5tuple routing #3536

Merged
merged 26 commits into from Apr 29, 2020
Commits
de06849
Added considerations for 5tuple routing
martinduke Mar 20, 2020
b3e5a0c
s/may/can
martinduke Mar 20, 2020
657b103
typo
martinduke Mar 20, 2020
1406b1d
Responded to reviews
martinduke Mar 25, 2020
6962e63
Fix latest reviews
martinduke Mar 26, 2020
7ad84a2
Addressed most of MT's comments
martinduke Mar 27, 2020
8ea8ed4
whitespace
martinduke Mar 27, 2020
dbc1c1d
Update draft-ietf-quic-transport.md
martinduke Mar 30, 2020
62b34f6
Update draft-ietf-quic-transport.md
martinduke Mar 30, 2020
0abc1ed
Update draft-ietf-quic-transport.md
martinduke Mar 30, 2020
4dfae9c
Update draft-ietf-quic-transport.md
martinduke Mar 30, 2020
2c81e06
Update draft-ietf-quic-transport.md
martinduke Mar 30, 2020
784000e
Update draft-ietf-quic-transport.md
martinduke Mar 30, 2020
88a7120
removed inferences about disable_migration
martinduke Mar 30, 2020
5e6c5b4
Apply suggestions from code review
janaiyengar Apr 28, 2020
e06a542
Apply suggestions from code review
janaiyengar Apr 28, 2020
1c5b3a9
Update draft-ietf-quic-transport.md
janaiyengar Apr 28, 2020
0b4044e
Update draft-ietf-quic-transport.md
janaiyengar Apr 28, 2020
19e9d5c
Update draft-ietf-quic-transport.md
janaiyengar Apr 28, 2020
729fcb0
Update draft-ietf-quic-transport.md
janaiyengar Apr 28, 2020
6567ba8
Update draft-ietf-quic-transport.md
ianswett Apr 28, 2020
1368cce
Update draft-ietf-quic-transport.md
ianswett Apr 28, 2020
3b25faf
Ian's suggestions
martinthomson Apr 29, 2020
36cac20
Update draft-ietf-quic-transport.md
martinduke Apr 29, 2020
601c8fe
Update draft-ietf-quic-transport.md
martinduke Apr 29, 2020
743702c
Update draft-ietf-quic-transport.md
martinduke Apr 29, 2020
26 changes: 16 additions & 10 deletions draft-ietf-quic-transport.md
Expand Up @@ -6396,20 +6396,26 @@ likely to be routed to a different server. There are several actions that can
mitigate or resolve operational and security issues in this case.

* Servers can use an out-of-band mechanism to deliver packets to the correct
destination or transfer state from the original destination. Properly designed,
this completely solves the problem and no further measures are necessary.
destination or transfer state from the original destination.

* Sending the disable_active_migration transport parameter informs the client
that any address change is likely to terminate the connection, which can lead it
to use more aggressive timeouts or terminate connections when its IP address
* If the server has another address where the 5-tuple based routers are not on-
path, the preferred_address transport parameter can communicate that address and
thus support changing client IP addresses without difficulty.

If a server does not implement one of the solutions above, it SHOULD send the
disable_active_migration transport parameter to inform the client that any
address change is likely to terminate the connection, which can lead it to use
strategies to avoid NAT rebinding or terminate connections when its IP address
changes.

* The preferred_address transport parameter can provide a path that does not use
the 5-tuple based routers.
Regardless of other mitigations, servers behind 5-tuple routing MUST do one of
the following to avoid creating a Reset Oracle ({{reset-oracle}}):

* Servers MUST either use different Stateless Reset Token keys, or encode the
client IP address and port in the Stateless Reset token. Doing neither will
create a Reset Oracle (see {{reset-oracle}}).
* not send Stateless Reset under any circumstances, or
* use a different Stateless Reset Token key than other servers, or
* encode the client IP address and port in the Stateless Reset token. If using
the preferred_address transport parameter, the token must also encode the
preferred address.

# IANA Considerations {#iana}
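
Review bot: In the last bullet of the new Reset Oracle list, "the token must also encode the preferred address" uses a lowercase "must" directly under a lead-in sentence that uses normative "MUST", so a reader cannot tell whether the preferred-address requirement is itself normative; write "MUST" or reword it as a consequence of the lead-in requirement. The same bullet says "Stateless Reset token" while the bullet above it says "Stateless Reset Token key", so pick one capitalization for the term. In the preferred_address bullet the wrap after "on-" leaves a dangling hyphen between "on-" and "path" in the source; keep "on-path" on a single line. In the disable_active_migration paragraph, "which can lead it to use strategies" has the server as the sentence subject, so replace "it" with "the client".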
