RE: Getting to consensus on packet number encryption

Praveen Balasubramanian <pravb@microsoft.com> Tue, 01 May 2018 16:34 UTC

From: Praveen Balasubramanian <pravb@microsoft.com>
To: Ted Hardie <ted.ietf@gmail.com>, Roberto Peon <fenix@fb.com>
CC: "Salz, Rich" <rsalz@akamai.com>, Benjamin Kaduk <bkaduk@akamai.com>, IETF QUIC WG <quic@ietf.org>
Subject: RE: Getting to consensus on packet number encryption
Thread-Topic: Getting to consensus on packet number encryption
Date: Tue, 01 May 2018 16:34:28 +0000
Message-ID: <MWHPR21MB063883F004E055CC91C153EBB6810@MWHPR21MB0638.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QqEr_iLbYuvHlbMgRNe7dQccqnA>

This is not about putting plaintext data on the network, this is about not adding PNE which is intended for preventing ossification. So I don’t understand what the trust issue being referred to is in case of the rare misconfig.

Within a DC several things are different – the deployment may need different congestion control like DCTCP, different settings for various transport parameters (like minrto and max ACK delay), larger flow control window etc. This is true for TCP today. The out of box default uses the handshake RTT to make a determination of what’s intra-DC but there is rich configuration to override the default and set it based on 4-tuple filters.

And there are workloads like cloud storage and live migration that are by virtue of deployment intra-DC. These cannot be load shifted as they use private IP address space.

From: Ted Hardie [mailto:ted.ietf@gmail.com]
Sent: Tuesday, May 1, 2018 8:55 AM
To: Roberto Peon <fenix@fb.com>
Cc: Salz, Rich <rsalz@akamai.com>; Benjamin Kaduk <bkaduk@akamai.com>; Praveen Balasubramanian <pravb@microsoft.com>; IETF QUIC WG <quic@ietf.org>
Subject: Re: Getting to consensus on packet number encryption

On Tue, May 1, 2018 at 8:13 AM, Roberto Peon <fenix@fb.com> wrote:
Also, Prism.

-=R



That's a little more succinct than I would be, but yes. How does an application know that the flow it is initiating will traverse a topology that is deemed to be within a controlled environment? You can say "configuration" but I fear it will turn up on a post-it <https://i.kinja-img.com/gawker-media/image/upload/s--Edu6LPu9--/c_scale,f_auto,fl_progressive,q_80,w_800/194thbtyencs0jpg.jpg> if you do. Loads shift, resources move, and suddenly you find that host which used to be in the same rack, being down, has load-shifted to the next instance, in a datacenter 500 miles away across a very different network.

Many modern deployments are also in someone else's data center, so saying "Data center networks" doesn't say much about why you're trusting the network inside.
Ted



-------- Original message --------
From: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Date: 5/1/18 5:25 AM (GMT-08:00)
To: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>, Praveen Balasubramanian <pravb=40microsoft.com@dmarc.ietf.org>
Cc: IETF QUIC WG <quic@ietf.org>
Subject: Re: Getting to consensus on packet number encryption

    > I disagree that we need any more data for not doing PNE in the datacenter. Why would we add an extra encrypt-decrypt step for no obvious benefit?

I am concerned that people will mis-interpret the meaning of a datacenter, and think that a bunch of servers, or even a rack, in an open colo space is a "datacenter."  Computers keep getting faster.
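As an added illustration of the intra-DC selection Praveen describes (handshake RTT by default, 4-tuple filters as override) together with the load-shift concern Ted raises, here is a constructed policy function; it is not Windows' or any QUIC stack's code, and the 2 ms threshold, the filter list and the fail-closed rule are assumptions of this example.

```python
"""Constructed policy example: not Windows' or any QUIC stack's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed threshold: a handshake RTT at or below this is treated as intra-DC.
INTRA_DC_RTT_MS = 2.0


@dataclass(frozen=True)
class FourTuple:
    src: str
    dst: str
    sport: int
    dport: int


# Constructed 4-tuple filters: (src_net, dst_net, dport or None, profile).
FILTERS = [
    ("10.10.0.0/16", "10.10.0.0/16", None, "intra_dc"),
    ("10.10.0.0/16", "10.20.0.0/16", 443, "default"),  # explicit opt-out
]


def match_filter(ft: FourTuple) -> Optional[str]:
    """First filter whose networks and optional destination port match wins."""
    src, dst = ipaddress.ip_address(ft.src), ipaddress.ip_address(ft.dst)
    for src_net, dst_net, dport, profile in FILTERS:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and (dport is None or dport == ft.dport)):
            return profile
    return None


def choose_profile(ft: FourTuple, handshake_rtt_ms: float,
                   fail_closed: bool = True) -> Tuple[str, str]:
    """Return (profile, reason). 'intra_dc' selects the DC tuning (DCTCP,
    larger windows, PNE off); 'default' keeps PNE on."""
    if not ipaddress.ip_address(ft.dst).is_private:
        return "default", "peer outside private address space"
    rtt_local = handshake_rtt_ms <= INTRA_DC_RTT_MS
    profile = match_filter(ft)
    if profile == "intra_dc" and not rtt_local and fail_closed:
        # The filter says intra-DC but the path does not look like one: the
        # peer may have load-shifted to another site, so keep PNE on.
        return "default", "filter contradicted by handshake rtt"
    if profile is not None:
        return profile, "filter"
    return ("intra_dc" if rtt_local else "default"), "rtt"
```

With `fail_closed=True` a stale filter cannot switch PNE off for a peer whose handshake RTT says it is no longer nearby; with `fail_closed=False` the filter wins unconditionally, which is the "post-it" case.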