Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)
Kazuho Oku <kazuhooku@gmail.com> Thu, 24 May 2018 05:49 UTC
Return-Path: <kazuhooku@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C705712D945 for <quic@ietfa.amsl.com>; Wed, 23 May 2018 22:49:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YaC7ItQVo36L for <quic@ietfa.amsl.com>; Wed, 23 May 2018 22:49:15 -0700 (PDT)
Received: from mail-pf0-x241.google.com (mail-pf0-x241.google.com [IPv6:2607:f8b0:400e:c00::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E44112D944 for <quic@ietf.org>; Wed, 23 May 2018 22:49:14 -0700 (PDT)
Received: by mail-pf0-x241.google.com with SMTP id o76-v6so284382pfi.5 for <quic@ietf.org>; Wed, 23 May 2018 22:49:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cVHhOGXo/EpzX4pagav4x0LxdVkoSkiQE2ltykr8PzY=; b=gE2cxTM9gxQWoAohdxhBvsbEvEW2rmDKsLz42RLv+peJq8J/avBpg6hgohWpu24Rvh WZjxwazx7NwoavOUoKByBLN8og4TztfXI2BPUVdcJGK2ZSb4uwt3JSbsdEy1sOcMNZ82 t694dkK8jl7Shh0C3/fpJxiH76DU/ORTtJNLtmbDGQxg4JnMZdzcJGk4VyApEwDc+l// 3wyzScOG6jyAZvMYJnYKv5O5BlWMqExiLHZB+7OdOKCBZk2Rj5mqMWSnMGVQ6KetsgU5 2+UrN+kkPa8pFhb/eP5ImPNlRprWFUN/SH1Hk9HNBjpiWhHZv1b47a/6PCUZQ267ykDt emMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cVHhOGXo/EpzX4pagav4x0LxdVkoSkiQE2ltykr8PzY=; b=osmbKuA9+7tyuP/L3wGZlw9FP+y42EdqDgeXWGssaodKAHkw4emnuf6mTtbDw6dS/m ASiyv6NUUnfGshMJItCliQbCcjPrRmZblvnS21el6sg4KXYsBTWXiggs0WRAxT8w+Lat U9/7njt3UHtloyvnIUWNgqFP9/0Ake7T/VKLz9T0czKFtsmHzPwMoOIHOQ3Kv3e4v/YI 4BRBrn7YH2rnpDwCQa5M/V0/LTWaJkZLJzsf5pW8lSe1iMyBcIpPjV1QDPEonasjbxSk gi/esRxdNb6ZpZh9BxUvqWfKpS0r9Nnlrrp0iu6VG+gAffaaid+Iu/oCzxSSjjS50hv8 7cAQ==
X-Gm-Message-State: ALKqPwehUggFrAxeMKkP/xh4GdI3Sdx3/Ge8XTkLzOuNPF57M8hHG8eX MBqwLAlir4bHrpiOCNI+BETVTEvJRTAbTvdW8do=
X-Google-Smtp-Source: AB8JxZp7XGIpZzJJgacQA9gtV7635Mpf+VEjM4UU/V3gLPZRdQVw0viCWa1LFMIH69cJxWLorKW6abFckKuAJG/Fabk=
X-Received: by 2002:a62:ccdc:: with SMTP id j89-v6mr5887580pfk.182.1527140953515; Wed, 23 May 2018 22:49:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:1189:0:0:0:0 with HTTP; Wed, 23 May 2018 22:49:12 -0700 (PDT)
In-Reply-To: <CABkgnnUjw4WYDv5mmsFp2nDq4LtdJBzsgdFkxFzEdHrA37tejw@mail.gmail.com>
References: <CANatvzwN1kVO3ofvyYX9cg=cKcg4FdqUT3VB6hneEDa5UjT_0w@mail.gmail.com> <CABkgnnUjw4WYDv5mmsFp2nDq4LtdJBzsgdFkxFzEdHrA37tejw@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Thu, 24 May 2018 14:49:12 +0900
Message-ID: <CANatvzyNHpTFpdS6_A-gijn2+dOiU=zxyiRJsQuSZVy+EyZ1gQ@mail.gmail.com>
Subject: Re: Stream0 Proposal: Explicit vs. Implicit ACK (Re: Stream0 Design Team Proposal)
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Jana Iyengar <jri.ietf@gmail.com>, Eric Rescorla <ekr@mozilla.com>, QUIC WG <quic@ietf.org>, Ian Swett <ianswett=40google.com@dmarc.ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/JQAvSqYzNgsixCzpSJMTyeVRifs>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 May 2018 05:49:17 -0000
2018-05-24 13:43 GMT+09:00 Martin Thomson <martin.thomson@gmail.com>: > The obvious solution for the problem of not retransmitting the client > Finished is to retransmit it until it is acknowledged. With the proposed > design, that means that the server sends a Handshake message after the > handshake is done, which I think is fine. If the client sends Finished > until it is acknowledged, then I think we're good. I agree that that would work. IIUC downsides compared to the implicit ACK approach are that the server needs to keep the old keys for certain amount of time (e.g., 2 MSL) and that the additional Handshake packet will consume about 30 octets of the 3 packet window that we have for the server's first flights. > I can see the appeal in saying that if you receive an ACK for 1-RTT data > then your Handshake packets must have been received. I can see that > working even, but you have to be careful. It's just a signal that you can > stop sending CRYPTO frames, not that you are done with the keys. You might > need to send ACK again and you might still receive packets at that level. > You could drop read keys and ACK only the old packets that you did decrypt, > but I suspect that it's better to authenticate any packet and ACK > faithfully, which would be better for your peer's congestion state. > > That also means that you probably need to have timers for cleaning up, to > avoid the pathological case where acknowledgments are sent indefinitely. I agree with your argument about congestion control. One way of acquiring correct congestion control information in the implicit ACK approach will be to send coalesced packets that combines a Handshake packet with a packet protected by a higher encryption key. That will guarantee that you would receive an ACK for the delivery of the datagrams, and you can feed the information to the congestion controller. FWIW, I have implemented implicit ACK in quicly, and it only required about 40 additional lines of code, including the retransmission logic for Handshake_Done. The code can be found at https://github.com/h2o/quicly/pull/8/commits/eee6eb5fc7c0359edfeb0b8f89ae9ac191ef0758. Coalesced packets is not implemented. > > I think that the FIN bit idea might work to close out the use of the > "stream" for each set of keys. That is, as opposed to the crypto stream as > a whole. But it's duplicative: the crypto handshake needs to know when it > moves from one set of keys to the next and replicating that signaling at > the QUIC layer only really adds things to check for consistency. > On Thu, May 24, 2018 at 11:07 AM Kazuho Oku <kazuhooku@gmail.com> wrote: > >> 2018-05-24 3:46 GMT+09:00 Jana Iyengar <jri.ietf@gmail.com>: > >> > A thought occurs to me: a CRYPTO_HS frame with the fin bit set can be > used >> > to indicate that the handshake is done.This could be used as a signal > (aka >> > HANDSHAKE_DONE) to solve Marten's problem of a client rtxing a CFIN. Of >> > course, this would mean that this particular CRYPTO_HS frame would be >> > encrypted with a 1-RTT key... which *I think* is fine. What do you > think? > >> I am not sure if that is a good approach. > >> I would assume that we would like to keep the handshake flow on the >> 1-RTT key open for the lifetime of the QUIC connection, so that we >> could send things related to the TLS (e.g. session tickets). Sending >> FIN from the server right after receiving ClientFinished makes that >> impossible. > >> Having said that, I do agree that the need for a dedicated frame is a >> pain. It is a pain because we need to have a retransmission logic for >> the frame. > >> I think that you are making a good point in suggesting to consider >> reusing the retransmission logic that already exists for bidirectional >> flows. But as said, FIN bit does not seem like an answer in this case. > >> IMO, ideally we should define a new TLS post-handshake message (that >> does not convey any data), and send that from the server in response >> to ClientFinished using 1-RTT packet. The message will act as a signal >> that the server has received ClientFinished. > >> The benefit of this approach is that we can reuse the retransmission >> logic that will exist for handshake flows. The downside is that TLS >> stacks need to be aware of the new handshake message. > >> Considering the fact that the Design Team is already suggesting a >> substantial change to the TLS stack, we might have chance in asking >> for the addition of a new handshake message. But I am not sure. > >> -- >> Kazuho Oku -- Kazuho Oku
- Stream0 Proposal: Explicit vs. Implicit ACK (Re: … Kazuho Oku
- Re: Stream0 Proposal: Explicit vs. Implicit ACK (… Martin Thomson
- Re: Stream0 Proposal: Explicit vs. Implicit ACK (… Kazuho Oku
- Re: Stream0 Proposal: Explicit vs. Implicit ACK (… Kazuho Oku
- Re: Stream0 Proposal: Explicit vs. Implicit ACK (… Mikkel Fahnøe Jørgensen
- Re: Stream0 Proposal: Explicit vs. Implicit ACK (… Kazuho Oku
- Re: Stream0 Proposal: Explicit vs. Implicit ACK (… Eric Rescorla