IETF Logo Mail Archive

Re: Fast Address Validation - about

Christian Huitema <huitema@huitema.net> Sat, 02 November 2019 07:27 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0B8120F7A for <quic@ietfa.amsl.com>; Sat, 2 Nov 2019 00:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.587
X-Spam-Level:
X-Spam-Status: No, score=-2.587 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14iqwsXDzH2D for <quic@ietfa.amsl.com>; Sat, 2 Nov 2019 00:27:04 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 545F2120F6F for <quic@ietf.org>; Sat, 2 Nov 2019 00:26:49 -0700 (PDT)
Received: from xse1.mail2web.com ([66.113.196.1] helo=xse.mail2web.com) by mx37.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1iQno4-00052T-7I for quic@ietf.org; Sat, 02 Nov 2019 08:26:45 +0100
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 474rGV5LDBz26Yb for <quic@ietf.org>; Sat, 2 Nov 2019 00:26:42 -0700 (PDT)
Received: from [10.5.2.31] (helo=xmail09.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1iQno2-0000GK-K2 for quic@ietf.org; Sat, 02 Nov 2019 00:26:42 -0700
Received: (qmail 14468 invoked from network); 2 Nov 2019 07:26:42 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.58.43.199]) (envelope-sender <huitema@huitema.net>) by xmail09.myhosting.com (qmail-ldap-1.03) with ESMTPA for <anqing.aq@alibaba-inc.com>; 2 Nov 2019 07:26:41 -0000
Content-Type: multipart/alternative; boundary="Apple-Mail-221D5986-567F-4BD9-999C-06EEB9E03C0C"
Content-Transfer-Encoding: 7bit
From: Christian Huitema <huitema@huitema.net>
Mime-Version: 1.0 (1.0)
Subject: Re: Fast Address Validation - about
Date: Sat, 02 Nov 2019 00:26:40 -0700
Message-Id: <375F3961-B73B-4457-923F-7FA4DDF796F8@huitema.net>
References: <CAN1APdeo78H5cfoDOcwiS3AJ9mx2jYEJB3X0qD3LBP8xQYc3Vw@mail.gmail.com>
Cc: Qing An <anqing.aq@alibaba-inc.com>, Marten Seemann <martenseemann@gmail.com>, "jri.ietf" <jri.ietf@gmail.com>, "\"刘大鹏(鹏成)\"" <max.ldp@alibaba-inc.com>, QUIC <quic-bounces@ietf.org>, mt <mt@lowentropy.net>, quic <quic@ietf.org>
In-Reply-To: <CAN1APdeo78H5cfoDOcwiS3AJ9mx2jYEJB3X0qD3LBP8xQYc3Vw@mail.gmail.com>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
X-Mailer: iPhone Mail (17A878)
X-Originating-IP: 66.113.196.1
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.1/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.1/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0eT2jivapI8P7M2alpZfRhCpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDcnqpk5VeF3xR4kF6iVwRtbgN zB/4Jkrw1eDLcif59ftAvp/1ifpaG8i7GymIyD1pU7Tmz6iKnkQL9gqsxD347235Nhqq+/HvroPq 8GSPg+7KJix/R2qbtdH2ZflMjNgfMm/JD3cPBOX47Hg3FEpDo46jSvfpO+1kZkomjtjB6X5Q5Q9f RUeIpTIC2ySfqvnqLwoxlgatmaBb0rBiK9xbkDrUqzcKIief90MVLZY9LbIZh9+IQ1oS9LBn3VIP 95Jz7ujRlJ9wSMlhvaudJXZ9EIBG/qaR+8r9SKFMmPJLf850OvZYsmoVQuOIhwKLK6IKBNB4LZ0v UHHKTzJX7b1JhMjx7v77N42Z/zX3DQBtZa/0j9rMdVQseW3F+doIupqmER9E+btGG8Xk1uugE/FU 4J9TrjYo22Tif+7yfJXbGyN6EipRzMVZ5LqwTx7Vvn9SP+LiFhV9TEgXGI3XmDfDnB5aBPiMI+5j SdCRNhQ7VQKZusCm1UASYxmQqsGnM7tlFes1lrjuf/yms9xisrbG3zKR6RgQ6scM/oDJnhhySxmG 2fTOgpcK8g6VLh2DhW3+8YhI0T+E7bfVzyzh3DkvygyEZ9MYp5iiF2omUcFCWyHfp5jvIRkgf1tp JI7UlnPwuzTaGSeL3jmx6uXmdFXlkT4Lel6+lRVXf9ufYOgEjsm2LIu4VpW9PnyVI47sBfejIbtf 63VNbf0lrvssY+k7ANT9RVml4guvn3w4lnA08DXdRWSFfvxlx1m1Ym2uLiVdLjn318QNPUYQ2jrZ 34OoP6Bq8RrgJ/UgukAoEtIMdAQ2COlcvbL8404LTj9gR9O7Wyz6fZ9+dDG3ponuSVlpvwK85PZi OWsDG95exPBTMJOSJfirJfZ3lrXFsN6NSPKpFV6IlDleOcfiDMC4IxDxpTEvuGslKTrRIXcXpFg5 ivY=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/4RUMVYdgFRkaXa-qDqWOSpWY1qo>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2019 07:27:08 -0000

There may be scenarios in which having address proof tokens would help. For example, provision the token during normal operation but only enforce them when under attack. I assume that's what Qing An has in mind. But it is safer and more reliable to provision the tokens using 1rtt packets, after the handshake is verified.

-- Christian Huitema 

> On Nov 1, 2019, at 11:51 PM, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> wrote:
> 
> 
> I can see how a token in the initial packet can speed up a second connection because you can drop the handshake if you do not like the token.
> 
> But isn’t that exactly what 0-RTT connections / tokens are supposed to do?
> 
> And for delivering new tokens for future use it does not really matter if it is delivered in the handshake from a performance perspective because 1) you are likely to continue doing more work anyway, and 2) if not, you still need to confirm the handshake before trusting the connection, and 3) coalescing 1-RTT packets are not usually slower than sending in handshake.
> 
> From a security perspective there are other concerns as Christian has discussed.
> 
> Delivering Retry tokens for future use (as you mention your next mail) may be problematic due to life time concerns. 0-RTT tokens are expected to live longer than Retry and Retry tokens and the Connection ID associated with it, reflects the current server farms load such that new connections can redirect immediately, not sometime later.
> 
>> On 1 November 2019 at 23.28.03, Qing An (anqing.aq@alibaba-inc.com) wrote:
>> 
>> 
>> Based on discussion, the proposal is for first connection establishment, server chooses to eliminate Retry and rely on handshake. But server can also use New_Token frame via Handshake or Initial to deliver token for future connection.
>> 
>> 
>> ------------------Original Mail ------------------
>> Sender:Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
>> Send Date:Fri Nov 1 23:19:30 2019
>> Recipients:Qing An <anqing.aq@alibaba-inc.com>, Marten Seemann <martenseemann@gmail.com>
>> CC:jri.ietf <jri.ietf@gmail.com>, QUIC <quic-bounces@ietf.org>, quic <quic@ietf.org>, mt <mt@lowentropy.net>, 刘大鹏(鹏成) <max.ldp@alibaba-inc.com>
>> Subject:Re:Re: Fast Address Validation - about
>>> But what do you need to the token for in this case? The token is to prove that you previously spoken to the server. But the TLS handshake provides the same proof (but cannot redirect and must carry state). Any additional information the token might carry is only interesting in Initial packets where the connection can be stopped early or (in ongoing work) to encrypt the initial packet. That is not relevant during handshake. The Diffie Helman key exchange takes care of all this. Since you proposal also cannot redirect and must carry state, I don’t see the purpose. I do agree you can deliver that token, but since it is not obvious what the token is needed for, the purpose is unclear.
>>> 
>>> You appear to assume that address validation only happens if you have a Retry token, bu that is not correct, it just happens with less server resources.
>>> 
>>> On 1 November 2019 at 15.55.09, Qing An (anqing.aq@alibaba-inc.com) wrote:
>>> 
>>> 
>>> Again, the fast address validation is to provide another option for server, not to drop the Retry approach.
>>> 
>>> I think if choose not to send a Retry, it is necessary to define how to deliver token from server to client. In this case,  via new_token frame in handshake can be an approach.
>>> 
>>> 
>>> ------------------Original Mail ------------------
>>> Sender:Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
>>> Send Date:Fri Nov 1 21:37:42 2019
>>> Recipients:Qing An <anqing.aq@alibaba-inc.com>, Marten Seemann <martenseemann@gmail.com>
>>> CC:jri.ietf <jri.ietf@gmail.com>, QUIC <quic-bounces@ietf.org>, quic <quic@ietf.org>, mt <mt@lowentropy.net>, 刘大鹏(鹏成) <max.ldp@alibaba-inc.com>
>>> Subject:Re: Fast Address Validation - about
>>>> You only save a roundtrip because you do not send a Retry.
>>>> 
>>>> If you choose not to send a Retry, the client eventually gets validated anyway because otherwise the handshake could not complete. Therefore a Retry token is not needed if you go down that path. In this case the RTT overhead with fast address validation is the same as ordinary QUIC 1-RTT handshake.
>>>> 
>>>> On the other hand, in the case where Retry is needed, the fast address validation approach does not solve the problem which is one of 1) defer handshake processing and server state until after the address is verified, or 2) redirect the client to another server through a change in ConnectionID.
>>>> 
>>>> 
>>>> 
>>>> On 1 November 2019 at 14.26.24, Qing An (anqing.aq@alibaba-inc.com) wrote:
>>>> 
>>>> 
>>>> I believe this can save 1-RTT.
>>>> 
>>>> As for the privacy risk, new_token frame can be delivered via handshake
>>>> 
>>>> 
>>>> ------------------------------------------------------------------
>>>> From:Marten Seemann <martenseemann@gmail.com>
>>>> Send Time:2019年11月1日(星期五) 20:54
>>>> To:安勍(莳逸) <anqing.aq@alibaba-inc.com>
>>>> Cc:QUIC <quic-bounces@ietf.org>; quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt <mt@lowentropy.net>; mikkelfj <mikkelfj@gmail.com>; 刘大鹏(鹏成) <max.ldp@alibaba-inc.com>
>>>> Subject:Re: Fast Address Validation - about
>>>> 
>>>> I don't see any enhanced client experience, since the handshake takes exactly the same number of round trips with your proposal as with the current version of the QUIC draft.
>>>> Sending NEW_TOKEN in Initial packets provides no benefit over sending it in 1-RTT packets, but comes with worse privacy properties, since Initial packets are not encrypted and can therefore be read by on-path observers.
>>>> 
>>>> On Fri, Nov 1, 2019 at 7:37 PM Qing An <anqing.aq@alibaba-inc.com> wrote:
>>>> 
>>>> If so, for the first connection between client and server, server can choose to eliminate the use of Retry packet for token delivery, and rely on handshake encryption layer to prove return routability.  In addition, New_Token frame is used by server, via i.e. the Initial packet, to provide the client with an address validation token that can be used to validate future connections.
>>>> 
>>>> It can enhance the experience in client side for the first connection establishment.
>>>> 
>>>> I submitted the draft, https://datatracker.ietf.org/doc/draft-an-fast-address-validation/
>>>> 
>>>> Qing
>>>> 
>>>> 
>>>> 
>>>> ------------------------------------------------------------------
>>>> From:Mike Bishop <mbishop@evequefou.be>
>>>> Send Time:2019年11月1日(星期五) 00:06
>>>> To:安勍(莳逸) <anqing.aq@alibaba-inc.com>; quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt <mt@lowentropy.net>; mikkelfj <mikkelfj@gmail.com>
>>>> Subject:RE: Fast Address Validation - about
>>>> 
>>>> As Martin pointed out in the e-mail you replied to, if the server is willing to maintain state, any packet at the Handshake encryption layer proves return routability.  There seems to be no need for a separate address validation mechanism if the server is willing to proceed with the handshake.
>>>>  
>>>> From: QUIC <quic-bounces@ietf.org> On Behalf Of Qing An
>>>> Sent: Thursday, October 31, 2019 8:56 AM
>>>> To: quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt <mt@lowentropy.net>; mikkelfj <mikkelfj@gmail.com>
>>>> Subject: Re: Fast Address Validation - about
>>>>  
>>>>  
>>>>  
>>>> To clarify, the proposal is not to replace the existing Retry-based validation, but to provide another option for server to do the client validation.
>>>>  
>>>> I understand that in server side, exchanging the token at the Handshake encryption level will make the server start to maintain handshake states. But in client side, it can accelerate the connection establishment from client to server.
>>>>  
>>>> And it is the server's decision whether to exchange token in Retry or in Handshake. If server chooses to accept the cost brought by token exchanging in Handshake, it will bring more enhanced experience in client side.
>>>>  
>>>>  
>>>> BR,
>>>> Qing
>>>>  
>>>>  
>>>> ------------------------------------------------------------------
>>>> From:Martin Thomson <mt@lowentropy.net>
>>>> Send Time:2019年10月31日(星期四) 06:07
>>>> To:quic <quic@ietf.org>
>>>> Subject:Re: Fast Address Validation - about
>>>>  
>>>> Also note that exchange of Handshake packets provides proof of return routeability via the use of the encryption keys, so there is no need to exchange tokens at that level.
>>>> 
>>>> On Thu, Oct 31, 2019, at 03:29, Mike Bishop wrote:
>>>> >  
>>>> > The advantage of using Retry, however, is that the server is able to 
>>>> > keep minimal (if any) state about the client. Exchanging the token at 
>>>> > the Handshake encryption level means the server is already doing work 
>>>> > and maintaining state in order to process the handshake, which is 
>>>> > exactly what the server is trying to avoid.
>>>> > 
>>>> > 
>>>> > *From:* QUIC <quic-bounces@ietf.org> *On Behalf Of * Qing An
>>>> > *Sent:* Wednesday, October 30, 2019 9:41 AM
>>>> > *To:* quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt 
>>>> > <mt@lowentropy.net>
>>>> > *Cc:* 刘大鹏(鹏成) <max.ldp@alibaba-inc.com>
>>>> > *Subject:* Fast Address Validation - about
>>>> > 
>>>> > 
>>>> > 
>>>> > 
>>>> > Hi Martin, Jana, 
>>>> > 
>>>> > I read through https://www.ietf.org/id/draft-ietf-quic-transport-23.txt 
>>>> > and have a few comments and ideas to discuss.
>>>> > 
>>>> > 
>>>> > [QUIC-Trans] defines a token based scheme to facilitate address 
>>>> > validation of a client. The token MUST be covered by integrity 
>>>> > protection against modification or falsification by clients. The server 
>>>> > remembers the value it sends to clients and validates the token sent 
>>>> > back from a client. In its design, Retry packet is used to deliver the 
>>>> > token to a client which address has not yet been validated. It voids 
>>>> > the first transmission of the Initial packet sent by the client, and 
>>>> > triggers a second Initial packet to be sent with the token. The 
>>>> > exchange of token will cause longer connection establishment delay for 
>>>> > a client.
>>>> > 
>>>> > 
>>>> > To improve the efficiency of address validation during handshake, one 
>>>> > idea is that the same token can be exchanged via a different container 
>>>> > i.e. the Handshake packet, that eliminates the use of Retry packet for 
>>>> > token delivery. 
>>>> > 
>>>> > 
>>>> > I am working on the complete draft and will submit it by Friday. Before 
>>>> > that, hope this can be discussed in email first.
>>>> > 
>>>> > 
>>>> > BR,
>>>> > 
>>>> > Qing An
>>>> >
>>>>  
>>>> 
>>>>

v2.23.0 | Report a Bug | By Email