IETF Logo Mail Archive

Re: New Version Notification for draft-duke-quic-natsupp-00.txt

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Thu, 30 January 2020 09:53 UTC

Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBD611200B4 for <quic@ietfa.amsl.com>; Thu, 30 Jan 2020 01:53:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LuQHoVh1LXkt for <quic@ietfa.amsl.com>; Thu, 30 Jan 2020 01:53:34 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2073.outbound.protection.outlook.com [40.107.20.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4369412011D for <quic@ietf.org>; Thu, 30 Jan 2020 01:53:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=l1recdkAJazLb9SWMlGXWSpaynjKmk9uPI+MC32EbBnkL59RcUznMsAlK2yWYNc9cM4ZRfjBJK/eLRpkP9YHSFTQPej7FZHs4xCXzrNIy2i9F7VFZAhsOOKFjPc4wiMfMalb2xvgRkMLdvItUX6faUlolRIxHGDHzhbGtL/B2CqcKo3B6MNDr0t4jG3wAwOhDLTFe/clzRfDxswpCdVqGY9nSk4KksBF5ILzreS/bGF/jmzXWJw2aBGZtQ3A65aKF+tw5sB8hciZM4VWxcgildaB3MQkPU0OFq48rUhOTA9Amdo98GOJ+5Et4lhd7lx9vDohlv8jY5Lir0O4dcWHfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+dkOkOkiTpxpCw+X1dO1tFeI6xIrt4cDoAgdo82cgSk=; b=fMoxJ1OT/I4jki/dGcy8UExIZmLG/xVpVHJo9nlSIkWmUhYHz64sz8W6X9fU+b4n2TeeBk7Bmt321KQe4SOsV2rE1scmCdpiz6F8ZzGUGu/2C7lcsMa0SRC2moDey2lgxZc+fwqeu4PQdZXr951sKYNdfQPGvskCXu+HwuBPOaSFb6F7blNZ+HaT8P1408z2macQ2SAWghTWAeLH+fwguaig2o6j+B+bdOf5IDz8/v7YFpPHlKwJp1ENI1jgR1w8NBhiMtRhkaLzvlwVLnqGpSrYNBKM5UVeEUsrONUz6WOf5ja/HsAvUfdg/rCYqHsazFedn4mX3BMKe13HkByn5g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+dkOkOkiTpxpCw+X1dO1tFeI6xIrt4cDoAgdo82cgSk=; b=IF8F0FFQ+zMizUT8IqMiCACQrb14ReY4Z5CGcgtJrEsCeyoj6K5ldpVwIK2rFQHxQeHwUTeg7qk/5W3b8BX6KvQl944Hi53rZX7ulTI2oLKIOya4K2XzerxOJBrv6Q6fJq5fbqq+dsJ+loXMAKnqw+PPSdKVt+/73Jwq2n/5ZfY=
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com (52.135.149.158) by AM0PR07MB5411.eurprd07.prod.outlook.com (20.178.23.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2686.14; Thu, 30 Jan 2020 09:53:32 +0000
Received: from AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7]) by AM0PR07MB4691.eurprd07.prod.outlook.com ([fe80::4879:46ae:16e:f5b7%7]) with mapi id 15.20.2686.025; Thu, 30 Jan 2020 09:53:32 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: Martin Duke <martin.h.duke@gmail.com>
CC: IETF QUIC WG <quic@ietf.org>
Subject: Re: New Version Notification for draft-duke-quic-natsupp-00.txt
Thread-Topic: New Version Notification for draft-duke-quic-natsupp-00.txt
Thread-Index: AQHV1gjboi/pVkkeTEm5AkAzYIUU46gBcaSAgABwEYCAASk+gA==
Date: Thu, 30 Jan 2020 09:53:32 +0000
Message-ID: <6A334674-0D30-4FB6-A4BE-4D2BBAF344A4@ericsson.com>
References: <157470946896.14159.17248985824634821547.idtracker@ietfa.amsl.com> <CAM4esxTPb1p_mH4eOpj62K0hVd0c5S50UC=rSbVqe=1bRXyJ0g@mail.gmail.com> <FCCC853A-2984-4823-AB67-71DA0A13E4A0@ericsson.com> <CAM4esxQPOJmnm+qmBPhQDi-hrYMkXUjB8Ptj5FaT6o7pK3K8YA@mail.gmail.com>
In-Reply-To: <CAM4esxQPOJmnm+qmBPhQDi-hrYMkXUjB8Ptj5FaT6o7pK3K8YA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mirja.kuehlewind@ericsson.com;
x-originating-ip: [192.176.1.97]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 24614342-caa2-4f93-f40d-08d7a56a43f4
x-ms-traffictypediagnostic: AM0PR07MB5411:
x-microsoft-antispam-prvs: <AM0PR07MB5411E13130B65B3321A6E01BF4040@AM0PR07MB5411.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02981BE340
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(396003)(136003)(39860400002)(366004)(346002)(199004)(189003)(4326008)(44832011)(6916009)(6512007)(71200400001)(2616005)(2906002)(5660300002)(966005)(478600001)(33656002)(4001150100001)(6486002)(86362001)(15650500001)(91956017)(186003)(36756003)(316002)(64756008)(81166006)(76116006)(8936002)(66446008)(8676002)(26005)(6506007)(81156014)(66476007)(53546011)(66574012)(66556008)(66946007); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB5411; H:AM0PR07MB4691.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: iTlA//byEW/dFeizCG++RYkuiTYr8/b24PMUkVrPSE4tqAxcxmwHxhQbpIzskgigNYwRCL9K583oudStJsJ8FLSJiTLK79slXe56qmO4YFjmY56eUBourwlIbwlyiwCxckXPZXQAKy+Y5AI6MUUCpNnnUTizUjelXbuBaSB71yibiTloTR3/fHIXsjIZXksYZKOlhiPZLEv0k01Rq5274bIe1Sb5/M+5H1WWDtWn+ORIlnsxUFoDaLTwXBVYG2w1jlw8hSP2AYQAF4Fb2k042ikXZOwVUWkgBnoECTHg6UkNu8ShDnbHtSoXycNRTBJpp2uMx7DYhbWZ/zjK0tEwTT3/zLRX7ikYn3xi3iqreOSFP6xtC5a2Z4BqlOsXaEq0RCXWaCbbV//vmd8a1vQs6uh2dywMoMMN78kRhRWmACOR99l8WxrhTNkCI8LwS1OuWVikboa4mWPvDx7UwtOSL4J4pZ2oAOgqiQJ2pRo+D8nD51MuWK0YsY+iRIGT7FAeac8Dss57mVvN4mZiChJSRA==
x-ms-exchange-antispam-messagedata: MkaIss+8jRNyqu4+JfWN1tDga9sWlvtK5eUsSrM0uyMO7P8ueNv+1zJ1LT2R6qt+pq6Qiw99WVmhH8w2L8d8GmA9jzF1T/v5jlTPbogfDxjFSJ5qCU2mGzriPtVLyQ8ZrH8E6lEUvJ7FFpzdlYrmew==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_6A3346740D304FB6A4BE4D2BBAF344A4ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 24614342-caa2-4f93-f40d-08d7a56a43f4
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jan 2020 09:53:32.0398 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZSjYCKNu/mP0QOtdjalcE+odhRCFgTsKdUXLyUQ1V+AINHcMxuKLSeN2rnNNmlbBz1snu+1Fa7uyOVwgTn+DrdT9Xbfcbk1iAciHnrwwvwg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB5411
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/tG-UF45OAFWVFWq-5bF-1qCBnaQ>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jan 2020 09:53:38 -0000

Hi Martin,

see inline.

From: Martin Duke <martin.h.duke@gmail.com>
Date: Wednesday, 29. January 2020 at 18:09
To: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
Cc: IETF QUIC WG <quic@ietf.org>
Subject: Re: New Version Notification for draft-duke-quic-natsupp-00.txt

Hi Mirja,

For Section 4.1, here is the scenario I have in mind:
- the NAT is out of public addresses and ports and uses CIDs to multiplex clients over one port (which the draft is arguing it should not do)
-  NAT routes packets coming in from the internet with address/port A:B and CID C to client #1
- NAT routes packets coming in from the internet with address/port A:B and CID D to client #2
- Client #1 provides a new CID E to the server
- The NAT receives a packet for address/port A:B and CID E, and cannot disambiguate the two clients.

I somehow was initially only think about out-going packet and no incoming packets… so, yes, the NAT needs to discard this packet. However, you say the NAT is out of addresses/ports, thus not using the CID would have meant that it would have to discard the connection right at the beginning. Not sure if that is any better…?


Section 4.2.
- Server deployment has 4-tuple routing and it is expensive to change
- IT installs a NAT at the front of the infrastructure that stores a mapping of CIDs to inbound source address and port.

This step was also not fully clear to me from the draft. Now that I look at it again, I understand what’s meant but I think it could be clearer in the draft.

So is 4-tuple routing actually common? Why is the 4-tuple used instead of only routing based on the destination address/port?

- If a packet arrives with a known CID but a different source address/port, the NAT will rewrite the source/address port to the old value, and thus the packet will route to the correct back-end server. Thus the infrastructure is robust to NAT rebinding, if not intentional migration with a new CID.
- While this "works", it has security implications as discussed.

I think you need to further explain the attack case here in the draft – that an attacker might spoof the IP address and therefore can DDoS a target as the server might keep sending a large amount of data to that new IP address. However, I think this should probably be discussed in the security section of the transport draft a bit more as this is only possible because of migration which is a new feature in QUIC.

However, given that if someone anyway decided to implement this setup, the endpoints have no way to detect that an address changed and was respectively re-written then again, should we maybe start think about a way to improve the situation…?


If we decide this is worth writing up at all, I'll try to make it clearer. Or have I made a mistake somewhere?

Thanks for the comments. Let's discuss next week if this worth living as a separate document.

Sure.

Mirja



Martin

On Wed, Jan 29, 2020 at 1:28 AM Mirja Kuehlewind <mirja.kuehlewind@ericsson.com<mailto:mirja.kuehlewind@ericsson.com>> wrote:
Hi Martin,

thanks for writing this up. I have two questions and a comment.

This part in section 4.1:
   “Therefore, leveraging Connection IDs will cause sudden connection
   breakage when an incoming packet uses CIDs with no clear mapping.”
Not sure I understand this correctly but would a NAT simply assign a new port/address when a new CID shows up..? Why would that break connectivity? Or what do you mean with that?

Regarding section 4.2:
You basically say that changing the port/address might break 4-tuple routing on the other end. But wouldn’t mean that any NAT rebinding would break connectivity and that’s a problem by the other end that should be solved there?

I think the most important part of the document is the last paragraph in section 4.2. I’d recommend to put that in an own section. However, I’m actually not convinced about the other two points (above). If that is the only point we would need to make, maybe that’s also something to put in the manageability document.

Mirja


From: QUIC <quic-bounces@ietf.org<mailto:quic-bounces@ietf.org>> on behalf of Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>>
Date: Tuesday, 28. January 2020 at 19:29
To: IETF QUIC WG <quic@ietf.org<mailto:quic@ietf.org>>
Subject: Fwd: New Version Notification for draft-duke-quic-natsupp-00.txt

At Gorry's suggestion, I took the NAT recommendations and put them in a short draft that NAT guys are more likely to read. If this seems extraneous, I'm happy to get that feedback.

---------- Forwarded message ---------
From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Mon, Nov 25, 2019 at 11:17 AM
Subject: New Version Notification for draft-duke-quic-natsupp-00.txt
To: Martin Duke <martin.h.duke@gmail.com<mailto:martin.h.duke@gmail.com>>



A new version of I-D, draft-duke-quic-natsupp-00.txt
has been successfully submitted by Martin Duke and posted to the
IETF repository.

Name:           draft-duke-quic-natsupp
Revision:       00
Title:          Network Address Translation Support for QUIC
Document date:  2019-11-25
Group:          Individual Submission
Pages:          5
URL:            https://www.ietf.org/internet-drafts/draft-duke-quic-natsupp-00.txt
Status:         https://datatracker.ietf.org/doc/draft-duke-quic-natsupp/
Htmlized:       https://tools.ietf.org/html/draft-duke-quic-natsupp-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-duke-quic-natsupp


Abstract:
   Network Address Translators (NATs) are widely deployed to share
   scarce public IPv4 addresses among mutiple end hosts.  They overwrite
   IP addresses and ports in IP packets to do so.  QUIC is a protocol on
   top of UDP that provides transport-like services.  QUIC is better-
   behaved in the presence of NATs than older protocols, and existing
   UDP NATs should operate without incident if unmodified.  QUIC offers
   additional features that may tempt NAT implementers as potential
   optimizations.  However, in practice, leveraging these features will
   lead to new connection failure modes and security vulnerabilities.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

The IETF Secretariat

v2.23.0 | Report a Bug | By Email