IETF Logo Mail Archive

Re: [quicwg/base-drafts] Provide Signal that SCID is client assigned (#2838)

MikkelFJ <notifications@github.com> Tue, 25 June 2019 00:12 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E56F512010F for <quic-issues@ietfa.amsl.com>; Mon, 24 Jun 2019 17:12:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJYMNpijEnTx for <quic-issues@ietfa.amsl.com>; Mon, 24 Jun 2019 17:12:00 -0700 (PDT)
Received: from out-17.smtp.github.com (out-17.smtp.github.com [192.30.252.200]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8313120041 for <quic-issues@ietf.org>; Mon, 24 Jun 2019 17:11:59 -0700 (PDT)
Date: Mon, 24 Jun 2019 17:11:58 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1561421518; bh=dTxV8CCLrNTSKYT+PTdzYIFin7yz5wNV0OhN7KxoMwk=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=Qy4h6+YMhb/O12wIU3b1scAEYouixmtWxBbI44sagKA7PFae4DJLZ7zS5t6+LZe9y sa8d8bqxp0Z9bmohhRE7MeScfYFlunX7iW/rFskVnYLxjJkcpvMDaG8IAZg2y6moBo ONKwOv06LIv2Ley/PCkv9zfa2EX157ldnYgCgiv0=
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6ZA3KEOVWCI4F7ZYF3D2MU5EVBNHHBW3C4Q4@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2838/505227174@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2838@github.com>
References: <quicwg/base-drafts/issues/2838@github.com>
Subject: Re: [quicwg/base-drafts] Provide Signal that SCID is client assigned (#2838)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d1166ce3a382_6f2b3f88da0cd9681640d9"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/M18YOFIKfrirtehmWcznaqVMYAU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 00:12:02 -0000

An LB may use this signal as an indication that it may choose an arbitrary endpoint without the need for consistent routing and consequently QUIC versions should be designed accordingly.

Load Balancers need to make qualified decision on how to route traffic, especially when the connection is being established. If the LB is always willing to do a cryptographic validation of the CID, it can use that as a signal but a load balancer that needs to a fast decision cannot trust client generated CID's because they might just have poor entropy, or they might be constructed to DoS a single endpoint.

The signal could also be encoded as a bit in the CID itself, but that is just moving a header bit.
Some have proposed using the long header to detect if the CID is client generated, but that prevents the long header from switching to server chosen CID early, and it would ossify in LB at the peril of future QUIC versions.

A common solution for CID'less routing is to use a 4-tuple hash, instead of a client CID, but that requires that you know that you need to do it, as opposed to using a server generated CID. A 4-tuple hash will not work behind a proxy where the original source IP is lost. It will also not work in future non-IP networks where CID is used for routing alone. Today QUIC v1 requires the handshake to be 4-tuple stable which is probably fine, but it is not necessarily fine in all future versions or all kinds of deployments.

Of course an endpoint can lie about the CID bit, but that should be enable to successfully establish or maintain a connection. Other on-path entities could manipulate the bit, but the same can be said for other header parts that might affect routing.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2838#issuecomment-505227174

v2.23.0 | Report a Bug | By Email