IETF Logo Mail Archive

Re: Is "Version Greasing" a new benfit or a new obstacle?

"Gorry (erg)" <gorry@erg.abdn.ac.uk> Wed, 10 April 2019 18:14 UTC

Return-Path: <gorry@erg.abdn.ac.uk>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 365DA12030E for <quic@ietfa.amsl.com>; Wed, 10 Apr 2019 11:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id poTQZUnhS0-2 for <quic@ietfa.amsl.com>; Wed, 10 Apr 2019 11:14:01 -0700 (PDT)
Received: from pegasus.erg.abdn.ac.uk (pegasus.erg.abdn.ac.uk [IPv6:2001:630:42:150::2]) by ietfa.amsl.com (Postfix) with ESMTP id AFB2E12004E for <quic@ietf.org>; Wed, 10 Apr 2019 11:14:00 -0700 (PDT)
Received: from [172.21.29.146] (unknown [152.71.207.141]) by pegasus.erg.abdn.ac.uk (Postfix) with ESMTPSA id 6F21D1B001BF; Wed, 10 Apr 2019 19:13:54 +0100 (BST)
Content-Type: multipart/alternative; boundary="Apple-Mail-04D40974-1936-4AF3-BF1C-FBA4C2B4A6FE"
Mime-Version: 1.0 (1.0)
Subject: Re: Is "Version Greasing" a new benfit or a new obstacle?
From: "Gorry (erg)" <gorry@erg.abdn.ac.uk>
X-Mailer: iPhone Mail (16D57)
In-Reply-To: <CAN1APdcm0hnT_Mu7D7x5QM6pApOQw1RdWCBkgY16bd5YWNtFkA@mail.gmail.com>
Date: Wed, 10 Apr 2019 19:13:52 +0100
Cc: "Border, John" <john.border@hughes.com>, Roberto Peon <fenix@fb.com>, "quic@ietf.org" <quic@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <9084B09D-5E13-49FA-BA93-0D7276CDE420@erg.abdn.ac.uk>
References: <5CADADDD.7010005@erg.abdn.ac.uk> <EBF1BF30-62A5-4659-8AEC-0D5B3F2D65C6@fb.com> <BL0PR11MB3394294313F8F54A3D0CF4A3902E0@BL0PR11MB3394.namprd11.prod.outlook.com> <CAN1APdcm0hnT_Mu7D7x5QM6pApOQw1RdWCBkgY16bd5YWNtFkA@mail.gmail.com>
To: Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/VyaIqCMAdAZ7RCsWKUSHhazoTQY>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 18:14:04 -0000

Thanks Mikkel, I do understand that various actors intentionally drop - but are you saying these actors would specifically choose to block a new version of QUIC ...  I do not understand that assertion.

Gorry

> On 10 Apr 2019, at 18:25, Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> wrote:
> 
> China blocks as a rule.
> Russia is running an experiment to block the rest of the internet.
> USA blocks net neutrality.
> EU blocks cookies.
> GB blocks itself.
> 
> So blocking is not limited to what an operator considers best for business.
> 
> 
>> On 10 April 2019 at 18.59.15, Border, John (john.border@hughes.com) wrote:
>> 
>> 
>> I understand why people want to come down on the side of preventing ossification. But, things have changed. There are a lot of more negative consequences now when people unnecessarily block things. I think operators would put a lot of pressure on vendors to not do it now and to fix it if they did "by accident". Of course, I am only one operator. It would be nice to hear from others... 
>> 
>> 
>> 
>> John 
>> 
>> 
>> -----Original Message----- 
>> From: QUIC <quic-bounces@ietf.org> On Behalf Of Roberto Peon 
>> Sent: Wednesday, April 10, 2019 12:52 PM 
>> To: G Fairhurst <gorry@erg.abdn.ac.uk>; quic@ietf.org 
>> Subject: Re: Is "Version Greasing" a new benfit or a new obstacle? 
>> 
>> WARNING: The sender of this email could not be validated and may not match the person in the "From" field. 
>> 
>> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. 
>> 
>> 
>> You're kinda between a rock-and-a-hard-place either way: 
>> 
>> - We've seen how much fun ossification is in TCP and HTTP. If the thing is observable, it will be ossified seems to be the lesson. A lot of the reason why QUIC was started in the first place was because of the inability to improve TCP due to this ossification. 
>> - OTOH, there is the fear of unknown/unobservable which might cause operators to block things, whether predictably or not. 
>> 
>> My opinion is that it is better to start with preventing ossification, and then if that results in too large a percentage of operators blocking things, to re-evaluate. 
>> 
>> My guesses: 
>> IP+port tuples and traffic patterns are still observable (for better and worse), which implies operators will still have significant tools for managing traffic. I believe that these are acted on/matched (ML or not) regardless of any other data presented. In other words, I have a doubt that stating the version in an observable way will prevent the use of such tools. 
>> 
>> Most problems I've seen associated with implementations rather than protocol versions (though when the latter happens it is pretty severe). If you believe this assertion, then acting on protocol version is less interesting than attempting to act based on implementation fingerprints. 
>> -=R 
>> 
>> 
>> On 4/10/19, 1:48 AM, "QUIC on behalf of G Fairhurst" <quic-bounces@ietf.org on behalf of gorry@erg.abdn.ac.uk> wrote: 
>> 
>> Obscuring the version of a protocol seems like a major design design 
>> decision for wider use cases. So, I'm trying to understand the 
>> motivation for version greasing. 
>> 
>> (1) I know there were instances where some early versions of QUIC were 
>> blocked due to an uninitentional matching of the header. Is there 
>> evidence of intentional attempts to block updates to protocols? 
>> 
>> (2) Thinking about operating a network that cares about user support and 
>> protection from unwanted traffic, I would expect that there would be 
>> cases where traffic pattern anomolies are found and the appropriate 
>> thing would be to try to determine if a new protocol had been deployed 
>> and monitor it, if not, then the next most obvious thing could be to 
>> block all unexpected traffic, that seems like a decision to hide the 
>> version could increase ossification for new versions in these cases. 
>> 
>> (3) Similarly, if a threat is known to impact only a specific (older) 
>> version, it would seem to motivate a drop of that traffic that seeks to 
>> use that version, while still permitting other traffic. Forcing version 
>> detection to use pattern matching/ML will lead to less predictable 
>> outcomes, or blocking based on address, etc. 
>> 
>> (4) This obfusticates the most basic piece of reporting information used 
>> for support. It hides the extent of deployment of the current protocol 
>> version and prevlance of old implementations. 
>> 
>> (5) On the support, if a problem only emerges when a particular version 
>> is used with a particular address, then this helps pinpoint the issues. 
>> Matching client versions to servers is much more of an issue if the user 
>> community uses a wide range of servers (less so, I expect for major 
>> providers: google, facebook, etc, etc), but significant when there is a 
>> use of a diverse set of external sites and sites with their own load 
>> balancers, etc and a need to manage interactions with L2 services. 
>> 
>> I am intersted in knowing if this is likely to benefit or be a new obstacle? 
>> 
>> Gorry 
>> 
>> 
>>

v2.23.0 | Report a Bug | By Email