Re: Opsdir last call review of draft-ietf-quic-manageability-14

[Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>]

Hi Al,

thanks again! See below!

On 27.02.22, 19:50, "MORTON JR., AL" <acmorton@att.com> wrote:

[snip]

    >     >     2.4.  The QUIC Handshake
    >     >
    >     >     ...
    >     >
    >     >        Client                                    Server
    >     >          |                                          |
    >     >          +----Client Initial----------------------->|
    >     >          +----(zero or more 0RTT)------------------>|
    >     >          |                                          |
    >     >          |<-----------------------Server Initial----+
    >     >          |<---------(1RTT encrypted data starts)----+
    >     >          |                                          |
    >     >          +----Client Completion-------------------->|
    >     >          +----(1RTT encrypted data starts)--------->|
    >     >          |                                          |
    >     >          |<--------------------Server Completion----+
    >     >          |                                          |
    >     >
    >     >        Figure 1: General communication pattern visible in the QUIC
    > handshake
    >     >
    >     >        As shown here, the client can send 0-RTT data as soon as it has
    > sent
    >     >        its Client Hello, and the server can send 1-RTT data as soon as
    > it
    >     >        has sent its Server Hello.  The Client Completion flight contains
    > at
    >     >        least one Handshake packet and could also include an Initial
    > packet.
    >     >        QUIC packets in separate contexts during the handshake can be
    >     >        coalesced (see Section 2.2) in order to reduce the number of UDP
    >     >        datagrams sent during the handshake.  QUIC packets can be lost
    > and
    >     >        reordered, so packets within a flight might not be sent close in
    >     >        time, though the sequence of the flights will not change, because
    > one
    >     >        flight depends upon the peer's previous flight.
    >     >
    >     >     [acm]
    >     >     It's great to add some Not-Sunny-Day info in the description,
    > thanks!
    >     >     But can you add a little more?  For example:
    >     >     Is it possible that network reordering can cause the handshake to
    > fail?
    >     >     What rerodering extent (yes, that's a metric) would be required to
    > cause
    >     >     failure or unnecessary retransmission? Lost packets would result in
    > time-outs
    >     >     and retransmission, so what are the default time-outs? Is there a
    > paper where
    >     >     some/all of the above have been investigated, that you could
    > reference to save
    >     >     some work?
    >     >
    >     > [MK] I don't think I have a good answer to these questions. However, I
    > don't
    >     > think these questions are necessarily QUIC specific. Reordering in
    > itself is
    >     > not a problem for the QUIC handshake, however, if some packets are also
    >     > delayed a lot and therefore detected as loss, it might get the handshake
    > to
    >     > fail. How long you keep state to wait for delayed packets in mostly
    >     > implementation specific, however, as I said this is also not a unique
    > problem
    >     > to the QUIC handshake.
    >     [acm]
    >     You've partly answered the questions above, and with help from Gorry and
    > Martin's replies let me suggest the following (mostly stuff I didn't know
    > about QUIC yet):
    > 
    >     Whether packet reordering affects/can be observed on the handshake depends
    > on the timeout period (which varies, but might be 10s or 30s in common cases),
    > the constraints implemented in a server (whether to take on arbitrary state
    > based on the first packet), and the extent of reordering incurred on the path.
    > Reordering having sufficient extent might inferred as packet loss, as with any
    > protocol.
    > 
    > [Mk] Okay I ended up with the following:
    > 
    > "Handshake packets can arrive out-of-order without impacting the handshake as
    > long as the reordering did not cause extensive delays which would be consider
    > as loss by either side. If QUIC packets get lost or reordered, packets
    > belonging
    > to the same flight might not be observed in close in time, though the sequence
    > of the flights will not change, because one flight depends upon the peer's
    > previous flight."
    > 
    > [Mk] Does that work?
    > 
    > [MK] See also: https://urldefense.com/v3/__https://github.com/quicwg/ops-
    > drafts/pull/458/files__;!!BhdT!jhSx83YqoVthpH2tB3oiivf7HPOhFDpLtxuPvRpfshchNQL
    > nnC-HGSULZeODPj6SGXmzIGgVEiIrCIQg5OBu0NjH$
    > 
    [acm] I see that there was additional editing since you wrote last Monday, so I made a comment and suggestions on GitHub.

[MK] Thx! Added you suggestions!

[snip]


    >     >
    >     >     2.8.  Version Negotiation and Greasing
    >     >
    >     >     ...
    >     >        QUIC is expected to evolve rapidly, so new versions, both
    >     >        experimental and IETF standard versions, will be deployed on the
    >     >        Internet more often than with traditional Internet- and
    > transport-
    >     >        layer protocols.  Using a particular version number to recognize
    >     >        valid QUIC traffic is likely to persistently miss a fraction of
    > QUIC
    >     >        flows and completely fail in the near future, and is therefore
    > not
    >     >        recommended.
    >     >     [acm] Where "valid traffic" is the focus, I agree, let it flow.
    >     >     But the Operator's focus may instead be "admissible traffic", where
    >     >     experimental traffic is not wanted or allowed. IOW, only traffic
    > that is
    >     >     understood to conform to <RFC list> shall pass, because "Active
    > Attacks are
    >     >     also Pervasive", to put a different spin on 7258. [acm] See also the
    > comment in
    >     >     3.4.1.
    >     >
    >     > [MK] This is not about experimentation.
    >     [acm]
    >     OK, let's just say unexpected traffic.
    > 
    >     > The expectation is that QUIC versions
    >     > will change often, e.g. we already have a draft for a new version
    > adopted in
    >     > the group and there might be another RFC some time this year. So if you
    >     > "manually" have to allow for new versions in all your equipment that
    > will
    >     > delay deployment of new versions (or even hinder them because there is
    > always
    >     > one box that doesn't get updated). Therefore we strongly recommend to
    > not use
    >     > the version to filter QUIC traffic. Is that not clear enough in the
    > text?
    >     >
    >     >        In addition, due to the speed of evolution of the
    >     >        protocol, devices that attempt to distinguish QUIC traffic from
    > non-
    >     >        QUIC traffic for purposes of network admission control should
    > admit
    >     >        all QUIC traffic regardless of version.
    >     [acm]
    >     I think it is clear, and at the same time, it is aspirational for many
    > networks.
    >     This sentence informs, but then strays into policy.
    > 
    >     Maybe this will work:
    >           ...devices that attempt to distinguish QUIC traffic from non-
    >            QUIC traffic for purposes of network admission control should not
    > rely
    >            on the version field alone.
    > 
    > [MK] I think your proposal is not correct because the whole point is that you
    > really should not use the version field _at all_. I know that people will
    > still do that, but I think we should at least spell it out clearly here that
    > this is problematic and hinders evolution.
    [acm] 
    Evolution is what happens when a succeeding RFC is approved.
    Experimentation is the many months between approvals.

    	...devices that attempt to distinguish QUIC traffic from non-
         QUIC traffic for purposes of network admission control 
    *** should admit all QUIC traffic regardless of version.***
    The last phrase attempts to define operator policy. 
    Don't do that. 
    The version field exists. It's specified in a standard. 
    If you simply say, 
    "The version field will change in the future." no one will be surprised. 

[MK] Okay I got your point about policy. However, this document is meant to provide guidance/recommendations to operators. I also see now that this in the "background" part which is also rather to explain QUIC than give recommendations. However, I think this is actually one of the essential recommendations of the document, so I would like to still spell this out clearly and as early/often as possible. I tried a slightly different wording in a new PR on github. Is that any better?

https://github.com/quicwg/ops-drafts/pull/459/files



    > 
    >     >
    >     >     [acm] I was hoping to see a description of fallback to TCP (I see
    > that fallback
    >     >     is mentioned briefly at the end of section 4.2., and later, fail
    > over and
    >     >     failover. pick one...)
    >     >
    >     >     How can Network Operators observe when a QUIC setup has failed, and
    > the
    >     >     corresponding TCP fallback connection(s) succeeded?
    >     >
    >     > [MK] There is no unified way how and if fallback is implemented.
    > However, why
    >     > do you think a network operator would need that information?
    >     [acm]
    >     To affirm that their admission policy is working properly, for one reason.
    > 
    > [MK] However, there is really no guarantee that all QUIC will have a fallback.
    > Without further knowledge about what higher layer service the QUIC transport
    > carries, I don't think you can make any assumption about fallback. If you want
    > to support evolution, you need to support QUIC and not rely on any potentially
    > fallbacks.
    [acm] 
    I chose example carefully: the operator wants to support QUIC, but has reports that QUIC setup is failing and needs to make measurements to gather symptoms & info. Experience will indicate the circumstances where QUIC setup failure is accompanied by fallback, and other possibilities. Repeated experiences become heuristics for passive observation.
    No assumptions necessary.  
    Has QUIC setup failed if the exchanges in Figure 1 are incomplete? 
    I think there might be a yes or no answer...
    If no, then the passive observation procedure will mostly be governed by heuristics.

[MK] I think I lost the point now. If QUIC fails even if there is a fallback, that's still not great because the original intention was obviously to use QUIC. Is there anything we need to say in the draft that is missing?

    > 
    >     >
    >     >     Is there a reference available with this info, to save effort here?
    >     >
    >     > [MK] As I said this is rather implementation specific, so I would say
    > no.
    >     >
    >     >     ...
    >     >
    >     >     3.4.1.  Extracting Server Name Indication (SNI) Information
    >     >
    >     >     ...
    >     >
    >     >        Note that proprietary QUIC versions, that have been deployed
    > before
    >     >        standardization, might not set the first bit in a QUIC long
    > header
    >     >        packet to 1.  However, it is expected that these versions will
    >     >        gradually disappear over time.
    >     >     [acm]
    >     >     And some networks may prefer not to admit experimental traffic. The
    > goal of the
    >     >     experiment may be problematic for the network operator and/or their
    >     >     subscribers. I think this is legitimate operator behavior, and worth
    > a few more
    >     >     words in the draft.
    >     >
    >     > [MK] To be honest I don't understand this point. How would an operator
    > even
    >     > know if an experiment would be problematic or no? QUIC is fully
    > encrypted.
    >     > Versioning is only one extension mechanism. So basically even if you see
    > the
    >     > same version number, the QUIC behind that could behave very differently
    >     > depending on which extensions are used and because of the encryption,
    > there is
    >     > no chance for the operator to know about this. Is this not clear in the
    >     > document? Do we need to state this more clearly?
    >     [acm]
    >     First, let's say s/experimental/unexpected/ or s/experimental/proprietary/
    >     Then, I'm responding to your reply more than the paragraph in the draft
    > now:
    >     Network operators are also end users, and often act on their subscriber's
    > behalf. Observations are not strictly limited to mid-points, where encryption
    > is present.
    >     Harboring old notions of what operators cannot do will not sit well with
    > your audience...
    > 
    >     So, (in the paragraph above) you've informed operators that some
    > proprietary QUIC versions remain in use as of this writing.
    >     But traffic that doesn't conform *might* be considered nefarious. That's
    > all. It's a message for everyone involved.
    > 
    > [MK] I think the point is actually rather that we want to say here: if you
    > don't support these old versions that will not be a problem in the near
    > future.
    [acm] 
    Ok, say that in the draft, please.

[MK] Okay started a PR on github. Is that more clear now?

https://github.com/quicwg/ops-drafts/pull/460/files