Re: [tsvwg] UDP source ports for HTTP/3 and QUIC

Gorry Fairhurst <gorry@erg.abdn.ac.uk> Tue, 20 July 2021 14:40 UTC

To: tsvwg@ietf.org
Cc: Joseph Touch <touch@strayalpha.com>, Mark Nottingham <mnot@mnot.net>, "tsvwg-chairs@ietf.org" <tsvwg-chairs@ietf.org>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net> <CF409524-96F3-412A-A8DB-E4EFFDD9F4E7@mnot.net> <E62515E7-38FD-4197-8CF0-2D196FB6D6C4@strayalpha.com> <16CD883B-9561-41A5-97E0-43EF3618333C@mnot.net> <8235BE77-7849-49A3-A709-EB32EB039982@strayalpha.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Message-ID: <f763b818-7fd8-0e13-8d19-a1cdadd14d1f@erg.abdn.ac.uk>
Date: Tue, 20 Jul 2021 15:39:20 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <8235BE77-7849-49A3-A709-EB32EB039982@strayalpha.com>
Content-Type: multipart/alternative; boundary="------------BCC596C91430ED0C0213FD9B"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/8_6Tl3z4_uzKPxozVGJrWsIq3mQ>
Subject: Re: [tsvwg] UDP source ports for HTTP/3 and QUIC
List-Id: Transport Area Working Group <tsvwg.ietf.org>

This is just a short note to say that I think this topic **IS** in the 
scope of tsvwg.

IETF transport protocols do utilise source ports in various ways 
(RFC6437; RFC6438; RFC8086; etc.), e.g.:

- as a part of IP fragmentation processing in the net and at endpoints;
- as a part of forwarding, QoS classification and tunnel processing;
- as a part of load balancing (ECMP etc.);
- randomised src ports as a method of mitigating off-path data insertion 
attacks at receivers;
- etc.

Some protocols have specified the src port as a part of their spec. 
Some relevant BCPs are RFC8085 and RFC6056. I'd expect recommendations to 
on-path devices to *NOT* be specific to QUIC, and devices don't know 
which traffic is QUIC; endpoints at the transport also might not know 
which traffic is QUIC.

Please do discuss the use of source ports here on the tsvwg list, 
especially if there is new thinking on how source ports of QUIC should 
be used and/or should be managed.

Best wishes,

Gorry Fairhurst
(as a TSVWG Chair)

On 20/07/2021 05:10, Joseph Touch wrote:
> Hi, Mark,
>
>> On Jul 19, 2021, at 8:43 PM, Mark Nottingham <mnot@mnot.net 
>> <mailto:mnot@mnot.net>> wrote:
>>
>> Hi Joe,
>>
>>> On 20 Jul 2021, at 1:15 pm, Joseph Touch <touch@strayalpha.com 
>>> <mailto:touch@strayalpha.com>> wrote:
>>>
>>> Hi, Mark,
>>>
>>> All ports are permitted as *source* ports. They are not assigned by 
>>> IANA nor do any have special meaning, AFAICT.
>>>
>>> Port values have meaning most specifically in socket pairs; they are 
>>> assigned/reserved by IANA and have meaning for a RFC793-style socket 
>>> ONLY when there is a corresponding RFC793-style listen that 
>>> allows the source port to float AND when there is no more specific 
>>> binding to a socket pair.
>>
>> And yet, we have text like this in RFC5905:
>>
>>> dstport: UDP port number of the client, ordinarily the NTP port
>>   number PORT (123) assigned by the IANA.  This becomes the source port
>>   number in packets sent from this association.
>
> This is consistent with my definition above. See notably the 
> definition for srcport, which is 123 only in symmetric mode (which 
> makes sense - both sides can receive requests).
>
>> and this in RFC6762:
>>
>>> A compliant Multicast DNS querier, which implements the rules
>>   specified in this document, MUST send its Multicast DNS queries from
>>   UDP source port 5353 (the well-known port assigned to mDNS)
>
> It is sending from the port on which it listens, as noted in the 
> remainder of that paragraph:
>     , and MUST
>     listen for Multicast DNS replies sent to UDP destination port 5353 at
>     the mDNS link-local multicast address (224.0.0.251 and/or its IPv6
>     equivalent FF02::FB).
> I.e., it is sending from a server.
>
>>> This suggests we should neither create a registry nor document this 
>>> approach, to avoid either giving the impression of endorsing this 
>>> behavior.
>>
>> I don't follow.
>>
>>> At best, we should document why this behavior is incorrect and 
>>> should be avoided.
>>
>> Based upon the preliminary discussions we've had on the QUIC list, I 
>> don't think there's consensus to do that.
>
> Well, there’s no consensus on reserving ports as source ports UNLESS 
> that is the port on which the service listens. I.e., IANA ports are 
> defined as listening ports and are thus used in packets emitted from 
> that listener.
>
> There should be no prohibition on using any port number for source 
> unless a listen exists on that port. There's no precedent for that 
> decision and no registry where those values would be indicated.
>
> Joe
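Two of the source-port uses Gorry lists above, ECMP load balancing and randomised source ports as a defence against off-path data insertion, are easy to make concrete in code. The following is an added illustration, not code from this thread or from any IETF document: it picks ephemeral ports the way RFC 6056's simple port randomisation describes (uniform draw from the dynamic range, retry on collision), runs flows through a constructed 5-tuple hash standing in for a router's ECMP selection (real devices use vendor-specific hashes; the point is only that the source port is an input), and shows the receiver-side 4-tuple check that makes a blind off-path datagram fail to match a connected socket. Function names, the toy hash and the sample addresses are all assumptions chosen for the example.

```python
import hashlib
import random

# IANA dynamic/private range; RFC 6056 recommends drawing ephemeral ports from a large range.
EPHEMERAL_LO, EPHEMERAL_HI = 49152, 65535
EPHEMERAL_COUNT = EPHEMERAL_HI - EPHEMERAL_LO + 1  # 16384 candidate ports


def pick_ephemeral_port(in_use, rng=None):
    """Randomised ephemeral port selection in the spirit of RFC 6056 ("simple port
    randomisation"): draw uniformly from the range and retry if the port is in use."""
    rng = rng or random.SystemRandom()
    for _ in range(EPHEMERAL_COUNT * 4):
        port = EPHEMERAL_LO + rng.randrange(EPHEMERAL_COUNT)
        if port not in in_use:
            return port
    raise RuntimeError("ephemeral port range exhausted")


def ecmp_path(src_ip, dst_ip, proto, src_port, dst_port, n_paths):
    """Constructed 5-tuple hash standing in for a router's ECMP next-hop choice.
    Real hardware hashes differ, but they mix in the source port just like this."""
    key = f"{src_ip}|{dst_ip}|{proto}|{src_port}|{dst_port}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n_paths


def paths_used(src_ports, n_paths, src_ip="192.0.2.10", dst_ip="198.51.100.7", dst_port=443):
    """How many distinct ECMP paths are taken by UDP flows from one host to one
    server that differ only in their source port (sample addresses are constructed)."""
    return len({ecmp_path(src_ip, dst_ip, 17, p, dst_port, n_paths) for p in src_ports})


def datagram_accepted(sock, pkt):
    """Receiver-side demux for a connected UDP socket: the datagram must match the
    local port and the remote (ip, port) the socket was connected to. A sender that
    does not know the randomised source port fails this check."""
    return (pkt["dst_port"] == sock["local_port"]
            and pkt["src_ip"] == sock["remote_ip"]
            and pkt["src_port"] == sock["remote_port"])


def blind_guess_probability():
    """Per-packet chance that a blind off-path sender, assumed to know the other
    three 4-tuple fields, matches a port drawn uniformly from the range
    (about 14 bits of entropy with this range)."""
    return 1.0 / EPHEMERAL_COUNT


if __name__ == "__main__":
    rng = random.Random(7)  # seeded only so the demo is repeatable; use SystemRandom in practice
    random_ports = [pick_ephemeral_port(set(), rng) for _ in range(64)]
    print("fixed source port 443, 64 flows ->", paths_used([443] * 64, 8), "ECMP path(s)")
    print("randomised source ports, 64 flows ->", paths_used(random_ports, 8), "ECMP path(s)")
    sock = {"local_port": random_ports[0], "remote_ip": "198.51.100.7", "remote_port": 443}
    good = {"src_ip": "198.51.100.7", "src_port": 443, "dst_port": random_ports[0]}
    stray = {"src_ip": "198.51.100.7", "src_port": 443, "dst_port": EPHEMERAL_LO}
    print("in-path reply accepted:", datagram_accepted(sock, good))
    print("datagram to wrong port accepted:", datagram_accepted(sock, stray))
    print("blind single-guess probability:", blind_guess_probability())
```

The two `paths_used` calls make the load-balancing point in the list above: when every flow from a host reuses one fixed source port, the 5-tuple hash sees identical inputs and all of those flows share a single path, whereas randomised ports spread them. The same randomness is what `datagram_accepted` and `blind_guess_probability` quantify from the receiver's side.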