Re: UDP source ports for HTTP/3 and QUIC

Mark Nottingham <mnot@mnot.net> Fri, 16 July 2021 00:27 UTC

Subject: Re: UDP source ports for HTTP/3 and QUIC
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CAKC-DJjHObadQo1O9XngTkxr3PswQ5YUMfLs9NUaDdJHye8Ggw@mail.gmail.com>
Date: Fri, 16 Jul 2021 10:27:20 +1000
Cc: IETF QUIC WG <quic@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A75470C1-185F-4663-A66E-4805B3053676@mnot.net>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net> <CAKC-DJjHObadQo1O9XngTkxr3PswQ5YUMfLs9NUaDdJHye8Ggw@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/t28HqFntqGTRLbT3FjYhdETiO1s>

Adding source ports to Fetch to complement their list of "bad" destination ports is interesting, but probably not sufficient -- NAT and CGNAT vendors tend not to read that document.

If we believe both that this should be written down and that more reflection-capable applications are going to emerge, we should probably put this information in a registry.

It strikes me that it could be done by adding a column to the port registry <https://www.iana.org/assignments/service-names-port-numbers/>. In other words, TSVWG. Thoughts?

Cheers,


> On 16 Jul 2021, at 9:25 am, Erik Nygren <erik+ietf@nygren.org> wrote:
> 
> On Wed, Jul 14, 2021 at 8:21 PM Mark Nottingham <mnot@mnot.net> wrote:
> [ bringing this up on both lists because it's not yet clear what the right scope is ]
> 
> It's not uncommon for servers to block certain UDP source ports to avoid being overwhelmed by certain reflection attacks. In particular:
> 
> * 53 - DNS
> * 123 - NTP
> * 1900 - SSDP
> * 5353 - mDNS
> * 11211 - memcached
> 
> ... among other candidates.
> 
> See, e.g., <https://blog.cloudflare.com/reflections-on-reflections/>. This isn't done to avoid protocol vulnerabilities as such -- it's to avoid volumetric attacks (usually DDoS).
> 
> Closely related, the Fetch spec's "bad port" list is fairly TCP-specific and could likely
> use additions for some of these.  I opened https://github.com/whatwg/fetch/issues/1268
> to track that.
> 
>     Erik
> 

--
Mark Nottingham   https://www.mnot.net/
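The practice the thread describes (a QUIC/HTTP/3 server dropping inbound UDP datagrams whose source port belongs to a service commonly abused for amplification, and a shared list of such ports that a NAT could consult when allocating external ports) as an added example in Python. This is not code from the thread or from any project mentioned in it. The port-to-service map is the one quoted in the message; the sample datagrams, the `inet filter` / `input` nftables table and chain named in the generated rule, and the NAT port allocator are assumptions constructed for the example.

```python
"""Source-port filtering for a QUIC/HTTP/3 listener (added example).

Two sides of the same list:
  * the server side drops datagrams from reflection-prone source ports
    before spending CPU on QUIC handshake/decryption work, and counts
    what it dropped so the drops are visible in monitoring;
  * the NAT side avoids handing out those ports as external source
    ports, so legitimate clients behind it are not caught by the filter.
"""
import random
from collections import Counter
from dataclasses import dataclass

# Source ports the thread lists as commonly blocked by servers.
REFLECTION_SOURCE_PORTS = {
    53: "DNS",
    123: "NTP",
    1900: "SSDP",
    5353: "mDNS",
    11211: "memcached",
}

QUIC_PORT = 443  # UDP port the listener serves HTTP/3 on (assumption)


@dataclass(frozen=True)
class Datagram:
    """Minimal view of an inbound UDP datagram (constructed for the example)."""
    src_ip: str
    src_port: int
    dst_port: int
    length: int


def classify(dgram):
    """Return 'accept', 'drop:<service>' or 'ignore' for one datagram.

    'ignore' means the datagram is not for this listener at all; the
    decision is purely on the UDP header, before any QUIC parsing.
    """
    if dgram.dst_port != QUIC_PORT:
        return "ignore"
    service = REFLECTION_SOURCE_PORTS.get(dgram.src_port)
    if service is not None:
        return "drop:" + service
    return "accept"


def filter_batch(datagrams):
    """Split a batch into accepted datagrams and a per-service drop counter."""
    accepted = []
    dropped = Counter()
    for d in datagrams:
        verdict = classify(d)
        if verdict == "accept":
            accepted.append(d)
        elif verdict.startswith("drop:"):
            dropped[verdict[len("drop:"):]] += 1
    return accepted, dropped


def nft_rule(ports=REFLECTION_SOURCE_PORTS, dport=QUIC_PORT):
    """Render the same policy as one nftables rule.

    Assumes a table 'inet filter' with a chain 'input' already exists;
    'counter' makes the drop count readable with `nft list ruleset`.
    """
    port_set = ", ".join(str(p) for p in sorted(ports))
    return ("add rule inet filter input udp sport { %s } udp dport %d "
            "counter drop" % (port_set, dport))


def allocate_nat_port(rng, avoid=REFLECTION_SOURCE_PORTS, low=1024, high=65535):
    """NAT-side use of the list: pick an external port not on it.

    Hypothetical allocator; a real NAT would also track bindings in use.
    """
    while True:
        port = rng.randint(low, high)
        if port not in avoid:
            return port


# Constructed sample traffic: two real clients, four reflected datagrams
# (two of them from the same memcached host), one datagram for another port.
SAMPLE_DATAGRAMS = [
    Datagram("198.51.100.7", 51423, 443, 1232),
    Datagram("203.0.113.5", 53, 443, 1232),
    Datagram("203.0.113.9", 123, 443, 482),
    Datagram("192.0.2.44", 11211, 443, 1400),
    Datagram("192.0.2.44", 11211, 443, 1400),
    Datagram("198.51.100.8", 60001, 443, 1232),
    Datagram("198.51.100.8", 1900, 8443, 300),
]

if __name__ == "__main__":
    accepted, dropped = filter_batch(SAMPLE_DATAGRAMS)
    print("accepted:", len(accepted), "dropped:", dict(dropped))
    print(nft_rule())
    print("NAT external port:", allocate_nat_port(random.Random(1)))
```

The design choice worth noting is that the server filter decides on the UDP header alone, so it is cheap, but it also cannot tell a reflected response from a genuine client whose NAT happened to assign external port 53 or 123; that collateral is exactly why the thread argues the list should live somewhere NAT and CGNAT vendors will read it, which `allocate_nat_port` models by consulting the same map.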