IETF Logo Mail Archive

Re: Fast Address Validation - about

Marten Seemann <martenseemann@gmail.com> Fri, 01 November 2019 12:54 UTC

Return-Path: <martenseemann@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BC2E1200FE; Fri, 1 Nov 2019 05:54:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0-fTD-HutrPW; Fri, 1 Nov 2019 05:54:05 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9E5D12002E; Fri, 1 Nov 2019 05:54:04 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id g3so4038510ljl.11; Fri, 01 Nov 2019 05:54:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ca0/vQIKP81eRii8nmzw4llzvd+nVzqZK4HcvQzG02g=; b=Zg52DamdYni29g5jVntxAaauA8T2/kBr7yv67QNYB0qe2yE1ajGSeXQiHpoE6ntNL8 feU4+KSt2oWouxcCBfruIiL3GIVPNNHldINPD468rEHqshjgQSnn7Zl0rMVoGe+M3rNd 2dI4V3iDEBeHpjO/x+n6wnmnT+HTBA3CwuY1wSucgMpShEZS9SOM71ZT+5LH4WRcvAX2 QOV0tDbzEx4K10IPX4IOCdhblwX3hTRRoQI8oU+aooTPDTaBa0FQvDZd3PFHzZg38vTC jqzVl0jX9cNDhyD9v+IESkhu3BFSBUk3b6pKWTW89fSkZAkoQakkfQC/GrisejLV5dTK mgag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ca0/vQIKP81eRii8nmzw4llzvd+nVzqZK4HcvQzG02g=; b=F51HFDDR5kIs3NMdprGotDqye5HDXV4JB7XtW/1BgrE55+46ukazkqPG6ZlMdqSN/R +XAyu9HzXOu8O480+gwCn4Re7uiPo4UugPOeW4UXTv+jrK1JbSwfuTevSdnQNgfDxr5Z PATr+Lvna5DPENSSELbUKmFD0lGvM6WeX3pv8O5zDOt4ok+PkuiAtrAZnh8CzVun0kSj Oggo/Ioaw5yGdNl8FZ72aO1gIIaFVXs19jKxBrvPj0t5zEBUS8jLhAKBeH4QmdJ1uFlx Fw1Q/zjAvpqfjipHZVIW6EzfpGgi8HEpFFeBpkLWgcYQI8dZQOLiLODHNAvSuHnki1sm eNyA==
X-Gm-Message-State: APjAAAXuKw69eVxhJSurRsYfdaahkxytdWv8jtXbJaJFJU7HNX+IjV4W ROV0cKhc3H+hGnjeyWXUtUrxggPHWRVJaHl8rsc=
X-Google-Smtp-Source: APXvYqzxwGSH5zJHQlVDkuMMT8hObEdPTq4qGlwCmgKf9EzjIz0o/S5nZWwawFks0ZxcQ4gQlQAKL1KUcU5PLx9mmZU=
X-Received: by 2002:a2e:2c10:: with SMTP id s16mr8470325ljs.160.1572612842811; Fri, 01 Nov 2019 05:54:02 -0700 (PDT)
MIME-Version: 1.0
References: <4974ed86-0fa9-435d-880f-80af637ef180.anqing.aq@alibaba-inc.com> <BN6PR2201MB1700F72F3DC8F6C3CF79902CDA600@BN6PR2201MB1700.namprd22.prod.outlook.com> <bd15f357-8e7a-42af-bf28-79f7177da385@www.fastmail.com> <f55efb80-1a95-4190-84e5-b81948a7f081.anqing.aq@alibaba-inc.com> <BN6PR2201MB17005571E88F1C68769091A3DA630@BN6PR2201MB1700.namprd22.prod.outlook.com> <69d1a917-b1f9-4142-afb0-f5c67abe7334.anqing.aq@alibaba-inc.com>
In-Reply-To: <69d1a917-b1f9-4142-afb0-f5c67abe7334.anqing.aq@alibaba-inc.com>
From: Marten Seemann <martenseemann@gmail.com>
Date: Fri, 01 Nov 2019 19:53:51 +0700
Message-ID: <CAOYVs2r0zJzbfw5L2Mck8VEJhtyfQtHwF-db5VG45HDTF0WoOQ@mail.gmail.com>
Subject: Re: Fast Address Validation - about
To: Qing An <anqing.aq@alibaba-inc.com>
Cc: QUIC <quic-bounces@ietf.org>, quic <quic@ietf.org>, "jri.ietf" <jri.ietf@gmail.com>, mt <mt@lowentropy.net>, mikkelfj <mikkelfj@gmail.com>, "刘大鹏(鹏成)" <max.ldp@alibaba-inc.com>
Content-Type: multipart/alternative; boundary="000000000000dd75810596487508"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/1ozMFWeQ-o5vS1FoI4h3JbuQ7B8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2019 12:54:08 -0000

I don't see any enhanced client experience, since the handshake takes
exactly the same number of round trips with your proposal as with the
current version of the QUIC draft.
Sending NEW_TOKEN in Initial packets provides no benefit over sending it in
1-RTT packets, but comes with worse privacy properties, since Initial
packets are not encrypted and can therefore be read by on-path observers.

On Fri, Nov 1, 2019 at 7:37 PM Qing An <anqing.aq@alibaba-inc.com> wrote:

>
> If so, for the first connection between client and server, server can
> choose to eliminate the use of Retry packet for token delivery, and
> rely on handshake encryption layer to prove return routability.
> In addition, New_Token frame is used by
> server, via i.e. the Initial packet, to provide the client with an
> address validation token that can be used to validate future connections.
>
> It can enhance the experience in client side for the first connection
> establishment.
>
> I submitted the draft,
> https://datatracker.ietf.org/doc/draft-an-fast-address-validation/
>
> Qing
>
>
>
> ------------------------------------------------------------------
> From:Mike Bishop <mbishop@evequefou.be>
> Send Time:2019年11月1日(星期五) 00:06
> To:安勍(莳逸) <anqing.aq@alibaba-inc.com>; quic <quic@ietf.org>; jri.ietf <
> jri.ietf@gmail.com>; mt <mt@lowentropy.net>; mikkelfj <mikkelfj@gmail.com>
> Subject:RE: Fast Address Validation - about
>
> As Martin pointed out in the e-mail you replied to, if the server is
> willing to maintain state, any packet at the Handshake encryption layer
> proves return routability.  There seems to be no need for a separate
> address validation mechanism if the server is willing to proceed with the
> handshake.
>
>
>
> *From:* QUIC <quic-bounces@ietf.org> *On Behalf Of * Qing An
> *Sent:* Thursday, October 31, 2019 8:56 AM
> *To:* quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt <
> mt@lowentropy.net>; mikkelfj <mikkelfj@gmail.com>
> *Subject:* Re: Fast Address Validation - about
>
>
>
>
>
>
>
> To clarify, the proposal is not to replace the existing Retry-based
> validation, but to provide another option for server to do the client
> validation.
>
>
>
> I understand that in server side, exchanging the token at the Handshake encryption level
> will make the server start to maintain handshake states. But in client
> side, it can accelerate the connection establishment from client to server.
>
>
>
> And it is the server's decision whether to exchange token in Retry or in
> Handshake. If server chooses to accept the cost brought by token exchanging
> in Handshake, it will bring more enhanced experience in client side.
>
>
>
>
>
> BR,
>
> Qing
>
>
>
>
>
> ------------------------------------------------------------------
>
> From:Martin Thomson <mt@lowentropy.net>
>
> Send Time:2019年10月31日(星期四) 06:07
>
> To:quic <quic@ietf.org>
>
> Subject:Re: Fast Address Validation - about
>
>
>
>
> Also note that exchange of Handshake packets provides proof of return routeability via the use of the encryption keys, so there is no need to exchange tokens at that level.
>
> On Thu, Oct 31, 2019, at 03:29, Mike Bishop wrote:
> >
> > The advantage of using Retry, however, is that the server is able to
> > keep minimal (if any) state about the client. Exchanging the token at
> > the Handshake encryption level means the server is already doing work
> > and maintaining state in order to process the handshake, which is
> > exactly what the server is trying to avoid.
> >
> >
> > *From:* QUIC <quic-bounces@ietf.org> *On Behalf Of * Qing An
> > *Sent:* Wednesday, October 30, 2019 9:41 AM
> > *To:* quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt
> > <mt@lowentropy.net>
> > *Cc:* 刘大鹏(鹏成) <max.ldp@alibaba-inc.com>
> > *Subject:* Fast Address Validation - about
> >
> >
> >
> >
> > Hi Martin, Jana,
> >
> > I read through https://www.ietf.org/id/draft-ietf-quic-transport-23.txt
> > and have a few comments and ideas to discuss.
> >
> >
> > [QUIC-Trans] defines a token based scheme to facilitate address
> > validation of a client. The token MUST be covered by integrity
> > protection against modification or falsification by clients. The server
> > remembers the value it sends to clients and validates the token sent
> > back from a client. In its design, Retry packet is used to deliver the
> > token to a client which address has not yet been validated. It voids
> > the first transmission of the Initial packet sent by the client, and
> > triggers a second Initial packet to be sent with the token. The
> > exchange of token will cause longer connection establishment delay for
> > a client.
> >
> >
> > To improve the efficiency of address validation during handshake, one
> > idea is that the same token can be exchanged via a different container
> > i.e. the Handshake packet, that eliminates the use of Retry packet for
> > token delivery.
> >
> >
> > I am working on the complete draft and will submit it by Friday. Before
> > that, hope this can be discussed in email first.
> >
> >
> > BR,
> >
> > Qing An
> >
>
>
>
>
>

v2.23.0 | Report a Bug | By Email