Re: [Ohai] The OHAI WG has placed draft-ohai-chunked-ohttp in state "Call For Adoption By WG Issued"

Tommy Pauly <tpauly@apple.com> Thu, 25 January 2024 23:50 UTC

From: Tommy Pauly <tpauly@apple.com>
Date: Thu, 25 Jan 2024 15:49:57 -0800
Cc: ohai@ietf.org, Shivan Kaul Sahib <shivankaulsahib@gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ohai/r8b7Y-1YKc1jPeZUHkIbAJh4nXo>

Hi David,

A few salient points I want to highlight from the meeting that will help with context (sorry they’re not in the document yet, that’s what needs to be done):

- As Eric Rosenberg brought up, one of the main benefits here is when a client is making requests and 90% of them will be short/fast responses, but there’s another 10% that may be slower to generate, it makes far more sense for clients to request with OHTTP as opposed to making unique TLS connections for each request that might be slow.

- As Jana brought up, the role of a relay to do OHTTP (essentially a specific kind of reverse proxy) compared to a TLS forwarding / MASQUE proxying is quite different. A MASQUE-style proxy with per-request decoupling needs to establish new connections to the next hop for every request, dealing with port allocation, IPs, etc. For OHTTP, it’s just a normal reverse proxy model. This is one reason the proposal of doing short TLS connections for every single request doesn’t really scale in practice.

- While it’s totally true that OHTTP doesn’t come with PFS, it also has many privacy advantages: not exposing the latency to the client, and being able to support 0-RTT data without incurring correlation. The sketch you include below would currently involve having linkability between these 0-RTT requests and also would end up exposing latency to the client as the client finishes the full handshake.

As I said in the meeting, I think we do need to make sure we are not reinventing TLS at a different layer, but there are solutions that fit squarely in the OHTTP privacy model that are best solved by letting an OHTTP message come in multiple pieces. I’m certainly not advocating that “everything should be built on chunked OHTTP”, but rather that there is a (limited) place for it in the overall solution ecosystem.

Thanks,
Tommy

> On Jan 24, 2024, at 6:00 PM, David Schinazi <dschinazi.ietf@gmail.com> wrote:
> 
> I'm opposed to adoption.
> 
> This mechanism appears to be geared at use cases that would be better served by single-HTTP-request-over-TLS-over-CONNECT (which I'll conveniently abbreviate to SHROTOC for the rest of this email). The reason that OHTTP itself exists is that it provides better performance than SHROTOC for small requests and responses, because the TLS handshake overhead is quite noticeable when the application data is small. This performance win justified the weaker security that OHTTP provides compared to SHROTOC. In particular, OHTTP lacks perfect forward secrecy and is vulnerable to replay attacks. Extending OHTTP to large messages creates something that has performance similar to SHROTOC but with much weaker security. If early data is considered useful, SHROTOC can leverage TLS 0-RTT with much better security properties: only the early data lacks PFS and replay-protection; any data exchanged after the client's first flights gets those protections. I'm opposed to creating a new mechanism when there is already an available solution with better security.
> 
> Apologies if this was covered in yesterday's meeting, I was unable to attend and did not find minutes or recordings for it.
> 
> Thanks,
> David
> 
> On Wed, Jan 24, 2024 at 2:10 PM Mark Nottingham <mnot=40mnot.net@dmarc.ietf.org> wrote:
>> I support adoption.
>> 
>> > On 24 Jan 2024, at 10:27 am, Shivan Kaul Sahib <shivankaulsahib@gmail.com> wrote:
>> > 
>> > ohai all, 
>> > 
>> > Thanks to folks who attended the interim today to discuss https://www.ietf.org/archive/id/draft-ohai-chunked-ohttp-01.html. Overall, there was interest in adopting and working on the document. 
>> > 
>> > This email starts a 2 week call for adoption for https://datatracker.ietf.org/doc/draft-ohai-chunked-ohttp/. Please let us know what you think about OHAI adopting this document by February 6.
>> > 
>> > Thanks,
>> > Shivan & Richard
>> > 
>> > On Tue, 23 Jan 2024 at 15:24, IETF Secretariat <ietf-secretariat-reply@ietf.org> wrote:
>> > 
>> > The OHAI WG has placed draft-ohai-chunked-ohttp in state
>> > Call For Adoption By WG Issued (entered by Shivan Sahib)
>> > 
>> > The document is available at
>> > https://datatracker.ietf.org/doc/draft-ohai-chunked-ohttp/
>> > 
>> > 
>> > -- 
>> > Ohai mailing list
>> > Ohai@ietf.org
>> > https://www.ietf.org/mailman/listinfo/ohai
>> 
>> --
>> Mark Nottingham   https://www.mnot.net/
>> 