Re: a proposed way forward was Re: Spin bit decision

"Brian Trammell (IETF)" <ietf@trammell.ch> Wed, 03 October 2018 07:58 UTC

Cc: Ian Swett <ianswett=40google.com@dmarc.ietf.org>, Lars Eggert <lars@eggert.org>, IETF QUIC WG <quic@ietf.org>, Mike Bishop <mbishop@evequefou.be>, Lili Peaudchien <alexandre.ferrieux@orange.com>
To: Kazuho Oku <kazuhooku@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/_zcNTqjEk4Db_Q7hTfnSEF7ZsY4>

hi Kazuho,

> On 3 Oct 2018, at 01:31, Kazuho Oku <kazuhooku@gmail.com> wrote:
> 
> On Wed, 3 Oct 2018 at 6:11, Brian Trammell (IETF) <ietf@trammell.ch> wrote:
>> 
>> hi Ian, all,
>> 
>> Perhaps we can exploit the asymmetry inherent in QUIC (there are servers and clients), the spin bit (the server reflects, the client inverts), and the desire to participate or not (ISTM that most of the discussion we've had about opting out have focused on client opt-out, based either on the principle of the thing and/or a suspicion that the signal is useless) to resolve this discussion.
>> 
>> 
>> A proposal:
>> 
>> 1. Servers MUST reflect the spin value. Clients MAY treat an unambiguously detected non-reflected bit as a protocol error.
> 
> I oppose using MUST for the server, because some *servers* might
> not be willing to expose the path RTT, for example when they are running
> hidden behind a UDP proxy.

s/MUST/SHOULD, unless.../ is an acceptable change, as long as we have a nice tight box around the unless. The tradeoff is that every caveat we put on the server-side reduces server-side deployment, which reduces the chances that a cooperating server and a cooperating client meet up.

I'm also quite sympathetic to Marten's argument that "server" and "client" are more arbitrary in P2P situations. However, the asymmetry of the spinbit is pretty far down the list of asymmetries (stream handling, handshake, TLS certs, etc) that I'd want to see optionally addressed in a QUIC version i2 (is this the terminology we're using now?)

Backing off the MUST for now for such situations is IMO a good tradeoff, though, especially since we only need fractions of a percent of deployment to start seeing useful signal for baseline/anomaly measurement of large aggregates.

> I also do not think that maintaining the spin-bit for each
> "connection" works. My understanding is that it should be per-5-tuple
> because multiple QUIC connections can be coalesced onto a single UDP
> port on both sides, and because it is impossible for an observer to
> track the pair of CIDs identifying the same connection across CID
> changes.

Well, it should be per 5-tuple, but it should also change when CIDs change. Dumping state on any CID change is the easiest way I know to break linkability, and the most obvious way to do this when you have CID concurrency is to keep state per CID.

That might be too far into the implementation weeds for the spec though... the language needs to be clear (and clearer than in my initial proposal, which is one reason that's a list message and not a PR ;) )

> I have opened https://github.com/quicwg/base-drafts/issues/1828 to
> track the issue.

Thanks, will follow discussion there as well.

Cheers,

Brian


> 
>> 2a. Clients SHOULD invert the spin value, unless [EDNOTE: someone other than me should write convincing reasons for non-implementation here], or the client has been configured not to spin, or to use some other client behavior.
>> 
>> -OR-
>> 
>> 2b. Clients set the spin bit value as they see fit, provided that this behavior is consistent per connection ID. In order to provide RTT information to the path, clients MAY invert the spin value (per reference to a separate RFC that looks a lot like draft-tsvwg-quic=spin, to be published by QUIC, TSVWG, or IPPM).
>> 
>> 3. Servers and clients MUST NOT expose spin state from one Connection ID to another Connection ID.
>> 
>> 
>> 1 is intended to drive deployment through server defaults. Yes, one can argue that the protocol error here is artificial (and the proposal explicitly acknowledges that through the client MAY error out), but the client can always opt out by clamping to a random value per CID.
>> 
>> The 2a variant is essentially a 2119-compliant way of saying "we'd really like it if you implemented the spin bit", leaving the question of client defaults (opt in versus opt out) up to the client implementors.
>> 
>> The 2b variant is designed to allow for future or parallel client-side behaviors other than spinning to support different measurement goals. For example, using the adaptive square wave proposed for on-path loss measurement (by either Mikkel or Kazuho, I believe) at the client with server reflection would allow accumulation of loss on the upstream as well as the downstream path, as well as upstream (toward the server) RTT measurement. Obviously, the set of these deployed in the wild would have to be kept small in order to allow a measurement device to heuristically determine which signal was in use given a spinbit stream.
>> 
>> 3 prevents spin state from leaking across CIDs, reducing the (already tiny but nonzero) linkability surface.
>> 
>> (Obviously, the above needs wordsmithing, but these are the broad lines.)
>> 
>> Cheers,
>> 
>> Brian
>> 
>>> On 2 Oct 2018, at 19:13, Ian Swett <ianswett=40google.com@dmarc.ietf.org> wrote:
>>> 
>>> One piece of information related to the above discussion is whether detecting who is and is not spinning is easy and reliable.
>>> 
>>> One of my concerns is unintentional mis-use of the signal, and if it can't be detected reliably in a mixed environment, that means SHOULD is unwise and argues for either not including it or making it a MUST.
>>> 
>>> On Tue, Oct 2, 2018 at 12:51 PM Mike Bishop <mbishop@evequefou.be> wrote:
>>> I don’t think it’s a grim view, I think it’s a pragmatic view.  Our role is to specify the things which are fundamental to the protocol and have to happen for peers to interoperate.  Mis-using normative language for other things is an abuse of the process -- that's kind of the point of RFC 6919.
>>> 
>>> RFC 2119 says:
>>> 
>>> In particular, [normative language] MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmisssions)  For example, they must not be used to try to impose a particular method on implementors where the method is not required for interoperability.
>>> 
>>> Given that the spin bit is not “actually required for interoperation,” but is the very definition of “try to impose a particular method on implementors,” I’d say that RFC 2119 imperatives are unwarranted.
>>> 
>>> -----Original Message-----
>>> From: QUIC <quic-bounces@ietf.org> On Behalf Of alexandre.ferrieux@orange.com
>>> Sent: Tuesday, October 2, 2018 8:05 AM
>>> To: Lars Eggert <lars@eggert.org>
>>> Cc: IETF QUIC WG <quic@ietf.org>
>>> Subject: Re: Spin bit decision
>>> 
>>> On 10/02/18 16:00, Lars Eggert wrote:
>>>> 
>>>> The point I can't seem to be getting across is that irrespective of
>>>> what the WG decides to require, there is no penalty for individual
>>>> stacks at deployment time (or after) to do whatever they wish, since
>>>> the spin bit by design has no impact on protocol operation and interop.
>>> 
>>> It is getting across, but it is a very grim view of the standardization process itself. Are there many examples of MUST in RFCs that turned out to be ignored by implementations just because they were not part of the core semantics and hence not enforced by other peers?
>> 
> 
> 
> --
> Kazuho Oku
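
The behaviour discussed in this thread (server reflects, client inverts, state kept per CID, opt-out by clamping to a random value per CID), as an added example that is not part of the original messages or of any QUIC implementation. The `Endpoint` class, the `observe` function, the CID strings and the one-packet-per-tick traffic are hypothetical, and a single CID key stands in for both directions of a flow.

```python
import secrets

class Endpoint:
    """Spin-bit state kept per connection ID (CID); a hypothetical model."""
    def __init__(self, role, spin=True):
        self.role, self.spin, self.by_cid = role, spin, {}

    def _state(self, cid):
        if cid not in self.by_cid:
            # Item 3: a new CID starts from fresh state, nothing is copied over.
            # A non-spinning client clamps to one random value per CID.
            first = 0 if self.spin else secrets.randbits(1)
            self.by_cid[cid] = {"max_pn": -1, "bit": first}
        return self.by_cid[cid]

    def receive(self, cid, pn, bit):
        st = self._state(cid)
        if pn <= st["max_pn"]:
            return                      # ignore reordered packets
        st["max_pn"] = pn
        if self.role == "server":
            st["bit"] = bit             # item 1: server reflects
        elif self.spin:
            st["bit"] = bit ^ 1         # item 2a: client inverts

    def send(self, cid):
        return self._state(cid)["bit"]

def observe(client, server, cid, delay, ticks):
    """Run one flow and return the spacing between spin edges that an on-path
    observer sees client-to-server (constructed traffic, one packet per tick)."""
    to_server, to_client, edges, last = {}, {}, [], None
    for t in range(ticks):
        if t in to_client:
            client.receive(cid, *to_client.pop(t))
        if t in to_server:
            server.receive(cid, *to_server.pop(t))
        bit = client.send(cid)
        if last is not None and bit != last:
            edges.append(t)             # observer notes each spin edge
        last = bit
        to_server[t + delay] = (t, bit)
        to_client[t + delay] = (t, server.send(cid))
    return [b - a for a, b in zip(edges, edges[1:])]
```

With a one-way delay of 5 ticks the edge spacing is 10 ticks, one RTT; a client created with `spin=False` produces no edges, so the observer gets no RTT samples from that flow.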