QUIC, Connection IDs and NAT

Jean St-Laurent jean at ddostest.me
Tue Jun 1 11:51:22 UTC 2021


Hey Rob, quick question for you. 

Are you able to see the connection ID when you are forwarding the frames and
doing NAT? 

I thought this is encrypted. Can you confirm?

Thanks
Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Jean
St-Laurent via NANOG
Sent: June 1, 2021 6:51 AM
To: 'The source of all things networking' <nanog at nanog.org>
Subject: RE: QUIC, Connection IDs and NAT

The first thing that comes to mind is to check the NAT timers.

By default, TCP is 86400 seconds or 24h.
UDP is usually shorter at around 300 seconds or 5 minutes.

This is not a standard, but it seems to be broadly accepted in the industry.

I am not sure if UDP/443 should be left at 300 or increased a bit.

Anyone?
Jean

P.S.: I'm not a fan of QUIC. It's opening the gates to massive DDoS for
Akamai and all the other CDNs. Good luck

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Robert
Brockway
Sent: May 31, 2021 11:15 PM
To: The source of all things networking <nanog at nanog.org>
Subject: QUIC, Connection IDs and NAT

QUIC has Connection IDs independent from IP.  This was done to make it
easier to move from one IP network to another while keeping connections
active, as most here will know.

Does the existence of Connection IDs separate from IP mean that the host/IP
contention ratio in CGNAT can be higher?  I.e., can a single CGNAT device
provide Internet access for a greater number of end-users?

And if so, does this reduce demand on IPv4 resources?

It's ok, I'm wearing a fire-resistant suit with self-contained breathing
apparatus as I type this.

Rob
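The question running through the thread is what a NAT or CGNAT box can actually read off a QUIC packet without the TLS keys. The following is an added example, not code posted by anyone in the thread. It follows the QUIC v1 wire format (RFC 9000, section 17) and the header-protection rules of RFC 9001 (section 5.4): connection IDs sit in the unencrypted part of the header, but the short header carries no DCID length field, so a middlebox has to learn that length from the long-header packets of the same connection, in the reverse direction. The endpoints, packet bytes and `CidTracker` class are all constructed for the demonstration and are not captured traffic or any vendor's implementation.

```python
"""Which QUIC header fields a stateful NAT can read without keys.

Added example (not from the NANOG thread). Packet bytes are hand-built
below per RFC 9000 section 17; they are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, udp_port); a constructed flow key
MAX_CID_LEN_V1 = 20          # RFC 9000 section 17.2 upper bound for v1


@dataclass
class QuicHeader:
    long_header: bool
    version: Optional[int]   # None for short-header packets
    dcid: bytes
    scid: Optional[bytes]    # only long headers carry a source CID


def parse_header(pkt: bytes, short_dcid_len: Optional[int] = None) -> QuicHeader:
    """Parse the unprotected part of a QUIC header.

    No TLS keys are needed: header protection masks only the low bits of
    the first byte and the packet number, neither of which is read here.
    """
    if not pkt:
        raise ValueError("empty datagram")
    first = pkt[0]
    if first & 0x80:  # Header Form bit set: long header
        if len(pkt) < 7:
            raise ValueError("truncated long header")
        version = int.from_bytes(pkt[1:5], "big")
        # Version Negotiation packets (version 0) need not set the fixed bit.
        if version != 0 and not first & 0x40:
            raise ValueError("fixed bit clear: not a QUIC packet")
        pos = 5
        dcid_len = pkt[pos]
        pos += 1
        dcid = pkt[pos:pos + dcid_len]
        pos += dcid_len
        if len(dcid) != dcid_len or pos >= len(pkt):
            raise ValueError("truncated DCID")
        scid_len = pkt[pos]
        pos += 1
        scid = pkt[pos:pos + scid_len]
        if len(scid) != scid_len:
            raise ValueError("truncated SCID")
        if version == 1 and max(dcid_len, scid_len) > MAX_CID_LEN_V1:
            raise ValueError("connection ID longer than 20 bytes in QUIC v1")
        return QuicHeader(True, version, dcid, scid)

    # Short header: form(0) | fixed(1) | spin | reserved(2) | key phase | pn len(2)
    if not first & 0x40:
        raise ValueError("fixed bit clear: not a QUIC packet")
    if short_dcid_len is None:
        raise ValueError("short header: DCID length not yet learned for this flow")
    dcid = pkt[1:1 + short_dcid_len]
    if len(dcid) != short_dcid_len:
        raise ValueError("truncated DCID")
    return QuicHeader(False, None, dcid, None)


class CidTracker:
    """Learns per-direction DCID lengths the way a stateful middlebox must.

    A packet from A to B announces A's SCID in its long header; B's later
    packets towards A use that value, hence that length, as their DCID.
    """

    def __init__(self) -> None:
        self._dcid_len: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def observe(self, src: Endpoint, dst: Endpoint, pkt: bytes) -> QuicHeader:
        hdr = parse_header(pkt, self._dcid_len.get((src, dst)))
        if hdr.long_header and hdr.scid is not None:
            self._dcid_len[(dst, src)] = len(hdr.scid)
        return hdr


def _long(first: int, version: int, dcid: bytes, scid: bytes) -> bytes:
    # Constructed long-header packet; trailing zeros stand in for the payload.
    return (bytes([first]) + version.to_bytes(4, "big") + bytes([len(dcid)]) + dcid
            + bytes([len(scid)]) + scid + b"\x00" * 16)


CLIENT: Endpoint = ("192.0.2.10", 50000)      # constructed
SERVER: Endpoint = ("198.51.100.1", 443)      # constructed
CLIENT_INITIAL = _long(0xC3, 1, b"\x11" * 8, b"\xaa\xbb\xcc\xdd")
SERVER_INITIAL = _long(0xC1, 1, b"\xaa\xbb\xcc\xdd", b"\x5e" * 6)
CLIENT_SHORT = bytes([0x41]) + b"\x5e" * 6 + b"\x00" * 16


def short_header_readable(pkt: bytes, dcid_len: Optional[int]) -> bool:
    """True if a short-header DCID can be extracted with the given knowledge."""
    try:
        return not parse_header(pkt, dcid_len).long_header
    except ValueError:
        return False


def demo() -> Tuple[QuicHeader, QuicHeader, QuicHeader]:
    """Walk one handshake through the tracker and return the parsed headers."""
    t = CidTracker()
    h1 = t.observe(CLIENT, SERVER, CLIENT_INITIAL)   # learns SERVER->CLIENT DCID len = 4
    h2 = t.observe(SERVER, CLIENT, SERVER_INITIAL)   # learns CLIENT->SERVER DCID len = 6
    h3 = t.observe(CLIENT, SERVER, CLIENT_SHORT)     # now parseable
    return h1, h2, h3


if __name__ == "__main__":
    for h in demo():
        print(h)
```

Two caveats follow directly from the code. A box that joins mid-connection, or that has let its UDP mapping expire and is now seeing only short-header packets, has no way to recover the DCID length and is back to plain 5-tuple state, which is why the NAT timer discussion above matters as much as the header format. And an endpoint may use a zero-length connection ID, in which case there is nothing in the header beyond the UDP 4-tuple for a CGNAT to key on at all.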



