IETF Logo Mail Archive

Re: QUIC Address Extension for NAT detection

Tommy Pauly <tpauly@apple.com> Wed, 13 March 2019 17:31 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F7C6130EF7 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 10:31:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dXVDJhK_KkE8 for <quic@ietfa.amsl.com>; Wed, 13 Mar 2019 10:31:39 -0700 (PDT)
Received: from nwk-aaemail-lapp02.apple.com (nwk-aaemail-lapp02.apple.com [17.151.62.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9779E130F02 for <quic@ietf.org>; Wed, 13 Mar 2019 10:31:39 -0700 (PDT)
Received: from pps.filterd (nwk-aaemail-lapp02.apple.com [127.0.0.1]) by nwk-aaemail-lapp02.apple.com (8.16.0.27/8.16.0.27) with SMTP id x2DHLQmZ027494; Wed, 13 Mar 2019 10:31:37 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : message-id : subject : date : in-reply-to : cc : to : references; s=20180706; bh=jSz9y3csaOjgVdcWwu3BT6QWcgFCdPVS1FxqcPnBq6c=; b=GHQJ3F9DA36A/0jtZtZ3Kuy8+guE57SR1QmIFrS+aBoxTEbKiQVc/Hv6W70D7hUS/zSS 7o7hBjmzDxwn3Hxl1hj+wSmzyzSg/qRhK8/IxKh+qH6zN/LhRxBRuDchiUGuaO6VQK6I VCOXdRYCGtCaloKiTGinWwrIGjsn+AXcpN+M029zJ9yD5tOuXU04Gx0neZOUxN7FnOmM GN2ZjhLFEcuVj65WOSa0ZF2fn5RsoyyCk5BSUqQX7UM1FM5V+pTsneJAsuLqB6ZU7S+N j9C6Eq+ZvaLfD0/1Sl4uGDSyGi2v4jf/Wm9zhyvL2rdftCWLrd89KTN92kVxN8Q5qyUu EQ==
Received: from ma1-mtap-s03.corp.apple.com (ma1-mtap-s03.corp.apple.com [17.40.76.7]) by nwk-aaemail-lapp02.apple.com with ESMTP id 2r4axtffqy-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 13 Mar 2019 10:31:37 -0700
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_aa00d+Av5abdENoNz4o42w)"
Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by ma1-mtap-s03.corp.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPS id <0POB00D7IFCN2730@ma1-mtap-s03.corp.apple.com>; Wed, 13 Mar 2019 10:31:36 -0700 (PDT)
Received: from process_milters-daemon.nwk-mmpp-sz11.apple.com by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) id <0POB00500F21NM00@nwk-mmpp-sz11.apple.com>; Wed, 13 Mar 2019 10:31:36 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 5587d8e057f86e2aae994903c3eef08b
X-Va-E-CD: 75ed10a4c389fdf1385774fd634da24b
X-Va-R-CD: d917230d437218739bb5986c278bef7a
X-Va-CD: 0
X-Va-ID: 6716c412-f8b0-4019-8d59-aa89b57eb194
X-V-A:
X-V-T-CD: 7e033510bdf844d1de9690c1bf9f162b
X-V-E-CD: 75ed10a4c389fdf1385774fd634da24b
X-V-R-CD: d917230d437218739bb5986c278bef7a
X-V-CD: 0
X-V-ID: 937c500f-1a3a-46a5-b771-eb81ad3bb888
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-13_11:,, signatures=0
Received: from [17.230.175.227] (unknown [17.230.175.227]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.2.3.20181024 64bit (built Oct 24 2018)) with ESMTPSA id <0POB00H2EFCNXQ50@nwk-mmpp-sz11.apple.com>; Wed, 13 Mar 2019 10:31:36 -0700 (PDT)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <818B6C3F-52C5-4107-828F-31CDD0A7FAFE@apple.com>
Subject: Re: QUIC Address Extension for NAT detection
Date: Wed, 13 Mar 2019 10:31:34 -0700
In-reply-to: <CAN1APdep9iW+nurOhjCBVNO-KiPEEr_6xsgvSQ0zkRDnAr9Wqg@mail.gmail.com>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, QUIC WG <quic@ietf.org>, Eric Kinnear <ekinnear@apple.com>, Chris Wood <cawood@apple.com>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
References: <3E6E5A5B-C1B1-4ABF-89AB-C5FAF634F080@apple.com> <CAN1APdep9iW+nurOhjCBVNO-KiPEEr_6xsgvSQ0zkRDnAr9Wqg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-13_11:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/xosJI0k6Iz0Yh9UXYzxZOAvsSHk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 17:31:43 -0000


> On Mar 13, 2019, at 9:54 AM, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> wrote:
> 
> How does that work when you are behind multiple layers of translations, which isn’t that unusual in a cloud environment:
> Client has a nat router at home, cloud has public to private IP mappings.

NAT detection, as already works in protocols like IKE, generally just detects that there is either something translating your address/ports or not. So, each direction can detect that there is >=1 translations, but not how many.

> 
> Also, this information could provide information about cloud infrastructure that maybe best stays local - not sure about implications. But a standard web framework terminating QUIC might have no idea about the surrounding infrastructure and volunteer more information that the cloud infrastructure wants to.

Can you explain the concern around cloud infrastructure? If a server is running in a cloud service, this extension has it send the *client's* address back to the client so that the client can detect if it is itself behind a NAT. No peer sends their own local address to the other side at any point.

Best,
Tommy

> 
> 
> Kind Regards,
> Mikkel Fahnøe Jørgensen
> 
> 
> On 13 March 2019 at 17.20.02, Tommy Pauly (tpauly=40apple.com@dmarc.ietf.org <mailto:tpauly=40apple.com@dmarc.ietf.org>) wrote:
> 
>> We recently posted a draft that defines a proposed extension to QUIC that allows peers to request their perceived IP address and port from their peer, effectively allowing NAT detection along a path:
>> 
>> QUIC Address Extension
>> https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/ <https://datatracker.ietf.org/doc/draft-pauly-quic-address-extension/>
>> 
>> We have posted a corresponding document in TLS that provides the same mechanism for TLS/TCP connections:
>> 
>> TLS Client Network Address Extension
>> https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/ <https://datatracker.ietf.org/doc/draft-kinnear-tls-client-net-address/>
>> 
>> One of the benefits specific to QUIC from detecting a NAT is that it helps determine whether or not NAT rebindings are expected to create “fake” migration events. It also helps a client know whether or not rotating CIDs and local ports will be of use to obfuscate a client’s connections.
>> 
>> If you have any thoughts on use cases for this information, or the mechanism, we’d love to hear them!
>> 
>> Best,
>> Tommy

v2.23.0 | Report a Bug | By Email