Re: Going STEK-less with QUIC?
Christian Huitema <huitema@huitema.net> Wed, 28 July 2021 17:08 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C06473A1891 for <quic@ietfa.amsl.com>; Wed, 28 Jul 2021 10:08:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, T_SPF_HELO_TEMPERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ox6MZBeFfNAb for <quic@ietfa.amsl.com>; Wed, 28 Jul 2021 10:08:01 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE6EA3A1890 for <quic@ietf.org>; Wed, 28 Jul 2021 10:08:00 -0700 (PDT)
Received: from xse18.mail2web.com ([66.113.196.18] helo=xse.mail2web.com) by mx133.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m8n2C-000xoH-Jn for quic@ietf.org; Wed, 28 Jul 2021 19:07:57 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4GZg8W3TSjznMX for <quic@ietf.org>; Wed, 28 Jul 2021 10:07:55 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m8n2B-0001Qe-BY for quic@ietf.org; Wed, 28 Jul 2021 10:07:55 -0700
Received: (qmail 28474 invoked from network); 28 Jul 2021 17:07:54 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 28 Jul 2021 17:07:54 -0000
To: Martin Thomson <mt@lowentropy.net>, quic@ietf.org
References: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net> <CANatvzxBKNf+YdNLPwG=QpZv33o0Mp7uRU+N4JQUpYfbDypQkQ@mail.gmail.com> <b89f83f8-951d-4407-a12c-9d9e85e46fe0@www.fastmail.com> <9beffffb-e7a6-1c57-be8d-a56f3ef2f1e9@huitema.net> <4a7aea30-9013-4550-b5da-27d7e6ad370d@www.fastmail.com>
From: Christian Huitema <huitema@huitema.net>
Subject: Re: Going STEK-less with QUIC?
Message-ID: <1cf23147-d89e-65ce-409c-7a4d5bfe504f@huitema.net>
Date: Wed, 28 Jul 2021 10:07:54 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <4a7aea30-9013-4550-b5da-27d7e6ad370d@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.196.18
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCHL4 fZBZLqqoINSx3i1GUljmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imcapebr0kNyYC289u5HlaNj1BQ6V51u76v35b1wNe/MvdKAGdwU TZKlze5ERymXAD3v2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7jZ1h/HfDRQ5Ig8VhPsPE8NaP2gA77cO7WeI9Ftai6fusDXp7t2nLqCQxvxn0YNWXuZ rA/P56ZOlCskQszXxvyJDRojSVizNl0ce/s7u0P9b9Tml6eOMCV9kYYwkPx6ZsXvIUzTXkDAiiJi mGhLUFuSW8D9t0kz0vlag+LRt89q4Nl8q1G3UBTmPCN9PVdSafiyuLfHqAnAj7rgKH7+eCmmF+Gd 50Wlk9tDuYu3a1mfE1ShcA6Xvva2QAVEjpqzANap+28aWyCRVT7YkY7LckVcObEs72Hsj12Q2wQm QeRzV713qFZSq8Fx+9otn0aqja8VKPqpdskk5LxBR/9t1zMMkdu6/R2FM84kxYRFSvC1IDg1BRW7 hzp8w3iHcOwbVtsmWfnQGGis4EvbR3jXsI0ESXwhBU2hwt/J18C+HygJl/jEzm1SsR8v3aJbN/NZ fa8pHhHaz+HPa0HAgEx4sWDF
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/AgZj3iydCsC_n9pyc8mDrunl-gw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 17:08:06 -0000
On 7/27/2021 11:42 PM, Martin Thomson wrote: > On Wed, Jul 28, 2021, at 11:55, Christian Huitema wrote: >> [...] reuse one of the NEW TOKENS as Initial CID, [...] > Are you talking about NEW_CONNECTION_ID here? Yes. Sorry for the confusion. (Skipping comments on the progressive effect of aging on Christian's brain cells.) My initial idea was for creating an extension frame, with the server providing a new connection ID for the specific purpose of use in resumption of this connection. In a private message, Martin Duke suggested that clients could just as well use one of the NEW CONNECTION ID provided by the server. Clients can do that today, no change in spec required. > If you are talking about the client taking a connection ID from an old connection and using that when establishing a new connection, that's an interesting choice. I don't think it works because it undermines the return routeability check for the subsequent connection. The server now knows what the connection ID might be. I can't think of an exploit for that given that the server has already demonstrated that it is on path, but we do pretty much say that the connection ID can't be predictable like that, and there are no firm requirements that the subsequent connection attempt follow the same network path in any way. I was not suggesting that placing a specific value in the ICID replaces the need for tokens and checking return routeability. Now, it is true that the servers and the load balancers could also coordinate their handling of token, and achieve the desired effect of sending connection resumption attempts to the same server as the original connection. That may very well be a better design than relying on the client to put specific values in the ICID. > I had assumed that the load balancer would be able to identify an initial and then route based on the Token field in that packet, rather than the connection ID. Maybe that's too complicated, but it is something that could be used without protocol modifications. Yes. Looks like the way to go if we want to experiment with STEK-less. I think placing the NEW CONNECTION ID in an ICID has a different usage -- testing the robustness of load balancing... -- Christian Huitema
- Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: [EXTERNAL] Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: Going STEK-less with QUIC? Kazuho Oku
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Duke