IETF Logo Mail Archive

RE: Expected Client Response to SERVER_BUSY

Nick Banks <nibanks@microsoft.com> Wed, 20 February 2019 14:49 UTC

Return-Path: <nibanks@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DB3C129741 for <quic@ietfa.amsl.com>; Wed, 20 Feb 2019 06:49:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.012
X-Spam-Level:
X-Spam-Status: No, score=-0.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3LCcxiVi_Jcg for <quic@ietfa.amsl.com>; Wed, 20 Feb 2019 06:49:45 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-eopbgr750104.outbound.protection.outlook.com [40.107.75.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D453127AC2 for <quic@ietf.org>; Wed, 20 Feb 2019 06:49:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dPu8j4PVqfDcjUbicCzP4jfzZdyaO6+gUh5EH7xym6A=; b=cWPu82iRHRkveNMUBzrHCUnvxS198TCiqzjC1QI6QeXip1l6c30cTCL/5qFQyNxCn56k/AtObqLmB80gI4pcRS2NXbiQWkUBJ6tjzwAufE5cjqdb9l3hc4o+MXXUpoBDNHo8AQuIZ783tSNnvUR2KNwT3Y9j8/3cqkO8lgUZa2Y=
Received: from CY4PR21MB0854.namprd21.prod.outlook.com (10.173.192.143) by CY4PR21MB0694.namprd21.prod.outlook.com (10.175.121.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1665.2; Wed, 20 Feb 2019 14:49:43 +0000
Received: from CY4PR21MB0854.namprd21.prod.outlook.com ([fe80::ccd2:aa1d:e646:fa46]) by CY4PR21MB0854.namprd21.prod.outlook.com ([fe80::ccd2:aa1d:e646:fa46%3]) with mapi id 15.20.1665.002; Wed, 20 Feb 2019 14:49:42 +0000
From: Nick Banks <nibanks@microsoft.com>
To: Ian Swett <ianswett@google.com>, "Brian Trammell (IETF)" <ietf@trammell.ch>
CC: IETF QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Subject: RE: Expected Client Response to SERVER_BUSY
Thread-Topic: Expected Client Response to SERVER_BUSY
Thread-Index: AdTInrfRZAbJSsLZSlWCCrlUkiWX7AAgkIeAAACdzgAAAbynAAAAN6co
Date: Wed, 20 Feb 2019 14:49:42 +0000
Message-ID: <CY4PR21MB0854D8F7383CDF72EEDAE9FBB37D0@CY4PR21MB0854.namprd21.prod.outlook.com>
References: <CY4PR21MB0854341128C64E450E7C2DA2B37C0@CY4PR21MB0854.namprd21.prod.outlook.com> <CAKcm_gPmQiMhzfXnkEB4u+X+84bCbL8FE3Lj3ZdPPQBBu+4uPg@mail.gmail.com> <1AF7E952-4542-4C40-8652-BFFBFA61784A@trammell.ch>, <CAKcm_gN11=DcV2v-JrX+Ym88D7P1Ey3rDvYomTf1seemsWDSwA@mail.gmail.com>
In-Reply-To: <CAKcm_gN11=DcV2v-JrX+Ym88D7P1Ey3rDvYomTf1seemsWDSwA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [167.220.2.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3aeefaef-b7ae-459e-6f8a-08d69742a617
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600110)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:CY4PR21MB0694;
x-ms-traffictypediagnostic: CY4PR21MB0694:
x-ms-exchange-purlcount: 2
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0694; 23:+O/j8VDCnvTKDS/2wfPsGkI+GbyPRQ/M2zVYJZUeR2+lGYqGL1OihCu+BzS5EWImV3BxuqGxwzxY7WBOgFZmCBe3sCGr1+GL2rtqd/9/JW3FsYNPPinKKaiK1Zbg38TblpK6S9XBdfgdI+fy5GCKWSM9Dg/3gU4UTZ5QhWMmHGZn1jf8xIj5/gVy6dvNnj5GnYfis+g8lYuFTAln3g0JcwZqzQH+qo6xtCpTss4SKgI1+Y+rjN4W9pGepfnNNH2f7wjbIU+KbCvK7h+/49HkgeQA9ZRctZ895/01k1YymQ0rlY+ELuEexMaCcu00w3W1v0DxC7FJL00cW0JpFl0aI7tH7I2f5gZIESOJuL29WOSNfws3Lm5wTe1Y6+DxWWCi4HVo9h3SatBd5rymw4v1pOPO7P2WUr2l5QLEU7xsWAaIvtIbFevGprXDigWskGWBACZVXpCT0sGZ0pzPSQ2Lu0SKzSe0fWMwJcC1UIkYhs3oA3nWnMoEJ19OeBwUd5HBKnum8qcXThAd5cVtQbK/4YC7lCjViPIIkcWeee4BPmBh2/caDO974hfGWHdlU7Z2eBiXWwrjuffoOeZR6lYXgmoQWIAZO47okH1IEuqY4bLvwvQFwPMbMDb5O5tcdp13enaLvxLYmQ0YhTaaUhX8ylFENB9zu/vjOYbWs/C6giYNIEwsIHTWpbmqAxWKGKLHYIDvrLivx98NiPsiDv1N2ZIgtnl4zU6qnyXSIoz6MooTmz58phGvPS+cXKVWGRuIwupLPvQBJlB0rYCSKQl5AuKWF1FwrjOLD/ooOQ1jpz2LpFWfZ/dOjn+TjT+hIgJLE39E9Twgq4eZX0Vpp+kZv0pkoXPkdwfgoOg/E4wcp2uljfga42jJmIv5MUsyfUxGbSK2Qeeiq8i0PPIwa4dqXJLfA3JA2WRkeKY0LyU0hVK/RVtTa9gQ9nzhS2Ddwrgtc/J2G3MUFlmrabscWaYVabjofpJBJXDavaV7C7fc2XZ9r9HrTkNumvE+OwXxkN7Wlf0SKJF1F7FMkVorcKLfN/VsnKMPzAznllcTqD9XieBZHE6AfUNvBxqxWRjIEGw974XUGgbrTY/qt8Fm00fT6V/f7ny5HbnddieRN/xfa4uTlKYXS580CtCwQL2hL6I9KDzayJ7BNYjIlUtF08qTnK0VWWufZN3ejGGMDxpEireBfjy1aPIAyZGcUQBzbq0Aj+lT2JTuBB125UHcbQfCQHNBoWNz8RJ0Gr25Uw8goS0Tog2a5FgOtU7StqZf+VbmHko7lTw7VuRlstU/bOEMKUZn5J2lYWD03Tn965AQv64wk6U+XHBkML0ACoiA9VlPrsFpFgmcqv18NqXCF/bwDEpfmDQC+ga952ax3jWOaa02B71nDJIS+HOP9paaPdtYfeI+NLG8d8UKMR9444hB1ZxSiqasiv0hfssnpUQF68Rm0HkKeIx5MHnIwfp8hiCNs6J/vZzWew1fVg2vagGb/j820qKjIaGjhe39yVVjrh4pVyh1j4xgCHEhZyy/8DMVLSO2N06a1y5WW3HKQZBRfw==
x-microsoft-antispam-prvs: <CY4PR21MB0694AA9BD71701C5CB092BE5B37D0@CY4PR21MB0694.namprd21.prod.outlook.com>
x-forefront-prvs: 0954EE4910
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(346002)(366004)(376002)(136003)(189003)(199004)(8990500004)(68736007)(6436002)(229853002)(33656002)(517774005)(14454004)(97736004)(440504004)(606006)(66574012)(2906002)(6246003)(76176011)(10290500003)(966005)(10090500001)(478600001)(71200400001)(71190400001)(105586002)(99286004)(14444005)(102836004)(6346003)(6506007)(53546011)(4326008)(110136005)(54906003)(316002)(93886005)(486006)(53936002)(86612001)(106356001)(256004)(446003)(11346002)(9686003)(5660300002)(55016002)(8676002)(476003)(6306002)(7736002)(81166006)(26005)(5070765005)(8936002)(236005)(81156014)(54896002)(186003)(86362001)(22452003)(74316002)(3846002)(6116002)(66066001)(25786009)(7696005); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0694; H:CY4PR21MB0854.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=nibanks@microsoft.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Xpoo7YF5p7tUUee5nNGnWTdYgey/NjORNIEQxvrOzwAIa2A274tuxi5BB2ZF5NOxFcy8tedyn+ml3c4xb4umOWcucBNVCSCkJLBwvCXviN2sSJaYWZE63TwkgsylRyJVNlJefyjDdEm+qGa6EWunOyW6uiUuDTD46nYni6xR928OZ4G77s02LStYeo5avG1/zrybHqkEeyXGpyq8jDLICt6naJRyz7SDTlScdx0hA8fQkehAyf5NZ/+wsp4nj6Wmib3QCAlu4Z/qVbwljwZfEGyzMt7gGHYMOROPGru+0lkP7lgTjvEM3C2tzMyBl4MQ9GnnSw0eMppWB5CZ0iJFVGD1eGVJiS73Mz+VMfoQyw2QJe2O1FIlIc9rtPX8WxP1KMU/8uCeG2unLYgrTguXhOmrbQFRW8CUGSKV57HGubM=
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0854D8F7383CDF72EEDAE9FBB37D0CY4PR21MB0854namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3aeefaef-b7ae-459e-6f8a-08d69742a617
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Feb 2019 14:49:42.8432 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0694
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/fuZLlKTAZ3rd3TKT0FbiSSW3uSk>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 14:49:49 -0000

It would be nice to have a way for the server to say “QUIC is temporarily unavailable right now, please go use TCP instead.” Additionally, I don’t want to have to modify anything on the TCP side (Alt-Svc). The next connection after you fallback to TCP may try QUIC again, but you might just get the same behavior.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

________________________________
From: Ian Swett <ianswett@google.com>
Sent: Wednesday, February 20, 2019 6:41:40 AM
To: Brian Trammell (IETF)
Cc: Nick Banks; IETF QUIC WG; Mirja Kühlewind
Subject: Re: Expected Client Response to SERVER_BUSY

If a client follows 3xx redirects by default, then it seems sensible it'd fall back to TCP automatically, but I'm not sure an immediate QUIC connection close is equivalent to a redirect.  I can also imagine clients that don't follow redirects by default falling back to TCP, so I think I just chose a poor example.


On Wed, Feb 20, 2019 at 8:52 AM Brian Trammell (IETF) <ietf@trammell.ch<mailto:ietf@trammell.ch>> wrote:
hi Ian,

Sent from my iPhone

On 20 Feb 2019, at 14:34, Ian Swett <ianswett=40google.com@dmarc.ietf.org<mailto:ianswett=40google.com@dmarc.ietf.org>> wrote:

For HTTP/3, my intent was to close the connection immediately with a connection close as you suggest, then the client would fall back to TCP, and then ensure the next Alt-Svc advertisement via TCP cleared any existing Alt-Svc entry so QUIC wasn't tried again in the immediate future.

I hadn't thought of assigning semantics to a specific error code, but I'm reluctant to do so.  In our case, I think a more likely error code would indicate the infrastructure doesn't support QUIC, rather than DDoS, but the desired behavior of falling back to TCP and not attempting QUIC for a while is the same.

The assumption I made above is that the client immediately falls back to TCP.  That of course depends upon the type of client it is.  I'd expect a browser to fall back, but I wouldn't expect curl or wget to.

This is a bit of an aside, but I’m curious here: why not? I’ve always thought of the semantics of TCP fallback as equivalent to a 3xx redirect (either temporary or permanent, depending on the client heuristics wrt the underlying reason for the redirect). curl won’t do this automagically unless you tell it to, but iirc wget will...

Am I wrong in thinking that most clients will see this as YA form of redirect?

Cheers,

Brian

There is a decent amount of text on fallback in the Applicability draft: https://github.com/quicwg/ops-drafts/blob/master/draft-ietf-quic-applicability..md<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fquicwg%2Fops-drafts%2Fblob%2Fmaster%2Fdraft-ietf-quic-applicability.md&data=02%7C01%7Cnibanks%40microsoft.com%7Cda54737de15f4f6a414d08d697419140%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636862705204591925&sdata=F7YkRR5oHUTuGTPGHdji929999WlXfSK7nIBeFohyLo%3D&reserved=0>



On Tue, Feb 19, 2019 at 5:11 PM Nick Banks <nibanks=40microsoft.com@dmarc.ietf.org<mailto:40microsoft.com@dmarc.ietf..org>> wrote:
Hello Folks,

I’ve been looking at interim DDoS mitigation strategies for QUIC until we can have a more complete and QUIC aware DDoS and LB solution. One thing I came up with is just trying to force the client to fallback to TCP. Eventually, we will use Stateless Retry but that still requires a good bit of design work and cooperation between the offload device and the backend server. Until that is complete, a simple solution could be a device in path just responding to new QUIC connection attempts (while an attack is in progress) with a connection close frame containing the SERVER_BUSY error. The logic to implement a simple device to do that should be quite trivial.

To that end, I was trying to figure out what the expected client response to any immediate (in the first RTT) connection close packets/frames would be and it seems we don’t have anything in the spec. What about SERVER_BUSY specifically? Is the client supposed to retry a new connection attempt? Should they fallback to TCP immediately? Should we say anything in the spec?

Thanks,
- Nick

v2.23.0 | Report a Bug | By Email