IETF Logo Mail Archive

Re: [quicwg/base-drafts] Servers are not expected to validate multiple paths simultaneously (#3932)

Eric Kinnear <notifications@github.com> Sun, 26 July 2020 01:59 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E80C3A0874 for <quic-issues@ietfa.amsl.com>; Sat, 25 Jul 2020 18:59:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 73TAeB4F2VJC for <quic-issues@ietfa.amsl.com>; Sat, 25 Jul 2020 18:59:07 -0700 (PDT)
Received: from out-25.smtp.github.com (out-25.smtp.github.com [192.30.252.208]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D72A3A0872 for <quic-issues@ietf.org>; Sat, 25 Jul 2020 18:59:06 -0700 (PDT)
Received: from github-lowworker-a27607f.ash1-iad.github.net (github-lowworker-a27607f.ash1-iad.github.net [10.56.18.61]) by smtp.github.com (Postfix) with ESMTP id DB9FC840E34 for <quic-issues@ietf.org>; Sat, 25 Jul 2020 18:59:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1595728745; bh=jLAfj0UlUEx3yLHsiV3qoebutRnXPUrQPbpHNX0iqnU=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=xacGrUNBZZG2nIkiVT1Nga+cpXrnEv6a9P4mf5ZOfNrXJeDVuejjOnmpBBJ/D/k7c NCdnCQSg94YknRnG2EshklYsy15RqwxKTdSh/xK31SVZ5LmPRj9dUIUbpyDdsSLkuP lNCM1Vp+G6s0W2aumsYyp0nGCeHn4asLLsW3DskQ=
Date: Sat, 25 Jul 2020 18:59:05 -0700
From: Eric Kinnear <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6377MVCX7DS32D4OV5FDCGTEVBNHHCPCRAZE@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3932/663925866@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3932@github.com>
References: <quicwg/base-drafts/issues/3932@github.com>
Subject: Re: [quicwg/base-drafts] Servers are not expected to validate multiple paths simultaneously (#3932)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f1ce369cb7b0_79713fbf4b0cd95c5126d6"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: ekinnear
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/yLNPfZvqHDgDdVd1Hblv1WCsf_M>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2020 01:59:10 -0000

> I'm a bit confused about why a client needs to probe multiple paths simultaneously, given we have connection migration, not multipath.

I think there's a pretty big distinction between probing a path to establish the potential for connectivity and migrating the connection to that path. For example, I would not be at all surprised if a client were to probe all available paths and choose the "best" one to migrate to when the need arises (often, although not always, there is some warning that conditions are worsening on the current path which provides the opportunity to evaluate alternatives).

> What if they all succeed? A client can still only use one.

That said, I think a large part of the reason to allow probing on multiple paths is to avoid requiring synchronization of a shared understanding as to the state of current probes. We don't want to add a bunch of machinery to establish _failure_ of a probe on a different path. So even if we don't think that a client would ever _intentionally_ probe multiple paths, if a client probes one path and hears no response, it seems completely reasonable to think that it would switch and probe a different path if it had one available. If it turns out that there was just some delay for that initial path, say it had a 1.5s RTT, now the server is going to think the client probed two paths at the same time, when in reality the client thinks it's just talking to one.

It also doesn't seem particularly harmful to allow this?

As @kazuho noted, there's some good text in there about limiting state required on the server, and of course path validation can happen at any time, so it seems completely reasonable to "forget" that any given path was validated if a client probes and then doesn't end up using the path. (Note that you'd likely want to retire the CID used on that path, so as to replace it with a new one when you did that forgetting, which also serves as a nice heuristic for the other endpoint to say "oh, hmm, they don't think they're talking to me over there", but we can dig into that later.)

> @ekinnear can you clarify the packet racing issue a bit more or point me to text that already does?

The packet racing thing is a reference to [9.3.3](https://quicwg.org/base-drafts/draft-ietf-quic-transport.html#section-9.3.3) and the previous section. This led us to require endpoints to validate both the current and the new path when it changes, which conveniently provokes some traffic to reconfirm the active path and makes it more difficult to disrupt a connection that's gone idle.

```
In response to an apparent migration, endpoints MUST validate the previously active 
path using a PATH_CHALLENGE frame. This induces the sending of new packets on 
that path. If the path is no longer viable, the validation attempt will time out and fail;
if the path is viable, but no longer desired, the validation will succeed, but only
results in probing packets being sent on the path.

An endpoint that receives a PATH_CHALLENGE on an active path SHOULD send a 
non-probing packet in response. If the non-probing packet arrives before any copy 
made by an attacker, this results in the connection being migrated back to the original 
path. Any subsequent migration to another path restarts this entire process.
```

While technically this is only discussing one "new" path and then the old path being validated at the same time, it seems as though it would be trivial for such an attacker to convince an endpoint that it was seeing "probes" (since we've discussed that it's not that difficult to identify a probing packet as an observer) from multiple paths and therefore be quite upset if such behavior were restricted.

> future hardware could make that possible

I'm not saying this happens all the time, but it seems pretty reasonable to have a Wi-Fi interface and then a dual SIM device with multiple cellular interfaces.

Overall, it seems as though (even if this isn't crazy common) it's not unreasonable to expect that this behavior might happen, and it doesn't seem like there's a big benefit to restricting it, nor harm in allowing it, beyond the existing text reminding endpoints to be careful with the amount of state they're willing to allocate to any individual client (which is a thing outside of any probing/migration concept anyways).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3932#issuecomment-663925866

v2.43.4 | Report a Bug | By Email | System Status