Re: [quicwg/base-drafts] introduce a version alias mechanism (#2573)

Marten Seemann <> Fri, 12 April 2019 13:48 UTC

Date: Fri, 12 Apr 2019 06:48:20 -0700
From: Marten Seemann <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/2573/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] introduce a version alias mechanism (#2573)

> I do fear that this feature will make a generic, independent DDoS solution practically impossible. The more I talk to folks on the DDoS side, the more push back I get from any type of coordination between backend servers and the DDoS device. If there is no coordination, then the device will not understand these aliased version numbers; and therefore will not be able to reply with a version specific response (Retry).

We had this discussion at the NY interim, and we concluded that it's a design feature of QUIC that middleboxes can't send Retries **unless** they coordinate with the server. That's why we introduced the `original_connection_id` transport parameter, in which the server has to prove knowledge of the connection ID that the client initially used for its connection attempt. If a middlebox wants to send a Retry, it therefore must either communicate this connection ID directly to the server, or (which is the more practical solution) share a key with the server and encode it into the token.

To decode the version number of greased versions, it's not hard to imagine a similar arrangement between the middlebox and the server. Defining an algorithm to do so safely would probably belong in the LB draft.

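The shared-key arrangement described in the reply above, worked through as an added example that is not part of the original thread and not QUIC WG or any implementation's code: a stateless DDoS middlebox answers the client's first Initial with a Retry whose token carries the client's original DCID under an HMAC keyed with a key it shares with the origin server; the server, which never saw that first Initial, validates the token, recovers the original DCID and asserts it in `original_connection_id`; the client accepts only if that value matches what it originally sent. The token layout, HMAC-SHA256 as the integrity primitive, the 30 s lifetime, the sample key and addresses, and all function names are assumptions made for this illustration. The simulation also covers the failure modes: a server without the shared key (an uncoordinated Retry, caught by the client's `original_connection_id` check), and tokens that are forged, tampered, replayed from another address, truncated, or expired (caught by the server).

```python
"""Retry token shared between a DDoS middlebox and the origin server.

Constructed illustration of the arrangement described in the reply above;
this is not QUIC WG code or any implementation's. Assumptions not in the
thread: the token layout, HMAC-SHA256 as the integrity primitive, a 30 s
token lifetime, the sample key and addresses, and every name used here.
"""
import hashlib
import hmac
import os
import struct
import time

TOKEN_VERSION = 1
TAG_LEN = 16
MAX_TOKEN_AGE = 30.0          # seconds (assumption)
_HDR = "!BdQB"                # version, issue time, nonce, dcid length
_HDR_LEN = struct.calcsize(_HDR)


def _tag(key, body, client_addr):
    # Bind the token to the client's source address so a token captured from
    # one client cannot be replayed from another.
    return hmac.new(key, body + client_addr.encode(), hashlib.sha256).digest()[:TAG_LEN]


def make_retry_token(key, original_dcid, client_addr, now):
    """Middlebox side: stateless Retry, the client's original DCID rides in the token."""
    if not 1 <= len(original_dcid) <= 20:      # QUIC connection IDs are at most 20 bytes
        raise ValueError("bad connection id length")
    nonce = int.from_bytes(os.urandom(8), "big")
    body = struct.pack(_HDR, TOKEN_VERSION, now, nonce, len(original_dcid)) + original_dcid
    return body + _tag(key, body, client_addr)


def parse_retry_token(key, token, client_addr, now):
    """Server side: validate a token minted by the middlebox and recover the original DCID."""
    if len(token) < _HDR_LEN + 1 + TAG_LEN:
        raise ValueError("token too short")
    version, issued, _nonce, cid_len = struct.unpack(_HDR, token[:_HDR_LEN])
    if version != TOKEN_VERSION:
        raise ValueError("unknown token version")
    body, tag = token[:_HDR_LEN + cid_len], token[_HDR_LEN + cid_len:]
    # compare_digest is constant-time and returns False on a length mismatch,
    # which also catches truncated or padded tokens.
    if len(body) != _HDR_LEN + cid_len or not hmac.compare_digest(tag, _tag(key, body, client_addr)):
        raise ValueError("token integrity check failed")
    if not 0.0 <= now - issued <= MAX_TOKEN_AGE:
        raise ValueError("token expired")
    return body[_HDR_LEN:]


def token_accepted(key, token, client_addr, now):
    """Convenience predicate: True if the server would accept the token."""
    try:
        parse_retry_token(key, token, client_addr, now)
        return True
    except ValueError:
        return False


def simulate(client_addr, middlebox_key, server_key, now):
    """Client -> middlebox (Retry) -> server, as one run of the handshake start.

    server_key=None models a server that has no key shared with the middlebox
    and therefore cannot recover the original DCID from the token.
    Returns (outcome, reason).
    """
    original_dcid = os.urandom(8)                      # 1. client's first Initial, no token
    retry_scid = os.urandom(8)                         # 2. middlebox picks a new CID, keeps no state
    token = make_retry_token(middlebox_key, original_dcid, client_addr, now)
    # 3. client's second Initial carries DCID = retry_scid plus the token.
    # 4. the server never saw step 1; it must get the original DCID from the token.
    if server_key is None:
        # A server that cannot read the token only knows the CID it actually saw.
        claimed = retry_scid
    else:
        try:
            claimed = parse_retry_token(server_key, token, client_addr, now + 0.5)
        except ValueError as exc:
            return "server_rejected", str(exc)
    transport_params = {"original_connection_id": claimed}
    # 5. the client accepts only if the server proved knowledge of the original DCID.
    if transport_params["original_connection_id"] != original_dcid:
        return "client_aborted", "original_connection_id mismatch"
    return "established", "original DCID proven via token"


if __name__ == "__main__":
    shared = os.urandom(32)
    print(simulate("198.51.100.7:50412", shared, shared, time.time()))        # established
    print(simulate("198.51.100.7:50412", shared, os.urandom(32), time.time()))  # server_rejected
    print(simulate("198.51.100.7:50412", shared, None, time.time()))          # client_aborted
```

The token only needs integrity, not confidentiality: the original DCID was already on the wire in the client's first Initial, so an HMAC with a key shared out of band between middlebox and server is enough for the server to trust the value it echoes back. The address binding and the lifetime are what stop a captured token from being replayed at scale, which is the property a DDoS device cares about.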