Re: UDP source ports for HTTP/3 and QUIC

Erik Nygren <erik+ietf@nygren.org> Thu, 15 July 2021 23:25 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1DCD3A161B for <quic@ietfa.amsl.com>; Thu, 15 Jul 2021 16:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mGXmAUI1MwdN for <quic@ietfa.amsl.com>; Thu, 15 Jul 2021 16:25:13 -0700 (PDT)
Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 171533A161A for <quic@ietf.org>; Thu, 15 Jul 2021 16:25:12 -0700 (PDT)
Received: by mail-wr1-f42.google.com with SMTP id d2so9946339wrn.0 for <quic@ietf.org>; Thu, 15 Jul 2021 16:25:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YnxAp9hRRfknWiX7e9hSeEZSRuN8bukeOA9xmdPxJW0=; b=F+CFHfenre+U0n3+yU0SGSMKncSikQYVRfNpvgfOLuX3n3gaMc9xxkrXXO3NDhJYXm apijvRC89yxNbP2PhmxPcgyIvdsDCS9fI1xFbMYhlQsB/OcdAw0SdW5hOTMSgU7eU+Dp RzxxTI1SpvdIz/l/RmmXEivTEm4tHZEeyaIp9B8+SPi4ThZAJMTXLe4q4eMXo7njTxYP deds5RTP9IaSEEL5O/Z4UYQ/4YTxJ+i/t3BPBys+F7cnpE+ebXuopEFihLgVM5aSt3ky YGSMIau43gO9hhLbsvmE879XXOjMWerkAvHJe2gh+7mDTAixevwKS59HyN72EPCYBQcY Ds9A==
X-Gm-Message-State: AOAM532JNqwaJFSSWrpNBuQvrhuTevVE01O3bAgh/lzn1HACSQdPz3gO 5WC6miDumzHu+ykHLi1Z+Yy01DENHYTY+aXdOIg=
X-Google-Smtp-Source: ABdhPJxV+Ul7DGPHtUD2wA3OBE9qFCO1mQrOUvDIKvv3FAhdDYZ78vwVDeQ0WSAusZhRXkDyWgYLqQiiF/mzgyx8IPs=
X-Received: by 2002:a05:6000:2a1:: with SMTP id l1mr8401090wry.128.1626391511236; Thu, 15 Jul 2021 16:25:11 -0700 (PDT)
MIME-Version: 1.0
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
In-Reply-To: <3985895D-D420-4995-831E-332E33693B79@mnot.net>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Thu, 15 Jul 2021 19:25:00 -0400
Message-ID: <CAKC-DJjHObadQo1O9XngTkxr3PswQ5YUMfLs9NUaDdJHye8Ggw@mail.gmail.com>
Subject: Re: UDP source ports for HTTP/3 and QUIC
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004b05eb05c731c81d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/qBk1jDfMcmnPLEH9M-j3-MNEOak>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 23:25:18 -0000

On Wed, Jul 14, 2021 at 8:21 PM Mark Nottingham <mnot@mnot.net> wrote:

> [ bringing this up on both lists because it's not yet clear what the right
> scope is ]
>
> It's not uncommon for servers to block certain UDP source ports to avoid
> being overwhelmed by certain reflection attacks. In particular:
>
> * 53 - DNS
> * 123 - NTP
> * 1900 - SSDP
> * 5353 - mDNS
> * 11211 - memcached
>
> ... among other candidates.
>
> See, eg., <https://blog.cloudflare.com/reflections-on-reflections/>. This
> isn't done to avoid protocol vulnerabilities as such -- it's to avoid
> volumetric attacks (usually DDoS).
>
>

Closely related, the Fetch spec's "bad port" list is fairly TCP-specific
and could likely
use additions for some of these.  I opened
https://github.com/whatwg/fetch/issues/1268
to track that.

    Erik