IETF Logo Mail Archive

Re: 0-RTT Design for HTTP/2

Martin Thomson <mt@lowentropy.net> Thu, 17 December 2020 01:45 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4DF53A1370 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 16 Dec 2020 17:45:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.748
X-Spam-Level:
X-Spam-Status: No, score=-2.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=ElYc/fgM; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=Yyim6mzM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gsHGGFG0ZQIp for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 16 Dec 2020 17:45:29 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19BD03A136E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 16 Dec 2020 17:45:28 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1kpiJl-0005o2-9x for ietf-http-wg-dist@listhub.w3.org; Thu, 17 Dec 2020 01:42:57 +0000
Resent-Date: Thu, 17 Dec 2020 01:42:57 +0000
Resent-Message-Id: <E1kpiJl-0005o2-9x@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mt@lowentropy.net>) id 1kpiJj-0005nB-6a for ietf-http-wg@listhub.w3.org; Thu, 17 Dec 2020 01:42:55 +0000
Received: from wout4-smtp.messagingengine.com ([64.147.123.20]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <mt@lowentropy.net>) id 1kpiJg-0007s6-Ma for ietf-http-wg@w3.org; Thu, 17 Dec 2020 01:42:55 +0000
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id A22AC712 for <ietf-http-wg@w3.org>; Wed, 16 Dec 2020 20:42:39 -0500 (EST)
Received: from imap10 ([10.202.2.60]) by compute1.internal (MEProxy); Wed, 16 Dec 2020 20:42:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=7SKT05LT6IfANSDP21v9MoyLu/3GHFK 0DuRwgeLhEh0=; b=ElYc/fgMSOsXiPunU+/TIodoyCl1nZt0ClBAM4GU8qVctA2 40rCbQ4zCVzkujb/Ze5z6UlsFNJcOG43KuygQCoYb8rHeXEpW9eobIF+2uj2RVm7 P+9xa1P/HQloWpXQ2t7YohADF7JeKvEdlzi+kMzPmUxWAGqEwKNQ0aMUrJwHX1i7 gmpGsUZvf9awgxuTyTMLijDe9R8Jjt7GXXayWB8XEmMDn6nHvJsqWCWTB9vuYg8Z YSsEtY9FQ9r6UZk02YkeXp/kesLHUVOh5keQiRVi5lZc7u94hIYGtpeXlhHQPuuA rZ7cs7nORjd0DtvBdj3o0thfL9YAecU9ZiPvUmA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=7SKT05 LT6IfANSDP21v9MoyLu/3GHFK0DuRwgeLhEh0=; b=Yyim6mzMYPJFZowY1m0sIT 263UbSOTG/dMbl+yjP9xtvHS1VDoWTlPvO4AEUT4uE6ohkPbKM4RvtpKN7eb+29b PC5XBrgZXI+y+96+/0ETJ+KLc5uHfSQ521GtRlG7IRa6Ci48ECO0wQSte+TmEZWG jPqqv8d0V5lgD0MxbwNXZQeI6mpMYPr5xUXTEUINkBAVyVwYcx5cPSJ4d3JvrB+5 Gpgn97PivU99HcYQV8NNvqRaAqE54CDSSPtx4YWRHzCvBnYBA+2tYLFnfDrcqVoP MT/k8GrtnDz+6zXMkrevWd3D0XugkU6XXtOdDZ2vV44hBbsITCwJs+2ic6iK/ZaA ==
X-ME-Sender: <xms:j7faX6S2kSIaBnW9OSb8LLPfZ2AIxtTGR0G1WuvJUMC8XfWd3-3b1w> <xme:j7faX_w3SIGUXMdOTpj9bz0GPYCvgCDj9bjvBh2gTLO8UbjsE5TkzbNHk2EcQCtkZ KxTrhUPIZ5zbCeDm8E>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudelfedgfeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpedukeehtdevieeigfeife fgveduieethfefhffgvdeuteekieefgeeigfffiedvgfenucffohhmrghinhephhhtthhp vdhsthgrtghkshhgohhthhhrohhughhhthhhvggvfhhfohhrthhofhhimhhplhgvmhgvnh htihhnghhthhgvvgigthgvnhhsihhonhdrshhopdhsvggrrhgthhhfohigrdhorhhgnecu vehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehloh ifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:j7faX32WvAlidKLrOA2b7rolmXbP-hDtxL35LUmCeZa0zIGUNO7cjA> <xmx:j7faX2DNn_ptLnUbEYfYa6dSjKH7IJsSf7SenwpZocpy6M1lgEXqXQ> <xmx:j7faXzh2UhkXOrkwS1qmBnHif_NX-p9m1eujadVjIdNRbgH2WI5IKw> <xmx:j7faX-vRPMNO9acGL-kZHk6Gt4Czglqdrm_USCq_kGpW5NvnMJw7RA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id F271720063; Wed, 16 Dec 2020 20:42:38 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.1-61-gb52c239-fm-20201210.001-gb52c2396
Mime-Version: 1.0
Message-Id: <0adce792-13b3-4e87-a31e-6d3bc4cd5367@www.fastmail.com>
In-Reply-To: <CAPDSy+55brsH9c_RkvmjzFX6CmKu10go2_G-w2Ub=iO2LZjpbQ@mail.gmail.com>
References: <126ee381-7828-451f-865a-db6357928243@www.fastmail.com> <CAH_hAJEmDzfsQQ_V9vpFkGAZcXHtfKzfSDM0r6WJERb6y0_qMA@mail.gmail.com> <CAKcm_gP=2uix9wd_uOw9JgR2OeobNPAdR4s7Sp=r6CEUEng58g@mail.gmail.com> <CAPDSy+55brsH9c_RkvmjzFX6CmKu10go2_G-w2Ub=iO2LZjpbQ@mail.gmail.com>
Date: Thu, 17 Dec 2020 12:42:11 +1100
From: Martin Thomson <mt@lowentropy.net>
To: ietf-http-wg@w3.org
Content-Type: text/plain
Received-SPF: pass client-ip=64.147.123.20; envelope-from=mt@lowentropy.net; helo=wout4-smtp.messagingengine.com
X-W3C-Hub-Spam-Status: No, score=-6.8
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1kpiJg-0007s6-Ma 478431e46bc46855a3c4554c98919ff2
X-Original-To: ietf-http-wg@w3.org
Subject: Re: 0-RTT Design for HTTP/2
Archived-At: <https://www.w3.org/mid/0adce792-13b3-4e87-a31e-6d3bc4cd5367@www.fastmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38314
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Mega-reply...

On Wed, Dec 16, 2020, at 21:33, Cory Benfield wrote:
> I am somewhat nervous here about how many servers will implement this.
> 
> Typical OSS server implementations have a somewhat arms-length
> relationship with their TLS stack. This tends to mean they don't
> actually know exactly when new session ticket messages were sent.
> While this is not a hard limitation (OpenSSL has the requisite
> functions) it's the kind of barrier to entry that could be quite
> awkward. This may also lead to limitations in how many HTTP/2 stacks
> go through the effort of implementing the extension.

So there is a lot of text here, but it is very easy to implement the server side of this if you don't change settings often.  Just set the value to 1 in the preface and remember those values.  Confirm that the TLS stack isn't spitting out session tickets except during the handshake (which is the only place they appear in TLS 1.2) and you are good.

There is a risk with TLS 1.3 that sending session tickets might take some time.  This depends on things like ticket requests with large numbers and how the stack schedules those relative to application data.  Basically, you need to ensure that you delay any changes to settings (changes you might not be able to synchronize with ticket issuance properly) until you are reasonable sure that tickets aren't being sent.

BTW, I like how NSS manages this, and not just because it's my code :).  NSS makes it the responsibility of the application to send extra tickets [1].  It might send one, but that is sent ahead of any responses you might generate.

Short story: I believe that it is easy to implement this with TLS 1.2; TLS 1.3 might take a little care.

[1] https://searchfox.org/nss/rev/51b18ad6c1e627ada90028df9062f7200f7cec94/lib/ssl/sslexp.h#245-264 (I really need to promote that one from experimental some time.)

On Wed, Dec 16, 2020, at 23:34, David Schinazi wrote:
> If there's energy in the community to improve HTTP/2 SETTINGS,
> I would personally prefer to direct that energy at also solving the
> "not having SETTINGS when sending the first request" problem.
> Once potential solution is ALPS [1]. Would it make sense to join
> these two efforts to ensure we fix SETTINGS for good?

I'm glad you raise ALPS David.  My view is that we can't really deploy ALPS in an incremental fashion for HTTP/2.  Part of what I'm looking for here is an incremental solution.

I do see the possibility of just trying ALPS when it is available.  However, I think that is enough of a different protocol that it requires a new ALPN to go along with it.

I've watched the discussion regarding the possibility of defining a new ALPN for HTTP/2 and my sense is that there isn't overwhelming support for the idea.  If we had that support, then it might be good to try to fix ALPS into the design of a new protocol, but that isn't how things appear to be going.

On Wed, Dec 16, 2020 at 4:31 AM Ian Swett <ianswett@google.com> wrote:
> Before we get to that, one Q on deployability: Does the working group think enough of the ecosystem can handle this new EARLY_DATA_SETTINGS setting?  If no one sends it, even if they support the functionality, it sort of defeats the purpose.

Good question and worth answering before considering this.  I think that the work Bence has done here shows that there is some hope of success on this front.  That goes back to the "new ALPN" question.  I'm reading a pretty strong desire to fix "h2" rather than give up on it, but I'm sure that everyone is open to conceding that the bustage cost is too high if that is where things stand.

v2.23.0 | Report a Bug | By Email