zzz
0) Hi
zzz
hi
zlatinb
hi
zzz
eyedeekay is probably on the road
orignal
hi
zzz
what's on the agenda for today?
orignal
SSU2 status and release
zzz
ok that's 1)
orignal
and I also want to talk about ipv6-only routers
zzz
I'll add 2) connection migration spec review
zzz
3) is ipv6-only routers
zzz
that's a good list I think
zzz
1) SSU2 status and release
zzz
not much to report on my side; we're on track for a release a week from today
zzz
what do you have to report orignal ?
orignal
so any update about release plans?
orignal
everything works good
zzz
no update. I added code for the 2% at random
orignal
so my plan is to replace rather than add SSU2
zzz
ok
orignal
we will do it for andoroid and for qt
orignal
maybe for windows
orignal
not decided yet
zzz
we did android + non-mac ARM 100%
eyedeekay
I am here but barely, in a cab on the move
zzz
safe travels eyedeekay
eyedeekay
Thanks zzz
zzz
anything else on 1) ?
orignal
maybe for L routers
orignal
not sure yet
orignal
no
zzz
2) connection migration spec review
zzz
as mentioned last week
zzz
did you all have time to read it, and do you have any questions?
orignal
parttially
orignal
still not clear where does it come from
zzz
it starts with the threat model, copied from QUIC
zzz
then path challenge / path response, also from QUIC, but simplified
orignal
yes I understand
zzz
as I said last week, the QUIC spec is very confusing and not even consistent, it's a little messy. I tried to make sense of it
orignal
as I said I don't understand how it's initiated
orignal
say I have a socket binded to an endpoint
orignal
what causes such port change?
zzz
NAT rebinding, usually
zzz
nat keeps a mapping from internal to external port. After some timeout, it "forgets" the mapping
zzz
then you send another packet and it picks a new external port
zzz
does that make sense?
orignal
yes
orignal
but if NAT rebinding
orignal
they should terminate a session
orignal
no it doesn't make sense
zzz
why terminate?
orignal
because we expect port we publish
zzz
if you're firewalled you don't publish a port
orignal
why? because symmetric NAT
zzz
what's your proposal?
orignal
if you see different port just terminate
zzz
that wouldn't fit our threat model as it would allow an attacker to force termination
zzz
and how would you terminate? you'd have to send something to the new port anyway
orignal
agree
orignal
just close a session on my side
orignal
they must do the same once they discover differemt port
zzz
they won't discover it if you don't respond
orignal
through another new session or peer test
orignal
but agree
zzz
I've seen at least 4 different SSU2 routers change port out of about 75. That's over 5%.
orignal
if they don't publish thier port it might make sense
orignal
but only in this case
orignal
e.g. only address without port is allowed to change IP/port
zzz
we must handle this situation, and the entire design of SSU2, with connection IDs, was developed with connection migration in mind, to improve what we do over SSU 1
orignal
agree
zzz
no, because android/mobile can change IPs also, we must support IP changes even if not firewalled
orignal
I disgree
zzz
why?
orignal
if somebody publishes port in thier netdb
orignal
it must be consistent
zzz
then if you change, send your new RI to everybody?
orignal
if I'm in situation when my port is changed by ISP
orignal
I must be firewalled
zzz
sure, but maybe you thought you were not firewalled, and then your port changes.
zzz
so then you do a peer test and discover you really are firewalled
zzz
you have to tear down all your sessions?
orignal
if I'm not firewalled how it's possible?
orignal
if my port changes I should reconnect
zzz
maybe you assumed you were not firewalled when you started up
orignal
them my sitation is mess anyway
orignal
and I should clear it
orignal
e.g. if my status is OK while I'm firewalled
zzz
I don't understand why it would be necessary to put limitations on when we can migrate connections and when we can't. Why not just allow it no matter what?
orignal
no reason, just my thoughts
orignal
about possibilities
orignal
then another question
orignal
if I publish port and discoved my external port is different
zzz
ok, well obviously we will get smarter about it in the next few weeks as we implement it
orignal
should I run peer test again?
orignal
of swith to firewalled
orignal
my point is I want to understand how we might come to this situatation and how to handle it
zzz
yeah if something changed I'll run at least two peer tests and look for the same result
orignal
good pount
orignal
that's what we should start from
zzz
fyi - 1HmrG9 is a port-hopper that does respond to path challenge
orignal
if port mismatches we start peer test
zzz
that's the only one right now that will respond
orignal
maybe older version
orignal
maybe I did something worng
zzz
yeah the others won't answer. lEKII is the most frequent hopper
zzz
I won't send it unless the port changes :)
orignal
see the mistake
orignal
but still should reponse
zzz
I also have seen CEFnjX hop from 6345 to 1044 and then back to 6245
orignal
just don't copy chalenge
orignal
will fix
zzz
oh ok, good
orignal
but you should get it back, maybe with worng data
orignal
a minor bug
zzz
I'll look at the logs later
zzz
any other questions or comments on the spec for now? we'll definitely talk about it more in a few weeks
orignal
not now
orignal
question
zzz
zlatinb, eyedeekay you have any comments?
orignal
can I just change endpoint without path challenge for now?
zzz
i don't think that's a good idea because an attacker could mess things up
zzz
but that's kinda what we do for 10 years in java SSU 1
orignal
after payload decryption ofc
zzz
at least for port changes. We won't change IP in SSU 1
orignal
how can they do it?
zzz
an on-path attacker that copies or modifies a packet to change the port
orignal
if they copy it will be out of sequence
orignal
e.g. already handled
zzz
usually the threat model says an on-path attacker can delay or reorder packets, so they could put the modified one first
orignal
agree
zzz
but it's not very likely, for sure
zzz
I think any strategy would be ok for one release
orignal
anyway let's not do it at least for this release
zzz
yeah I'm not sending any path challenge in trunk, there's no code checked in
zzz
anything else on 2) ?
orignal
no
zzz
3) ipv6-only routers
orignal
but it's good Ihave found a bug
orignal
so, route48
orignal
more and more people use it becuase it works trough wireguard tunnel
orignal
and they don't ask questions
zzz
interesting
orignal
and many people like to use ipv6-only routers to hide own IP from netdb
orignal
similiar to ygg but magnified
orignal
now the qeustion itself
orignal
they complain they see too small transit
orignal
and we know the reason
orignal
because they can be chosen as an intermediate participant
orignal
not OBEP or IBGW
orignal
and I asked myself why
zzz
and what was your answer to yourself? :)
orignal
I know the answer
orignal
but when we pick tunnel pairs in one direction we can check transport compatibilty between tunnel endpoiunts
orignal
that's basically my question if you are capable to do it
orignal
the answer for myself it's not a problem for me
orignal
because I can pick tunnels this way
orignal
I do it alerady if need to talk to i2v6-only floodfiils
zzz
capable to do what? BE a ipv6-only OBEP/IBGW or SELECT a ipv6-only OBEP/IBGW ?
orignal
say you have 5 OB tunnels
orignal
and you have 5 leases in remote LeaseSet
orignal
can you check that a pair is compatible?
zzz
ok, the question is do we check OBEP/IBGW compatibility when specifying the route
orignal
OBEP of your OB and lease
orignal
yes
orignal
basically
zzz
I don't think so...
orignal
that's why I'm asking if you are able to implement it
zzz
I'll have to research and get back to you
orignal
yes
orignal
no rush
orignal
but potentially we will see more and more ipv6-only
zzz
we really need more ipv6 routers, only about 1/3 have v6 now
zzz
anything else on 3) ?
orignal
my concern is ipv6-only router
orignal
ipv4 + ipv6 are fine
orignal
no
zzz
sure, but the more v4+v6 we have, the better the v6-only will work ))
zzz
anything else for the meeting?
zzz
StormyCloud, dr|z3d, how is the outproxy holding up?
zzz
thanks everybody