IETF Logo Mail Archive

Re: Fast Address Validation - about

"Martin Thomson" <mt@lowentropy.net> Wed, 30 October 2019 22:07 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8D512080C for <quic@ietfa.amsl.com>; Wed, 30 Oct 2019 15:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=BkT7AznS; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=DPKXfzOm
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hNj7XuHjvWb0 for <quic@ietfa.amsl.com>; Wed, 30 Oct 2019 15:07:40 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AAC412011A for <quic@ietf.org>; Wed, 30 Oct 2019 15:07:40 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 2881B22402 for <quic@ietf.org>; Wed, 30 Oct 2019 18:07:39 -0400 (EDT)
Received: from imap2 ([10.202.2.52]) by compute1.internal (MEProxy); Wed, 30 Oct 2019 18:07:39 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm3; bh=knIEA 69cxW4G2xSRvnXlYlNPWeFnNcQ0dAJSn+mvm3Q=; b=BkT7AznSbLBnAvpnu3Id3 cwEz8BTTsf2Sl8lFQIug/wbADTyDV7JX08dLKji9lTugbQgFMBsxMk3EHcZwxsWn KdLBo9I1A5ug4qWxykmCohdceYtNGhsLQF4JPdnYIxner2pZQ7tau+JFs31yS6a+ fm5oNfvxcNF50fuVARtY19rRyxI68t6GH4JnHdnCI1wZ9OAq76o0lCaGiOV1NCNC KEHgStJ++hHxf5ORuN4YPOEwj0ZOZy7gZWe8nnyE7ME4+citRcXQeqhxIX/eSx0c /HRT6balgeiKytv1YIQbsAgNDfgYNQbgebNj/x5pBXn8ZAHg9N7aYl0RA9Ehh8WX A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=knIEA69cxW4G2xSRvnXlYlNPWeFnNcQ0dAJSn+mvm 3Q=; b=DPKXfzOmA0c6eMsDpyHG6Zh0iFdWPTsRAMwOADOk4oCWIobzwjMMEmjlX cC2L3irD8TbaY8CrxRUs/5zL31gSIG3s/Zw8AjOXzr91dT3R/mYVO2gwRYML2Yrd BqNo7A4amKAmAkNwbJMmUrO3+NXQtw3U7td6s6pej1WamaS1CMGz7TorkJSU9GNm In8AY4J1uLcscYFkQheBor0xsMF/vigE7TGcSubDfgzux/Rl6VUH/363NluuV6KG /oYkCv2Y5cQTSjAiC/NmcedYmXB592E10bRTHy8HdfRbNPnoAG9mUAQd16qC2XLJ HDXFZN+5iFQAfzvSUMIOYAxzZz+eQ==
X-ME-Sender: <xms:qgm6XTeIICC8buXh76rBLzhWBrMqK0p_7dCDFgbJGG19HcilAGJK3w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedruddtfedgudeivdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgse htqhertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmthes lhhofigvnhhtrhhophihrdhnvghtqeenucffohhmrghinhepihgvthhfrdhorhhgnecurf grrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvghtnecuvehl uhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:qgm6XS2h0fIan3S3exTCQwM8Ix91JIBfCswoK8UjgcOFkx2jC4e1kg> <xmx:qgm6XZPhT-XKmXdLYiA_yGhJ3aigxpQBokYv0ge2ttTEhpjTtizZTQ> <xmx:qgm6XWfdYRjv4YYlxz0KoczrpYjWJxKCqa8Niq1jG1RyoQu1VlQmYA> <xmx:qwm6XbNQHV0zxCp-ZJOz4CgJ0HYCjQDNn29hz2zq0hQuh9VugzcVuA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 918D8E00A3; Wed, 30 Oct 2019 18:07:38 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-509-ge3ec61c-fmstable-20191030v1
Mime-Version: 1.0
Message-Id: <bd15f357-8e7a-42af-bf28-79f7177da385@www.fastmail.com>
In-Reply-To: <BN6PR2201MB1700F72F3DC8F6C3CF79902CDA600@BN6PR2201MB1700.namprd22.prod.outlook.com>
References: <4974ed86-0fa9-435d-880f-80af637ef180.anqing.aq@alibaba-inc.com> <BN6PR2201MB1700F72F3DC8F6C3CF79902CDA600@BN6PR2201MB1700.namprd22.prod.outlook.com>
Date: Thu, 31 Oct 2019 09:07:19 +1100
From: Martin Thomson <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: Fast Address Validation - about
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/I-82xmfvsztXFDE4gdSdDH1q8DA>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2019 22:07:42 -0000

Also note that exchange of Handshake packets provides proof of return routeability via the use of the encryption keys, so there is no need to exchange tokens at that level.

On Thu, Oct 31, 2019, at 03:29, Mike Bishop wrote:
>  
> The advantage of using Retry, however, is that the server is able to 
> keep minimal (if any) state about the client. Exchanging the token at 
> the Handshake encryption level means the server is already doing work 
> and maintaining state in order to process the handshake, which is 
> exactly what the server is trying to avoid.
> 
> 
> *From:* QUIC <quic-bounces@ietf.org> *On Behalf Of * Qing An
> *Sent:* Wednesday, October 30, 2019 9:41 AM
> *To:* quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt 
> <mt@lowentropy.net>
> *Cc:* 刘大鹏(鹏成) <max.ldp@alibaba-inc.com>
> *Subject:* Fast Address Validation - about
> 
> 
> 
> 
> Hi Martin, Jana, 
> 
> I read through https://www.ietf.org/id/draft-ietf-quic-transport-23.txt 
> and have a few comments and ideas to discuss.
> 
> 
> [QUIC-Trans] defines a token based scheme to facilitate address 
> validation of a client. The token MUST be covered by integrity 
> protection against modification or falsification by clients. The server 
> remembers the value it sends to clients and validates the token sent 
> back from a client. In its design, Retry packet is used to deliver the 
> token to a client which address has not yet been validated. It voids 
> the first transmission of the Initial packet sent by the client, and 
> triggers a second Initial packet to be sent with the token. The 
> exchange of token will cause longer connection establishment delay for 
> a client.
> 
> 
> To improve the efficiency of address validation during handshake, one 
> idea is that the same token can be exchanged via a different container 
> i.e. the Handshake packet, that eliminates the use of Retry packet for 
> token delivery. 
> 
> 
> I am working on the complete draft and will submit it by Friday. Before 
> that, hope this can be discussed in email first.
> 
> 
> BR,
> 
> Qing An
>

v2.23.0 | Report a Bug | By Email