Re: [tsvwg] UDP source ports for HTTP/3 and QUIC

Joseph Touch <> Sun, 25 July 2021 04:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 659013A135E for <>; Sat, 24 Jul 2021 21:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.318
X-Spam-Status: No, score=-1.318 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oMj_orwncA6p for <>; Sat, 24 Jul 2021 21:07:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B298F3A135D for <>; Sat, 24 Jul 2021 21:07:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Cc:Date:In-Reply-To: From:Subject:Mime-Version:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=mZdsvmbhu03N+bIn07anUCVXv9LIQVWm51X4LiLDgvA=; b=FH4bp1kwoPnefmMjYTIurgPQ00 nJUUYIptm2p5Z5uzdJcOTCHsGYTQXRs6ZFYWnnkui9EMSI4tM7m3FgqxBYWGjX4uWvgsdgGgbCtX9 Vy12MKR4cf79FHUJ92kTi8mtZxHZLqCuaQt19AKA+qcZuqBhO0Skpy0nqwvc/nnVO3Nxg/KKOkWbr 7BtsXTl+mzpgjYRPe6U4fLwY7ztrrgkOKCchW2fH2uQ6pqaMONOPk3p0XjukFL4R8zKQBx1ENzwQp 0ZCLUYhi0M5CRvTltwua/HEyQ/S3OZZiHg17iPSJWRGJJKz1TaZboSdv+L0J4Fhke2qh9aZnGX6Pj Fai4uTxg==;
Received: from ([]:52317 by with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <>) id 1m7VPl-001GRB-9O; Sun, 25 Jul 2021 00:07:02 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_E22AC299-E893-4DA4-A914-E14976633189"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Joseph Touch <>
In-Reply-To: <>
Date: Sat, 24 Jul 2021 21:06:56 -0700
Cc: "" <>
Message-Id: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
To: Mark Nottingham <>
X-Mailer: Apple Mail (2.3654.
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
X-From-Rewrite: unmodified, already matched
Archived-At: <>
Subject: Re: [tsvwg] UDP source ports for HTTP/3 and QUIC
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 25 Jul 2021 04:07:09 -0000

Hi, Mark,

> On Jul 24, 2021, at 7:29 PM, Mark Nottingham <> wrote:
>> On 25 Jul 2021, at 3:58 am, Joseph Touch <> wrote:
>> Hi, David,
>>> On Jul 23, 2021, at 9:05 AM, Black, David <> wrote:
>>>> This is the core Issue though. So we have a problem where people generate spoofed traffic.
>>>> And some patterns of that traffic can be identified by how they use source ports.
>>> In the cases of interest for this discussion, the source ports are real not spoofed.
>> Correct me if I’m not tracking:
>> A- some people send spoofed packets as attacks
>> B- the packets have one thing in common - use of particular source ports
> No, it's more like
> A - some people identify services that allow reflection attacks (often, wit
> h a significant amplification factor)
> B - those services often use specific source ports

Your descriptions are consistent with mine; I’m OK with yours.

It’s the next two that are the issue...

>> C- so others have started to filter based on those source ports
>> D- which means legitimate uses of those ports are now blocked.

>> ..
>> This is a common IETF fallacy:
>> A. Some people do X
>> B. There is a correlation between X and Y (not cause and effect)
>> C. Others interpret X as bad, leaping from correlation to cause and effect
>> D. We all have to deal with it (complexity)
>> We need to stop this at step C and declare THAT the problem.
> That may be the problem from your perspective, but from the perspective of people operating services on the Internet, it definitely isn't. 

People care that their traffic is incorrectly being treated as an attack.

Sure, they’ll accept anything the can do to avoid the issue. However, that may not be good for the Internet as it evolves.

> And there is already a precedent of a sort for that view in BCP38:
> """
>   Similar attacks have been attempted using UDP and ICMP flooding.
>   The former attack (UDP flooding) uses forged packets to try and
>   connect the chargen UDP service to the echo UDP service at another
>   site.  Systems administrators should NEVER allow UDP packets destined
>   for system diagnostic ports from outside of their administrativeer 
>   domain to reach their systems.
> """

Agreed; but “designed for” are destination, not source ports. Destination ports indicate both service and socket pair, but source ports are ONLY an indicator of demux. 

We have never registered source ports for a reason - they don’t indicate service. The current error of assuming other meaning to those ports (i.e., that 0 means an attack) is just as bad an idea.