Re: New Version Notification for draft-duke-quic-natsupp-00.txt
Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Tue, 11 February 2020 09:35 UTC
Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4191201E0 for <quic@ietfa.amsl.com>; Tue, 11 Feb 2020 01:35:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZLwqGnF2FG9r for <quic@ietfa.amsl.com>; Tue, 11 Feb 2020 01:35:09 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2055.outbound.protection.outlook.com [40.107.22.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FE58120020 for <quic@ietf.org>; Tue, 11 Feb 2020 01:35:08 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nnvOAzb/ZRTDogV8xeVXp4e5YXJ4p8R1NOKWcoaLbCFaQo91Pj81TqografH9QB7jqAAMzwVNCB2mQCdxtUtqMqk9rjJs0XggoNxapfP9QK6cJA50AjuiefiVfHEJtyYmsO9R9L6CPOdmzlvJ1BmtxH4hFvyh3PEMPGJ0QtX8Ndw9tzNjGm8yAR0R5yP2DNWCFSdtT8j7phupB03HGxYLI6L7dlwmO3z/6yC4vk/YiEsRv97b+4kPw84K92JwmGUctbTmKN8m07fyMHKlaiB7eLdwPQ7hzVb05V7asEwyYUvvS0WHOC0EatXnvz6+grJ+ploTyCubkU45TPh6yCbQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0uzlHZWlSn9ayHvQcXjXqJUT+ryKrySb37uR5ps0UHg=; b=QXIYtww3KI2nOnL3inV/aDlzKWzjdWJMX9Omf7lKV3mFxRRH6+y1hlZF7XkQUGX9rpAPylj6JiciNPaiLIdrKURiPJDZLpi30TUO+KjMzeibh6ggLddP3bCf6nShrbtdg0EM8/z3yCWk0anAnLCSLGRPBxtyD4LDmoH4Vi2HQsaD6eLXrZgxGjGe0n77/jRQ97kgYCeM/5rM8cEBtQP2iT+n71WTnnire+e5B25TZcx8NHejA8mMJ81JbKmAp3eQkKqzbckuBgoCoUpmWAFAxdcuFCIa+M/nj5RiNMpxscoIGyUkcXkVXUENf3dJTXfNU6GBRV2FJjysscc7afjbIA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0uzlHZWlSn9ayHvQcXjXqJUT+ryKrySb37uR5ps0UHg=; b=X55mXqQB+zckcEJN0+8k3R9P92UH/ChjKVXAYi2YWT4Qy6dO4oO7MWO+yI9kFx+oeUNzhyvtq4xPgRdxmI5is7pSnv4n8yqbuDtEp4duFkPd12o6T0T08DO8i3s7xDBxmSOA8Fr4OO0TNhZ2GsZgIIoBdzgxgL/n0nY94V9nDxU=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB4162.eurprd07.prod.outlook.com (52.133.55.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2729.16; Tue, 11 Feb 2020 09:35:06 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7%7]) with mapi id 15.20.2729.021; Tue, 11 Feb 2020 09:35:06 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: Martin Duke <martin.h.duke@gmail.com>
CC: IETF QUIC WG <quic@ietf.org>
Subject: Re: New Version Notification for draft-duke-quic-natsupp-00.txt
Thread-Topic: New Version Notification for draft-duke-quic-natsupp-00.txt
Thread-Index: AQHV1gjboi/pVkkeTEm5AkAzYIUU46gBcaSAgABwEYCAASk+gIAR8O0AgADl5oA=
Date: Tue, 11 Feb 2020 09:35:06 +0000
Message-ID: <571B2506-AA27-411A-AE5D-D0E780FD889B@ericsson.com>
References: <157470946896.14159.17248985824634821547.idtracker@ietfa.amsl.com> <CAM4esxTPb1p_mH4eOpj62K0hVd0c5S50UC=rSbVqe=1bRXyJ0g@mail.gmail.com> <FCCC853A-2984-4823-AB67-71DA0A13E4A0@ericsson.com> <CAM4esxQPOJmnm+qmBPhQDi-hrYMkXUjB8Ptj5FaT6o7pK3K8YA@mail.gmail.com> <6A334674-0D30-4FB6-A4BE-4D2BBAF344A4@ericsson.com> <CAM4esxRJv1xuM6ztDj4Fb23JwazaLhudfkBUJmrb8_K9OAzFdw@mail.gmail.com>
In-Reply-To: <CAM4esxRJv1xuM6ztDj4Fb23JwazaLhudfkBUJmrb8_K9OAzFdw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [2001:16b8:2c13:d000:7056:c073:a2e2:17e4]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3e9e899f-f029-4dbc-6823-08d7aed5adbf
x-ms-traffictypediagnostic: AM0PR07MB4162:
x-microsoft-antispam-prvs: <AM0PR07MB416239B07F865041C225F19AF4180@AM0PR07MB4162.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0310C78181
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(136003)(366004)(39860400002)(376002)(346002)(199004)(189003)(86362001)(6506007)(53546011)(186003)(33656002)(8936002)(15650500001)(478600001)(5660300002)(6916009)(91956017)(66556008)(6486002)(71200400001)(66946007)(66476007)(76116006)(64756008)(66446008)(316002)(8676002)(36756003)(6512007)(81166006)(2616005)(81156014)(2906002)(44832011)(4326008); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4162; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MSLHCaCzI9C8LJ8sUGgQG7Di/fj+FNoeAoh+y5In2Xeu5V/H8WMb4HeebqXek0I6XRWCJrEyGEgL0M9cKEEFFnsgohViD8FcS0nGp2RGLZK5e/ZmcG6Xr654b2kxmzcMGuw1VhkMcB4+m7riT85hjTcrab6HCc6X+dZ0R/CAE1cvpuZ43WoFHbBSHs0fK4yBR+WrZQPm4XvIAqS+OFOTfqv1OsH8v12womW1OyWh3d/sHd7DfOKJFJbaTnpW6KC41NKsOc/WM653J45BYm/91yOFakv1yEdzChXgrnpaKW1KnehHfWMJqeiTtUH6uNZZZasMjxNsADlY+NtWoVah1SVt9517nH7ggSBBCVquVt4y/ZN7Mr3ugTVBnaV3zOFp7TDWa33i43/TwiKukryDR6G+gVCYoKVA4eukFbIn80YRVMIfQj/cG8bl61dWe42A
x-ms-exchange-antispam-messagedata: kwuCbBRBRTfhdo0IT4sg3y74+Ki43PBWE1hrLmFe1rCfNuZhMIbAILScxx215iJhwgzJOdq3uMvzMf9JywMBD5mCoO9XyAChqZ9nEYTPB4yGT+vw2JuYZsDLDgXiyLjHGYM8bioXHROYpAm4n/qwwx9Dor2Sb4ZDG6S49+XsRQU/Fkz3fDPaQjYPrWDnBF57PvkQQuo+JpVP/0hh3hGQIA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_571B2506AA27411AAE5DD0E780FD889Bericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e9e899f-f029-4dbc-6823-08d7aed5adbf
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Feb 2020 09:35:06.1904 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: VWM8ksgLkapfCYmvDqP0sy7cVPqr+nZpuzCAG6DNuFjUHIiIKh6arFvhPQsdvERu0/WvFjEOeQ3sh7T5iAx5ywAAFatdEX4CNCVQWyBC61w=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4162
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/qF9YLzA20Rgj6bQ-3oOTAU8Wzco>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2020 09:35:11 -0000
Hi Martin, short reply: sounds good! Otherwise see inline. Mirja From: Martin Duke <martin.h.duke@gmail.com> Date: Monday, 10. February 2020 at 21:52 To: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Cc: IETF QUIC WG <quic@ietf.org> Subject: Re: New Version Notification for draft-duke-quic-natsupp-00.txt Responses inline: On Thu, Jan 30, 2020 at 10:53 AM Mirja Kuehlewind <mirja.kuehlewind@ericsson.com<mailto:mirja.kuehlewind@ericsson.com>> wrote: I somehow was initially only think about out-going packet and no incoming packets… so, yes, the NAT needs to discard this packet. However, you say the NAT is out of addresses/ports, thus not using the CID would have meant that it would have to discard the connection right at the beginning. Not sure if that is any better…? It's a good point that immediately dropping is not great either. However, · this would create an ossification vector where CID changes may break the protocol. · it's better for QUIC to fail right away (enabling TCP fallback) than to black hole suddenly. [MK] Right, the second point here is actually important. Probably also something to mention in the draft. Section 4.2. - Server deployment has 4-tuple routing and it is expensive to change - IT installs a NAT at the front of the infrastructure that stores a mapping of CIDs to inbound source address and port. This step was also not fully clear to me from the draft. Now that I look at it again, I understand what’s meant but I think it could be clearer in the draft. So is 4-tuple routing actually common? Why is the 4-tuple used instead of only routing based on the destination address/port? Yes it's common. If we're fronting a single website there may be a single destination IP and well-known port, so the destination doesn't add any entropy. [MK] That makes sense. - If a packet arrives with a known CID but a different source address/port, the NAT will rewrite the source/address port to the old value, and thus the packet will route to the correct back-end server. Thus the infrastructure is robust to NAT rebinding, if not intentional migration with a new CID. - While this "works", it has security implications as discussed. I think you need to further explain the attack case here in the draft – that an attacker might spoof the IP address and therefore can DDoS a target as the server might keep sending a large amount of data to that new IP address. However, I think this should probably be discussed in the security section of the transport draft a bit more as this is only possible because of migration which is a new feature in QUIC. I believe Eric Kinnear has already written a ton about how to handle new addresses in the transport draft. I'll rewrite the paragraph as you suggest. [MK] Thanks! However, given that if someone anyway decided to implement this setup, the endpoints have no way to detect that an address changed and was respectively re-written then again, should we maybe start think about a way to improve the situation…? The signal here is that absolutely nothing in the packet has changed, so I'm not sure how endpoints could possibly detect this. Yes, but maybe there are other things. Not proposing this as a solution but e.g. one could detect an address change using TURN… anyway I guess you are right that there is not easy way…
- Fwd: New Version Notification for draft-duke-quic… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind
- Re: New Version Notification for draft-duke-quic-… Martin Duke
- Re: New Version Notification for draft-duke-quic-… Mirja Kuehlewind