Re: Spin bit as a negotiated option

[<alexandre.ferrieux@orange.com>]

As Kazuho reminded, the aim is to fight ossification by having a wealth of 
different versions around from the beginning. Typically, each major server would 
choose its QUIC implementation and supported versions. So, an active middlebox 
that would block traffic on these grounds would instantly break access to a 
major application or content provider. No sane operator would tolerate that for 
more than an hour.

On 10/05/18 12:33, Marten Seemann wrote:
> The problem with using a specific version for implementations that use and 
> don’t use the spin bit is that middleboxes can effectively enforce usage of 
> the spin bit version by blackholing every packet advertising a version that 
> doesn’t use the spin bit. If only a few middleboxes do that, this would force 
> *all* implementations to avoid these versions.
> Implementations that don’t want to expose their RTT would then have to 
> negotiate a version that is supposed to use the spin bit, but then grease the 
> corresponding bits in order to preserve their privacy. Of course, this would 
> only work if the peer doesn’t enforce compliance. Otherwise, we’ll end up in a 
> world where it’s basically impossible to opt-out of the spin-bit.
>
> On Fri, Oct 5, 2018 at 12:15 Marcus Ihlar <marcus.ihlar@ericsson.com 
> <mailto:marcus.ihlar@ericsson.com>> wrote:
>
>     Hi,
>     I like this approach since it allows us to disregard non-spinning flows by
>     simply observing the initial handshake. This saves us quite some work.
>     On the heuristics part, we cannot get away from it, even if we see the
>     spin version in the initial handshake as there´s no guarantee that an
>     endpoint will set the bit properly anyway.
>     However, for the version where the intent to use spinbit is explicit it
>     actually makes sense for an endpoint to treat non-participating behavior
>     as a protocol error.
>
>     Marcus
>
>     -----Original Message-----
>     From: QUIC <quic-bounces@ietf.org <mailto:quic-bounces@ietf.org>> On
>     Behalf Of Mike Bishop
>     Sent: den 5 oktober 2018 00:40
>     To: alexandre.ferrieux@orange.com <mailto:alexandre.ferrieux@orange.com>;
>     Kazuho Oku <kazuhooku@gmail.com <mailto:kazuhooku@gmail.com>>
>     Cc: Brian Trammell <ietf@trammell.ch <mailto:ietf@trammell.ch>>; IETF QUIC
>     WG <quic@ietf.org <mailto:quic@ietf.org>>; Christian Huitema
>     <huitema@huitema.net <mailto:huitema@huitema.net>>
>     Subject: RE: Spin bit as a negotiated option
>
>     So long as this is the only thing being negotiated, it's not too bad.  If
>     we want to negotiate other things, it quickly gets out of hand.  One could
>     plausibly argue that the spin bit is special in that we actually want
>     parties observing the transaction to understand which option has been
>     selected.
>
>     It's important to remember, though, that this is information you get only
>     at the beginning of a new connection.  If there's migration or NAT
>     rebinding, it's not guaranteed (and in fact, not intended) than you can
>     correlate it back to a particular previous handshake.  You'll still either
>     need heuristics to identify whether the spin bit is actually in use, or
>     you'll need to ignore any traffic for which you didn't see the handshake.
>
>     -----Original Message-----
>     From: QUIC <quic-bounces@ietf.org <mailto:quic-bounces@ietf.org>> On
>     Behalf Of alexandre.ferrieux@orange.com <mailto:alexandre.ferrieux@orange.com>
>     Sent: Thursday, October 4, 2018 3:47 AM
>     To: Kazuho Oku <kazuhooku@gmail.com <mailto:kazuhooku@gmail.com>>
>     Cc: Brian Trammell <ietf@trammell.ch <mailto:ietf@trammell.ch>>; IETF QUIC
>     WG <quic@ietf.org <mailto:quic@ietf.org>>; Christian Huitema
>     <huitema@huitema.net <mailto:huitema@huitema.net>>
>     Subject: Re: Spin bit as a negotiated option
>
>     Thanks Kazuho. Using version numbers directly was an obvious choice, but
>     so far I was discouraged by strong language in the spec, saying 0x00000001
>     was the unavoidable point of convergence after all 0xFF0000XX experiments.
>     So in essence you're proposing to weaken that a bit, right ?
>
>     If so, how do you envision segmenting the version number space ?
>
>       - direct enumeration:
>
>             0x00000001 = v1dry
>             0x00000002 = v1 + spinbit
>             0x00000003 = v1 + spinbit + VEC
>
>       - low order bits for options:
>
>             0x000001XX = v1 + option XX
>             0x000002YY = v2 + option YY
>
>     Also, are we sure that this explosion won't weigh on the new VN scheme,
>     inducing slower convergence due to longer lists on either side ?
>
>     On 10/04/18 11:50, Kazuho Oku wrote:
>     > Hi,
>     >
>     > Thank you for starting the discussion specific to how we could
>     > possibly negotiate the use of spin bits.
>     >
>     > Regarding the topic, my preference goes to using the version number
>     > field of the long header for negotiating the presence of spin bits, or
>     > any additional signal being exposed to the network.
>     >
>     > For example, QUICv1 without spin bit could use version 0x101, and v1
>     > with spin bit could use 0x102. In the future, we can assign a
>     > different version number for QUICv1 with multiple spin + VEC (or
>     > people interested in testing the feature can designate a private
>     > version number even before that).
>     >
>     > I see the following benefits to using the version field as a method to
>     > negotiate the use of spin bits.
>     >
>     > 1. One of the concern regarding spin bits has been that they could
>     > lead to ossification. Spin bits are not part of the Invariants, but if
>     > the observation tools start looking at those bits without checking the
>     > version number field, we will have the pressure to not change how the
>     > bits are used. Using the version number to indicate the presence of
>     > spin bits is the best approach to resolve such concern.
>     >
>     > 2. We have hoped to roll out multiple versions of QUIC in a small
>     > interval so that the version number field does not get ossified. The
>     > best solution is obviously to roll out two flavors of the protocol
>     > that uses different version numbers at the same time. We will have a
>     > real-world use of version negotiation from day one, because we are in
>     > a condition where implementors have different opinions on if they
>     > should support spin bit :-)
>     >
>     > The blocker to this approach has been version negotiation requiring an
>     > additional round-trip, but that is going to be resolved by #1755.
>     >
>     > 2018年10月3日(水) 19:06 <alexandre.ferrieux@orange.com
>     <mailto:alexandre.ferrieux@orange.com>>:
>     >>
>     >> On 10/03/18 09:58, Brian Trammell (IETF) wrote:
>     >> > Backing off the MUST for now for such situations is IMO a good
>     >> > tradeoff, though, especially since we only need fractions of a
>     >> > percent of deployment to start seeing useful signal for
>     >> > baseline/anomaly measurement of large aggregates.
>     >>
>     >> If the consensus is that we must allow for such situations, then
>     >> there are two
>     >> possibilities:
>     >>
>     >>   (a) weak spec language (MAY WISH TO or similar) => many
>     >> implementations will simply drop it
>     >>
>     >>   (b) negotiated option where the negotiation mechanism is mandatory
>     >>
>     >> In the vein of (b), Christian suggested offline to introduce
>     >> negotiation to allow for experimentation of the remaining two
>     >> reserved bits. Then may be we can synthesize both ideas by the
>     following proposal:
>     >>
>     >>   - in the first few exchanges of the 5-tuple, use the three bits for
>     >> option negotiation
>     >>
>     >>   - then use them as defined by the selected option
>     >>
>     >> Example encodings:
>     >>
>     >>   000 : nothing
>     >>   001 : spin bit alone : S00
>     >>   010 : spin bit + VEC : SVV
>     >>   ... : other extensions
>     >>
>     >> The negotiation mechanism allows both endpoints to force 000.
>     >> And since it is in the clear first byte, it allows on-path observers
>     >> to identify the option without resorting to heuristics; this helps in
>     >> the case of a small support ratio.
>     >>
>     >>
>     >>
>     >>
>     >> _____________________________________________________________________
>     >> ____________________________________________________
>     >>
>     >> Ce message et ses pieces jointes peuvent contenir des informations
>     >> confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
>     >> exploites ou copies sans autorisation. Si vous avez recu ce message
>     >> par erreur, veuillez le signaler a l'expediteur et le detruire ainsi
>     que les pieces jointes. Les messages electroniques etant susceptibles
>     d'alteration, Orange decline toute responsabilite si ce message a ete
>     altere, deforme ou falsifie. Merci.
>     >>
>     >> This message and its attachments may contain confidential or
>     >> privileged information that may be protected by law; they should not be
>     distributed, used or copied without authorisation.
>     >> If you have received this email in error, please notify the sender and
>     delete this message and its attachments.
>     >> As emails may be altered, Orange is not liable for messages that have
>     been modified, changed or falsified.
>     >> Thank you.
>     >>
>     >
>     >
>
>
>
>     _________________________________________________________________________________________________________________________
>
>     Ce message et ses pieces jointes peuvent contenir des informations
>     confidentielles ou privilegiees et ne doivent donc pas etre diffuses,
>     exploites ou copies sans autorisation. Si vous avez recu ce message par
>     erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les
>     pieces jointes. Les messages electroniques etant susceptibles
>     d'alteration, Orange decline toute responsabilite si ce message a ete
>     altere, deforme ou falsifie. Merci.
>
>     This message and its attachments may contain confidential or privileged
>     information that may be protected by law; they should not be distributed,
>     used or copied without authorisation.
>     If you have received this email in error, please notify the sender and
>     delete this message and its attachments.
>     As emails may be altered, Orange is not liable for messages that have been
>     modified, changed or falsified.
>     Thank you.
>


_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.