Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply the 3x amplification-limit to migration too #4264
Apply the 3x amplification-limit to migration too #4264
Changes from all commits
51423d0
3bf6b2f
97ba8a6
59f5a3a
2df832a
549564f
8c0c1f9
fb033df
fb253e9
66b7c2a
593d552
4769dbe
3527972
2ffb2ab
bbc0711
54f48ce
fae20ab
3e5b0fd
8324d82
c549aee
07989a2
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know it is late in the process, but I would much prefer the paragraph to say that "An endpoint SHOULD expand datagrams that contain a PATH_CHALLENGE frame..." The reason is that if we say MUST, picky implementations will account the number of bytes sent and discard un-padded path challenges if they sent 400 bytes of data or more. Such measurements are very hard to get right, so we will end up with interoperability issues.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is specifically an issue for server responses to NAT traversal. A man on the side could trigger a number "fake" NAT traversal, and it makes sense for servers to avoid sending large packets in response to that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In practice, these fake NAT traversals don't seem so concerning because most ports on a NAT are going to be unused and dropped by the NAT itself. And I believe most Large(ie: Carrier Grade) NATs are symmetric, so even if the port was open, the traffic would be dropped.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem happens when the attacker is not behind a NAT, say is using IPv6. Suppose the attacker is an evil client, intent on targeting IPv6 address X, or maybe IPv6 prefix X/64. It can set up a connection, then manufacture a series of short packets with faked source addresses and ports -- packets less than 100 bytes including the IP header, each triggering a 1200 byte response. The evil client can set up an arbitrary number of good connections to do that, effectively getting a factor 12 amplification for a large stream of data.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that if the IP changes, assuming it is a NAT migration is a bit dangerous, so I only had port in mind.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martinthomson the padding enforcement rule says "an endpoint MUST NOT close a connection when it receives a datagram that does not meet size constraints; the endpoint MAY however discard such datagrams." The latter behavior, discarding the datagram, is exactly what leads to interop failure when the server does not pad because of amplification concerns, and the client drops because it interprets the clause as "MUST pad".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy to add text specific to this instance that prohibits enforcement.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added some text that prohibits dropping. I will note that at the point that you detect this violation, you have likely already started to process the packet, so enforcement of the requirement is a little dangerous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO the added text prohibiting dropping resolves this problem
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The added text solves my issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This entire paragraph doesn't seem very specific to "Interaction of Client Migration and Preferred Address"
I think it'd be better to reference the section and not put these normative statements here, since they are so general.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Follow-up Q: Is this SHOULD specific to "Interaction of Client Migration and Preferred Address" or more general? It seems more general, but I don't have a strong opinion.