Re: 0-RTT Design for HTTP/2
Ian Swett <ianswett@google.com> Sat, 19 December 2020 19:39 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51E743A0EAF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 19 Dec 2020 11:39:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.237
X-Spam-Level:
X-Spam-Status: No, score=-10.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87voZtINClyK for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sat, 19 Dec 2020 11:39:42 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D506C3A0E4D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sat, 19 Dec 2020 11:39:41 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1kqi1p-0000mk-C0 for ietf-http-wg-dist@listhub.w3.org; Sat, 19 Dec 2020 19:36:35 +0000
Resent-Date: Sat, 19 Dec 2020 19:36:33 +0000
Resent-Message-Id: <E1kqi1p-0000mk-C0@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <ianswett@google.com>) id 1kqi1l-0000m7-8K for ietf-http-wg@listhub.w3.org; Sat, 19 Dec 2020 19:36:29 +0000
Received: from mail-yb1-xb2a.google.com ([2607:f8b0:4864:20::b2a]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <ianswett@google.com>) id 1kqi1i-0002K5-Tg for ietf-http-wg@w3.org; Sat, 19 Dec 2020 19:36:29 +0000
Received: by mail-yb1-xb2a.google.com with SMTP id k4so1284266ybp.6 for <ietf-http-wg@w3.org>; Sat, 19 Dec 2020 11:36:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VJsEtEnGRJuZONJ01UqGi5D33LKOlm7SrEq1NhBE4ME=; b=S01n/6ag3munphoa4vbW6nLF4NZgGz96q71JXA+hxgnvfRynmA9xcv/nGE5ndgxOni RBfkOZDtNjp4MpfMmxq29LsJEJlsylmTspYAU1aUaQRHEPQOQsYGksI+11NUO3Xo+AOI GPrw5KeS8Y0263No9wPmggiw9Lr3zh32X4uubdc0v6bYe6qJqlpYxw/v2UGD4+7F9Dmi 4QvNGvrdcNbFVUIjiWO9Ib32SQKuQ2Cr0ZLYDz012D0KcJkagNpD0/V0G3TWx1fgnVVh d2jB4IG+ia7ilcQQi01FMJiC0rT9k5MYk+w/k4Lhj1vrrmoiDvALOw0GI4IgAPO3DCav aplg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VJsEtEnGRJuZONJ01UqGi5D33LKOlm7SrEq1NhBE4ME=; b=KJMVA1sSbgf21s3OHxJazLiQs4lHKSd4BfxKtRRR5egQ3MQd157WLkGlIx5OkROJf0 OanrMikBRYGSejko6onf8D/hDUSrCFyGrD5+0rPL8l8X5dkCCiVZVdtaynJvhsBYa0s2 8/kytnEHUThJ2YqrIz0Uy5DxIdEm2Q4rxbrZMDBx6dfqnQggGKn2flFwhq7/nMPMiEhU WgK/Yt4mNTizfcB1enDwnchPkFqVLYj1gobNrDWs0zixR5symNFzM2kP5EyVUa0hJLG9 I/wSy1dw4BykD2aMfBWvD3k+KD95RFoPq4pbPexv2is7pC91jRYequdt+ry37XC1beFY P93w==
X-Gm-Message-State: AOAM5333DiG5ocP/oz12tEE4vsU1DOlf++I/9cWfLkz42WwrFXQpSB/y jBj0olbpNwBagt1o4rFBFJsS+fuzwHsEN8zKRseOALBpBUM=
X-Google-Smtp-Source: ABdhPJwwvPW1VQX1RxoVLQHuMvkqkYMV0SacLwCw7h8/aOB8gpeKfaaY7Kbv/1cCprhXSqnWYezHzieaEJlQI88+Nas=
X-Received: by 2002:a25:2610:: with SMTP id m16mr604361ybm.389.1608406575516; Sat, 19 Dec 2020 11:36:15 -0800 (PST)
MIME-Version: 1.0
References: <126ee381-7828-451f-865a-db6357928243@www.fastmail.com> <CAH_hAJEmDzfsQQ_V9vpFkGAZcXHtfKzfSDM0r6WJERb6y0_qMA@mail.gmail.com> <CAKcm_gP=2uix9wd_uOw9JgR2OeobNPAdR4s7Sp=r6CEUEng58g@mail.gmail.com> <CAPDSy+55brsH9c_RkvmjzFX6CmKu10go2_G-w2Ub=iO2LZjpbQ@mail.gmail.com> <0adce792-13b3-4e87-a31e-6d3bc4cd5367@www.fastmail.com>
In-Reply-To: <0adce792-13b3-4e87-a31e-6d3bc4cd5367@www.fastmail.com>
From: Ian Swett <ianswett@google.com>
Date: Sat, 19 Dec 2020 14:36:04 -0500
Message-ID: <CAKcm_gMWc_Ew_sDNkkyjGZJjwsCfr+rw9xs3SUbT0KTAbkoRHw@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000096eea905b6d656d6"
Received-SPF: pass client-ip=2607:f8b0:4864:20::b2a; envelope-from=ianswett@google.com; helo=mail-yb1-xb2a.google.com
X-W3C-Hub-Spam-Status: No, score=-19.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1kqi1i-0002K5-Tg fd51e5da4293e9f2e7972e60a1391715
X-Original-To: ietf-http-wg@w3.org
Subject: Re: 0-RTT Design for HTTP/2
Archived-At: <https://www.w3.org/mid/CAKcm_gMWc_Ew_sDNkkyjGZJjwsCfr+rw9xs3SUbT0KTAbkoRHw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/38329
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Wed, Dec 16, 2020 at 8:46 PM Martin Thomson <mt@lowentropy.net> wrote: > Mega-reply... > > On Wed, Dec 16, 2020, at 21:33, Cory Benfield wrote: > > I am somewhat nervous here about how many servers will implement this. > > > > Typical OSS server implementations have a somewhat arms-length > > relationship with their TLS stack. This tends to mean they don't > > actually know exactly when new session ticket messages were sent. > > While this is not a hard limitation (OpenSSL has the requisite > > functions) it's the kind of barrier to entry that could be quite > > awkward. This may also lead to limitations in how many HTTP/2 stacks > > go through the effort of implementing the extension. > > So there is a lot of text here, but it is very easy to implement the > server side of this if you don't change settings often. Just set the value > to 1 in the preface and remember those values. Confirm that the TLS stack > isn't spitting out session tickets except during the handshake (which is > the only place they appear in TLS 1.2) and you are good. > > There is a risk with TLS 1.3 that sending session tickets might take some > time. This depends on things like ticket requests with large numbers and > how the stack schedules those relative to application data. Basically, you > need to ensure that you delay any changes to settings (changes you might > not be able to synchronize with ticket issuance properly) until you are > reasonable sure that tickets aren't being sent. > > BTW, I like how NSS manages this, and not just because it's my code :). > NSS makes it the responsibility of the application to send extra tickets > [1]. It might send one, but that is sent ahead of any responses you might > generate. > > Short story: I believe that it is easy to implement this with TLS 1.2; TLS > 1.3 might take a little care. > > [1] > https://searchfox.org/nss/rev/51b18ad6c1e627ada90028df9062f7200f7cec94/lib/ssl/sslexp.h#245-264 > (I really need to promote that one from experimental some time.) > > On Wed, Dec 16, 2020, at 23:34, David Schinazi wrote: > > If there's energy in the community to improve HTTP/2 SETTINGS, > > I would personally prefer to direct that energy at also solving the > > "not having SETTINGS when sending the first request" problem. > > Once potential solution is ALPS [1]. Would it make sense to join > > these two efforts to ensure we fix SETTINGS for good? > > I'm glad you raise ALPS David. My view is that we can't really deploy > ALPS in an incremental fashion for HTTP/2. Part of what I'm looking for > here is an incremental solution. > > I do see the possibility of just trying ALPS when it is available. > However, I think that is enough of a different protocol that it requires a > new ALPN to go along with it. > > I've watched the discussion regarding the possibility of defining a new > ALPN for HTTP/2 and my sense is that there isn't overwhelming support for > the idea. If we had that support, then it might be good to try to fix ALPS > into the design of a new protocol, but that isn't how things appear to be > going. > > On Wed, Dec 16, 2020 at 4:31 AM Ian Swett <ianswett@google.com> wrote: > > Before we get to that, one Q on deployability: Does the working group > think enough of the ecosystem can handle this new EARLY_DATA_SETTINGS > setting? If no one sends it, even if they support the functionality, it > sort of defeats the purpose. > > Good question and worth answering before considering this. I think that > the work Bence has done here shows that there is some hope of success on > this front. That goes back to the "new ALPN" question. I'm reading a > pretty strong desire to fix "h2" rather than give up on it, but I'm sure > that everyone is open to conceding that the bustage cost is too high if > that is where things stand. > I think Bence's work showed that the major servers can be fixed. However, upgrades still take time and I'm not sure if they've yet been completed. I suspect there's a long tail of servers out there that don't upgrade very often(or ever :( ), and I feel a bit uncomfortable saying we're just going to break them. If I only had to send the SETTING client to server, I think that might be deployable in the near future, though Chrome would have to run more widespread tests. I'm actually more concerned about the fact that the server has to send the SETTING(which makes complete sense, given what you're trying to accomplish). It's impractical to wait for receipt of the client SETTING before sending the server one, and the client ecosystem is much slower to upgrade, unfortunately. Given this, ALPS looks better from a deployability perspective. To my knowledge, there are no known issues deploying new TLS 1.3 extensions. Given the lack of interest in a new h2 ALPN, I'm suggesting ALPS include a GREASE recommendation, so if one deploys ALPS, it's also an indication it's a fully compliant h2 implementation.
- 0-RTT Design for HTTP/2 Martin Thomson
- Re: 0-RTT Design for HTTP/2 Cory Benfield
- Re: 0-RTT Design for HTTP/2 Ian Swett
- Re: 0-RTT Design for HTTP/2 David Schinazi
- Re: 0-RTT Design for HTTP/2 Martin Thomson
- Re: 0-RTT Design for HTTP/2 David Schinazi
- RE: 0-RTT Design for HTTP/2 Mike Bishop
- Re: 0-RTT Design for HTTP/2 Martin Thomson
- Re: 0-RTT Design for HTTP/2 Ian Swett
- Re: 0-RTT Design for HTTP/2 Willy Tarreau
- Re: 0-RTT Design for HTTP/2 Martin Thomson
- Re: 0-RTT Design for HTTP/2 Martin Thomson
- Re: 0-RTT Design for HTTP/2 Willy Tarreau
- Re: 0-RTT Design for HTTP/2 Martin Thomson
- Re: 0-RTT Design for HTTP/2 Ian Swett
- Re: 0-RTT Design for HTTP/2 Cory Benfield