IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#ls2
/2022/08/15
zzz 0) Hi
zzz eyedeekay is probably on the road
zzz what's on the agenda for today?
orignal SSU2 status and release
zzz ok that's 1)
orignal and I also want to talk about ipv6-only routers
zzz I'll add 2) connection migration spec review
zzz 3) is ipv6-only routers
zzz that's a good list I think
zzz 1) SSU2 status and release
zzz not much to report on my side; we're on track for a release a week from today
zzz what do you have to report orignal ?
orignal so any update about release plans?
orignal everything works good
zzz no update. I added code for the 2% at random
orignal so my plan is to replace rather than add SSU2
orignal we will do it for andoroid and for qt
orignal maybe for windows
orignal not decided yet
zzz we did android + non-mac ARM 100%
eyedeekay I am here but barely, in a cab on the move
zzz safe travels eyedeekay
eyedeekay Thanks zzz
zzz anything else on 1) ?
orignal maybe for L routers
orignal not sure yet
zzz 2) connection migration spec review
zzz as mentioned last week
zzz did you all have time to read it, and do you have any questions?
orignal parttially
orignal still not clear where does it come from
zzz it starts with the threat model, copied from QUIC
zzz then path challenge / path response, also from QUIC, but simplified
orignal yes I understand
zzz as I said last week, the QUIC spec is very confusing and not even consistent, it's a little messy. I tried to make sense of it
orignal as I said I don't understand how it's initiated
orignal say I have a socket binded to an endpoint
orignal what causes such port change?
zzz NAT rebinding, usually
zzz nat keeps a mapping from internal to external port. After some timeout, it "forgets" the mapping
zzz then you send another packet and it picks a new external port
zzz does that make sense?
orignal but if NAT rebinding
orignal they should terminate a session
orignal no it doesn't make sense
zzz why terminate?
orignal because we expect port we publish
zzz if you're firewalled you don't publish a port
orignal why? because symmetric NAT
zzz what's your proposal?
orignal if you see different port just terminate
zzz that wouldn't fit our threat model as it would allow an attacker to force termination
zzz and how would you terminate? you'd have to send something to the new port anyway
orignal agree
orignal just close a session on my side
orignal they must do the same once they discover differemt port
zzz they won't discover it if you don't respond
orignal through another new session or peer test
orignal but agree
zzz I've seen at least 4 different SSU2 routers change port out of about 75. That's over 5%.
orignal if they don't publish thier port it might make sense
orignal but only in this case
orignal e.g. only address without port is allowed to change IP/port
zzz we must handle this situation, and the entire design of SSU2, with connection IDs, was developed with connection migration in mind, to improve what we do over SSU 1
orignal agree
zzz no, because android/mobile can change IPs also, we must support IP changes even if not firewalled
orignal I disgree
zzz why?
orignal if somebody publishes port in thier netdb
orignal it must be consistent
zzz then if you change, send your new RI to everybody?
orignal if I'm in situation when my port is changed by ISP
orignal I must be firewalled
zzz sure, but maybe you thought you were not firewalled, and then your port changes.
zzz so then you do a peer test and discover you really are firewalled
zzz you have to tear down all your sessions?
orignal if I'm not firewalled how it's possible?
orignal if my port changes I should reconnect
zzz maybe you assumed you were not firewalled when you started up
orignal them my sitation is mess anyway
orignal and I should clear it
orignal e.g. if my status is OK while I'm firewalled
zzz I don't understand why it would be necessary to put limitations on when we can migrate connections and when we can't. Why not just allow it no matter what?
orignal no reason, just my thoughts
orignal about possibilities
orignal then another question
orignal if I publish port and discoved my external port is different
zzz ok, well obviously we will get smarter about it in the next few weeks as we implement it
orignal should I run peer test again?
orignal of swith to firewalled
orignal my point is I want to understand how we might come to this situatation and how to handle it
zzz yeah if something changed I'll run at least two peer tests and look for the same result
orignal good pount
orignal that's what we should start from
zzz fyi - 1HmrG9 is a port-hopper that does respond to path challenge
orignal if port mismatches we start peer test
zzz that's the only one right now that will respond
orignal maybe older version
orignal maybe I did something worng
zzz yeah the others won't answer. lEKII is the most frequent hopper
zzz I won't send it unless the port changes :)
orignal see the mistake
orignal but still should reponse
zzz I also have seen CEFnjX hop from 6345 to 1044 and then back to 6245
orignal just don't copy chalenge
orignal will fix
zzz oh ok, good
orignal but you should get it back, maybe with worng data
orignal a minor bug
zzz I'll look at the logs later
zzz any other questions or comments on the spec for now? we'll definitely talk about it more in a few weeks
orignal not now
orignal question
zzz zlatinb, eyedeekay you have any comments?
orignal can I just change endpoint without path challenge for now?
zzz i don't think that's a good idea because an attacker could mess things up
zzz but that's kinda what we do for 10 years in java SSU 1
orignal after payload decryption ofc
zzz at least for port changes. We won't change IP in SSU 1
orignal how can they do it?
zzz an on-path attacker that copies or modifies a packet to change the port
orignal if they copy it will be out of sequence
orignal e.g. already handled
zzz usually the threat model says an on-path attacker can delay or reorder packets, so they could put the modified one first
orignal agree
zzz but it's not very likely, for sure
zzz I think any strategy would be ok for one release
orignal anyway let's not do it at least for this release
zzz yeah I'm not sending any path challenge in trunk, there's no code checked in
zzz anything else on 2) ?
zzz 3) ipv6-only routers
orignal but it's good Ihave found a bug
orignal so, route48
orignal more and more people use it becuase it works trough wireguard tunnel
orignal and they don't ask questions
zzz interesting
orignal and many people like to use ipv6-only routers to hide own IP from netdb
orignal similiar to ygg but magnified
orignal now the qeustion itself
orignal they complain they see too small transit
orignal and we know the reason
orignal because they can be chosen as an intermediate participant
orignal not OBEP or IBGW
orignal and I asked myself why
zzz and what was your answer to yourself? :)
orignal I know the answer
orignal but when we pick tunnel pairs in one direction we can check transport compatibilty between tunnel endpoiunts
orignal that's basically my question if you are capable to do it
orignal the answer for myself it's not a problem for me
orignal because I can pick tunnels this way
orignal I do it alerady if need to talk to i2v6-only floodfiils
zzz capable to do what? BE a ipv6-only OBEP/IBGW or SELECT a ipv6-only OBEP/IBGW ?
orignal say you have 5 OB tunnels
orignal and you have 5 leases in remote LeaseSet
orignal can you check that a pair is compatible?
zzz ok, the question is do we check OBEP/IBGW compatibility when specifying the route
orignal OBEP of your OB and lease
orignal basically
zzz I don't think so...
orignal that's why I'm asking if you are able to implement it
zzz I'll have to research and get back to you
orignal no rush
orignal but potentially we will see more and more ipv6-only
zzz we really need more ipv6 routers, only about 1/3 have v6 now
zzz anything else on 3) ?
orignal my concern is ipv6-only router
orignal ipv4 + ipv6 are fine
zzz sure, but the more v4+v6 we have, the better the v6-only will work ))
zzz anything else for the meeting?
zzz StormyCloud, dr|z3d, how is the outproxy holding up?
zzz thanks everybody