IETF Logo Mail Archive

Re: Proposal Towards Universal HTTP/3, with a polyfill of QUIC for TCP (Fwd: New Version Notification for draft-kazuho-httpbis-http3-on-streams-00.txt)

Kazuho Oku <kazuhooku@gmail.com> Mon, 26 February 2024 06:37 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=ietf.org@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9167C14F5EF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 25 Feb 2024 22:37:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.855
X-Spam-Level:
X-Spam-Status: No, score=-2.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="FAdWLTpq"; dkim=pass (2048-bit key) header.d=w3.org header.b="O3n3qljG"; dkim=pass (2048-bit key) header.d=gmail.com header.b="HjXRjHaS"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y0uHLI7Mml01 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 25 Feb 2024 22:37:41 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D305EC14F5EC for <httpbisa-archive-bis2Juki@ietf.org>; Sun, 25 Feb 2024 22:37:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:Content-Type:Cc:To:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=lmwZeLWLJBlN0NL/HMcQGMaRFd2cyM4UQ9G+y9V6OHQ=; b=FAdWLTpqC/q94slwLRZyegdUGY GsZkhi/I412uxJVDtfm7fr9x9LCrf7R96ghybmRqG5JWLMO0LxMIOlTNzV/IYMb0u+mG6WLVAF6xR a6Iop1ZTrZ2i9faGu5nzwgDiuNtlqQt2YUhA6dm3cwy++Zw4aS6+aSvY02BKxLtpK1Com87GMaInW ediIF4E1rDsd/4amrYt7qVoKGjMLf9+cdxpaSPX2PLYEEoigegI0XpngbhGwA1pl+h6p/WC+0d6g5 5s1QJwDTZeCL6+/kBnKZJ59mkQTEv82RrIrIPTFwHg+Lw5npp6vxZ9dtd4Wy2Jx3RkmWNpC5vMWyX XJlq61Vw==;
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1reUaA-00FquJ-0o for ietf-http-wg-dist@listhub.w3.org; Mon, 26 Feb 2024 06:35:22 +0000
Resent-Date: Mon, 26 Feb 2024 06:35:22 +0000
Resent-Message-Id: <E1reUaA-00FquJ-0o@lyra.w3.org>
Received: from puck.w3.org ([34.196.82.207]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <kazuhooku@gmail.com>) id 1reUa7-00FqtH-KK for ietf-http-wg@listhub.w3.org; Mon, 26 Feb 2024 06:35:19 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:Reply-To; bh=lmwZeLWLJBlN0NL/HMcQGMaRFd2cyM4UQ9G+y9V6OHQ=; t=1708929319; x=1709793319; b=O3n3qljG0y9/lB4jbtj+CUYiycdSJ+AjmVszKJUIsd65JKNYytkq+eOmSUUc9MGsm6eG063wg73 yA7xvXPBeeK81Sed6uiiKJGJ378WFUh49YhMyCasF+MBR78ZEydMZ6lU+B94M1Cu3EKFnAEzuH5n+ I6sYUDGvHavUVn6kihymjXQaRoy340D9LElWfL5coEMgCwqT1Z+MuojEzGrJ+fuHrZKCxc9vLn79u F04x6D24+W7KIOrAb0//JBWBPZ5HskabxBuCex+jFSHRjkmlm3dt/dWUQU6kLgxcUlA0vHi63JXBi ShdXwsJkHMLftGp6LLktNIydy/dtCTCGtIJw==;
Received-SPF: pass (puck.w3.org: domain of gmail.com designates 2a00:1450:4864:20::533 as permitted sender) client-ip=2a00:1450:4864:20::533; envelope-from=kazuhooku@gmail.com; helo=mail-ed1-x533.google.com;
Received: from mail-ed1-x533.google.com ([2a00:1450:4864:20::533]) by puck.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from <kazuhooku@gmail.com>) id 1reUa6-001zJd-1Q for ietf-http-wg@w3.org; Mon, 26 Feb 2024 06:35:19 +0000
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-563b7b3e3ecso3657081a12.0 for <ietf-http-wg@w3.org>; Sun, 25 Feb 2024 22:35:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1708929314; x=1709534114; darn=w3.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lmwZeLWLJBlN0NL/HMcQGMaRFd2cyM4UQ9G+y9V6OHQ=; b=HjXRjHaSJDpMrNNQR9UM6jbmKITbXoT2uQui84hnkDE8HeqbitiH9KhpyJJCDtvM0G AB08sFrQ1yNeEbH6wB0p+UaheJHPKcXGXP6jJJ6+EyRFQb3LWFvqg5f2i9utoE4s0xJ9 7J11fgQrvTGOH5Nc9lS6a3+tZ/n2GCs4mZ474fbBfVoRdU2BTI0UjAzA8TmA6qnZ1qxw O54QCNoYZoz7w2Y+LrmE9yjva6Dz3O6IWo+wlD/FCJ0G2vDkSIarLOnGSKm35o7k59P0 LrUhn5chLNWx1fxV29yb36xfEIM13gP91m2+x6mOt+rD5lrOnpPBPoBxEB/YHL6q25Yb q1MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708929314; x=1709534114; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lmwZeLWLJBlN0NL/HMcQGMaRFd2cyM4UQ9G+y9V6OHQ=; b=tIW6fTz7rMV5bnbcgrWahsItt43PvoVrjL06fYKy5Kk+KuBRux097gAVaoscSpFWke 8bwLdU2fcVIDtgVMI417KjuomrWi3j3PrihDAgtbNc/8OLhlaapLkNg+elHhuQUDGk/p gBAeVCZwIUlehWqQcY/s4Vm2HgVrPHv5lZzBz1qZhGAAzZlgO4IfviA7yb5lhcbrAnpl VrySeUZ/XNxKhsi7zmybHzj5YHwUfvwfDUUIs9TnX9b4U6TXl1xZtkwDG9H4aFYclAcN 6e2HCdOuDh35DinKuKH05YyI7JN7T0f5R3Uqad5Pj1u5UAF0evmLWkQqIhvXgffdB+Cq CmBw==
X-Forwarded-Encrypted: i=1; AJvYcCX+5p/Ts96UPgxxblmLu0wMCFpnuNyaeIcET3FSWM9Bs8RXqjyhKO0eiSnfw3fZEZOl0mW4Wga2uJ8olHUV7ofJsBx1
X-Gm-Message-State: AOJu0YzSze17wRdRBXnmkLRBkDwI93405FAdZMnFqwWmYfMidUrz2S4s JHyJTBLQTkPXx1W8kK1uVtKouvTci+clUm2SELHP/0rLhJ/VxZG7ku0afVxdvnh1lzZJQTlsQ// kUOS8x9YcbJzmF6TiBCRuD8MIRMqv9583ZtBnbw==
X-Google-Smtp-Source: AGHT+IFkoqh5Ce2NnCgN1dtdbEln8hZB3IbrkhBKuLo9aSlAcryWFszQVch4d3CI9WfAKfNUzjUdNztXHw4TNTyjk7o=
X-Received: by 2002:aa7:c60b:0:b0:565:b666:a663 with SMTP id h11-20020aa7c60b000000b00565b666a663mr2621293edq.3.1708929314110; Sun, 25 Feb 2024 22:35:14 -0800 (PST)
MIME-Version: 1.0
References: <170807134367.25372.9131938145722079298@ietfa.amsl.com> <CANatvzyLJnZH9UHaSoMWbv20VhEtAzY7HqRHCSWt-O65f24uwQ@mail.gmail.com> <CAFyC=UcyG1OGprsTWvkEBK-tf-Oqs=HPmxZs8X42XR+yfgfv0w@mail.gmail.com> <CANatvzx-YSouO5aA0T4RXjXm9aTWGGf1HUut39an+2HAYTY_kA@mail.gmail.com> <CAFyC=UeQ73EiLpP44AN0RqTf91VH3+ULr_df8y3A7s36POy9cA@mail.gmail.com>
In-Reply-To: <CAFyC=UeQ73EiLpP44AN0RqTf91VH3+ULr_df8y3A7s36POy9cA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Mon, 26 Feb 2024 15:35:02 +0900
Message-ID: <CANatvzx6HCtd7oTmhiuvtEPpsYoR37XFE6ihdLgtVAVJWAHE3A@mail.gmail.com>
To: Dmitry Adamushka <dmitry@twingate.com>
Cc: IETF QUIC WG <quic@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/related; boundary="000000000000b6d6a80612431c54"
X-W3C-Hub-DKIM-Status: validation passed: (address=kazuhooku@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: puck.w3.org 1reUa6-001zJd-1Q 81d85aa2d5a87d8b9cb62b3b0fd0b5ca
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Proposal Towards Universal HTTP/3, with a polyfill of QUIC for TCP (Fwd: New Version Notification for draft-kazuho-httpbis-http3-on-streams-00.txt)
Archived-At: <https://www.w3.org/mid/CANatvzx6HCtd7oTmhiuvtEPpsYoR37XFE6ihdLgtVAVJWAHE3A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/51830
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

2024年2月23日(金) 0:42 Dmitry Adamushka <dmitry@twingate.com>:

> Hi Kazuho,
>
>
>> I am interested in what constraints this use-case introduces to QUIC on
>> Streams. Am I correct to understand that your interest in forwarding the
>> stream-related frames of QUIC (and possibly also DATAGRAM frames) through
>> multiple hops, with each hop being either QUIC v1 (UDP) or QUIC on Streams
>> (TCP)?
>>
>
> Yes, but there is more to it. And as you suggested, I'm also sharing our
> use cases with the mailing list. If nothing else, maybe some people will
> find them interesting or entertaining.
>
> In principle, it looks like QUIC on Streams takes just the
> streams/multiplexing part of QUIC and runs it on TCP/TLS-like transports.
> Our use case seems to require 'QUIC on Streams' + 'QUIC v1 crypto'. I
> wonder whether it is so extremely unusual or not. Let me elaborate.
>
> QUIC on Streams is designed to work on top of transports that provide the
> 4 capabilities listed in 3.1.
> <https://datatracker.ietf.org/doc/html/draft-kazuho-quic-quic-on-streams#section-3.1>Properties
> of Underlying Transpor
> <https://datatracker.ietf.org/doc/html/draft-kazuho-quic-quic-on-streams#name-properties-of-underlying-tr>
> t.
> For QUIC v1, the underlying transport is plain UDP, which doesn't provide
> any of these 4 capabilities.
>
> Thus, it's either all four or none, which prompts the question: are there
> any useful transports* that possess only a subset of these capabilities?
>
> We want end-to-end Client<->Connector QUIC connections (which represent
> secure tunnels) between Clients and Connectors. The streams of these QUIC
> connections carry the payload of the user's TCP (transparently terminated
> by our proxy on the Client side) or UDP flows. Both Clients and Connectors
> are transport-layer proxies.
>
>
> [image: design2(5).png]
> Path 3 is the classical QUIC v1.
> Path 4 is addressed by QUIC on Streams.
> Paths 1 and 2 consist of multiple transports, each possessing all four
> capabilities. However, as a whole, these paths lack 'Confidentiality and
> Integrity' because of the presence of Relay.
>
> For Paths 1 and 2, we would need something like 'QUIC on Streams' + 'QUIC
> v1 crypto'. It would need to start with a TLS handshake similar to regular
> QUIC v1. Then, its behavior might resemble QUIC on Streams, but with QUIC
> frames likely embedded into QUIC packets -- providing cryptographic
> functions but no reliable delivery, congestion control, or other QUIC v1
> services.
>

Thank you for sharing the use case. This is very interesting.

I think we can use QUIC on Streams as is to fulfill both the use cases, in
either of the following ways:

1. Run QUIC on Streams on top of end-to-end TLS.

The idea here is that the Relay can forward encrypted bytes of an
end-to-end TLS connection.

In the case of path 1, I think it would be possible to set up a TLS
connection between Client and Connector, on top of "TCP/TLS Connection 1"
and "TCP/TLS Connection 2"? Then, we can run QUIC on Streams on top of that
end-to-end TLS connection for multiplexing streams.

In the case of path 2, Client and Connector can establish an end-to-end TLS
connection atop of QUIC streams provided by the two hops. Then, we would
run QUIC on Streams on top of that end-to-end TLS connection.

2. Run QUIC v1 on top of unreliable multi-hop transport, each hop provided
either by QUIC v1 or QUIC on Streams.

The idea here is that the Client and the Connector would send QUIC v1
packets through the hops (i.e., "TCP/TLS connection X" and "QUIC/UDP
Connection X"). The hops or the Relay between the hops might drop the
end-to-end QUIC v1 packets, but that'd be fine as they would be
retransmitted as needed.

In the case of path 1, QUIC on Streams would be used atop each hop (i.e.,
"TCP/TLS connection 1" and 2), and the end-to-end QUIC v1 packets will be
conveyed by the DATAGRAM frames.

In the case of path 2, each hop (i.e., "QUIC/UDP Connection 1") would
convey the end-to-end QUIC v1 packets using the DATAGRAM frames.

WDYT?


> There is another possibility for using Path 2 with QUIC v1. Path 2 is
> special because it can either possess three capabilities
> (in-order-delivery, reliable-delivery, congestion-control) or only
> (congestion-control*) when QUIC DATAGRAMs are used for tunneling. On one
> hand, if we intend to tunnel QUIC packets through this path, congestion
> control may be redundant here (which is anyway the case with some QUIC
> implementations). On the other hand, it might be preferable to keep
> congestion control enabled on these two connections but disable it on the
> end-to-end QUIC connection.
>
> Now, another outrageous question: Would it be useful to have Multipath
> QUIC running simultaneously on top of UDP and TCP/TLS at least? The ideal
> case for us is to have a single QUIC connection (secure tunnel) working on
> top of all these paths above.
>
> One of the user use cases is to allow uninterrupted migration of user
> flows, say, SSH sessions, between network paths. For example, an SSH
> session starts through a Relay (Path 1 or 2) and later switches to a
> peer-to-peer path (Path 3) once it becomes available.
>
> Kind regards,
> Dmitry
>
>

-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email