Re: Fast Address Validation - about
"Qing An" <anqing.aq@alibaba-inc.com> Thu, 31 October 2019 12:56 UTC
Return-Path: <anqing.aq@alibaba-inc.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 133B8120851 for <quic@ietfa.amsl.com>; Thu, 31 Oct 2019 05:56:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alibaba-inc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vXovrFVfUL3Y for <quic@ietfa.amsl.com>; Thu, 31 Oct 2019 05:56:02 -0700 (PDT)
Received: from out0-139.mail.aliyun.com (out0-139.mail.aliyun.com [140.205.0.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F17F9120074 for <quic@ietf.org>; Thu, 31 Oct 2019 05:56:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1572526558; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; bh=9OYjlGlBnsFYukVDzTTwanctfkqp9wje8Y+21HYSKy0=; b=lGkMFiPyohDs5PZ/dzG7KOsifnOmEIBMBy4nylx9vsAZ9ibKrHZqGw5pEKG1rQqqbGf7IIF0x0gD5y5IkSZJlF8wwHtmlNgR531tweDriv7rtuZ9DfCuLVrmzSupVQljCjkHYVAWnnoagCeYuFSU0IIkZzqNQ70Al8ptW2aEkjA=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R141e4; CH=green; DM=||false|; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03310; MF=anqing.aq@alibaba-inc.com; NM=1; PH=DW; RN=4; SR=0; TI=W4_5657687_v5ForWebDing_0A930BF4_1572515468662_o7001c4443s;
Received: from WS-web (anqing.aq@alibaba-inc.com[W4_5657687_v5ForWebDing_0A930BF4_1572515468662_o7001c4443s]) by e02c03267.eu6 at Thu, 31 Oct 2019 20:55:56 +0800
Date: Thu, 31 Oct 2019 20:55:56 +0800
From: Qing An <anqing.aq@alibaba-inc.com>
To: quic <quic@ietf.org>, "jri.ietf" <jri.ietf@gmail.com>, mt <mt@lowentropy.net>, mikkelfj <mikkelfj@gmail.com>
Reply-To: Qing An <anqing.aq@alibaba-inc.com>
Message-ID: <f55efb80-1a95-4190-84e5-b81948a7f081.anqing.aq@alibaba-inc.com>
Subject: Re: Fast Address Validation - about
X-Mailer: [Alimail-Mailagent revision 2765257][W4_5657687][v5ForWebDing][Chrome]
MIME-Version: 1.0
References: <4974ed86-0fa9-435d-880f-80af637ef180.anqing.aq@alibaba-inc.com> <BN6PR2201MB1700F72F3DC8F6C3CF79902CDA600@BN6PR2201MB1700.namprd22.prod.outlook.com>, <bd15f357-8e7a-42af-bf28-79f7177da385@www.fastmail.com>
x-aliyun-mail-creator: W4_5657687_v5ForWebDing_NTMTW96aWxsYS81LjAgKE1hY2ludG9zaDsgSW50ZWwgTWFjIE9TIFggMTBfMTVfMCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzc4LjAuMzkwNC43MCBTYWZhcmkvNTM3LjM2XQ
In-Reply-To: <bd15f357-8e7a-42af-bf28-79f7177da385@www.fastmail.com>
Content-Type: multipart/alternative; boundary="----=ALIBOUNDARY_80694_4c170940_5dbad9dc_324138"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/dEcauC04uYkevzFzOxkOHrsJNms>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 12:56:05 -0000
To clarify, the proposal is not to replace the existing Retry-based validation, but to provide another option for server to do the client validation. I understand that in server side, exchanging the token at the Handshake encryption level will make the server start to maintain handshake states. But in client side, it can accelerate the connection establishment from client to server. And it is the server's decision whether to exchange token in Retry or in Handshake. If server chooses to accept the cost brought by token exchanging in Handshake, it will bring more enhanced experience in client side. BR, Qing ------------------------------------------------------------------ From:Martin Thomson <mt@lowentropy.net> Send Time:2019年10月31日(星期四) 06:07 To:quic <quic@ietf.org> Subject:Re: Fast Address Validation - about Also note that exchange of Handshake packets provides proof of return routeability via the use of the encryption keys, so there is no need to exchange tokens at that level. On Thu, Oct 31, 2019, at 03:29, Mike Bishop wrote: > > The advantage of using Retry, however, is that the server is able to > keep minimal (if any) state about the client. Exchanging the token at > the Handshake encryption level means the server is already doing work > and maintaining state in order to process the handshake, which is > exactly what the server is trying to avoid. > > > *From:* QUIC <quic-bounces@ietf.org> *On Behalf Of * Qing An > *Sent:* Wednesday, October 30, 2019 9:41 AM > *To:* quic <quic@ietf.org>; jri.ietf <jri.ietf@gmail.com>; mt > <mt@lowentropy.net> > *Cc:* 刘大鹏(鹏成) <max.ldp@alibaba-inc.com> > *Subject:* Fast Address Validation - about > > > > > Hi Martin, Jana, > > I read through https://www.ietf.org/id/draft-ietf-quic-transport-23.txt > and have a few comments and ideas to discuss. > > > [QUIC-Trans] defines a token based scheme to facilitate address > validation of a client. The token MUST be covered by integrity > protection against modification or falsification by clients. The server > remembers the value it sends to clients and validates the token sent > back from a client. In its design, Retry packet is used to deliver the > token to a client which address has not yet been validated. It voids > the first transmission of the Initial packet sent by the client, and > triggers a second Initial packet to be sent with the token. The > exchange of token will cause longer connection establishment delay for > a client. > > > To improve the efficiency of address validation during handshake, one > idea is that the same token can be exchanged via a different container > i.e. the Handshake packet, that eliminates the use of Retry packet for > token delivery. > > > I am working on the complete draft and will submit it by Friday. Before > that, hope this can be discussed in email first. > > > BR, > > Qing An >
- Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- RE: Fast Address Validation - about Mike Bishop
- Re: Fast Address Validation - about Martin Thomson
- Re: Fast Address Validation - about Qing An
- RE: Fast Address Validation - about Mike Bishop
- Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Marten Seemann
- Re: Fast Address Validation - about Töma Gavrichenkov
- Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- Re: Fast Address Validation - about Töma Gavrichenkov
- Re:Re: Fast Address Validation - about Qing An
- Re:Re: Fast Address Validation - about Qing An
- Re:Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- Re: Re: Fast Address Validation - about Töma Gavrichenkov
- Re: Fast Address Validation - about Töma Gavrichenkov
- Re: Fast Address Validation - about Jana Iyengar
- Re:Re: Fast Address Validation - about Qing An
- Re:Re:Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Christian Huitema
- Re:Re: Fast Address Validation - about Qing An
- Re: Fast Address Validation - about Christian Huitema
- Re:Re:Re: Fast Address Validation - about Mikkel Fahnøe Jørgensen
- Re: Fast Address Validation - about Christian Huitema