IETF Logo Mail Archive

Re: UDP source ports for HTTP/3 and QUIC

Willy Tarreau <w@1wt.eu> Thu, 15 July 2021 02:39 UTC

Return-Path: <w@1wt.eu>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4777B3A1709 for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 19:39:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEabupN7jQtl for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 19:39:15 -0700 (PDT)
Received: from 1wt.eu (wtarreau.pck.nerim.net [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0003A1708 for <quic@ietf.org>; Wed, 14 Jul 2021 19:39:14 -0700 (PDT)
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 16F2dBUI026193; Thu, 15 Jul 2021 04:39:11 +0200
Date: Thu, 15 Jul 2021 04:39:11 +0200
From: Willy Tarreau <w@1wt.eu>
To: Martin Thomson <mt@lowentropy.net>
Cc: quic@ietf.org
Subject: Re: UDP source ports for HTTP/3 and QUIC
Message-ID: <20210715023911.GA26074@1wt.eu>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net> <3e657a11-1c6a-472b-9600-08c3f04f6e25@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3e657a11-1c6a-472b-9600-08c3f04f6e25@www.fastmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/lAltHQv0HGSgEXfyN763KR-qltk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 02:39:17 -0000

On Thu, Jul 15, 2021 at 11:20:19AM +1000, Martin Thomson wrote:
> Thanks for raising this Mark.  (Limiting my reply to QUIC, because I think this is more specific to that group.)
> 
> On Thu, Jul 15, 2021, at 10:20, Mark Nottingham wrote:
> > Overall, the chance of collision (i.e., a client or a NAT choosing a 
> > blocked source port) is quite low, but at Internet scale it'll happen, 
> > leading to the client needing to open a new connection, thereby adding 
> > perceived latency. 
> 
> What is going to happen in many cases is that QUIC will be disabled in
> addition to having high latency for that connection.
>  
> > My question is whether there's a need for more coordination -- e.g., a 
> > very short RFC outlining such ports, to help bring this to folks' 
> > attention (especially in the NAT crowd)?
> 
> So this isn't easy.  I think that it is good you raise this either way.  From
> the client side, some greater determinism around this would be good, for the
> above reasons if nothing else.  We don't currently have a source port
> blocklist and we will need to add that.
> 
> Because this isn't entirely under our control as a client, us knowing doesn't
> really provide a complete solution.  To that end, I am inclined to say that
> an informational RFC is a good idea.  Ideally, NAT and cgNAT will avoid these
> ports also and an RFC does tend to reach people.

I don't imagine a single second that those random unprivileged ports will be
avoided. They were randomly picked and will be difficult to exclude from NAT
ranges. By the time implementors have a solution to exclude them, they will
probably not be used anymore and others will happen.

I think that we must at least specify that privileged ports (<1024) must
always be blocked because under no circumstances valid HTTP traffic should
be emitted from such ports which are normally reserved for services. And
for the rest we should rather caution that many UDP services are highly
vulnerable to reflection attacks because there's no such thing as a
distinction from a request packet and a response packet like in TCP,
and that along QUIC's life new popular services will occasionally pop up
and will cause trouble.

The most important for implementors is to be able to quickly validate a
QUIC packet and make sure that no response is ever sent if it cannot be
decoded. This will only lead to CPU usage and nothing more. Sadly, if
we'd had a short protocol identifier at the very beginning of each
packet (e.g. even a 8-bit or 16-bit field), it would have become extremely
difficult to make other protocols match it in their responses and it
wouldn't have been an issue at all. But we don't have this so the packets
will at least have to be parsed.

Willy

v2.23.0 | Report a Bug | By Email