RE: Treatment of ICMP for PMTU
"Lubashev, Igor" <ilubashe@akamai.com> Thu, 28 June 2018 18:32 UTC
Return-Path: <ilubashe@akamai.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4A19131026 for <quic@ietfa.amsl.com>; Thu, 28 Jun 2018 11:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.709
X-Spam-Level:
X-Spam-Status: No, score=-2.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oH4tq_V_vlCC for <quic@ietfa.amsl.com>; Thu, 28 Jun 2018 11:32:31 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72DDE130E03 for <quic@ietf.org>; Thu, 28 Jun 2018 11:32:31 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w5SIQM1f019484; Thu, 28 Jun 2018 19:31:34 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=qr7+1+XrUjJfuT7WJz21tkuR3Oact0aqSbZEoe00J2Q=; b=SKSwUAS4yhSv8mnT70zehUG9f70IxyjpFyh7ahrix8lExbl9qXtF9NTWI6c7sHItZO3N dGVoTe2M9/LQMV6Nh3wCXGFPmjtDkqBCt6MTA9Z5NKni4au1lcYdpAVHsDPvmu7HK8EG 2y+apqTzawMJ8pHXDd7WJDUgQ2NAGp1NOjdFliXuZBtgiv2wAaUfEcizORy+hW/acDNu 42qPl8TQUYedvviUyAWJuR8vbdad14z0tnaBd3lCOB/a7eBK+rFeMf7j+HYXSx8DaZZM LcKjn0wKqrzhnP7XYyljRdZK7zuSZPVusTKmIfu74+zwla4Lzxhfk0kyYps4jmaY8mqF Ng==
Received: from prod-mail-ppoint3 (a96-6-114-86.deploy.static.akamaitechnologies.com [96.6.114.86] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 2jvk1kjx99-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 28 Jun 2018 19:31:34 +0100
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w5SIV7ih001520; Thu, 28 Jun 2018 14:31:33 -0400
Received: from email.msg.corp.akamai.com ([172.27.27.25]) by prod-mail-ppoint3.akamai.com with ESMTP id 2ju9bvtv60-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 28 Jun 2018 14:31:33 -0400
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com (172.27.27.105) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.27.104) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 28 Jun 2018 13:31:32 -0500
Received: from USTX2EX-DAG1MB5.msg.corp.akamai.com ([172.27.27.105]) by ustx2ex-dag1mb5.msg.corp.akamai.com ([172.27.27.105]) with mapi id 15.00.1365.000; Thu, 28 Jun 2018 13:31:32 -0500
From: "Lubashev, Igor" <ilubashe@akamai.com>
To: "mikkelfj@gmail.com" <mikkelfj@gmail.com>, "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>
CC: "quic@ietf.org" <quic@ietf.org>, "lucas.pardue@bbc.co.uk" <lucas.pardue@bbc.co.uk>, "martin.h.duke@gmail.com" <martin.h.duke@gmail.com>
Subject: RE: Treatment of ICMP for PMTU
Thread-Topic: Treatment of ICMP for PMTU
Thread-Index: AdQOVlbAt8rn27zdQrag9H62mpvY5wABihw5AANGU0AABKuwsgAJFrAwAAfLncAADHqsgAAJiIOA///svv4=
Date: Thu, 28 Jun 2018 18:31:31 +0000
Message-ID: <f40cfa3f20c84ffba8faa6b2c36fb71e@ustx2ex-dag1mb5.msg.corp.akamai.com>
References: <924fbd75dbcf4d62a9062570b0d2ba5a@ustx2ex-dag1mb5.msg.corp.akamai.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB5B9DC@bgb01xud1012> <2f0e251a9b274272968a8b3053d3a3a5@ustx2ex-dag1mb5.msg.corp.akamai.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB5BA29@bgb01xud1012> <4674cc2be90e4b5b9056cc63a0735664@ustx2ex-dag1mb5.msg.corp.akamai.com> <7CF7F94CB496BF4FAB1676F375F9666A3BB5BA9B@bgb01xud1012> <CAN1APdeH5yQELW9wv4Oj=UtaVcC=zCNz6su8_R-hrB3T8_Yp2w@mail.gmail.com>, <71164BBA-551D-4281-9E46-B4759401351E@erg.abdn.ac.uk>
In-Reply-To: <71164BBA-551D-4281-9E46-B4759401351E@erg.abdn.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_f40cfa3f20c84ffba8faa6b2c36fb71eustx2exdag1mb5msgcorpak_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-28_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=799 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1806280207
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-28_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=720 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1806280206
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QXMeUd6YIza6uq4e_pjMMGBG7WE>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2018 18:32:35 -0000
In the PR, I say to ignore the signal, if it comes after the handshake. I do not want an effective way for a man-on-a-side to DoS connections in progress. When this happens during handshake, there is a much more nuanced decision. Basically, sever ignores such signals. However, client abandons this server or QUIC entirely, if it has an alternative server IP to try or protocol to fall over to. This is because a man-on-a-side attacker interested in disputing QUIC handshake could already do it via spoofed version negotiation packets. - Igor -----Original Message----- From: Gorry (erg) [gorry@erg.abdn.ac.uk] Received: Thursday, 28 Jun 2018, 10:41AM To: Mikkel Fahnøe Jørgensen [mikkelfj@gmail.com] CC: Lucas Pardue [lucas.pardue@bbc.co.uk] IETF QUIC WG [quic@ietf.org] Martin Duke [martin.h.duke@gmail.com] Lubashev, Igor [ilubashe@akamai.com] Subject: Re: Treatment of ICMP for PMTU On 28 Jun 2018, at 12:07, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com<mailto:mikkelfj@gmail.com>> wrote: I think QUIC needs a tunnel extension frame. On 28 June 2018 at 11.25.20, Lucas Pardue (lucas.pardue@bbc.co.uk<mailto:lucas.pardue@bbc.co.uk>) wrote: Igor Lubashev wrote: >I think I see what you are talking about. > >At least the way it is specced in H2 and HTTP/QUIC, CONNECT proxies forward >data streams, not packets. Hence, MTU concept on a tunnel-stream is >meaningless. The text says it explicitly: "Note that the size and number of TCP >segments is not guaranteed to map predictably to the size and number of >HTTP DATA or QUIC STREAM frames." From the client's perspective there is >only one PMTU that is relevant -- the one to the proxy. The proxy will keep >tracks of the PMTUs to the CONNECT endpoints itself and will generate TCP >segments accordingly. Right, that's how I was seeing it. >Trying to design a CONNECT-like method to proxy an entire QUIC connection >over a single QUIC stream would create HOLB for QUIC packets to and from >the proxy. Some sort of a partially reliable QUIC stream could help here. Both you and Mikkel have identified HOL as something that needs more thought. Thanks. Mikkel's view is a little more extreme, to paraphrase "HOL is enough to make QUIC not QUIC". I've taken the view that it may be desirable to tunnel QUIC over TLS/TCP too (perhaps using HTTP/2 frames), so I view HOL avoidance as an optimisation rather than a requirement. Partial reliability (of streams, or of some new frame type) could help solve that puzzle. Now I think about it, a complimentary mitigation could be to reserve a set of tunnel-streams to provide some basic multiplexing. However, the complexity of that might not be worth it. >This proxying scheme would require an extension to CONNECT to open a >UDP/IP tunnel instead of a TCP/IP tunnel. That extension would also mandate >that HTTP/QUIC DATA frame corresponds to a UDP frame. I suspect that it >would be a very good idea for such a proxy to add a new frame for providing >ICMP-like explicit PMTU feedback to the sender (why leave the sender >guessing and probing, if the PMTU is already known to the proxy?). This is good feedback. Thanks! Kind regards Lucas And when you say: " for ICMP w/ on-path proof, I think it makes sense to allow a reduction in PMTU up to 1280." - I agree the values could be trusted. - what then also happens when PTB message indicated less than 1280, does the sender close the connection? Or ignore the message and wait to see if there is a timeout? Gorry
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Mikkel Fahnøe Jørgensen
- Re: Treatment of ICMP for PMTU Gorry (erg)
- Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Lucas Pardue
- RE: Treatment of ICMP for PMTU Lucas Pardue
- Re: Treatment of ICMP for PMTU Eggert, Lars
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Mikkel Fahnøe Jørgensen
- RE: Treatment of ICMP for PMTU Mikkel Fahnøe Jørgensen
- Re: Treatment of ICMP for PMTU Gorry (erg)
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- Re: Treatment of ICMP for PMTU joel jaeggli
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- Re: Treatment of ICMP for PMTU Magnus Westerlund
- RE: Treatment of ICMP for PMTU Lubashev, Igor
- Re: Treatment of ICMP for PMTU Magnus Westerlund