Re: [Plus] Supporting connection tracking and basic diagnostics: a minimal PLUS

[Ian Swett <ianswett@google.com>]

On Sun, Dec 11, 2016 at 1:33 AM, Christian Huitema <huitema@huitema.net>
wrote:

> On Saturday, December 10, 2016 4:35 PM, Tommy Pauly wrote:
> >
> > I agree with Ian that the first option is probably easier and more
> viable as a
> > solution. The second option is attractive in how it makes the
> association and
> > confirmation values less predictable, and thus more trustworthy. However,
> > the extra state required to debug and reconstruct the flow does seem too
> high
> > if want wide adoption.
>
> I too think that the first option is more practical. I am a bit concerned
> that the "token" suggested in the second option does not have any link to
> the mechanism of the transport protocol. That means lazy implementation
> could take their sweet time and "rotate the token" once in a blue moon,
> making it seriously unfit for RTT assessment.
>
> In the first option, the echo is the "last seen sequence number" that
> would otherwise be carried in the ACK frame. If we move it out of the ACK
> frame and into the header, then we have pretty much a guarantee that
> applications will do it right. I like that. I also like that the scheme
> does not make the "connection start" special, and works just as well after
> a rerouting or a NAT state change.
>
> OTOH, there is going to be a "feature interaction" between this
> sequence+echo scheme and the senders' strategy of skipping some sequence
> numbers in order to verify that the recipients are not making up ACKS. The
> intermediate boxes will have no way to distinguish between a packet number
> voluntarily skipped by the sender, and a packet loss between the sender and
> the middlebox. I hope this won't affect the "wireshark diagnostics" too
> much.
>

We could specify that if a peer wants to skip packet numbers, it should be
by more than 256, assuming 256 packet gaps are rare(which they are, though
they do happen).    Or some other known approach that is relatively simple
to identify.


> > When we are looking at the first option, you mentioned strategies to
> avoid on-path
> > injection attacks of stops.
>
> I like the "two ways stop". It definitely increases the robustness. Also,
> sending the sequence number and last seen in "clear text" solves the "guess
> the sequence number" issue for the "rebooted server." Maybe we can use
> EKR's scheme after all.
>
> > ... Is there any attack that could be made regarding the PSN? If the
> attacker can modify
> > PSN values or inject packets with higher PSN values in either direction,
> what side effects
> > can we see? I'm assuming that the endpoints themselves will be able to
> validate the
> > authenticity of the fields, but could a middle box that is trying to
> monitor the
> > plausible-ness of the PSN get thrown off? Or does it only ever adjust
> its plausibility
> > window when it sees a PSN acknowledged? (To that end, if an
> acknowledgment
> > value is faked, what does that do?)
>
> That's a very good observation, and in fact it applies to current QUIC as
> well. A man-on-the side can inject a series of plausible packets before the
> sender does. The "real" packets coming from the sender will repeat packet
> numbers that are 'already seen'. A middlebox that is too clever might drop
> those in an attempt to "remove duplicates." We can always say that
> middleboxes should not try to be too clever, but that's a bit like saying
> that the bubonic plague should be nicer...
>
>
Agreed.  Since QUIC does not reuse packet numbers, the only times a
middlebox would expect to see duplicate PSNs is if the network duplicates
them(insanely rare) or if there is an attack.  In both cases, the best
course of action is to do nothing and not remove duplicates, since only
endpoints know which packets are valid, so there is no practical incentive
for a middlebox to do that.  That being said, this and many other points
may need to be documented to reduce the chances of someone trying to be
clever.


> -- Christian Huitema
>
>
>
>