IETF Logo Mail Archive

Re: Quic: the Elephant in the Room

Michael Thomas <mike@mtcc.com> Tue, 20 April 2021 17:31 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B771D3A0B58 for <quic@ietfa.amsl.com>; Tue, 20 Apr 2021 10:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKdE89CrJoXV for <quic@ietfa.amsl.com>; Tue, 20 Apr 2021 10:31:23 -0700 (PDT)
Received: from mail-pf1-x42c.google.com (mail-pf1-x42c.google.com [IPv6:2607:f8b0:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B81F3A0CEA for <quic@ietf.org>; Tue, 20 Apr 2021 10:31:22 -0700 (PDT)
Received: by mail-pf1-x42c.google.com with SMTP id m11so26046826pfc.11 for <quic@ietf.org>; Tue, 20 Apr 2021 10:31:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=WSrGyw0AJKbLP8KUdFLPLIa2tpiBGVbxekjhZYjBwNs=; b=QW40gyr8BmiFmuMmMJFHnZ1e8q2Xc1IHAQitWTXZ/2cM28OnBZjdeMrOyor4McqIqm 88gq4pFsUyj+Wti69UNHrW++dEQG/z4syzmj6ZYvEbqGSVvBRhPHMwSmjmAJ9FlDbnky owPrQwXz0PBYsin+bg2zacLLBTgtnl21bmqqGfnqmoOkc7Qf0x9rZocV2uRpTc8M712e C3RZKEJFMfmtLY3iefk65OxGo/l9kmlwAHpwuv3M1HLyBPNVbB9y6BFV/YQknYpKU89d VtGlqaiqUJF9Fo7JbszZv+7cpDBDLQ7BpcsyCd7fFa6uKRsCqdaawXuSTmCf/z6Kzo+E nIOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=WSrGyw0AJKbLP8KUdFLPLIa2tpiBGVbxekjhZYjBwNs=; b=Ps/6ou+LKZ5dk8e8kTlpX1ViFy8/P+4P9W56ijv26zBGLsu2YtiC+qUWFD73R8tt1+ /hVkTAzmzsPYGCSdP3dEUxWg5spP9h2wkAxdYCgEOyXr6PczfDfxPrUK19ITmsDzDnoF 8DlLj/0+XD1+rs4Z6kBzlWIyRxGnGZZICKNApaDw2/qtDBFT3q2ZqV/JngcRc5rVtZXX /3mpdqzEImcn93ztpBv3vlhDVjWy79cAUZUCBJUjJAvHUYWgGuC/OjDwur/OlPxMQGFF xo0rFRKiglyrRklAcYjHWJ64mWW5kggNDbEmeSf42uf91MTRGzLihyqmYUbQ5RofSi9Q sxJg==
X-Gm-Message-State: AOAM533TZltRQDR5MTDmSJ37aHnjn+1luYTDdCpWYCYad7xzusP7fTW+ e4bZ1QPjqqTjeUi67p5PpRYYOw==
X-Google-Smtp-Source: ABdhPJzJMnHFwmzGBrO8/BGipEXIniYbsYXmCygchriLmomGv3L4uVjhVqIYeTkliEjHSwIYTyBagA==
X-Received: by 2002:a62:528e:0:b029:1f5:c5ee:a487 with SMTP id g136-20020a62528e0000b02901f5c5eea487mr25428412pfb.7.1618939880389; Tue, 20 Apr 2021 10:31:20 -0700 (PDT)
Received: from mike-mac.lan (107-182-43-245.volcanocom.com. [107.182.43.245]) by smtp.gmail.com with ESMTPSA id p22sm2984247pjz.20.2021.04.20.10.31.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 20 Apr 2021 10:31:19 -0700 (PDT)
Subject: Re: Quic: the Elephant in the Room
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: Lucas Pardue <lucaspardue.24.7@gmail.com>, IETF QUIC WG <quic@ietf.org>, Matt Joras <matt.joras@gmail.com>
References: <311e3e67-2e87-1650-22b3-614378fbf88f@mtcc.com> <CADdTf+jRMfNo1EiFBj-fOeZJkKM2TCvN9yJFEmJEVcZj5JMD_Q@mail.gmail.com> <e5856173-5c7a-1f2b-3be0-b2a155786ff8@mtcc.com> <CALGR9oY0-aVT+Hv0gj45pxwH7zxTw=TVpQGqCVC2NFCa+y16JA@mail.gmail.com> <4191ed66-11e4-7ac6-bd0d-d4713dd0873b@mtcc.com> <CAPDSy+6rWkgB49RKThFCsBLdMjquBBX9=h-Mz9AMAknu=2KhEA@mail.gmail.com> <2c400bd6-30cf-c46f-6e87-9ca62ef25ed2@mtcc.com> <CAPDSy+55oPNi8DBkQO+XGyrBMMB4kMLtVnDVU75Myh116jnwbw@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <53799740-81f8-2102-5ff8-c90fc8455aaa@mtcc.com>
Date: Tue, 20 Apr 2021 10:31:18 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAPDSy+55oPNi8DBkQO+XGyrBMMB4kMLtVnDVU75Myh116jnwbw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7E473547A78181A6FA41CC37"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/DsUnW7C-20XzsuC7_ZsRhDBFspU>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 17:31:28 -0000

On 4/20/21 10:20 AM, David Schinazi wrote:
> Cutting down the number of packets was never a goal for QUIC.
> The goal was to save round trips in connection establishment,
> as that significantly impacts user-visible latency. The number of
> packets only slightly increases the probability of loss during the
> handshake which can be correlated to user-visible latency, but
> much less.
>
> I'm not saying that a 3-packet handshake would be bad, I'm saying
> that it's not worth boiling the ocean to remove 2 packets. I'll also
> note that your proposal doesn't fully reduce the number of packets
> because you still need a DNS TLSA request and response, and loss
> of those is much worse as DNS retransmissions are less optimized.

Signing your DNS zone is considered "ocean boiling" now? Really? And I 
didn't claim that it would "fully" reduce the number of packet, though 
that could be accomplished if TLSA records were stapled to the A/AAAA 
lookup. Half of this has already been done by Google when they 
implemented DANE for Chrome. All it would take is for them to dust off 
that code and sign their zone. Is Google really incapable of deploying a 
20 year old standard?

Mike

>
> David
>
> On Tue, Apr 20, 2021 at 10:15 AM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>
>     On 4/20/21 10:07 AM, David Schinazi wrote:
>>     Hi Mike,
>>
>>     I read your blog post, and I failed to find what problem you're
>>     trying to solve.
>>     The fact that some handshakes spend a couple packets on certificates?
>>     We can actually quantify the user-visible impact of the handshake
>>     size, and
>>     from everything I've seen this particular topic isn't impactful
>>     enough to solve,
>>     apart from ensuring support for RFC 8879. It's even less
>>     realistic if the
>>     solution involves the minor task of switching PKIs and roots of
>>     trust.
>>     Speaking as one of the QUIC tech leads at a "Google-like
>>     company", I can
>>     ensure you that we don't spend time on experiments that don't
>>     benefit users.
>>     It seems that you have a solution in search of a problem here.
>
>     I thought the entire point of QUIC (aside from HoL blocking) was
>     to cut down the number of packets needed to start a connection.
>     From what I can tell, it takes it from an 8 packet exchange to a 5
>     packet exchange. If you were to use a DANE-like solution that
>     would be a 3 packet exchange most of the time. Why is a 5 packet
>     exchange good but a 3 packet exchange not?
>
>     Mike
>
>
>>
>>     David
>>
>>     On Mon, Apr 19, 2021 at 3:39 PM Michael Thomas <mike@mtcc.com
>>     <mailto:mike@mtcc.com>> wrote:
>>
>>
>>         On 4/19/21 3:33 PM, Lucas Pardue wrote:
>>         > I'm struggling to see what the problem statement that is
>>         unique to the
>>         > QUIC protocol is.
>>         >
>>         > That certificates can be large is not new information, it
>>         was a prime
>>         > motivator for RFC 7924 [1] and RFC 8879 [2].
>>         >
>>         > Operators can, of course, experiment with new optimal ways
>>         of doing
>>         > things. The broader IETF community is likely interested in
>>         the outcome
>>         > of such experiments. Since QUIC version 1 uses TLS, any
>>         changes that
>>         > stand to improve a QUIC handshake would likely be
>>         applicable to TLS
>>         > too. So the concept of replacing current TLS mechanisms
>>         with the DNS
>>         > doesn't seem to be something the QUIC WG should be leading.
>>         Should
>>         > such work identify QUIC protocol design evolution or
>>         extension, then
>>         > it could be suitable for WG consideration.
>>         >
>>         I'm not asking this working group to do anything. Just
>>         socializing
>>         something that generated a lot of discussion on the IETF list
>>         that might
>>         be of interest to the Quic community.
>>
>>         Mike
>>

v2.23.0 | Report a Bug | By Email