Re: UDP source ports for HTTP/3 and QUIC
Willy Tarreau <w@1wt.eu> Thu, 15 July 2021 02:39 UTC
Return-Path: <w@1wt.eu>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4777B3A1709 for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 19:39:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tEabupN7jQtl for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 19:39:15 -0700 (PDT)
Received: from 1wt.eu (wtarreau.pck.nerim.net [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0003A1708 for <quic@ietf.org>; Wed, 14 Jul 2021 19:39:14 -0700 (PDT)
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 16F2dBUI026193; Thu, 15 Jul 2021 04:39:11 +0200
Date: Thu, 15 Jul 2021 04:39:11 +0200
From: Willy Tarreau <w@1wt.eu>
To: Martin Thomson <mt@lowentropy.net>
Cc: quic@ietf.org
Subject: Re: UDP source ports for HTTP/3 and QUIC
Message-ID: <20210715023911.GA26074@1wt.eu>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net> <3e657a11-1c6a-472b-9600-08c3f04f6e25@www.fastmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3e657a11-1c6a-472b-9600-08c3f04f6e25@www.fastmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/lAltHQv0HGSgEXfyN763KR-qltk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 02:39:17 -0000
On Thu, Jul 15, 2021 at 11:20:19AM +1000, Martin Thomson wrote: > Thanks for raising this Mark. (Limiting my reply to QUIC, because I think this is more specific to that group.) > > On Thu, Jul 15, 2021, at 10:20, Mark Nottingham wrote: > > Overall, the chance of collision (i.e., a client or a NAT choosing a > > blocked source port) is quite low, but at Internet scale it'll happen, > > leading to the client needing to open a new connection, thereby adding > > perceived latency. > > What is going to happen in many cases is that QUIC will be disabled in > addition to having high latency for that connection. > > > My question is whether there's a need for more coordination -- e.g., a > > very short RFC outlining such ports, to help bring this to folks' > > attention (especially in the NAT crowd)? > > So this isn't easy. I think that it is good you raise this either way. From > the client side, some greater determinism around this would be good, for the > above reasons if nothing else. We don't currently have a source port > blocklist and we will need to add that. > > Because this isn't entirely under our control as a client, us knowing doesn't > really provide a complete solution. To that end, I am inclined to say that > an informational RFC is a good idea. Ideally, NAT and cgNAT will avoid these > ports also and an RFC does tend to reach people. I don't imagine a single second that those random unprivileged ports will be avoided. They were randomly picked and will be difficult to exclude from NAT ranges. By the time implementors have a solution to exclude them, they will probably not be used anymore and others will happen. I think that we must at least specify that privileged ports (<1024) must always be blocked because under no circumstances valid HTTP traffic should be emitted from such ports which are normally reserved for services. And for the rest we should rather caution that many UDP services are highly vulnerable to reflection attacks because there's no such thing as a distinction from a request packet and a response packet like in TCP, and that along QUIC's life new popular services will occasionally pop up and will cause trouble. The most important for implementors is to be able to quickly validate a QUIC packet and make sure that no response is ever sent if it cannot be decoded. This will only lead to CPU usage and nothing more. Sadly, if we'd had a short protocol identifier at the very beginning of each packet (e.g. even a 8-bit or 16-bit field), it would have become extremely difficult to make other protocols match it in their responses and it wouldn't have been an issue at all. But we don't have this so the packets will at least have to be parsed. Willy
- UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: UDP source ports for HTTP/3 and QUIC Martin Thomson
- Re: UDP source ports for HTTP/3 and QUIC Willy Tarreau
- Re: UDP source ports for HTTP/3 and QUIC Mikkel Fahnøe Jørgensen
- Re: UDP source ports for HTTP/3 and QUIC Willy Tarreau
- Re: UDP source ports for HTTP/3 and QUIC Stefan Eissing
- Re: UDP source ports for HTTP/3 and QUIC Willy Tarreau
- Re: UDP source ports for HTTP/3 and QUIC Töma Gavrichenkov
- Re: UDP source ports for HTTP/3 and QUIC Töma Gavrichenkov
- Re: UDP source ports for HTTP/3 and QUIC Nick Banks
- Re: UDP source ports for HTTP/3 and QUIC David Schinazi
- Re: UDP source ports for HTTP/3 and QUIC Töma Gavrichenkov
- Re: UDP source ports for HTTP/3 and QUIC Erik Nygren
- Re: UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: UDP source ports for HTTP/3 and QUIC Toerless Eckert
- Re: UDP source ports for HTTP/3 and QUIC Willy Tarreau
- Re: UDP source ports for HTTP/3 and QUIC Poul-Henning Kamp
- Re: UDP source ports for HTTP/3 and QUIC Willy Tarreau
- Re: UDP source ports for HTTP/3 and QUIC Stefan Eissing
- Re: UDP source ports for HTTP/3 and QUIC Toerless Eckert
- Re: UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: UDP source ports for HTTP/3 and QUIC Töma Gavrichenkov