqf6GBiGGdWX03IF/R3C+meKZf++ZW0BHfjUycOjkZyuWbPhwGXFVPldRZ D7F0VNujk46FAM4CB2qSZbpqaoDkZGH+LqBw4o1LEUWVh+matL0et4ptinkF3ij0czE2 zQ==
Received: from ma1-mtap-s02.corp.apple.com (ma1-mtap-s02.corp.apple.com [17.40.76.6]) by nwk-aaemail-lapp01.apple.com with ESMTP id 2rak4nsqgb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 20 Mar 2019 08:34:39 -0700
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_E56Cw4BZQSc9Sqk3ChRrAQ)"
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by ma1-mtap-s02.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPS id <0POO00LGK8LO98C0@ma1-mtap-s02.corp.apple.com>; Wed, 20 Mar 2019 08:34:38 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) id <0POO00200894E300@nwk-mmpp-sz11.apple.com>; Wed, 20 Mar 2019 08:34:37 -0700 (PDT)
X-Va-A:
X-Va-T-CD: f89190830296b49509af62d90e347535
X-Va-E-CD: 75ed10a4c389fdf1385774fd634da24b
X-Va-R-CD: d917230d437218739bb5986c278bef7a
X-Va-CD: 0
X-Va-ID: 0f74d92c-bacd-4ac3-a986-d7a5f1d1e59d
X-V-A:
X-V-T-CD: 58f0cff13583f00a0c939dbbe066ef22
X-V-E-CD: 75ed10a4c389fdf1385774fd634da24b
X-V-R-CD: d917230d437218739bb5986c278bef7a
X-V-CD: 0
X-V-ID: b7223ba0-c943-46d6-99ce-fabc0c496a0f
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-20_09:,, signatures=0
Received: from [17.230.171.182] (unknown [17.230.171.182]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPSA id <0POO00FYH8LOON70@nwk-mmpp-sz11.apple.com>; Wed, 20 Mar 2019 08:34:36 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <2552F8DC-F7B6-466D-BEF6-31BAD98E18FE@apple.com>
Subject: Re: QUIC Address Extension for NAT detection
Date: Wed, 20 Mar 2019 08:34:34 -0700
In-reply-to: <CAOdDvNqxJzv2VkgMK6ug+u8iS41aa2RmCUBN4qncUu-Q+KkwyA@mail.gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
To: Patrick McManus <mcmanus@ducksong.com>
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CAOdDvNqxJzv2VkgMK6ug+u8iS41aa2RmCUBN4qncUu-Q+KkwyA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-20_09:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/imDkScbynCKMY4nuCfAvpEkOO68>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2019 15:34:43 -0000

Hi Patrick,

Interesting! Glad we're thinking along similar lines.

The extension for TLS, similar to what you mention, only allows the client side to request its own public IP address from the server's perspective. Since this is the model that would be used for HTTP/2 and similar protocols, it ends up being pretty similar. We're definitely interested in seeing this mechanism be used for TLS connections beyond HTTP/2, for example in something like DNS-over-TLS connections. Is there any reason you see to have the mechanism in HTTP/2 as opposed to one layer down in TLS?

Thanks,
Tommy

> On Mar 20, 2019, at 7:25 AM, Patrick McManus <mcmanus@ducksong.com> wrote:
> 
> Coincidentally I have been noodling with an almost identical idea (though I was only going to allow the client side to request its own IP as seen by the peer) for prototyping in h2 with an eye towards quic if it proved useful.
> 
> Would it be easiest to start it there (and would you be interested in implementing it there?) as that framework already has wide deployment and a sorta-exercised extension mechanism that seems like it should work with minimal disruption to test out if the information is indeed useful.
> 
> I agree that ideally this is a transport function but I wouldn't let that stand in the way of getting some experience.
> 
> 
> 
> On Wed, Mar 13, 2019 at 12:19 PM Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org <mailto:40apple.com@dmarc..ietf.org>> wrote:
> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path:
> 
> QUIC Address Extension
> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/ <https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/>
> 
> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections:
> 
> TLS Client Network Address Extension
> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/ <https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/>
> 
> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections.
> 
> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them!
> 
> Best,
> Tommy

v2.23.0 | Report a Bug | By Email