Re: [tsvwg] UDP source ports for HTTP/3 and QUIC
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Thu, 22 July 2021 21:15 UTC
Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DACC3A0B88 for <tsvwg@ietfa.amsl.com>; Thu, 22 Jul 2021 14:15:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVOs8Hdw-K9y for <tsvwg@ietfa.amsl.com>; Thu, 22 Jul 2021 14:15:11 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [137.50.19.135]) by ietfa.amsl.com (Postfix) with ESMTP id 99C373A0B83 for <tsvwg@ietf.org>; Thu, 22 Jul 2021 14:15:10 -0700 (PDT)
Received: from GF-MBP-2.lan (fgrpf.plus.com [212.159.18.54]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id 7B38B1B00288; Thu, 22 Jul 2021 22:14:34 +0100 (BST)
To: "Black, David" <David.Black@dell.com>, Joseph Touch <touch@strayalpha.com>
Cc: Mark Nottingham <mnot@mnot.net>, "tsvwg@ietf.org" <tsvwg@ietf.org>
References: <3985895D-D420-4995-831E-332E33693B79@mnot.net> <CF409524-96F3-412A-A8DB-E4EFFDD9F4E7@mnot.net> <E62515E7-38FD-4197-8CF0-2D196FB6D6C4@strayalpha.com> <16CD883B-9561-41A5-97E0-43EF3618333C@mnot.net> <8235BE77-7849-49A3-A709-EB32EB039982@strayalpha.com> <AA5B1FC1-E0E8-488F-AE2E-F21696AD0A06@akamai.com> <MN2PR19MB4045E5063CE13DDE39D5BE8683E29@MN2PR19MB4045.namprd19.prod.outlook.com> <9263482C-2E0A-46F0-9351-B63C0E3B53E0@strayalpha.com> <MN2PR19MB40450ACCE13E4A335FF929A483E49@MN2PR19MB4045.namprd19.prod.outlook.com> <694559d2-c0ac-80f2-7336-950bf6384a9d@erg.abdn.ac.uk> <MN2PR19MB40454F6D65F78FD618C691E283E49@MN2PR19MB4045.namprd19.prod.outlook.com>
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Message-ID: <79d01f33-bc20-fce6-b49d-7c7cd67bea70@erg.abdn.ac.uk>
Date: Thu, 22 Jul 2021 22:14:34 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <MN2PR19MB40454F6D65F78FD618C691E283E49@MN2PR19MB4045.namprd19.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------1F18A213E91832E6F1730FF2"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/C_kroTJsVXn2JTaQqcZdRUDnZWg>
Subject: Re: [tsvwg] UDP source ports for HTTP/3 and QUIC
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jul 2021 21:15:16 -0000
On 22/07/2021 19:10, Black, David wrote: > > Dell Customer Communication - Confidential > > Hi Gorry, > > Quoting from the original message that Mark forwarded > (https://mailarchive.ietf.org/arch/msg/tsvwg/7Fbxa5NryyUzJSWesNFbAx6hs3U/ > <https://mailarchive.ietf.org/arch/msg/tsvwg/7Fbxa5NryyUzJSWesNFbAx6hs3U/> > - scroll down past Mark's initial remarks to TSVWG): > > > If a client chooses source ports from the ephemeral port range, this > shouldn't be an issue. However, some implementations (or deployments) > extend the source port range "downwards" to avoid exhaustion: > > Thanks, --David > I haven't quite yet understood this use case, I suspect I must have missed something: Am I understanding this about a client choosing source ports, and this client runs out of ephemeral ports (at least within the time it can reuse closed ports). I can see that servers can have lots of clients, but what is the use-case for a QUIC client to have that many open UDP ports? Gorry > *From:* Gorry Fairhurst <gorry@erg.abdn.ac.uk> > *Sent:* Thursday, July 22, 2021 11:46 AM > *To:* Black, David; Joseph Touch > *Cc:* Mark Nottingham; tsvwg@ietf.org > *Subject:* Re: [tsvwg] UDP source ports for HTTP/3 and QUIC > > [EXTERNAL EMAIL] > > I'm still misisng some context about the use case why a QUIC client > would wishes to use a source port outside the ephmeral range. > > Althoughit was always possible to use all ports as source port, that > use does not come without pain. And QUIC multiplexes data, so what's > the use case for using the lower-numbered source ports? > > Gorry > > On 22/07/2021 16:05, Black, David wrote: > > Hi Joe, > > Let's start from a couple of aspects where we're in rough agreement: > > 1. "… agree with documenting the problem as a problem, but not as > a practice." & > 2. " … no problem making a list of ports that people ... > attribute to attacks." > > Someone ought to "Send Draft!" (credit to Randy Bush) that > contains an explanation of the problem, text to create the new > IANA registry that lists the ports plus some discussion of what > can usefully be done. That draft's text on implications and > recommendations (what can usefully be done) can then be discussed > in detail to get to precise text that is acceptable to all (e.g., > what to do about the view that attribution to attacks in the > second bullet may be mistaken). > > Does that sound reasonable? > > Thanks, --David > > *From:* Joseph Touch <touch@strayalpha.com> > <mailto:touch@strayalpha.com> > *Sent:* Thursday, July 22, 2021 12:57 AM > *To:* Black, David > *Cc:* Holland, Jake; Mark Nottingham; tsvwg@ietf.org > <mailto:tsvwg@ietf.org> > *Subject:* Re: [tsvwg] UDP source ports for HTTP/3 and QUIC > > [EXTERNAL EMAIL] > > Hi, David, > > > > On Jul 20, 2021, at 12:02 PM, Black, David > <David.Black@dell.com <mailto:David.Black@dell.com>> wrote: > > Explaining as an individual, not WG chair ... TL;DR - +1 on > Jake's comments, his understanding matches mine. > > Providing some more detail ... > > > As I understand the proposal, it's to say "these source ports > happen to match common attack targets that are listening ports > for other protocols, and thus commonly get special handling to > help avoid reflection attacks against those servers". > > > +1 - this is about documenting "running code" that discards > traffic that uses one of those UDP source ports. > > There’s a hazard with this viewpoint, IMO. > > It’s like observing people driving on flat tires and thinking the > road is bumpy. > > There are two solutions: > > - document existing practice and describe how road engineers can > redesign roads to avoid the problem > > - document that driving on flat tires is incorrect and explain > what it impacts > > I agree with documenting the problem as a problem, but not as a > practice. The latter viewpoint endorses it, which then means we > all have to accommodate that behavior. > > > > There’s no precedence for that decision and no > registry where > those values would be indicated. > > > The proposal here is to create such a registry. > > > I definitely agree that a new registry is wanted/warranted, > > I have no problem making a list of ports that people MISTAKENLY > attribute to attacks. > > However, those who assume that a packet is bad simply because it > uses one of these source ports is ITSELF incorrect. Just because > it works when you’re under this attack, doesn’t mean it is safe to > do when you’re not. > > Let’s please not endorse incorrect conclusions that source port > has this sort of meaning. > > Joe >
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Rodney W. Grimes
- [tsvwg] Fwd: UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Joseph Touch
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Joseph Touch
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Gorry Fairhurst
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Holland, Jake
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Black, David
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Joseph Touch
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Black, David
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Gorry Fairhurst
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Black, David
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Gorry Fairhurst
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Gorry Fairhurst
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Joseph Touch
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Black, David
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Joseph Touch
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Mark Nottingham
- Re: [tsvwg] UDP source ports for HTTP/3 and QUIC Joseph Touch