Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Subject: Re: Is "Version Greasing" a new benfit or a new obstacle?
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
In-Reply-To: <5CB1C214.4030501@erg.abdn.ac.uk>
Date: Mon, 15 Apr 2019 11:19:48 +0200
Cc: Roberto Peon <fenix@fb.com>, Praveen Balasubramanian <pravb@microsoft.com>,
 Ian Swett <ianswett@google.com>, Christian Huitema <huitema@huitema.net>,
 Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>,
 =?utf-8?Q?Mikkel_Fahn=C3=B8e_J=C3=B8rgensen?= <mikkelfj@gmail.com>,
 "quic@ietf.org" <quic@ietf.org>, "Border, John" <john.border@hughes.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F82FCD62-8FE3-49AC-A449-6109735BFA88@trammell.ch>
References: <5CADADDD.7010005@erg.abdn.ac.uk>
 <EBF1BF30-62A5-4659-8AEC-0D5B3F2D65C6@fb.com>
 <BL0PR11MB3394294313F8F54A3D0CF4A3902E0@BL0PR11MB3394.namprd11.prod.outlook.com>
 <CAN1APdcm0hnT_Mu7D7x5QM6pApOQw1RdWCBkgY16bd5YWNtFkA@mail.gmail.com>
 <9084B09D-5E13-49FA-BA93-0D7276CDE420@erg.abdn.ac.uk>
 <CAN1APdeSF0-_N=mb1xkoe_qLwoVqP+X9_Wawi=Zu__6wdHtbOQ@mail.gmail.com>
 <699E2135-A3CE-4D33-91F6-D3C96E66674F@ericsson.com>
 <CAN1APde2SO6fkNzyznbv2-xNuXkkuC=bN3p8xRgwmRAmsZxrgA@mail.gmail.com>
 <MW2PR2101MB104902B6BC7C67D8688EA852B6280@MW2PR2101MB1049.namprd21.prod.outlook.com>
 <MW2PR2101MB104996C29680DF7B79230C8CB6280@MW2PR2101MB1049.namprd21.prod.outlook.com>
 <CAKcm_gMwcwZ0VzK4vDt-sCQctHVrwOm9ekPPi3O3Y2UnRrZaBw@mail.gmail.com>
 <02f27c4e-2d1e-29ab-6891-236442436a3c@huitema.net>
 <9C6D92FF-7635-48BD-A65B-FAB4B544476D@fb.com>
 <MW2PR2101MB10498605DC0F1FC3905865F4B6280@MW2PR2101MB1049.namprd21.prod.outlook.com>
 <BDEE786D-9CCE-457F-946A-8CC195E3CDA8@fb.com>
 <5CB1C214.4030501@erg.abdn.ac.uk>
To: G Fairhurst <gorry@erg.abdn.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/QsSsOwxq7iabhaa3tqIncsJn9P0>
Precedence: list

hi Gorry, all,

> On 13 Apr 2019, at 13:03, G Fairhurst <gorry@erg.abdn.ac.uk> wrote:
>=20
> Bringing this thread back - to me it seems there has been lots of =
discussion about how "version greasing" can be added in various ways, =
and very little on what makes this necessary and worth the impact on the =
network.
>=20
> I still don't do not see that the side effects are worse when the =
protocol requires the version to be unobfusticated (as in most other =
IETF transport protocols).

+1. I continue to be confused about the amount of effort we're =
apparently willing to put into version negotiation protection of a =
protocol that is *explicitly* designed to be blockable outright (by =
virtue of the TCP fallback requirement). I haven't seen anything in this =
thread, or any of these discussions preceding it on this subject, that =
indicates that the actual risk of harm with respect to version blocking =
is discernibly worse (or even discernibly different) than the risk of =
harm with respect to blocking of the entire protocol regardless of =
version.=20

I can see two reasons a version negotiation process could get blocked in =
the network:


(1) As an explicit choice by a traffic inspection function that it must =
have a specific version (or versions) of a protocol because it inspects =
information only available in that version of the wire image.

Note that QUIC is different from all other situations from which we =
could derive experience, since there simply isn't that much wire image =
for an inspection function to grab on to, and I can't imagine a future =
in which a future version would omit information it'd be worth blocking =
the version over (as opposed to all of QUIC, forcing TCP). Indeed, note =
that we made the latency spin bit probabilistic, as opposed to =
negotiated, in part to remove a potential incentive to ossify version =
negotiation.

It's possible that a device might want to block non-V1 versions because =
the handshake protection keys are hardcoded into the device. I'm not =
sure I see how dynamic aliasing could be reliably made to address this =
problem, though publishing v1 with N aliases (i.e. static aliasing) with =
different keys would at least ensure that devices with only one key slot =
don't work.


(2) As an overcorrection by a traffic inspection function that mistakes =
thinks that a particular sequence of version negotiation packets is a =
protocol identifier.

As I see it, the current version negotiation proposals only make this =
worse, not better, by creating a semantically indistinguishable set of =
aliases for the same operation. This problem could be nicely sidestepped =
by punting version negotiation into the future.

Cheers,

Brian


> Gorry
>=20
>=20
> On 12/04/2019, 17:41, Roberto Peon wrote:
>>=20
>> I=E2=80=99m not sure that I agree there=E2=80=94there is no need to =
have it standardized so long as the LB is involved in picking it. Each =
LB system can choose whatever it wants. Thus, every LB **deployment** =
could use a different scheme with different grease. Every LB deployment =
could change the scheme it uses pseudo-randomly or according to the =
lunar calendar, etc.
>>=20
>> Because there is a dynamic (and controlling) component (namely the =
part of the LB system which vends and then later routes CIDs), there is =
no need for anything else.
>>=20
>> -=3DR
>>=20
>> *From: *Praveen Balasubramanian <pravb@microsoft.com>
>> *Date: *Friday, April 12, 2019 at 9:28 AM
>> *To: *Roberto Peon <fenix@fb.com>, Christian Huitema =
<huitema@huitema.net>, Ian Swett <ianswett@google.com>
>> *Cc: *"Gorry (erg)" <gorry@erg.abdn.ac.uk>, Mirja Kuehlewind =
<mirja.kuehlewind@ericsson.com>, Mikkel Fahn=C3=B8e J=C3=B8rgensen =
<mikkelfj@gmail.com>, "quic@ietf.org" <quic@ietf.org>, "Border, John" =
<john.border@hughes.com>
>> *Subject: *RE: Is "Version Greasing" a new benfit or a new obstacle?
>>=20
>> Re. Encoding in CID. Then it needs to be standardized and if it is =
standardized what=E2=80=99s the point in greasing? Let=E2=80=99s not =
ignore the smaller services who use the cloud i.e. people deploying say =
NGINX web servers in AWS, Azure or GCP. Not every QUIC deployment is a =
large first party service which controls all aspects how LB and DDoS are =
done. In public clouds LB and DDoS protection are network functions =
(services) and are middleboxes under a completely different =
administrative domain.
>>=20
>> Christian, this is about source address validation by the middlebox. =
This is how it works for TCP (think SYN cookies) and we need to have =
parity for QUIC. When under attack, short header packets will be dropped =
for addresses that have not been validated, but this is the same for =
non-SYN packets for TCP. I don=E2=80=99t understand how invariants can =
be used here. If we don=E2=80=99t have parity for DoS protection in =
network then QUIC traffic will be rate limited which is going to be =
really bad for performance. FWIW there is already DoS traffic that looks =
like QUIC.
>>=20
>> *From:* Roberto Peon <fenix@fb.com>
>> *Sent:* Friday, April 12, 2019 9:16 AM
>> *To:* Christian Huitema <huitema@huitema.net>; Ian Swett =
<ianswett@google.com>; Praveen Balasubramanian <pravb@microsoft.com>
>> *Cc:* Gorry (erg) <gorry@erg.abdn.ac.uk>; Mirja Kuehlewind =
<mirja.kuehlewind@ericsson.com>; Mikkel Fahn=C3=B8e J=C3=B8rgensen =
<mikkelfj@gmail.com>; quic@ietf.org; Border, John =
<john.border@hughes.com>
>> *Subject:* Re: Is "Version Greasing" a new benfit or a new obstacle?
>>=20
>> For any large deployment, I suspect they=E2=80=99ll need LB.
>>=20
>> For most kinds of LB-ing, I=E2=80=99d expect the LB system to either =
directly or indirectly be involved in choosing/vending connection IDs.
>>=20
>> If it is involved in vending/choosing connection IDs, it can encode =
version information into the CID.
>>=20
>> -=3DR
>>=20
>> *From: *Christian Huitema <huitema@huitema.net =
<mailto:huitema@huitema.net><mailto:huitema@huitema.net =
<mailto:huitema@huitema.net>>>
>> *Date: *Friday, April 12, 2019 at 9:13 AM
>> *To: *Ian Swett <ianswett=3D40google.com@dmarc.ietf.org =
<mailto:ianswett=3D40google.com@dmarc.ietf.org><mailto:ianswett=3D40google=
.com@dmarc.ietf.org <mailto:ianswett=3D40google.com@dmarc.ietf.org>>>, =
Praveen Balasubramanian <pravb=3D40microsoft.com@dmarc.ietf.org =
<mailto:pravb=3D40microsoft.com@dmarc.ietf.org><mailto:pravb=3D40microsoft=
.com@dmarc.ietf.org <mailto:pravb=3D40microsoft.com@dmarc.ietf.org>>>
>> *Cc: *"Gorry (erg)" <gorry@erg.abdn.ac.uk =
<mailto:gorry@erg.abdn.ac.uk><mailto:gorry@erg.abdn.ac.uk =
<mailto:gorry@erg.abdn.ac.uk>>>, Roberto Peon <fenix@fb.com =
<mailto:fenix@fb.com><mailto:fenix@fb.com <mailto:fenix@fb.com>>>, Mirja =
Kuehlewind <mirja.kuehlewind@ericsson.com =
<mailto:mirja.kuehlewind@ericsson.com><mailto:mirja.kuehlewind@ericsson.co=
m <mailto:mirja.kuehlewind@ericsson.com>>>, Mikkel Fahn=C3=B8e =
J=C3=B8rgensen <mikkelfj@gmail.com =
<mailto:mikkelfj@gmail.com><mailto:mikkelfj@gmail.com =
<mailto:mikkelfj@gmail.com>>>, "quic@ietf.org <mailto:quic@ietf.org> =
<mailto:quic@ietf.org <mailto:quic@ietf.org>>" <quic@ietf.org =
<mailto:quic@ietf.org><mailto:quic@ietf.org <mailto:quic@ietf.org>>>, =
"Border, John" <john.border@hughes.com =
<mailto:john.border@hughes.com><mailto:john.border@hughes.com =
<mailto:john.border@hughes.com>>>
>> *Subject: *Re: Is "Version Greasing" a new benfit or a new obstacle?
>>=20
>> On 4/12/2019 8:57 AM, Ian Swett wrote:
>>=20
>>    *From:* Praveen Balasubramanian
>>    *...*
>>=20
>>    Version greasing will create problems for DDoS protection. The
>>    DDoS protection middlebox will have to treat all traffic with
>>    unknown version numbers as plain old QUIC and rate limit it. Any
>>    solution that requires per connection state to track version
>>    numbers doesn=E2=80=99t scale. Especially in the cloud scenario =
customers
>>    bring their own web servers so this makes any opt-out solution not
>>    good enough. So I do think this is an obstacle for many =
deployments.
>>=20
>> Don't we have an example of middle-box ossification just there?
>>=20
>> Praveen's example points to the perils of the "shortest path" =
approach to middle-box design. Taking the shortest path means finding =
something that works now, and once you have found it deploy it without =
worry about consequences -- which very often include ossification. If =
the DDOS protection box looks for "QUIC versions that it knows" and just =
rate limits the other types of packets, then the box will by design =
prevent deployment of versions that it does not know.
>>=20
>> I assume that big organizations like Azure will update their =
protections once a new version is out, but the experience shows that =
many other organizations don't. And even when they do, the focus on =
published versions will block experimenting with new versions, not to =
mention interfering with other features like connection migration. I =
take Praveen's example as an argument why we should in fact standardize =
version greasing, precisely to avoid this "shortest path middle-box =
design".
>>=20
>> In the case of DDOS protection, I will point out that DDOS protection =
also needs to work with short header packets, which do not carry any =
version number. In order to avoid DDOS by short header packets, the =
boxes have to be able to distinguish between packets that belong to =
authorized connections and packets that don't. And if you do that, then =
you don't really need to look at the version numbers, you can simply =
rely on the invariants.
>>=20
>> -- Christian Huitema