On 10/28/2020 5:17 PM, Jana Iyengar wrote:
> I like the universality of the 3x limit. The reasoning applies broadly
> and there's no reason to separately reason about how a server responds
> to new addresses, be it at the start of a connection or
> mid-connection. Overall, I have a few minor suggestions to make, but
> I'm happy with the way the PR is headed.
I think that we can devise proper solutions for "organized migrations", such as requiring both receipt and acknowledgement of a long enough packet before validating a path. I am not going to belabor that. But NAT traversal is a can of worms, and some of the norms are going to bite us. In order to support NAT traversal, we request servers to take action if they see a packet arriving from a new address of the client. This opens a huge hole through which enterprising MOTS or "specially crafted clients" can harass servers. We have an OK defense: send a challenge to both old and new IP to force "proof of address ownership". That defense is OK because it uses minimal length packets, and thus does not cause too much amplification. I think we should leave it at that, and not force the server to send large packets. There is a need to then validate that the path can carry traffic, which will happen naturally when the server tries to send a large packet. But if the server only sends these large packets after address ownership has been verified, things ought to be quite good.

-- 
Christian Huitema
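The server-side policy described in this message, as an added illustration that is not code from the thread or from any QUIC implementation: a packet from a new address triggers minimal-size challenges to both the old and the new address, every unvalidated address is held to the 3x amplification budget, and large packets are only sent once the new address has proved ownership. The challenge size (64 bytes) and the addresses are assumed, constructed values.

```python
from dataclasses import dataclass

AMPLIFICATION_FACTOR = 3      # the "3x limit" discussed in the thread
CHALLENGE_SIZE = 64           # assumed: size of a minimal path-challenge packet


@dataclass
class PathState:
    validated: bool = False
    bytes_received: int = 0   # bytes seen from this address
    bytes_sent: int = 0       # bytes we have sent to it


class Server:
    """Tracks per-address state and applies the anti-amplification rules."""

    def __init__(self, client_addr):
        self.current = client_addr
        self.paths = {client_addr: PathState(validated=True)}

    def _within_budget(self, ps, size):
        # An unvalidated address may receive at most 3x what it has sent us.
        return ps.validated or ps.bytes_sent + size <= AMPLIFICATION_FACTOR * ps.bytes_received

    def _send(self, addr, size):
        ps = self.paths[addr]
        if not self._within_budget(ps, size):
            return False
        ps.bytes_sent += size
        return True

    def on_packet(self, addr, size):
        """Account for received bytes; a packet from a new, unvalidated address
        triggers challenges to both the new and the current address."""
        ps = self.paths.setdefault(addr, PathState())
        ps.bytes_received += size
        challenged = []
        if addr != self.current and not ps.validated:
            for target in (addr, self.current):
                if self._send(target, CHALLENGE_SIZE):
                    challenged.append(target)
        return challenged

    def on_path_response(self, addr):
        """Proof of address ownership: the new path becomes the current one."""
        self.paths[addr].validated = True
        self.current = addr

    def send_data(self, addr, size):
        """Large packets go only to validated addresses; anything sent to an
        unvalidated address stays at challenge size and within the 3x budget."""
        ps = self.paths[addr]
        if not ps.validated and size > CHALLENGE_SIZE:
            return False
        return self._send(addr, size)
```

A spoofed address that has sent only a handful of bytes cannot even draw a challenge, so the attacker gains no amplification from the migration path.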
