]> QUIC Address Discovery
martenseemann@gmail.com
Transport QUIC QUIC STUN Address Discovery Unless they have out-of-band knowledge, QUIC endpoints have no information about their network situation. They neither know their external IP address and port, nor do they know if they are directly connected to the internet or if they are behind a NAT. This QUIC extension allows nodes to determine their public IP address and port for any QUIC path. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the QUIC Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction STUN () allows nodes to discover their reflexive transport address by asking a remote server to report the observed source address. While the QUIC () packet header was designed to allow demultiplexing from STUN packets, moving address discovery into the QUIC layer has a number of advantages:
  1. STUN traffic is unencrypted, and can be observed and modified by on-path observers. By moving address discovery into QUIC's encrypted envelope it becomes invisible to observers.
  2. When located behind a load balancer, QUIC packets may be routed based on the QUIC connection ID. Depending on the architecture, not using STUN might simplify the routing logic.
  3. If QUIC traffic doesn't need to be demultiplexed from STUN traffic, implementations can enable QUIC bit greasing ().
Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Negotiating Extension Use Endpoints advertise their support of the extension by sending the address_discovery (0x9f81a174) transport parameter () with a variable-length integer value. The value determines the behavior with respect to address discovery:
  • 0: The node is willing to provide address observations to its peer, but is not interested in receiving address observations itself.
  • 1: The node is interested in receiving address observations, but it is not willing to provide address observations.
  • 2: The node is interested in receiving address observations, and it is willing to provide address observations.
Implementations that understand this transport parameter MUST treat the receipt of any other value than these as a connection error of type TRANSPORT_PARAMETER_ERROR. When using 0-RTT, both endpoints MUST remember the value of this transport parameter. This allows sending the frame defined by this extension in 0-RTT packets. If 0-RTT data is accepted by the server, the server MUST NOT disable this extension or change the value on the resumed connection.
Frames This extension defines the OBSERVED_ADDRESS frame.
OBSERVED_ADDRESS The OBSERVED_ADDRESS frame contains the following fields:
IPv4:
The IPv4 address. Only present if the least significant bit of the frame type is 0.
IPv6:
The IPv6 address. Only present if the least significant bit of the frame type is 1.
Port:
The port number, in network byte order.
This frame MUST only appear in the handshake and in the application data packet number space. It is a "probing frame" as defined in . OBSERVED_ADDRESS frames are ack-eliciting, and SHOULD be retransmitted if lost. Retransmissions MUST happen on the same path as the original frame was sent on. An endpoint MUST NOT send an OBSERVED_ADDRESS frame to a node that did not request the receipt of address observations as described in . A node that did not request the receipt of address observations MUST close the connection with a PROTOCOL_VIOLATION error if it receives an OBSERVED_ADDRESS frame.
Address Discovery An endpoint that negotiated (see ) this extension and offered to provide address observations to the peer MUST send an OBSERVED_ADDRESS frame on every new path. This also applies to the path used for the QUIC handshake. The OBSERVED_ADDRESS frame SHOULD be sent as early as possible. However, during the handshake an endpoint SHOULD prioritize frames that lead to handshake progress (CRYPTO and ACK frames in particular) over sending of the OBSERVED_ADDRESS frame. For paths used after completion of the handshake, endpoints SHOULD bundle the OBSERVED_ADDRESS frame with probing packets. This is possible, since the frame is defined to be a probing frame (). Additionally, the sender SHOULD send an OBSERVED_ADDRESS frame when it detects a change in the remote address on an existing path. This could be indicative of a NAT rebindings.
Security Considerations
On the Requester Side In general, nodes cannot be trusted to report the correct address in OBSERVED_ADDRESS frames. If possible, endpoints might decide to only request address observations when connecting to trusted peers, or if that is not possible, define some validation logic (e.g. by asking multiple untrusted peers and observing if the responses are consistent). This logic is out of scope for this document.
On the Responder Side Depending on the routing setup, a node might not be able to observe the peer's reflexive transport address, and attempts to do so might reveal details about the internal network. In these cases, the node SHOULD NOT offer to provide address observations.
IANA Considerations TODO: fill out registration request for the transport parameter and frame types
Normative References Session Traversal Utilities for NAT (STUN) Session Traversal Utilities for NAT (STUN) is a protocol that serves as a tool for other protocols in dealing with NAT traversal. It can be used by an endpoint to determine the IP address and port allocated to it by a NAT. It can also be used to check connectivity between two endpoints and as a keep-alive protocol to maintain NAT bindings. STUN works with many existing NATs and does not require any special behavior from them. STUN is not a NAT traversal solution by itself. Rather, it is a tool to be used in the context of a NAT traversal solution. This document obsoletes RFC 5389. QUIC: A UDP-Based Multiplexed and Secure Transport This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm. Greasing the QUIC Bit This document describes a method for negotiating the ability to send an arbitrary value for the second-most significant bit in QUIC packets. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
Acknowledgments TODO acknowledge.