[quicwg/base-drafts] Improve Large Server Certificate Scenario (#3784)
Nick Banks <notifications@github.com> Wed, 24 June 2020 00:48 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A64703A0D04 for <quic-issues@ietfa.amsl.com>; Tue, 23 Jun 2020 17:48:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.482
X-Spam-Level:
X-Spam-Status: No, score=-1.482 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ejFosjdHo9g1 for <quic-issues@ietfa.amsl.com>; Tue, 23 Jun 2020 17:48:12 -0700 (PDT)
Received: from out-24.smtp.github.com (out-24.smtp.github.com [192.30.252.207]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FEDD3A0D03 for <quic-issues@ietf.org>; Tue, 23 Jun 2020 17:48:12 -0700 (PDT)
Received: from github-lowworker-3a0df0f.ac4-iad.github.net (github-lowworker-3a0df0f.ac4-iad.github.net [10.52.25.92]) by smtp.github.com (Postfix) with ESMTP id 497656A11D1 for <quic-issues@ietf.org>; Tue, 23 Jun 2020 17:48:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1592959691; bh=KAayssHaQrTbKhvRmV4LQunFXjoFVUsUjXB7ox3ofVw=; h=Date:From:Reply-To:To:Cc:Subject:List-ID:List-Archive:List-Post: List-Unsubscribe:From; b=R66EClBw5Y2pn9Pp00vXYmfhQh4bHFZdp27xSteUsn7lsMNdvGGdyBjJWr0WayUNw 0oK3wBe3aEeTU+z1+UqrorTk40UExtNzrrGPPVlISCFGuSG/Q4QUR65ZsL6v06B8yJ qP8Sx5HXerwXgCTP16U9e3UlFNTq0G6f8pV8dnTk=
Date: Tue, 23 Jun 2020 17:48:11 -0700
From: Nick Banks <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6LMTC7I4ROS4HRWB5472B4XEVBNHHCMZSKYY@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3784@github.com>
Subject: [quicwg/base-drafts] Improve Large Server Certificate Scenario (#3784)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5ef2a2cb3a5a0_12e43ffcf14cd96030766"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: nibanks
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/NO5KrARZczfjkz5ohGvX-jve7M4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 00:48:14 -0000
### Problem Amplification protection (send no more than 3x of receive) on the server side ends up adding an extra round trip in many scenarios than use a large server certificate. ### Proposed Solution Send more in the initial client flight. We already require client Initial packets to be padded to at least 1200 bytes to force them to "pay to play" so to speak, but that's not enough if the server's certificate is larger than ~3K. [This blog post](https://www.fastly.com/blog/quic-handshake-tls-compression-certificates-extension-study) does a good job of outlining the problem and proposes certificate compression as a possible solution. A simpler solution (IMO) is to recommend clients send more in their initial flight; perhaps two fully padded copies of their Client Hello. This effectively doubles the size of certificate that would fit in the server's first flight. Doubling the number of initial packets may increase congestion at the start of the handshake, but QUIC has already made the decision to send 2 probe packets for recovery, compared to TCP's 1. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/3784
- [quicwg/base-drafts] Improve Large Server Certifi… Nick Banks
- Re: [quicwg/base-drafts] Improve Large Server Cer… Martin Thomson
- Re: [quicwg/base-drafts] Improve Large Server Cer… Nick Banks
- Re: [quicwg/base-drafts] Improve Large Server Cer… Jana Iyengar
- Re: [quicwg/base-drafts] Improve Large Server Cer… Martin Thomson
- Re: [quicwg/base-drafts] Improve Large Server Cer… Lars Eggert
- Re: [quicwg/base-drafts] Improve Large Server Cer… Lucas Pardue
- Re: [quicwg/base-drafts] Improve Large Server Cer… Lars Eggert
- Re: [quicwg/base-drafts] Improve Large Server Cer… Martin Thomson
- Re: [quicwg/base-drafts] Improve Large Server Cer… Martin Thomson