IETF Logo Mail Archive

Re: [quicwg/base-drafts] Long Header Packets and Routing Connection IDs (#2834)

Kazuho Oku <notifications@github.com> Mon, 24 June 2019 21:51 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F28F120178 for <quic-issues@ietfa.amsl.com>; Mon, 24 Jun 2019 14:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8
X-Spam-Level:
X-Spam-Status: No, score=-8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pt8QmaO5lI6z for <quic-issues@ietfa.amsl.com>; Mon, 24 Jun 2019 14:51:53 -0700 (PDT)
Received: from out-21.smtp.github.com (out-21.smtp.github.com [192.30.252.204]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8645412017F for <quic-issues@ietf.org>; Mon, 24 Jun 2019 14:51:53 -0700 (PDT)
Date: Mon, 24 Jun 2019 14:51:52 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1561413112; bh=CgiaRDr4PWq944bmsXTifHUVlBrpqhFPApHYqNuABdA=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=rS0tLeRhfZTu2nB/cc09E5iOcGCBblXSauza5Fht91eEyj1mO3JAZkEvwewCgQlFC DByveXXmwAlOKPDcAzpAeqgNRYlB4MmxP3VpAtSsaaAYo1wuzb0hXkfLS3Fp/MJq+O LhzTqjChE2SUxzX4UMBmVWwmtCG4sNVNQEb3ZzX4=
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4HI5F2G4S4CPLN2HN3DZ4HREVBNHHBWZGHNE@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/2834/505195683@github.com>
In-Reply-To: <quicwg/base-drafts/issues/2834@github.com>
References: <quicwg/base-drafts/issues/2834@github.com>
Subject: Re: [quicwg/base-drafts] Long Header Packets and Routing Connection IDs (#2834)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d1145f85efb5_13123f87b28cd95c1521ca"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/raXvx3PxtWuGrDEigzO1236SXGg>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2019 21:51:57 -0000

@nibanks 
>> I do not think that this is a viable design.
>> 
>> An attacker controls both the client tuple and the initial CID. A stateless load balancer has to have the capability to change the CID, otherwise, it cannot balance the load between the servers running behind.
> 
> @kazuho I don't understand how your statement shows that changing the CID only with Short Header packets is not a viable design. First, the LB isn't the one to change the CID, the backend server is the one. Second, the CID would be changing, but until a little later in the exchange.

The problem is this "a little later in the exchange" that is introduced by the proposal.

In QUIC v1, if we ignore use of 0-RTT packets (that we do not need to care under attack), the only type of packet that has client-chosen CID is the first flight sent from the client. All the packets that the client sends in response to server's packet contains a server-chosen CID.

This is an excellent property.

When receiving an Initial packet carrying a CID that does not authenticate, a load balancer can assign the connection to a server that is the least loaded (or a server can choose a thread that is the least loaded). The assigned server (or the thread) would generate an authenticated CID that maps to itself, and responds with an Initial packet that contains that CID. Then, all the subsequent packets from the client that need to be processed would carry that authenticated CID, allowing these packets to be routed using only the CID.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/2834#issuecomment-505195683

v2.39.1 | Report a Bug | By Email | System Status