IETF Logo Mail Archive

Re: Expected Client Response to SERVER_BUSY

Ian Swett <ianswett@google.com> Wed, 20 February 2019 14:42 UTC

Return-Path: <ianswett@google.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A53AA130E09 for <quic@ietfa.amsl.com>; Wed, 20 Feb 2019 06:42:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.501
X-Spam-Level:
X-Spam-Status: No, score=-17.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eSb_y1Vp5ly9 for <quic@ietfa.amsl.com>; Wed, 20 Feb 2019 06:41:59 -0800 (PST)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FC78127AC2 for <quic@ietf.org>; Wed, 20 Feb 2019 06:41:59 -0800 (PST)
Received: by mail-wm1-x32d.google.com with SMTP id x10so6647033wmg.2 for <quic@ietf.org>; Wed, 20 Feb 2019 06:41:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9PfG2AI8RheDos3yeJM2X+UDZ8ngBTuWWtzqskmSNJ0=; b=N1lLzW+sXAqoTAF83q07SU3iApCbWUF36KvNJW+h0bzk9W+p2zkmPh+7ptUW0D1HHy RDeSv/60EaVGENvhWnZMu/ishLwnBL1T554V7lJvanG+wGj5M6oxwckKuu/8Xqd/wkmE rB6SEbePW/yB0XMhJ+cNGuvM9hh4oy5rlnk1ChqmrCizTU6orD+L3U/H2Eduf/HvpDsa uzRfiKfi5yZGZrbN36Q86+yXqmGPILnxxP+cKahhBsIaKvZ5uK1zs56QGjKIE2x0n8YY doXJmILFR/0AtJ53Ao6EtswaHA6EXVP4XXYduR1X4/re3iDxsF2/WcS6lU2YAf6Gk/Wz OkTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9PfG2AI8RheDos3yeJM2X+UDZ8ngBTuWWtzqskmSNJ0=; b=pKNw3GKC4aYT65ELEn8gZkv/FpsB69Gx51yHdG4thayGjylmkgKUOYZcD+L7Ha7y4F 1s7rkdDmdWZ4vPQLq8ZUQ3CvIwe2TzZDtZh2X7MAJvuygn6Js6s4SvzK/Jg77QU89s6/ MWIpm77U6eQe0FdEDykT2HxHdQVhj36ymHlimVT2rg3EYVAc7+0q9vNul0vGCW2HJMEO STkss4n6IutiC1oTmLbn+mKkr/jPJ3kfkQ2A5NlVQjh03zoLepX4wuvrx8cJPxyPlN0k MUoihkWJ7j+BAhTGWT0k/jekv/KgeBYySuEDqCSLJ6xEU8ZwxxOQ0Um4Euq3NDUwMQbf PjpQ==
X-Gm-Message-State: AHQUAubYZKtp9EPW0XpXEWpDb2U3E2TzCrUAhOWJYj7f8Qk3EiA6JUc+ 7aL6hbIMtB+JMr5OQK8bDVtlbZxUxUKeyFkul0EE4g==
X-Google-Smtp-Source: AHgI3IaKwjvscMENBqK5T8dDQU32Bf821RP2saciMqErZkSRFI/mSGOJt8VpDsIcK+/7hfIcdIxkX3wpzV+HKuZBcGU=
X-Received: by 2002:a1c:6789:: with SMTP id b131mr6881905wmc.22.1550673717274; Wed, 20 Feb 2019 06:41:57 -0800 (PST)
MIME-Version: 1.0
References: <CY4PR21MB0854341128C64E450E7C2DA2B37C0@CY4PR21MB0854.namprd21.prod.outlook.com> <CAKcm_gPmQiMhzfXnkEB4u+X+84bCbL8FE3Lj3ZdPPQBBu+4uPg@mail.gmail.com> <1AF7E952-4542-4C40-8652-BFFBFA61784A@trammell.ch>
In-Reply-To: <1AF7E952-4542-4C40-8652-BFFBFA61784A@trammell.ch>
From: Ian Swett <ianswett@google.com>
Date: Wed, 20 Feb 2019 09:41:40 -0500
Message-ID: <CAKcm_gN11=DcV2v-JrX+Ym88D7P1Ey3rDvYomTf1seemsWDSwA@mail.gmail.com>
Subject: Re: Expected Client Response to SERVER_BUSY
To: "Brian Trammell (IETF)" <ietf@trammell.ch>
Cc: Nick Banks <nibanks@microsoft.com>, IETF QUIC WG <quic@ietf.org>, Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
Content-Type: multipart/alternative; boundary="0000000000001539f00582545c15"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/dQav4pHpj9SbtMl0QTVlJvXyC78>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 14:42:02 -0000

If a client follows 3xx redirects by default, then it seems sensible it'd
fall back to TCP automatically, but I'm not sure an immediate QUIC
connection close is equivalent to a redirect.  I can also imagine clients
that don't follow redirects by default falling back to TCP, so I think I
just chose a poor example.


On Wed, Feb 20, 2019 at 8:52 AM Brian Trammell (IETF) <ietf@trammell.ch>
wrote:

> hi Ian,
>
> Sent from my iPhone
>
> On 20 Feb 2019, at 14:34, Ian Swett <ianswett=40google.com@dmarc.ietf.org>
> wrote:
>
> For HTTP/3, my intent was to close the connection immediately with a
> connection close as you suggest, then the client would fall back to TCP,
> and then ensure the next Alt-Svc advertisement via TCP cleared any existing
> Alt-Svc entry so QUIC wasn't tried again in the immediate future.
>
> I hadn't thought of assigning semantics to a specific error code, but I'm
> reluctant to do so.  In our case, I think a more likely error code would
> indicate the infrastructure doesn't support QUIC, rather than DDoS, but the
> desired behavior of falling back to TCP and not attempting QUIC for a while
> is the same.
>
> The assumption I made above is that the client immediately falls back to
> TCP.  That of course depends upon the type of client it is.  I'd expect a
> browser to fall back, but I wouldn't expect curl or wget to.
>
>
> This is a bit of an aside, but I’m curious here: why not? I’ve always
> thought of the semantics of TCP fallback as equivalent to a 3xx redirect
> (either temporary or permanent, depending on the client heuristics wrt the
> underlying reason for the redirect). curl won’t do this automagically
> unless you tell it to, but iirc wget will...
>
> Am I wrong in thinking that most clients will see this as YA form of
> redirect?
>
> Cheers,
>
> Brian
>
> There is a decent amount of text on fallback in the Applicability draft:
> https://github.com/quicwg/ops-drafts/blob/master/draft-ietf-quic-applicability..md
> <https://github.com/quicwg/ops-drafts/blob/master/draft-ietf-quic-applicability.md>
>
>
>
> On Tue, Feb 19, 2019 at 5:11 PM Nick Banks <nibanks=
> 40microsoft.com@dmarc.ietf.org <40microsoft.com@dmarc.ietf..org>> wrote:
>
>> Hello Folks,
>>
>>
>>
>> I’ve been looking at interim DDoS mitigation strategies for QUIC until we
>> can have a more complete and QUIC aware DDoS and LB solution. One thing I
>> came up with is just trying to force the client to fallback to TCP.
>> Eventually, we will use Stateless Retry but that still requires a good bit
>> of design work and cooperation between the offload device and the backend
>> server. Until that is complete, a simple solution could be a device in path
>> just responding to new QUIC connection attempts (while an attack is in
>> progress) with a connection close frame containing the SERVER_BUSY error.
>> The logic to implement a simple device to do that should be quite trivial.
>>
>>
>>
>> To that end, I was trying to figure out what the expected client response
>> to any immediate (in the first RTT) connection close packets/frames would
>> be and it seems we don’t have anything in the spec. What about SERVER_BUSY
>> specifically? Is the client supposed to retry a new connection attempt?
>> Should they fallback to TCP immediately? Should we say anything in the spec?
>>
>>
>>
>> Thanks,
>>
>> - Nick
>>
>

v2.23.0 | Report a Bug | By Email