Re: Increasing QUIC connection ID size

Willy Tarreau, Fri, 12 January 2018 05:56 UTC

On Fri, Jan 12, 2018 at 01:05:02AM +0000, Roberto Peon wrote:
> Correct/agreed. The L4 'router' must be able to decrypt/interpret the data in
> order to act upon it. This requires sharing of some key material.

At least we need to keep in mind that it's critical to ensure consistency
between all front nodes (think DNS+anycast BGP+ECMP LB before reaching the
L7 LB). It's critical that all equipment in the path is able to coherently
find the correct path to the origin node without having to actually learn
anything from the packets. And synchronizing keys between multiple nodes
is often a pain (though never impossible).

At the HTTP workshop 2 years ago, I proposed to place some upfront routing
information on TLS to save LBs from having to decrypt the stream to
find what server the stream had to be sent to. The proposal was to have
a small ID, typically 16 bits, for this. In my opinion this is another
option we can consider here: with only 16 bits, you can easily store a
server ID in a reasonable farm size (even dynamic), but you don't have
enough information to track users. So it could remain accessible in
clear, saving front nodes from having to decrypt anything or share keys.
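
A sketch of the routing behaviour proposed in the message above, added here as an example; it is not code from the message, from HAProxy, or from any QUIC implementation. It assumes a hypothetical 8-byte connection ID whose first two bytes carry the server ID in clear; the farm map, the addresses and the CRC32 fallback for unknown IDs are likewise assumptions.

```python
import os
import struct
import zlib

CID_LEN = 8  # assumed connection ID length for this sketch

def issue_cid(server_id):
    """Origin server: put its 16-bit ID in clear, fill the rest with randomness."""
    if not 0 <= server_id <= 0xFFFF:
        raise ValueError("server ID must fit in 16 bits")
    return struct.pack("!H", server_id) + os.urandom(CID_LEN - 2)

class FrontNode:
    """Stateless front node: holds the farm map only, no keys, no flow table."""

    def __init__(self, farm):
        if not farm:
            raise ValueError("farm must not be empty")
        self.farm = dict(farm)
        self.ordered = sorted(self.farm)

    def route(self, cid):
        if len(cid) != CID_LEN:
            raise ValueError("unexpected connection ID length")
        (server_id,) = struct.unpack_from("!H", cid)
        if server_id in self.farm:
            return self.farm[server_id]
        # Unknown ID (e.g. server removed): hash the whole ID so that
        # every node still picks the same fallback server (assumed policy).
        pick = self.ordered[zlib.crc32(cid) % len(self.ordered)]
        return self.farm[pick]

# Constructed farm using documentation-range addresses.
FARM = {1: "192.0.2.1:443", 2: "192.0.2.2:443", 513: "192.0.2.3:443"}

def route_on_two_nodes(cid):
    """Two independent nodes, sharing no state, route the same packet."""
    return FrontNode(FARM).route(cid), FrontNode(FARM).route(cid)

if __name__ == "__main__":
    cid = issue_cid(513)
    print(cid.hex(), route_on_two_nodes(cid))
```

Both nodes reach the same backend from the packet bytes and the static farm map alone, which is the consistency property the message asks for across anycast and ECMP front nodes.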