Re: [MLS] Move / Add-in-place / Compounding
Richard Barnes <rlb@ipv.sx> Tue, 23 October 2018 14:45 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: mls@ietfa.amsl.com
Delivered-To: mls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9DF9128BCC for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 07:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aHk2b0CCXk5a for <mls@ietfa.amsl.com>; Tue, 23 Oct 2018 07:45:17 -0700 (PDT)
Received: from mail-ot1-x330.google.com (mail-ot1-x330.google.com [IPv6:2607:f8b0:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89020128D09 for <mls@ietf.org>; Tue, 23 Oct 2018 07:45:12 -0700 (PDT)
Received: by mail-ot1-x330.google.com with SMTP id p23so1603745otf.11 for <mls@ietf.org>; Tue, 23 Oct 2018 07:45:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RWYUm1h700o6QCOWGNOmS6VHuLKIJAft30Pk/vmZzlA=; b=kRJxgJDF7+7WpbOHSOSE8C/vHyeE5zQYF6wcNEnPkpa6l9MDk04S1WZGiKfYlT6x+D Fj1gWVDUoSEsGV4n6vE6VnQdvsji8EU4Di0pwPExLqhkHvkstMEKsx6TFigar4TJRf4n j9OqvvKp9ZSaTPMfrByWNvDMk2UouSnAnzxUwvKIMl5LXpYAC37qw3JWSBmLsovWGpOm 5tTxrEYcD4gUcLlhkzDuWE1Zmgzk/PqbeaeXc2i0BhPyr+NvY4rt5zciDBazrGRmNRDa XgW6PFAiaCPBtiGPQpPZu3nu4Bzn5s9JaNMifY6ksqmryywnPsCYUF1ZAuqIvzPZefe3 9fbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RWYUm1h700o6QCOWGNOmS6VHuLKIJAft30Pk/vmZzlA=; b=e4b/7vG0LS78I/rq44k4XiyRRd34pDWD8u5chAWixFd/ZeOXRm6MyFGrEYb9erJdNC U8QpCYGx//l5Ov51k8Q/Yxqbew7fQXGU0vCUvcarMnFIIIlCm/CyIDmkfWyf8N1L0j6o toDDjwucxa8JHR9SxFd/pHwaPVK5BrI2XysG1B43KdI/ljinA8W00IA8G2VnuWTs+vT5 mp7odp+Kmup59z1lv8aDjUbpP3N+BfUAmuaY42xldgo6Fd4TFs/A5IHshd2+k13Cg0Dn FMz6r5buHnqZlZjTXXSM8ibnN+fOXL25kZ/oS2/vEbO/Z+nOBiVo8Uk9gI840oiIPcxB 1XHw==
X-Gm-Message-State: AGRZ1gK4U3W55Z36u7iUWI6fzcBvk83NLYdiVF9diH6TVpZHp+9exTpt i16rDV64T0zZEPb8INMIa+50hQaMtqOI932iyULHMA==
X-Google-Smtp-Source: AJdET5e4qTiE+0z0uFycopLONXSSsErmU5A0HhTfve/A63nRm8t8FWhheZKSDK5eHbvBSj6SLDB78j7GhaxbyJSMGRo=
X-Received: by 2002:a9d:1c85:: with SMTP id l5mr294944ota.331.1540305911476; Tue, 23 Oct 2018 07:45:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgTYLTkkB-WhjeBtorVcdiurPibi9eqmQmG3qib1gLhEkA@mail.gmail.com> <D1060454-E518-4D82-B95F-D14099C388D6@wire.com> <C96B8919-34A3-4B21-B6CF-538F95D53CBC@vigilsec.com>
In-Reply-To: <C96B8919-34A3-4B21-B6CF-538F95D53CBC@vigilsec.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Tue, 23 Oct 2018 07:44:56 -0700
Message-ID: <CAL02cgTpNQnyURErtJUvGsxLUc=0_xhz-+xJe3tn728PQtzX4w@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Raphael Robert <raphael@wire.com>, mls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b3087e0578e66a51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/YX_VzSjKhMC1jwVSLNcYCDczeN0>
Subject: Re: [MLS] Move / Add-in-place / Compounding
X-BeenThere: mls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Messaging Layer Security <mls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mls>, <mailto:mls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mls/>
List-Post: <mailto:mls@ietf.org>
List-Help: <mailto:mls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mls>, <mailto:mls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 14:45:21 -0000
I agree there are synchronization problems, but I don't think they're appreciably worse than before. Right now, when you have an Update or Add conflict now, the retry logic is "do it again"; for Remove, it's either "do it again" or "never mind", depending on whether the thing you conflicted with was a Remove for the same slot. When you have a conflict with Move / Add-in-place, the retry logic is "do it again with a different slot" or "never mind", where the latter hits if you were going to move to a lower slot to compact the tree, but all the lower slots are now filled. So the only major difference relative to the above is that you need to pick a new target. That seems as straightforward as a lowest_available_slot() method, which returns the next leaf if the tree is full. In any case, once we settle down on the set of operations, we should take another stab at describing retry considerations. I filed an issue [1]. --Richard [1] https://github.com/mlswg/mls-protocol/issues/76 On Tue, Oct 23, 2018 at 5:15 AM Russ Housley <housley@vigilsec.com> wrote: > Don't add and move make synchronization concerns worse? Can two clients > ask for the same empty-when-they-looked node? > > Russ > > > On Oct 22, 2018, at 2:59 PM, Raphael Robert <raphael@wire.com> wrote: > > I think these two operations make perfect sense (had the same ones in > mind). Some comments: > > Regarding Move: > We should work on a recommendation of when to do a Move instead of an > Update, and also of when to do a Move even if no Update was planned. > The recommendation could initially be something naive, such as: when the > ratio of blank leaves / full leaves is greater than xxx, do a Move. > > Regarding Add-in-place: > I think this has the potential of becoming the default, as opposed to the > current Add. Maybe both operations could be one and the same if we just add > an index to the current Add. In that case the recommendation for the index > would simply be the left-most empty leaf node. > > If both operations are correctly applied by clients, the tree should have > the optimal size. > There is however a case where trees will not shrink, but only if the > following three conditions are met: > > - A large number of members left the group (large is relative to the > group size) > - A large number of the remaining members never come online again and > therefore cannot move themselves (large is again relative to the remaining > group size) > - Only very few new members are added subsequently > > I suspect that the above scenario is however an edge case. If it occurs > “in the wild” it might eventually get solved on a social level (when > unresponsive members get removed by active ones). > > > On 22 Oct 2018, at 20:34, Richard Barnes <rlb@ipv.sx> wrote: > > Hey MLS folks, > > tl;dr: > - Would there be interest in a Move operation? > - How about an operation to Add a new member in an open slot instead of > the right edge? > > In looking at the "partial tree" stuff (#67), it occurred to me that once > you have partial trees with blank leaves, you can in principle do two new > operations: An existing member can move from one leaf in the tree to > another; and an existing member can add a new member at a leaf that is > currently blank. These operations would work roughly as follows: > > - Move: > - Blank out old dirpath > - Move credential from old slot to new slow > - Send update along new dirpath > - Add-in-place: > - Blank out dirpath for slot > - Install new member's leaf key in slot > - Install new member's credential in slot > > For Move, you would also want to have people step down the size of the > tree. For example, if you go from having 10 leaves (X _ X X _ _ _ _ _ X) > to four leaves (X X X X) as the result of a move, then the resulting tree > should only have height 2, not 4 (as is required for 10 leaves). > Fortunately, this is trivial with the tree math defined in the document; > you just truncate the node vector, and the calculated root gets > correspondingly smaller. > > I've prototyped this out in my JS stack [1][2]. Once you've built a tree, > and removed a couple of members, you can click one of the "Move" buttons to > move that node to the lowest open slot. As you can see, it's not a ton of > code. > > In any case, this seems to me to be potentially useful, since it addresses > the issue that was raised in the BoF that the size of the resources for a > group increases monotically. Move allows you to reclaim resources that are > unused (assuming some orchestration outside of MLS), and Add-in-place > allows us to be conservative with resources that are already allocated (cf. > realloc). > > If folks think these sound like useful tools, I'll write up a PR and we > can discuss in BKK. > > --Richard > > [1] https://ipv.sx/treekem/ > [2] > https://github.com/bifurcation/treekem/commit/7f470422ba61ce668c3ab1d6b2d18edd9d6e06fd > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls > > > _______________________________________________ > MLS mailing list > MLS@ietf.org > https://www.ietf.org/mailman/listinfo/mls > > >
- [MLS] Move / Add-in-place / Compounding Richard Barnes
- Re: [MLS] Move / Add-in-place / Compounding Raphael Robert
- Re: [MLS] Move / Add-in-place / Compounding Russ Housley
- Re: [MLS] Move / Add-in-place / Compounding Richard Barnes