IETF Logo Mail Archive

Re: Back to work

Eric Kinnear <ekinnear@apple.com> Thu, 29 October 2020 22:07 UTC

Return-Path: <ekinnear@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03D483A08A9 for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 15:07:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCs62uMeP56j for <quic@ietfa.amsl.com>; Thu, 29 Oct 2020 15:07:10 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 229583A0995 for <quic@ietf.org>; Thu, 29 Oct 2020 15:07:08 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 09TLlYv0060913; Thu, 29 Oct 2020 15:07:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=8pXND7jn/tq7dGar6W1aW5QZ7Xu/PeshUxNClx9QgAA=; b=LJVh0C0czMLJirMqIVWk6dlqWGjdstHnJhZ1q209sORzhRXtr+Gw2pC8AdMJejDD50lh 4oaQKurnaOXRTCulcjKgc8I/HpBI/qLB2fePR+CjiSDjs93rsPBuDd0vIPL1Qcb+hhkl bcFeA7y8xN2U+3EQ5rCSV0tgZt+bDdOcGLAkxE22j8d3ieDXwD2hrBqlBD6NaJq8NWJh yfgVQ2rLReWvzUlv6sikulD4xj6I5K7YuXpMC3DUb3LWFaf3pwH+OTKX+pez2IvD/2Jr RfdbafyuwzaEzGVt4aGNBY67cvCBBd1Q0AfQ2MMn9D6sBnSsCYNlHjIUTeGTEzl+IB0I vQ==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 34cjx6jcgt-14 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 29 Oct 2020 15:07:08 -0700
Received: from rn-mailsvcp-mmp-lapp04.rno.apple.com (rn-mailsvcp-mmp-lapp04.rno.apple.com [17.179.253.17]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPS id <0QIZ00UPLHFVPOK0@rn-mailsvcp-mta-lapp02.rno.apple.com>; Thu, 29 Oct 2020 15:07:07 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp04.rno.apple.com by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) id <0QIZ01000H2UBO00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Thu, 29 Oct 2020 15:07:07 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 01a37c4388be431533d60b3d58eeb299
X-Va-E-CD: f9547cdfcf1db34a2e58b4894fc4b8f8
X-Va-R-CD: 2ba71f0fef3449a5a37d3b7967c49b1e
X-Va-CD: 0
X-Va-ID: 7079eeac-8616-46fe-aa2f-4062385a7af7
X-V-A:
X-V-T-CD: 01a37c4388be431533d60b3d58eeb299
X-V-E-CD: f9547cdfcf1db34a2e58b4894fc4b8f8
X-V-R-CD: 2ba71f0fef3449a5a37d3b7967c49b1e
X-V-CD: 0
X-V-ID: 219a3c34-8c71-47f0-812d-fb98cd44610b
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-10-29_12:2020-10-29, 2020-10-29 signatures=0
Received: from [17.234.49.26] (unknown [17.234.49.26]) by rn-mailsvcp-mmp-lapp04.rno.apple.com (Oracle Communications Messaging Server 8.1.0.6.20200729 64bit (built Jul 29 2020)) with ESMTPSA id <0QIZ00K0XHFU1J00@rn-mailsvcp-mmp-lapp04.rno.apple.com>; Thu, 29 Oct 2020 15:07:06 -0700 (PDT)
Content-type: text/plain; charset="utf-8"
MIME-version: 1.0 (Mac OS X Mail 14.0 \(3654.0.3.2.91\))
Subject: Re: Back to work
From: Eric Kinnear <ekinnear@apple.com>
In-reply-to: <7fca948f-6c71-45c8-8c76-8cfabf11898b@www.fastmail.com>
Date: Thu, 29 Oct 2020 15:07:06 -0700
Cc: quic@ietf.org
Content-transfer-encoding: quoted-printable
Message-id: <5CD85C94-CFB2-47FF-9178-0DBE354EFCBF@apple.com>
References: <0f150dec-e408-48bf-8e54-05e3e96e7a85@www.fastmail.com> <CALZ3u+a1fBq1MB52H-h-JYY=OOkOo9=jEu7smNVeyy_9U3abEw@mail.gmail.com> <CAKcm_gNoB=nP050VRfw5MXAAw-HhpnKHp6pAx9onaA4a5CH5-Q@mail.gmail.com> <b80cf41524865c171712bfcfca7ef92e2a472044.camel@ericsson.com> <efe63bdf-7af2-49c0-932d-3a36de61bdd6@www.fastmail.com> <41A07550-1BFA-43E6-83A0-93FA96DF1E9B@apple.com> <CAN1APddS_qtMoUiUL9uwtAB3rXuAQ0NmiipXGDkS4hcA5od6Ag@mail.gmail.com> <CAKcm_gOcuuF_REWszJyYC6eO6swavMD3D9VnzgJTHEwEAXOsnw@mail.gmail.com> <CAM4esxT2kD6U-Hb5cOSfykBPvTmboEozqqiYiFF63ywxstm-LQ@mail.gmail.com> <CAKcm_gPzEgEssO3LMyW=t9tvbsRrLQBJ7M=2mxySs3H-YUXF5A@mail.gmail.com> <CACpbDceKFAVZ=Vrvj8ZoOj95TNfkCqNrpLh8FOBMBUBU=Qx_eQ@mail.gmail.com> <cc9aca43-7556-7fed-8ef8-1b5343316a0d@huitema.net> <59211AC5-0D72-4295-9E67-DA0BF5B92965@apple.com> <7fca948f-6c71-45c8-8c76-8cfabf11898b@www.fastmail.com>
To: Martin Thomson <mt@lowentropy.net>
X-Mailer: Apple Mail (2.3654.0.3.2.91)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-10-29_12:2020-10-29, 2020-10-29 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QV8yu1h_qe29j7l9fAfsCzUakCw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 22:07:14 -0000

Hi Martin, 

> On Oct 28, 2020, at 10:17 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> Hi Eric,
> 
> I don't know what you mean by: "How worried are we about the 3x limit?".

The one place where it seems that the proposed change (which is otherwise very nice, general, and fairly clean) could introduce some issues is around NAT rebinding — consider what could be a fairly common case: 

Client is fetching a decently large web resource from a server over QUIC. NAT rebinds and so the server sees un-padded QUIC packets arriving on a different port. We’ve said that the server does not need to reset the CC state if it has strong reason to believe that it’s likely the same path, and in this case the fact that the address did not change and it was solely the port is sufficient for that server implementation to match that condition.

With the 3x amplification limit, the server can only send 3x the bytes that are coming in — normally, this is fine because an endpoint is also getting padded PATH_CHALLENGE packets from the remote endpoint. However, in this case the client isn’t aware that it has migrated (this is also the case with a number of other MOTS attacks), and so is just sending a steady stream of small packets containing ACKs.

> I got the impression that Christian's request was that we avoid padding where it is unnecessary.

This case described above is what I thought Christian was describing in the final paragraph of his message, but it’s quite likely I’m wrong there. :) 

When we enter into this situation, we’re now getting fairly minimally-sized packets for at least the first RTT until the client responds with a padded PATH_RESPONSE to our (maybe not padded due to the 3x limit) PATH_CHALLENGE.

After that first RTT, the fact that we’re getting back a padded PATH_RESPONSE doesn’t matter for path validation because the path is already considered valid and we’re free to continue sending full-sized flights as allowed by our not-reset congestion controller.

And of course, I completely agree with you that we can use the actual data we’re trying to deliver for that MTU validation rather than wasting space with PADDING frames.

I’m not bothered by a requirement to do another PATH_CHALLENGE to validate MTU (wiring that up anywhere would work for PMTUD, path validation seems fine) afterward, the potential problem is simply the larger-than-before reduction in delivery rate.

The reason I ask “how worried” we are about that is because it’s a bit of an edge case, things were never going to be perfectly smooth during a NAT rebinding, etc. This happens to be one specific case that’s almost the most common of the unintentional migration cases, but even here we don’t usually expect a NAT rebinding in the middle of an active flow that’s trying to send significant amounts of data in each flight.

So, it seems to me that a completely reasonable consensus here would be “yeah, that’s a thing, but we don’t think that will matter in practice”. :) 

> 
> The two things we need to balance here are:
> * Amplification (the reason we have a 3x limit)
> * Odd failures when things only work sometimes (the reason we require padding of probes)
> 
> My belief is that the proposed PR #4264 achieves this balance in a minimal fashion.
> 
> Yes, there are two things you need to verify for a new path, but for the most part, probes can be padded and so will verify both.  Both that the address is live and that the path supports a reasonable MTU.  These are separated into two separate checks if checking the latter would violate the amplification limit.
> 
> Padding packets sent on either path is sub-optimal if you already know that the MTU is OK, so I'd be happy to create a carve-out for that.  It seems like a fine optimization, but the space can be used for things other than PADDING frames, so I don't see it as critical.  My migration implementation (almost finished, thanks) will include other frames in these packets where possible.

This totally makes sense, I think the amplification issue introduced by the padding requirement could be sorted out if we only applied that padding requirement to the one of two path validation situations that need it (i.e. the one where the client is sending PATH_CHALLENGEs, if we’re requiring the PATH_RESPONSE to come back on the same path). So just noting that this is one area where there may be further fallout and since we were discussing reducing change and risk of fallout it seemed like it would be good to consider options that reduce the scope of the previous change, rather than building on it.

If we look at that and say, “yeah, but this approach is unlikely to cause real-world fallout and the 3x limit is more general and clean”, I’m totally in agreement with that and have no issue with #4264.

Thanks,
Eric


> 
> Cheers,
> Martin
> 
> On Thu, Oct 29, 2020, at 13:13, Eric Kinnear wrote:
>> I was originally shying a bit away from that option, Christian, but the 
>> more I think about it the less painful it seems: back out the padding 
>> requirement, add in a note that “after a new path has been validated, 
>> endpoints can/should/must do PMTUD to validate the MTU on that path”. 
>> 
>> The natural responses that an endpoint goes through during path 
>> validation (or abrupt migration) leave it with either a working or 
>> failing path when trying to migrate; this was always the case and is no 
>> more or less the case due to MTU concerns. 
>> 
>> Alternately, you also note that we might want to avoid forcing the 
>> server specifically to send large packets — in my opinion, that would 
>> be another equally valid way to tackle this: require the padding only 
>> for PATH_CHALLENGES sent from the client and any PATH_RESPONSE to a 
>> padded challenge.
>> That’s really nice in a number of ways, especially for the MOTS cases 
>> where I can make the server think that every new packet is on a new 
>> path, etc.
>> 
>> So… lots of words to say: I very much agree with what you’re saying. :) 
>> 
>> It seems like these would be good options to use if we think that 
>> there’s something we *don’t* like about the 3x limit (perhaps how it 
>> interacts with NAT rebinding). Otherwise, the 3x limit is nice and 
>> general.
>> 
>> How worried are we about the 3x limit?
>> 
>> Thanks,
>> Eric
>> 
>> 
>>> On Oct 28, 2020, at 5:41 PM, Christian Huitema <huitema@huitema.net> wrote:
>>> 
>>> 
>>> On 10/28/2020 5:17 PM, Jana Iyengar wrote:
>>>> I like the universality of the 3x limit. The reasoning applies broadly
>>>> and there's no reason to separately reason about how a server responds
>>>> to new addresses, be it at the start of a connection or
>>>> mid-connection. Overall, I have a few minor suggestions to make, but
>>>> I'm happy with the way the PR is headed.
>>> 
>>> 
>>> I think that we can devise proper solutions for "organized migrations",
>>> such as requiring both receipt and acknowledgement of a long enough
>>> packet before validating a path. I am not going to belabor that. But NAT
>>> traversal is a can of worms, and some of the norms are going to bite us.
>>> 
>>> I order to support NAT traversal, we request servers to take action if
>>> they see a packet arriving from a new address of the client. This opens
>>> a huge hole through which enterprising MOTS or "specially crafted
>>> clients" can harass servers. We have an OK defense: send a challenge to
>>> both old and new IP to force "proof of address ownership". That defense
>>> is OK because it uses minimal length packets, and thus does not cause
>>> too much amplification. I think we should leave it at that, and not
>>> force the server to send large packets. There is a need to then validate
>>> that the path can carry traffic, which will happen naturally when the
>>> server tries to send a large packet. But if the server only sends these
>>> large packets after address ownership has been verified, things ought to
>>> be quite good.
>>> 
>>> -- Christian Huitema
>>> 
>>> 
>> 
>

v2.23.0 | Report a Bug | By Email