marten-seemann / draft-seemann-quic-nat-traversal

Other
15 stars 4 forks source link

How much of ICE do we want to specify? #1

Closed huitema closed 1 year ago

huitema commented 1 year ago

ICE is a rather complex protocol, but the underlying ideas are simple:

There are additional complexities:

Which means we do not have just one message, but rather 3 or 5:

We can debate whether the probing should use existing frames (e.g. PATH_CHALLENGE) or a new ICE frame, but we would have to explain that these ICE frames are sent on the probed paths, just like path challenge.

Since this is a rather complex issue, it might be simpler to start with the scenario in which there is an existing proxied connection between the two endpoints, and we are merely trying to migrate the traffic to a direct path.

huitema commented 1 year ago

NAT rebinding can happen at either end, and will break the "peer-to-peer" path. It might make sense to start from Multipath QUIC, with one path through the proxy and another for the peer-to-peer shortcut.

Multipath is currently limited to establishment of new paths by the client. If peer-to-peer defines an Address Advertisement frame, the multipath-enabled server could use it to tell the client to establish another "preferred" path.

marten-seemann commented 1 year ago

@huitema Are you suggesting to drop ICE entirely? I agree that ICE is quite complex, and I've spent a fair amount of time reading the RFCs, and I'm not sure I've fully understood it... However, I also don't want to reinvent the wheel. It seems like ICE already solves all the points you list in the first two lists of your post. Where do you see the simplification coming from when dropping ICE for our own home-grown protocol?


It might make sense to start from Multipath QUIC, with one path through the proxy and another for the peer-to-peer shortcut.

This definitely should work well with Multipath QUIC (that actually should be a design goal of this protocol), but I'd prefer to not make it a requirement, if we can avoid it. RFC 9000 allows keeping several paths alive, and endpoints could keep the proxied connection alive (by regularly sending probing packets) after they've migrated to a direct path. On the other hand, this is probably not what the proxy wants: It wants to free up resources as quickly as possible. How does ICE handle this?

NAT rebinding can happen at either end, and will break the "peer-to-peer" path.

Do we have any numbers on how often NAT rebindings actually happen, and if they can be avoided by more aggressive keep-alives? Given the trouble endpoints have gone through to establish a hole-punched connections, it might be justified to invest more into keeping the NAT binding alive (e.g. send a PING frame at least every 5s or so). It would be nice if we could base this kind of recommendation on data though.

huitema commented 1 year ago

I think supporting both RFC9000 and Multipath is more complex than just doing multipath alone. I also think that starting from multipath allows for incremental development, such as, after having a multipath capable proxy connection. Maybe for example, test local discovery first, then traversal of IPv6 stateful firewall, then add discovery of NATed addresses.

marten-seemann commented 1 year ago

https://github.com/marten-seemann/draft-seemann-quic-nat-traversal/pull/11 completely changed how this draft uses ICE. I believe this resolves this issue.