Re: draft-duke-quic-load-balancers-05.txt
Martin Duke <martin.h.duke@gmail.com> Tue, 29 October 2019 20:25 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFA79120125 for <quic@ietfa.amsl.com>; Tue, 29 Oct 2019 13:25:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uu5PvWgoo83r for <quic@ietfa.amsl.com>; Tue, 29 Oct 2019 13:25:15 -0700 (PDT)
Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C46841200E3 for <quic@ietf.org>; Tue, 29 Oct 2019 13:25:14 -0700 (PDT)
Received: by mail-wm1-x32a.google.com with SMTP id g7so4009859wmk.4 for <quic@ietf.org>; Tue, 29 Oct 2019 13:25:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=l2EfxQFvS4/CLQFcTRDGbJk7ko9pDW2R3MEy75XPU3E=; b=vhasHWHBHHBM4uQCNuoIkTJjiFIHVLDGMogN6F0InRTjojAXwphMoUPFMwZH35XxT+ Y+6L4AYVIRTzo3Rc4h/MH9UMT/ac8WcbN/RGbBNmzQumwynuXKo3r7Mz720cC6F8eyiw HweEnpvj9ko3PJjUWrdB35Ma2Z79YVomuQgoBMehxKdg8LgbmN4sBaLwlfntxPxvnGuQ 7B/l/o/JnCbw5EZwXjWf442OT4g2WL4a3v/76MqHLs96g0v2NTZPdH4QXBrEEviwZyLE jUvKYrhftlLrGRapFon7gDL41nHNlaNCce0gXw9Iy/0HVOyJp21Iklh7q3S1zMfbq2D3 4jfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=l2EfxQFvS4/CLQFcTRDGbJk7ko9pDW2R3MEy75XPU3E=; b=D4VMRGKte5t8Kpm4Ri88xtCppzXFZ/zga0L+dG1Lb0rgyQcnzMTVn6h33l3djRBpxS JG5EdY4dKVbXV1MfBq4ugBTJMuvnxmvpW3gFu+/zZq+Nmn2pVEb7DjGInjgU2F98lIff hWAL5qxulHdK3v34Ge34+yfRyTFWMfP6i38RA3KWfLNvvGFUEZ71iCBagfkrIHDMc5Rh HrDVsp50Ti6QU+0X6EKcUi2U/9uWYTSjr/ArdR2vLyQpCUzlbiVHaU2rQ3ZF3IFJET9E asEbPGRIUgFSPr8jA8ctPl+bWJ+OlpFxiI+dopbsFNMPB6lryp7q+ojjnTIoEXvugvEN f/1A==
X-Gm-Message-State: APjAAAUnWWgcUtuQW4djYvuYPN/3yC2L4QCNHo8NlnoXVSDDkrtClwcm u3SYmW/d2qKsnnTNu+4VPL0bBEq+cVEQSy++Ty4g0RjdfmA=
X-Google-Smtp-Source: APXvYqz+dbQxr/JEJmvJjyemChS/mXEXNVDQlVD3gVeqJeOw3N4T/xlo0tEOWVe4WNNqjF2X7rrQg26gfr6hkUf+lKw=
X-Received: by 2002:a1c:2846:: with SMTP id o67mr5850875wmo.7.1572380713215; Tue, 29 Oct 2019 13:25:13 -0700 (PDT)
MIME-Version: 1.0
References: <20191028194956.GC420@gmail.com>
In-Reply-To: <20191028194956.GC420@gmail.com>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Tue, 29 Oct 2019 13:25:01 -0700
Message-ID: <CAM4esxTJUFD-G-WUOwZQbgSafpMJXHVtYCm1eF=_1g8tDxru=A@mail.gmail.com>
Subject: Re: draft-duke-quic-load-balancers-05.txt
To: Sowmini Varadhan <sowmini05@gmail.com>
Cc: IETF QUIC WG <quic@ietf.org>, Nick Banks <nibanks@microsoft.com>, sovaradh@microsoft.com
Content-Type: multipart/alternative; boundary="000000000000dceb290596126941"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/aJ18LjKncsIt4usmoeYIOCoM9Fc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 20:25:18 -0000
Hi Sowmini, Thanks for the review. I'll file a PR for your editorial changes. Responses inline: On Mon, Oct 28, 2019 at 12:50 PM Sowmini Varadhan <sowmini05@gmail.com> wrote: > > <snip> > - Section 3.2: Config rotation is one octet (per Section 3.3) and > there are 2 bits for config rotation, so it is confusing when Section 3.2 > says > 361 received these, it MUST generate connection IDs with the config > 362 rotation bits set to '0b11' and MUST use the "disable_migration" > (0b11 is 2 bytes? In general, it would help to provide more context about > what/when/how this can happen, and why it is needed) > 0b11 is 2 bits. The '0b' notation indicates each digit is a bit; '0x' would be hexadecimal, where 2 characters = 1 Bytes. > > - Section 4 ("Routing Algorithms"). The 0-RTT can have application data. > Given that Section 4 discusses an "alternate algorithm" for 0-RTT, > is it possible that the data from 0-RTT gets routed differently than > the remainder of the packet? > In section 4, it says: " The load balancer SHOULD route Initial and 0-RTT packets from the client using an alternate algorithm". The point here is that the destination CID for these packets is chosen by the client. It may not be long enough to apply the chosen algorithm, so something else should be done. However, " This algorithm SHOULD generate consistent results for Initial and 0RTT packets that arrive with the same source and destination connection ID" so they all end up at the same place. If the LB doesn't do this, then the 0RTT packets will be lost. This is suboptimal but doesn't break the protocol. <snip> > > > - Section 4.3.1 refers to "token". Is this the token from the Initial? > From the Retry? The LB is just a service in the middle, between the > 2 quic endpoints, so it would help to explain which token to use. > To be clear, I am referring to: > 604 The load balancer decrypts the server ID using 128-bit AES > Electronic > 605 Codebook (ECB) mode, much like QUIC header protection. The nonce > 606 octets are padded to 16 octets using the as many of the first > octets > 607 of the token as necessary. AES-ECB encrypts this nonce using its > key > 608 to generate a mask which it applies to the encrypted server id. > > This is the QUIC-LB authentication token, which I should clarify. In any case, I don't believe that servers get this token if there's out-of-band configuration, so I need to fix this. > > - Editorial: s/decrypts/encrypts in second paragraph of Section 4.3.2: > 631 4.3.2. Server Actions > : > 640 The server decrypts the server ID using 128-bit AES Electronic > 641 Codebook (ECB) mode, much like QUIC header protection. The nonce > > - Section 5: this one was particularly hard for me to read. I think it > would help if this section of the draft hsd a top-level discussion on > why this is needed (i.e., what are the sort of things that can go > wrong if it is not there? Also, in Figure 5, why do we need to encode > ODCIL and ODCID in the Retry token, given that they are already there > in the Retry packet itself?) > This is for the benefit of the QUIC server. When the server gets an Initial Packet with a Retry token in it, it needs to extract the ODCID from that token so that it can send it back in a transport parameter. If the client got a Retry but then doesn't get the ODCID transport parameter, it means there's an unauthorized man in the middle and the client should terminate the connection. > > --Sowmini >
- draft-duke-quic-load-balancers-05.txt Sowmini Varadhan
- Re: draft-duke-quic-load-balancers-05.txt Martin Duke
- Re: draft-duke-quic-load-balancers-05.txt Sowmini Varadhan
- Re: draft-duke-quic-load-balancers-05.txt Martin Duke
- Re: draft-duke-quic-load-balancers-05.txt Sowmini Varadhan