IETF Logo Mail Archive

Re: Is "Version Greasing" a new benfit or a new obstacle?

Roberto Peon <fenix@fb.com> Wed, 10 April 2019 16:53 UTC

Return-Path: <prvs=90033198a1=fenix@fb.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6088B1203E2 for <quic@ietfa.amsl.com>; Wed, 10 Apr 2019 09:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.337
X-Spam-Level:
X-Spam-Status: No, score=-1.337 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=1.363, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=nwqq/Dp/; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=cn0DxrJH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6DaSREs6VJP for <quic@ietfa.amsl.com>; Wed, 10 Apr 2019 09:53:31 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B60EE1203DE for <quic@ietf.org>; Wed, 10 Apr 2019 09:53:31 -0700 (PDT)
Received: from pps.filterd (m0109334.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x3AGmre7025960; Wed, 10 Apr 2019 09:53:27 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=facebook; bh=6BB6jOyn2Xb3LKKtnEQ6MW2kvK9rZxZC3C45KXg+qCE=; b=nwqq/Dp/alb3ebsEaBwlre9H4x6EYGM2XIY6ax9MMsQmEZ0jJBC35KLHYKFAD7V9JZaz FZRb9U4Nf7EFLJ1mTyUv8z16WF/sq37Q/2L4PdtJGAfsw6xsRkC7eCVpRYCIN1gpzSYE 5tTKAajY/EYrCXNhvQv5+KWgH9S4ClGWfAU=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0a-00082601.pphosted.com with ESMTP id 2rsm5tgcbd-7 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 10 Apr 2019 09:53:26 -0700
Received: from frc-mbx05.TheFacebook.com (2620:10d:c0a1:f82::29) by frc-hub03.TheFacebook.com (2620:10d:c021:18::173) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5; Wed, 10 Apr 2019 09:51:41 -0700
Received: from frc-hub04.TheFacebook.com (2620:10d:c021:18::174) by frc-mbx05.TheFacebook.com (2620:10d:c0a1:f82::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5; Wed, 10 Apr 2019 09:51:41 -0700
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.74) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1713.5 via Frontend Transport; Wed, 10 Apr 2019 09:51:41 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6BB6jOyn2Xb3LKKtnEQ6MW2kvK9rZxZC3C45KXg+qCE=; b=cn0DxrJHeomqLaeFy5AGRnbg459d9WOQed68pqd6YOgaKxMXDdZ2lgb3pXbPsR0KpUtA7+isFnhknlc/FGsQxq0pKwO+vXLPkiohvuYl5DU/slB+YAB718gG1KY06z+TuMVNXfvSr3s7HOe+Uwkeb70QddnTpF4iO2365g0eG68=
Received: from BYAPR15MB2312.namprd15.prod.outlook.com (52.135.197.146) by BYAPR15MB3429.namprd15.prod.outlook.com (20.179.59.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.15; Wed, 10 Apr 2019 16:51:39 +0000
Received: from BYAPR15MB2312.namprd15.prod.outlook.com ([fe80::91d3:bc32:a475:76d7]) by BYAPR15MB2312.namprd15.prod.outlook.com ([fe80::91d3:bc32:a475:76d7%2]) with mapi id 15.20.1771.021; Wed, 10 Apr 2019 16:51:39 +0000
From: Roberto Peon <fenix@fb.com>
To: G Fairhurst <gorry@erg.abdn.ac.uk>, "quic@ietf.org" <quic@ietf.org>
Subject: Re: Is "Version Greasing" a new benfit or a new obstacle?
Thread-Topic: Is "Version Greasing" a new benfit or a new obstacle?
Thread-Index: AQHU73o3xTufubPn9E2URSuto2uLa6Y1JwYA
Date: Wed, 10 Apr 2019 16:51:39 +0000
Message-ID: <EBF1BF30-62A5-4659-8AEC-0D5B3F2D65C6@fb.com>
References: <5CADADDD.7010005@erg.abdn.ac.uk>
In-Reply-To: <5CADADDD.7010005@erg.abdn.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.1.190326
x-originating-ip: [2620:10d:c090:200::1ab6]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cef81c3a-1439-4e6f-8c8e-08d6bdd4cd9f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:BYAPR15MB3429;
x-ms-traffictypediagnostic: BYAPR15MB3429:
x-microsoft-antispam-prvs: <BYAPR15MB3429A661CF9E9930242574BDCD2E0@BYAPR15MB3429.namprd15.prod.outlook.com>
x-forefront-prvs: 00032065B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(39860400002)(366004)(376002)(396003)(346002)(199004)(189003)(256004)(478600001)(71190400001)(81166006)(2906002)(71200400001)(229853002)(14454004)(25786009)(14444005)(86362001)(5660300002)(97736004)(83716004)(106356001)(105586002)(53936002)(186003)(82746002)(7736002)(446003)(46003)(6436002)(486006)(6116002)(33656002)(6246003)(2501003)(6512007)(305945005)(6486002)(68736007)(110136005)(296002)(102836004)(8936002)(36756003)(316002)(58126008)(2616005)(81156014)(6506007)(8676002)(76176011)(99286004)(476003)(11346002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR15MB3429; H:BYAPR15MB2312.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ABVgVx8Zc8HkyQtE8PejowdhQIYcTr0Y5yBoKlMhFMAxDcjpYsoRL6XERkzRG2RsBKVCp5yYt35TNl1niRnuFjr8K8EVIsGagoe3FdvzYWmH1OVnAwWdoX45qZ8Uk2FQBu94EmabijM5XyiiWhBAbBxMnY0ZhtkfMSUQtxljmIfKP+6r+tLdH38LL100m/jkBvBX6Kd6FQZygWVVT5iknIypBoXMz5yZ5b5JW71URhdGqzPOSzPwVca7jJ8SgbE7qMmS6eg0LerHzuiI0qeZ2Xi9k+WVY5rTqkp7HK7Sxmpyl7ITKuoRD4YicRsv7tBSIlvMaQqorN8zpDAIBRFCnw/bQ9YYjxPpiuFcFPDH5mzIRrG8Nis+qQkgy1ngX8PXnDtJtdo/9nBKUeSTe/xgbiw1DY0ECLPajhTRVSGafYg=
Content-Type: text/plain; charset="utf-8"
Content-ID: <2FD387570BE464428EF8EA46735349E2@namprd15.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: cef81c3a-1439-4e6f-8c8e-08d6bdd4cd9f
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2019 16:51:39.8054 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR15MB3429
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-10_07:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/5EedeGrD8HvU4KanCvL41RHD-m8>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 16:53:33 -0000

You're kinda between a rock-and-a-hard-place either way:

  - We've seen how much fun ossification is in TCP and HTTP. If the thing is observable, it will be ossified seems to be the lesson. A lot of the reason why QUIC was started in the first place was because of the inability to improve TCP due to this ossification.
  - OTOH, there is the fear of unknown/unobservable which might cause operators to block things, whether predictably or not.

My opinion is that it is better to start with preventing ossification, and then if that results in too large a percentage of operators blocking things, to re-evaluate. 

My guesses:
IP+port tuples and traffic patterns are still observable (for better and worse), which implies operators will still have significant tools for managing traffic. I believe that these are acted on/matched (ML or not) regardless of any other data presented. In other words, I have a doubt that stating the version in an observable way will prevent the use of such tools.

Most problems I've seen associated with implementations rather than protocol versions (though when the latter happens it is pretty severe). If you believe this assertion, then acting on protocol version is less interesting than attempting to act based on implementation fingerprints.
-=R


On 4/10/19, 1:48 AM, "QUIC on behalf of G Fairhurst" <quic-bounces@ietf.org on behalf of gorry@erg.abdn.ac.uk> wrote:

    Obscuring the version of a protocol seems like a major design design 
    decision for wider use cases. So, I'm trying to understand the 
    motivation for version greasing.
    
    (1) I know there were instances where some early versions of QUIC were 
    blocked due to an uninitentional matching of the header. Is there 
    evidence of intentional attempts to block updates to protocols?
    
    (2) Thinking about operating a network that cares about user support and 
    protection from unwanted traffic, I would expect that there would be 
    cases where traffic pattern anomolies are found and the appropriate 
    thing would be to try to determine if a new protocol had been deployed 
    and monitor it, if not, then the next most obvious thing could be to 
    block all unexpected traffic, that seems like a decision to hide the 
    version could increase ossification for new versions in these cases.
    
    (3) Similarly, if a threat is known to impact only a specific (older) 
    version, it would seem to motivate a drop of that traffic that seeks to 
    use that version, while still permitting other traffic. Forcing version 
    detection to use pattern matching/ML will lead to less predictable 
    outcomes, or blocking based on address, etc.
    
    (4) This obfusticates the most basic piece of reporting information used 
    for support. It hides the extent of deployment of the current protocol 
    version and prevlance of old implementations.
    
    (5) On the support, if a problem only emerges when a particular version 
    is used with a particular address, then this helps pinpoint the issues. 
    Matching client versions to servers is much more of an issue if the user 
    community uses a wide range of servers (less so, I expect for major 
    providers: google, facebook, etc, etc), but significant when there is a 
    use of a diverse set of external sites and sites with their own load 
    balancers, etc and a need to manage interactions with L2 services.
    
    I am intersted in knowing if this is likely to benefit or be a new obstacle?
    
    Gorry

v2.23.0 | Report a Bug | By Email