IETF Logo Mail Archive

Reducing ossification through protocol design (was Re: Packet number encryption)

"Brian Trammell (IETF)" <ietf@trammell.ch> Sun, 04 February 2018 21:31 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5B53129516 for <quic@ietfa.amsl.com>; Sun, 4 Feb 2018 13:31:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uQRH9Z00klFV for <quic@ietfa.amsl.com>; Sun, 4 Feb 2018 13:31:28 -0800 (PST)
Received: from gozo.iway.ch (gozo.iway.ch [212.25.24.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4207126DCA for <quic@ietf.org>; Sun, 4 Feb 2018 13:31:27 -0800 (PST)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 6DE42340552; Sun, 4 Feb 2018 22:31:26 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/6597.29361); Sun, 4 Feb 2018 22:31:26 +0100 (CET)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Sun, 4 Feb 2018 22:31:26 +0100 (CET)
Received: from [145.14.214.39] (account ietf@trammell.ch HELO [10.11.33.5]) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 44292559; Sun, 04 Feb 2018 22:31:26 +0100
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
Message-Id: <F9D94BFE-3DAE-493D-BC06-F88B417C70F4@trammell.ch>
Content-Type: multipart/signed; boundary="Apple-Mail=_D820FCF1-0160-46B5-B0F0-B1FE6731A040"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Subject: Reducing ossification through protocol design (was Re: Packet number encryption)
Date: Sun, 04 Feb 2018 22:31:26 +0100
In-Reply-To: <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com>
Cc: QUIC WG <quic@ietf.org>
To: Roberto Peon <fenix@fb.com>
References: <CABkgnnVyo3MmWtVULiV=FJTnR528qfY8-OmKGWAs0bCvri-a_g@mail.gmail.com> <1F7FB3B8-A94C-4354-9944-FB09FB8DB68B@trammell.ch> <CABcZeBMbwdwyC9TxxHBLYaZKfNB-FG2wCGjqUZ_mNR-A1R47FA@mail.gmail.com> <9096e5ec-581e-875a-b1dd-bff0b05206fd@huitema.net> <CABkgnnWRQSAufwPss+qf=xAzCwRYeNNH8XLPm3yFaHxOb+ba4g@mail.gmail.com> <BF80500A-6277-45DC-8525-9C3FE138B76D@tik.ee.ethz.ch> <5A7191E0.6010003@erg.abdn.ac.uk> <5214AD93-8376-4B25-922F-AF5551CC2E95@netapp.com> <F990E064-E6F8-41A3-B791-F776C9955E15@nokia.com> <CAGD1bZab0GaZFsHwC+nw3AxxC4VusxMJ6oDanzk3dSDdWKAXdw@mail.gmail.com> <2C515BE8694C6F4B9B6A578BCAC32E2F83BA1443@MBX021-W3-CA-2.exch021.domain.local> <BY2PR15MB07757473DB9788558B902EB5CDF80@BY2PR15MB0775.namprd15.prod.outlook.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/Yxu6I27tR143NHtThvKBZVDIMeE>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Feb 2018 21:31:30 -0000

hi Roberto, all,

(trimming CC, forking thread, since this *really* is separate from the question of packet number encryption.)

> On 3 Feb 2018, at 19:37, Roberto Peon <fenix@fb.com> wrote:
> 
> Ossification:
> In the past tcp middleboxes expected in-order, monotonically increasing offsets and tried to fix reordering before forwarding. This middlebox behavior, predicated on observable flows, prevented deployment of things which would have made tcp more efficient.
> 
>  This is the kind of non-theoretical ossification that drove the creation of QUIC in the first place.

This becomes more theoretical when you apply observations about TCP to QUIC:

(1) Sequence numbering in TCP is far more broken than packet numbering (encrypted or not) ever could be, simply because it's not end-to-end integrity protected. The first deployed sequence number meddling boxes, IIRC, were designed to randomize ISNs (i.e., rewrite them), since stacks that did so were slow to deploy. PN rewriting is not only useless in QUIC, it'll break the connection.

(2) Many TCP stacks actually had (and some have) crap performance under certain reordering patterns, such that the deployment of a middlebox that did "fix" reordered packets would have had measurable benefits when tested against the stacks prevalent on the networks on which they were deployed at the time they were deployed. A QUIC PN-reordering middlebox would not show any such benefit, and would be correspondingly difficult to sell.

(3) The time to "path interference decay" for the TCP sequence number was years. Yes, things move more quickly now (indeed, as evidenced by experience with GUIC), but unless we intend not to deploy QUIC version 2 rapidly on the heels of QUIC version 1, I would submit that there's still time to revise everything not in the invariants. (And, indeed, if we do *not* intend to deploy QUIC version 2 rapidly on the heels of QUIC version 1, i.e., not until the "path interference decay" time, then this entire exercise is academic and we can all go home, because the version negotiation mechanism will ossify, greasing or not.)

I think we need to take a step back and take a more systematic view toward ossification prevention.

Greasing, in the TLS sense, refers to not allowing extensibility codepoints to have a single value or set of values that can be used for traffic classification and/or bad traffic rejection by a naive device on the path. This is useful when you're trying to keep parts of the codepoint space available for future use, but the design of QUIC is such that the set of codepoints *in the wire image* is completely determined by the negotiated version; i.e., adding a new packet type to the QUIC long header would require a new version. Therefore, protecting the version negotiation mechanism itself is necessary and sufficient to prevent the wire image from ossifying.

This points the way to an alternate approach which will free us from having to have the ossification discussion about every single bit in the Version 1 header. Early and meaningful exercise of the version negotiation mechanism, with at least two versions whose wire images have *only* our intended invariants in common, is far superior to greasing the version codepoints as a method to protect the version negotiation mechanism. Greasing is a way to "fake" agility when you don't have any real agility yet -- but we're designing a protocol with real agility, with a version negotiation mechanism based at least in its core operation on GUIC's mechanism -- i.e., on one which we know at least one deployer of the protocol has used successfully multiple times.

Greasing is still useful for fields in the invariants that have static values for codepoints we might want to use in the future -- but the greasing space should cover the whole codepoint space in these cases, since post VN we know which values are grease.

(The PN encryption question is separate. The fundamental question here is "should the path see the PN?"... before Melbourne, the answer was "it doesn't matter because we haven't figured out a scalable way to do that". Now the answer is "probably not the whole PN, but the bottom N bits seem quite useful for maintaining TCP-equivalent measurability for the protocol, with a linear linkability risk / measurement utility tradeoff depending on N." Those N bits ossify only if Version 1 is the only QUIC version for the foreseeable future, or if we put them at the same observable offset in the Version 2 header.)

Cheers,

Brian

v2.23.0 | Report a Bug | By Email