Re: [tsvwg] UDP source ports for HTTP/3 and QUIC

Joseph Touch <> Sat, 24 July 2021 17:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 780463A0CFC for <>; Sat, 24 Jul 2021 10:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.318
X-Spam-Status: No, score=-1.318 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VDfye280JV4S for <>; Sat, 24 Jul 2021 10:58:10 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 113913A4462 for <>; Sat, 24 Jul 2021 10:58:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=dPUq8IznpNkLA2K2zpQd4dH5RA7H4x5YSwT0COyJ5bE=; b=VwaVlyk8GZ3+U0fad7G5YZ1gCf cLk7twBWADD0JNkj1gLcOXoqBx0g6K3AfyMflwcogoiw3OVesLdx58eaUyi1xIT8upvnAp8L9kTdi i9Oe/nKkQMqfKBIzLkAb/06fdn0SNO7V2mEmaOyRVJ5kAPkyr82gJdN1SGvNmUtwuZyUQgeJa5Yta FuOH2xf6vRHbVUUErMQrD6WkAVvlcBvVinqKnZct9+ySn0M/UsI1AVLgPkkR4UZkWZdP+Uh+QAGtA 2plWW6hubYC7qLdtKa1jBo4NZ071gJf2nmpulQ2S0v+BihxTSHtU72ii9OMKRHhQZcJekapB5W4I3 aBP8Mnxw==;
Received: from ([]:50767 by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <>) id 1m7LuW-0039kg-Hj; Sat, 24 Jul 2021 13:58:08 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_10C47BDD-A9EB-45C9-AC49-31AF990610F8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Joseph Touch <>
In-Reply-To: <>
Date: Sat, 24 Jul 2021 10:58:03 -0700
Cc: Mark Nottingham <>, "" <>
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
To: "Black, David" <>
X-Mailer: Apple Mail (2.3654.
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [tsvwg] UDP source ports for HTTP/3 and QUIC
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 24 Jul 2021 17:58:15 -0000

Hi, David,

> On Jul 23, 2021, at 9:05 AM, Black, David <> wrote:
> > This is the core Issue though. So we have a problem where people generate spoofed traffic.
> > 
> > And some patterns of that traffic can be identified by how they use source ports.
> In the cases of interest for this discussion, the source ports are real not spoofed.

Correct me if I’m not tracking:

A- some people send spoofed packets as attacks
B- the packets have one thing in common - use of particular source ports
C- so others have started to filter based on those source ports
D- which means legitimate uses of those ports are now blocked

Assuming that tracks:

(C) has made the leap that “correlation” becomes “cause”, so now it’s not just being under attack, but merely looking at the port that is considered an attack to be blocked

This is no different than the RST attacks on TCP, as follows:

A- some people sent spoofed RSTs all over the sequence space as attacks
B- the packets have one thing in common - being RSTs
C- so there was a proposal to block RSTs not at a single correct location in the receive window
D- which means legitimate transmissions of RSTs are now blocked (and that everyone had to change their TCP, making it more complex).

This is a common IETF fallacy:

A. Some people do X
B. There is a correlation between X and Y (not cause and effect)
C. Others interpret X as bad, leaping from correlation to cause and effect
D. We all have to deal with it (complexity)

We need to stop this at step C and declare THAT the problem.