Re: comments on the spin bit, in lieu of the mic line

Tommy Pauly <tpauly@apple.com> Wed, 07 November 2018 01:30 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC051128CE4 for <quic@ietfa.amsl.com>; Tue, 6 Nov 2018 17:30:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level:
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1jU8-Ydl2R4V for <quic@ietfa.amsl.com>; Tue, 6 Nov 2018 17:30:47 -0800 (PST)
Received: from nwk-aaemail-lapp03.apple.com (nwk-aaemail-lapp03.apple.com [17.151.62.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3B8B127598 for <quic@ietf.org>; Tue, 6 Nov 2018 17:30:47 -0800 (PST)
Received: from pps.filterd (nwk-aaemail-lapp03.apple.com [127.0.0.1]) by nwk-aaemail-lapp03.apple.com (8.16.0.22/8.16.0.22) with SMTP id wA71MLJ2020905; Tue, 6 Nov 2018 17:30:46 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=mime-version : content-type : sender : from : message-id : subject : date : in-reply-to : cc : to : references; s=20180706; bh=2OMM7oVrxvIR2y5WCfX0/2YnjC8ZZCB3XGzo3rWT7QU=; b=kUxE/SQm+IpxFfpfpWrvv3FpEtZIt7Y9op9mW7zmf7X/4+/NvZB/FUqs2zmCppp8Foj6 0mvled+Deo3Lq3O1ceSwEr6B5mcguuBP/41QocmDXUNZiUIRnHOhkK8hl7hbud1nVpyV flIP3VcvjcWrIQYbYyLM2lzYufPsitzEzR1Af3y+2SW0mMQmFHk2NZ8i+7RKpSZX08J/ BIyTmEj1HWyvz19jsI/S9N3eL+HXmJlIdrUSL6UJV5A7RcaNxX5T/0alrtWmXXUDWW6j u5otZF2Uaa3/2+4UP/RYdsCYJiGC3mXIGe4/yfS9AyOziaiwTpXqrpIIOTNBv/8cVsfY uw==
Received: from mr2-mtap-s01.rno.apple.com (mr2-mtap-s01.rno.apple.com [17.179.226.133]) by nwk-aaemail-lapp03.apple.com with ESMTP id 2njv76j46s-7 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 06 Nov 2018 17:30:46 -0800
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_0vAUP7zezaJmjvyAIBT3sA)"
Received: from ma1-mmpp-sz10.apple.com (ma1-mmpp-sz10.apple.com [17.171.128.150]) by mr2-mtap-s01.rno.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPS id <0PHS009GKUV8AU10@mr2-mtap-s01.rno.apple.com>; Tue, 06 Nov 2018 17:30:45 -0800 (PST)
Received: from process_viserion-daemon.ma1-mmpp-sz10.apple.com by ma1-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PHS00600U68QP00@ma1-mmpp-sz10.apple.com>; Tue, 06 Nov 2018 17:30:44 -0800 (PST)
X-Va-A:
X-Va-T-CD: 0613c62973e0edaa536c346ace790f0c
X-Va-E-CD: e23f86a8d329a2c7665da7729fe2353d
X-Va-R-CD: ac1a299699fa10cf41ef3ac9e54f3b11
X-Va-CD: 0
X-Va-ID: 05181067-a4f1-4bb1-a2d5-eefde2afafbd
X-V-A:
X-V-T-CD: e35a78e4c47125ab08eac8fd8a04005c
X-V-E-CD: e23f86a8d329a2c7665da7729fe2353d
X-V-R-CD: ac1a299699fa10cf41ef3ac9e54f3b11
X-V-CD: 0
X-V-ID: 5ac68f2d-8597-4eca-90a8-1a0bab33e76a
Received: from process_milters-daemon.ma1-mmpp-sz10.apple.com by ma1-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) id <0PHS00500U4H6100@ma1-mmpp-sz10.apple.com>; Tue, 06 Nov 2018 17:30:44 -0800 (PST)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-06_14:,, signatures=0
Received: from [17.234.219.157] (unknown [17.234.219.157]) by ma1-mmpp-sz10.apple.com (Oracle Communications Messaging Server 8.0.2.3.20180614 64bit (built Jun 14 2018)) with ESMTPSA id <0PHS00GEJUUXMT40@ma1-mmpp-sz10.apple.com>; Tue, 06 Nov 2018 17:30:44 -0800 (PST)
Sender: tpauly@apple.com
From: Tommy Pauly <tpauly@apple.com>
Message-id: <50009962-B1A3-4371-818E-6E479831ABFE@apple.com>
Subject: Re: comments on the spin bit, in lieu of the mic line
Date: Wed, 07 Nov 2018 08:30:28 +0700
In-reply-to: <CA+9kkMC0_bJkypuPNDG8rvUtmHjg6=iLf=sEuSc7S5C0S1nCYA@mail.gmail.com>
Cc: Kazuho Oku <kazuhooku@gmail.com>, Brian Trammell <ietf@trammell.ch>, IETF QUIC WG <quic@ietf.org>
To: Ted Hardie <ted.ietf@gmail.com>
References: <31F20CF7-3B82-4856-B8AF-485117A10B7B@trammell.ch> <CANatvzyXSTCjp4o2E+Xw2_MvYQ=i3HoCntQ-JW_miZq_yzrbmg@mail.gmail.com> <CA+9kkMC0_bJkypuPNDG8rvUtmHjg6=iLf=sEuSc7S5C0S1nCYA@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.100.36)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-11-06_14:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/ciIWmr70oIXfIlnLByOkpOBedmc>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 01:30:51 -0000

+1

I agree with Ted that the time for a QUIC handshake would give away the use of a tunnel much the same as the spin bit would. The one case in which a connection could indeed hide the use of a tunnel better would be to establish over a non-tunneled path, and then migrate the connection to a path over a tunnel. This would eliminate performing a handshake over a path that includes a tunnel.

Regardless, my understanding is that negotiation for the spin bit is an added complexity that doesn't provide too much value. Each of the client and the server may have a desire to not spin if they are concerned about a given situation (say, the use of a VPN tunnel). If the client is aware of this situation on its end, it can choose not to spin the bit. If the server is aware of this situation on its end, it can choose to not reflect changes to the bit. This awareness must be present in order to make a negotiated spin bit possible, so it seems like this situation is strictly no worse.

Thanks,
Tommy

> On Nov 7, 2018, at 8:15 AM, Ted Hardie <ted.ietf@gmail.com>; wrote:
> 
> Hi Kazuho,
> 
> Some responses in-line.
> On Wed, Nov 7, 2018 at 6:58 AM Kazuho Oku <kazuhooku@gmail.com <mailto:kazuhooku@gmail.com>> wrote:
> 2018年11月6日(火) 23:03 Brian Trammell (IETF) <ietf@trammell.ch <mailto:ietf@trammell.ch>>:
> >
> > Greetings, all,
> >
> > As I might not make it to tomorrow's discussion remotely, I wanted to go ahead and say a few things that I would say in the mic line. To the questions posed in the agenda:
> >
> >
> > - Yes, we should consider only the 1-bit variant. The VEC protects the fidelity of the signal very well (indeed, well beyond the bounds of network conditions the transport will tolerate), but (1) Marcus' work in particular has shown that even in challenging network conditions, relatively simple heuristics at the observers can compensate for not having it, so (2) at the cost of two extra bits the marginal value is low.
> >
> > - Yes, the spin bit is clearly fit for purpose. I'll note we've done more research on this question than for any other single feature under consideration for inclusion in QUIC.
> >
> > - I am not at this time responsible for any sizeable deployment, so I can't speak directly to the third question. While I hope we'll hear from more implementers during the discussion tomorrow that they intend to implement, IMO even just a deployment from Microsoft would be sufficient to generate enough spinning flows to make deployment of observers useful.
> >
> > - The spin bit should be included in the specification. It provides the continued ability to measure RTT passively in a future world where TCP traffic is increasingly replaced by QUIC traffic, at negligible complexity cost, essentially zero runtime overhead, with negligible privacy impact, and what negligible impact it may have on privacy in certain corner cases can be easily mitigated.
> >
> > - As to requirement levels, I'd stick with my own recommendation from the earlier thread: client and server SHOULD implement, though server SHOULD is IMO marginally more important than client SHOULD.
> >
> >
> > Now some details (presuming, of course, that the discussion gets that far):
> >
> > - In any case, both server and client SHOULD independently randomly disable spinning on some proportion of connections (1/8 to 1/16) to target a given proportion (1/4 to 1/8) of connections spinning, as in [section 4 of the author's copy of spin-exp](https://quicwg.org/base-drafts/draft-ietf-quic-spin-exp.html#rfc..section.4 <https://quicwg.org/base-drafts/draft-ietf-quic-spin-exp.html#rfc..section.4>). This is to ensure that those endpoints that wish to opt out have a large anonymity set to hide in.
> >
> > - If we want to maintain the principle of linkability reduction across CIDs, then this non-spinning-state should be independent for each CID. In contrast to what's in section 4 of spin-exp, non-spinning spin bits shouldn't be set to zero, rather to a random value on a per-CID basis. This is easily recognizable by an observer in all cases (client/server participate/nonparticipate-1/nonparticipate-0), and reduces the risk of ossification around nonparticipant action. (This risk is small, to be sure, but we should not clamp a bit to a constant value, if only because we want the protocol's design to consistent.)
> >
> > - As to whether non-spinning should be negotiated (see [the appendix in the author's copy](https://quicwg.org/base-drafts/draft-ietf-quic-spin-exp.html#rfc.appendix.A <https://quicwg.org/base-drafts/draft-ietf-quic-spin-exp.html#rfc.appendix.A>)) versus "discretionary", I was originally a fan of negotiation (as it provides a better-than-greasing way to exercise the version negotiation mechanism), but the rules for maintaining the principle of linkability reduction across CIDs become more complicated for negotiated spin, and the benefits for observers (i.e., that an observer can classify flows by version) become far less clear in the face of that linkability reduction. So I would lean toward the discretionary approach for the sake of simplicity -- we'll just have to exercise version negotiation by shipping version 2 soon after version 1. ;)
> 
> Brian, thank you for starting the discussion.
> 
> I’m attending, but let me respond here, because I would like to
> “optimize to avoid” people using their brain to parse my broken
> English expressed verbally :-)
> 
> If we are to adopt spin bit, my view is that the use MUST be negotiated.
> 
> It seemed to me that we agree to the fact that at least in extreme
> cases (e.g. a client or a server behind a intercontinental VPN), there
> is a privacy concern in exposing the spin.
> 
> 
> I pointed out that this privacy concern also exists for the handshake, and I did not see a response.  Did I miss a mitigation there, or do you agree that watching the handshake would also disclose this?
> 
> Assuming that is true, an endpoint cannot discretionary start exposing
> spin bits, because it exposes to the observer who knows the location
> of the endpoint (which is the common case) how far the peer is from
> it's VPN gateway.
> 
> While I don't personally see that this reveals any new data beyond the handshake data, I think making this discretionary handles this cases very well.  A local configuration that says not to spin when going out a tunnel interface eliminates this risk completely.  The large window of randomly disabled other flows means that this discretionary choice is not highlighted in the data.
> 
> 
> It might be true that negotiating the use makes implementations
> slightly complex. But the complexity should not be used as a reason to
> ignore privacy concerns, especially in case where the additional
> complexity is small.
> 
> I think the complexity of including a configuration option for "no spinning on tun0-like interfaces" is less than the negotiation complexity.  I would even support that being a default configuration, if that allays your concerns.
> 
> best regards,
> 
> Ted Hardie
> 
>  
> >
> > If I can't join, have fun tomorrow. Cheers,
> >
> > Brian
> >
> 
> 
> -- 
> Kazuho Oku